HP 5500 Ei 5500 Si Switch Series Configuration Guide

    NTP message format 
    NTP uses two types of messages: clock synchronization and NTP control messages. All NTP messages 
    mentioned in this document refer to NTP clock synchronization messages. NTP control messages are
    used in environments where network management is needed. Because NTP control messages are not
    essential for clock synchronization, they are not described in this document.
    A clock synchronization message is encapsulated in a UDP message in the format shown in Figure 6.
    Figure 6  Clock synchronization message format 
     
     
    The main fields are described as follows: 
    •  LI (Leap Indicator)—A 2-bit leap indicator. If set to 11, it warns of an alarm condition (clock
    unsynchronized). If set to any other value, it is not to be processed by NTP.
    •  VN (Version Number)—A 3-bit version number that indicates the version of NTP. The latest version
    is version 4.
    •  Mode—A 3-bit code that indicates the operation mode of NTP. This field can be set to these values:
        ◦  0—Reserved
        ◦  1—Symmetric active
        ◦  2—Symmetric passive
        ◦  3—Client
        ◦  4—Server
        ◦  5—Broadcast or multicast
        ◦  6—NTP control message
        ◦  7—Reserved for private use.
    •  Stratum—An 8-bit integer that indicates the stratum level of the local clock, with the value ranging
    from 1 to 16. Clock precision decreases from stratum 1 through stratum 16. A stratum 1 clock has
    the highest precision, and a stratum 16 clock is not synchronized.
    •  Poll—An 8-bit signed integer that indicates the maximum interval between successive messages,
    which is called the poll interval.
    •  Precision—An 8-bit signed integer that indicates the precision of the local clock.
    •  Root Delay—Roundtrip delay to the primary reference source.
    •  Root Dispersion—The maximum error of the local clock relative to the primary reference source.
    •  Reference Identifier—Identifier of the particular reference source.
    •  Reference Timestamp—The local time at which the local clock was last set or corrected.
    •  Originate Timestamp—The local time at which the request departed from the client for the service
    host.
    •  Receive Timestamp—The local time at which the request arrived at the service host.
    •  Transmit Timestamp—The local time at which the reply departed from the service host for the client.
    •  Authenticator—Authentication information.
    Operation modes 
    Devices that run NTP can implement clock synchronization in one of the following modes: 
    •  Client/server mode
    •  Symmetric peers mode
    •  Broadcast mode
    •  Multicast mode
    You can select operation modes of NTP as needed. If the IP address of the NTP server or peer is unknown
    and many devices in the network need to be synchronized, adopt the broadcast or multicast mode. In the
    client/server or symmetric peers mode, a device is synchronized from the specified server or peer, so
    clock reliability is enhanced.
    Client/server mode 
    Figure 7  Client/server mode 
     
     
    When operating in client/server mode, a client sends a clock synchronization message to servers with 
    the Mode field in the message set to 3 (client mode). Upon receiving the message, the servers 
    automatically operate in server mode and send a reply, with the Mode field in the messages set to 4 
    (server mode). Upon receiving the replies from the servers, the client performs clock filtering and selection 
    and synchronizes to the optimal reference source. 
    In client/server mode, a client can synchronize to a server, but a server cannot synchronize to a client. 
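    The message fields and the Mode 3 / Mode 4 exchange described above, as an added Python example that is not part of the HP guide or the switch software. It packs and parses the 48-byte header and checks a reply the way a client can before using it; the class and function names, the sample values, and the treatment of every byte after the header as the Authenticator are assumptions of this example.

```python
import struct
from dataclasses import dataclass

# Fixed 48-byte header: LI/VN/Mode byte, Stratum, Poll, Precision, Root Delay,
# Root Dispersion, Reference Identifier, then the four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBbbII4sQQQQ")
MODES = {0: "reserved", 1: "symmetric active", 2: "symmetric passive",
         3: "client", 4: "server", 5: "broadcast or multicast",
         6: "NTP control message", 7: "reserved for private use"}


@dataclass
class NtpMessage:
    li: int
    vn: int
    mode: int
    stratum: int
    poll: int               # signed
    precision: int          # signed
    root_delay: int         # raw 32-bit value
    root_dispersion: int    # raw 32-bit value
    ref_id: bytes
    reference_ts: int       # raw 64-bit timestamps
    originate_ts: int
    receive_ts: int
    transmit_ts: int
    authenticator: bytes = b""

    def pack(self) -> bytes:
        first = (self.li << 6) | (self.vn << 3) | self.mode
        return NTP_HEADER.pack(
            first, self.stratum, self.poll, self.precision, self.root_delay,
            self.root_dispersion, self.ref_id, self.reference_ts,
            self.originate_ts, self.receive_ts, self.transmit_ts) + self.authenticator


def parse(data: bytes) -> NtpMessage:
    if len(data) < NTP_HEADER.size:
        raise ValueError("shorter than the 48-byte NTP header")
    first, *rest = NTP_HEADER.unpack_from(data)
    # Simplification (assumption): every byte after the header is kept as the Authenticator.
    return NtpMessage(first >> 6, (first >> 3) & 7, first & 7, *rest,
                      authenticator=data[NTP_HEADER.size:])


def check_reply(request: NtpMessage, reply: NtpMessage) -> list:
    """Return the reasons a client should not use this reply (empty list = usable)."""
    problems = []
    if reply.mode != 4:
        problems.append(f"Mode {reply.mode} ({MODES[reply.mode]}), expected 4 (server)")
    if reply.li == 0b11:
        problems.append("LI is 11: clock unsynchronized")
    if not 1 <= reply.stratum <= 15:  # 16 means not synchronized
        problems.append(f"Stratum {reply.stratum} is not a synchronized level")
    if reply.originate_ts != request.transmit_ts:
        problems.append("Originate Timestamp does not match the request's departure time")
    return problems


# Constructed sample exchange (illustrative values, not captured traffic).
T1 = 0xE8B1000000000000
REQUEST = NtpMessage(0, 4, 3, 3, 6, -20, 0, 0, bytes(4), 0, 0, 0, T1)
GOOD_REPLY = NtpMessage(0, 4, 4, 2, 6, -20, 0x100, 0x200, bytes([10, 0, 0, 1]),
                        T1 - 5, T1, T1 + 1, T1 + 2)
BAD_REPLY = NtpMessage(3, 4, 4, 16, 6, -20, 0, 0, b"INIT", 0, 0, T1 + 1, T1 + 2)

if __name__ == "__main__":
    for name, msg in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        print(name, check_reply(REQUEST, parse(msg.pack())))
```

    A reply whose Originate Timestamp does not echo the value the client sent cannot be tied to an outstanding request, so the check rejects it along with replies from unsynchronized servers.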
    Symmetric peers mode 
    Figure 8 Symmetric peers mode 
     
     
    In symmetric peers mode, devices that operate in symmetric active mode and symmetric passive mode
    exchange NTP messages with the Mode field 3 (client mode) and 4 (server mode). Then the device that
    operates in symmetric active mode periodically sends clock synchronization messages, with the Mode
    field in the messages set to 1 (symmetric active). The device that receives the messages automatically
    enters symmetric passive mode and sends a reply, with the Mode field in the message set to 2 (symmetric
    passive). This exchange of messages establishes symmetric peers mode between the two devices, so the
    two devices can synchronize, or be synchronized by, each other. If the clocks of both devices have been
    synchronized, the device whose local clock has a lower stratum level synchronizes the other device.
    Broadcast mode 
    Figure 9  Broadcast mode 
     
     
    In broadcast mode, a server periodically sends clock synchronization messages to broadcast address
    255.255.255.255, with the Mode field in the messages set to 5 (broadcast mode). Clients listen to the
    broadcast messages from servers. When a client receives the first broadcast message, the client and the
    server start to exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to
    calculate the network delay between client and the server. Then, the client enters broadcast client mode.
    The client continues listening to broadcast messages, and synchronizes its local clock based on the
    received broadcast messages.
    Multicast mode 
    Figure 10 Multicast mode 
     
     
    In multicast mode, a server periodically sends clock synchronization messages to the user-configured
    multicast address, or, if no multicast address is configured, to the default NTP multicast address 224.0.1.1,
    with the Mode field in the messages set to 5 (multicast mode). Clients listen to the multicast messages
    from servers. When a client receives the first multicast message, the client and the server start to
    exchange messages with the Mode field set to 3 (client mode) and 4 (server mode), to calculate the
    network delay between client and server. Then, the client enters multicast client mode. It continues
    listening to multicast messages, and synchronizes its local clock based on the received multicast
    messages.
    In symmetric peers mode, broadcast mode, and multicast mode, the client (or the symmetric active peer)
    and the server (the symmetric passive peer) can operate in the specified NTP operation mode only after
    they exchange NTP messages with the Mode field 3 (client mode) and the Mode field 4 (server mode).
    During this message exchange process, NTP clock synchronization can be implemented.
    NTP configuration task list 
     
    Task                                 Remarks
    Configuring NTP operation modes      Required
    Configuring optional parameters      Optional
    Configuring access-control rights    Optional
    Configuring NTP authentication       Optional
     
    Configuring NTP operation modes 
    Devices can implement clock synchronization in one of the following modes: 
    •  Client/server mode—Configure only clients.
    •  Symmetric mode—Configure only symmetric-active peers.
    •  Broadcast mode—Configure both clients and servers.
    •  Multicast mode—Configure both clients and servers.
    Configuring the client/server mode 
    For devices operating in client/server mode, make configurations on the clients. 
    If you specify the source interface for NTP messages by using the source-interface option, NTP uses
    the primary IP address of the specified interface as the source IP address of the NTP messages.
    A device can act as a server to synchronize other devices only after it is synchronized. If a server has a 
    stratum level higher than or equal to a client, the client will not synchronize to that server. 
    To specify an NTP server on the client: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Specify an NTP server for the device.
        Command: ntp-service unicast-server [ vpn-instance vpn-instance-name ] { ip-address | server-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
        Remarks: By default, no NTP server is specified. Only the HP 5500 EI supports the vpn-instance keyword. In this command, the ip-address argument must be a unicast address, rather than a broadcast address, a multicast address or the IP address of the local clock. You can configure multiple servers by repeating the command. The clients will select the optimal reference source.
     
    Configuring the symmetric peers mode 
    Follow these guidelines when you configure the NTP symmetric peers mode: 
    •  For devices operating in symmetric mode, specify a symmetric-passive peer on a symmetric-active
    peer.
    •  Use any NTP configuration command in Configuring NTP operation modes to enable NTP.
    Otherwise, a symmetric-passive peer does not process NTP messages from a symmetric-active peer.
    •  Either the symmetric-active peer or the symmetric-passive peer must be in synchronized state.
    Otherwise, clock synchronization does not proceed.
    To specify a symmetric-passive peer on the active peer: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Specify a symmetric-passive peer for the device.
        Command: ntp-service unicast-peer [ vpn-instance vpn-instance-name ] { ip-address | peer-name } [ authentication-keyid keyid | priority | source-interface interface-type interface-number | version number ] *
        Remarks: By default, no symmetric-passive peer is specified. Only the HP 5500 EI supports the vpn-instance keyword. The ip-address argument must be a unicast address, rather than a broadcast address, a multicast address, or the IP address of the local clock. After you specify the source interface for NTP messages by using the source-interface option, the source IP address of the NTP messages is set as the primary IP address of the specified interface. You can configure multiple symmetric-passive peers by repeating this command.
     
    Configuring the broadcast mode 
    The broadcast server periodically sends NTP broadcast messages to the broadcast address
    255.255.255.255. After receiving the messages, the device operating in NTP broadcast client mode
    sends a reply and synchronizes to the server.
    Configure the NTP broadcast mode on both the server and clients. The NTP broadcast mode can only be 
    configured in a specific interface view because an interface needs to be specified on the broadcast 
    server for sending NTP broadcast messages and on each broadcast client for receiving broadcast 
    messages. 
    Configuring a broadcast client 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter Layer 3 Ethernet interface view or VLAN interface view.
        Command: interface interface-type interface-number
        Remarks: This command enters the view of the interface for sending NTP broadcast messages. You can configure an Ethernet port as a Layer 3 Ethernet port only on the HP 5500 EI switch.
    Step 3. Configure the device to operate in NTP broadcast client mode.
        Command: ntp-service broadcast-client
        Remarks: N/A
     
    Configuring the broadcast server

    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter Layer 3 Ethernet interface view or VLAN interface view.
        Command: interface interface-type interface-number
        Remarks: This command enters the view of the interface for sending NTP broadcast messages. You can configure an Ethernet port as a Layer 3 Ethernet port only on the HP 5500 EI switch.
    Step 3. Configure the device to operate in NTP broadcast server mode.
        Command: ntp-service broadcast-server [ authentication-keyid keyid | version number ] *
        Remarks: A broadcast server can synchronize broadcast clients only when its clock has been synchronized.
     
    Configuring the multicast mode 
    The multicast server periodically sends NTP multicast messages to multicast clients, which send replies 
    after receiving the messages and synchronize their local clocks. 
    Configure the NTP multicast mode on both the server and clients. The NTP multicast mode must be 
    configured in a specific interface view. 
    Configuring a multicast client 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter Layer 3 Ethernet interface view or VLAN interface view.
        Command: interface interface-type interface-number
        Remarks: This command enters the view of the interface for sending NTP multicast messages. You can configure an Ethernet port as a Layer 3 Ethernet port only on the HP 5500 EI switch.
    Step 3. Configure the device to operate in NTP multicast client mode.
        Command: ntp-service multicast-client [ ip-address ]
        Remarks: You can configure up to 1024 multicast clients, of which 128 can take effect at the same time.
     
    Configuring the multicast server 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter Layer 3 Ethernet interface view or VLAN interface view.
        Command: interface interface-type interface-number
        Remarks: This command enters the view of the interface for sending NTP multicast messages. You can configure an Ethernet port as a Layer 3 Ethernet port only on the HP 5500 EI switch.
    Step 3. Configure the device to operate in NTP multicast server mode.
        Command: ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid | ttl ttl-number | version number ] *
        Remarks: A multicast server can synchronize broadcast clients only when its clock has been synchronized.
     
    Configuring optional parameters 
    This section explains how to configure the optional parameters of NTP. 
    Specifying the source interface for NTP messages 
    If you specify the source interface for NTP messages, the device sets the source IP address of the NTP
    messages as the primary IP address of the specified interface when sending the NTP messages.
    When the device responds to an NTP request received, the source IP address of the NTP response is 
    always the IP address of the interface that received the NTP request. 
    Configuration guidelines 
    •  The source interface for NTP unicast messages is the interface specified in the ntp-service
    unicast-server or ntp-service unicast-peer command.
    •  The source interface for NTP broadcast or multicast messages is the interface where you configure
    the ntp-service broadcast-server or ntp-service multicast-server command.
    •  If the specified source interface goes down, NTP uses the primary IP address of the outgoing
    interface as the source IP address.
    Configuration procedure 
    To specify the source interface for NTP messages:  
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Specify the source interface for NTP messages.
        Command: ntp-service source-interface interface-type interface-number
        Remarks: By default, no source interface is specified for NTP messages, and the system uses the IP address of the interface determined by the matching route as the source IP address of NTP messages.
     
    Disabling an interface from receiving NTP messages 
    If NTP is enabled, NTP messages can be received from all interfaces by default. You can disable an
    interface from receiving NTP messages by using the following configuration.
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Enter Layer 3 Ethernet interface view or VLAN interface view.
        Command: interface interface-type interface-number
        Remarks: You can configure an Ethernet port as a Layer 3 Ethernet port only on the HP 5500 EI switch.
    Step 3. Disable the interface from receiving NTP messages.
        Command: ntp-service in-interface disable
        Remarks: By default, an interface is enabled to receive NTP messages.
     
    Configuring the allowed maximum number of dynamic sessions
    A single device can have a maximum of 128 associations at the same time, including static associations
    and dynamic associations.
    A static association refers to an association that a user has manually created by using an NTP command.
    A dynamic association is a temporary association created by the system during operation. A dynamic
    association is removed if the system fails to receive messages from it over a specific long time.
    In client/server mode, for example, when you execute a command to synchronize the time to a server, the
    system creates a static association, and the server simply responds passively upon the receipt of a
    message, rather than creating an association (static or dynamic). In symmetric mode, static associations
    are created at the symmetric-active peer side, and dynamic associations are created at the
    symmetric-passive peer side. In broadcast or multicast mode, static associations are created at the server
    side, and dynamic associations are created at the client side.
    To configure the allowed maximum number of dynamic sessions: 
     
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Configure the maximum number of dynamic sessions allowed to be established locally.
        Command: ntp-service max-dynamic-sessions number
        Remarks: The default is 100.
     
    Configuring the DSCP value for NTP messages  
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Configure the Differentiated Service Code Point (DSCP) value for NTP messages.
        Command: ntp-service dscp dscp-value
        Remarks: The default setting is 16.
     
    Configuring access-control rights 
    From the highest to lowest, the NTP service access-control rights are peer, server, synchronization, and
    query. If a device receives an NTP request, it performs an access-control right match and uses the first
    matched right. If no matched right is found, the device drops the NTP request.
    •  query—Control query permitted. This level of right permits the peer devices to perform control
    query to the NTP service on the local device, but it does not permit a peer device to synchronize to
    the local device. Control query refers to the query of some states of the NTP service, including
    alarm information, authentication status, and clock source information.
    •  synchronization—Server access only. This level of right permits a peer device to synchronize to the
    local device, but it does not permit the peer devices to perform control query.
    •  server—Server access and query permitted. This level of right permits the peer devices to perform
    synchronization and control query to the local device, but it does not permit the local device to
    synchronize to a peer device.
    •  peer—Full access. This level of right permits the peer devices to perform synchronization and control
    query to the local device, and it permits the local device to synchronize to a peer device.
    The access-control right mechanism provides only a minimum level of security protection for a system 
    running NTP. A more secure method is identity authentication. 
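    A model of the first-match evaluation described above, as an added Python example that is not the switch's implementation. It assumes each right is bound to an ACL that is reduced here to a list of permitted IPv4 source prefixes; the function names, operation labels and sample addresses are constructed for illustration. It also reports prefixes bound to a lower right that can never take effect because a higher right already matches them.

```python
import ipaddress

# Rights from highest to lowest, as listed in the guide, with what each permits:
#   sync_to_local      - the peer may synchronize to the local device
#   control_query      - the peer may run control queries against the local device
#   local_sync_to_peer - the local device may synchronize to the peer
RIGHTS = [
    ("peer", {"sync_to_local", "control_query", "local_sync_to_peer"}),
    ("server", {"sync_to_local", "control_query"}),
    ("synchronization", {"sync_to_local"}),
    ("query", {"control_query"}),
]


def match_right(config, source_ip):
    """Return (right, permitted operations) for the first matched right,
    or (None, set()) when nothing matches and the request is dropped."""
    addr = ipaddress.ip_address(source_ip)
    for right, permitted in RIGHTS:
        for prefix in config.get(right, []):
            if addr in ipaddress.ip_network(prefix):
                return right, permitted
    return None, set()


def shadowed(config):
    """List (lower right, prefix, higher right) entries where the prefix is fully
    covered by a higher right, so the lower right is never the first match."""
    findings = []
    order = [name for name, _ in RIGHTS]
    for i, low in enumerate(order):
        for prefix in config.get(low, []):
            net = ipaddress.ip_network(prefix)
            for high in order[:i]:
                covers = (ipaddress.ip_network(p) for p in config.get(high, []))
                if any(net.subnet_of(c) for c in covers):
                    findings.append((low, prefix, high))
                    break
    return findings


# Constructed sample policy (hypothetical addresses, permit-only prefixes).
CONFIG = {
    "peer": ["10.0.0.1/32"],
    "synchronization": ["10.0.0.0/8"],
    "query": ["10.0.0.0/24", "192.0.2.10/32"],
}

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.0.50", "192.0.2.10", "198.51.100.7"):
        print(ip, match_right(CONFIG, ip))
    print(shadowed(CONFIG))
```

    In the sample policy, 10.0.0.50 is listed under query but matches synchronization first, so it can synchronize and cannot run control queries.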
    Configuration prerequisites 
    Before you configure the NTP service access-control right to the local device, create and configure an 
    ACL associated with the access-control right. For more information about ACLs, see ACL and QoS
    Configuration Guide.
    Configuration procedure 
    To configure the NTP service access-control right to the local device:  
    Step 1. Enter system view.
        Command: system-view
        Remarks: N/A
    Step 2. Configure the NTP service access-control right for a peer device to access the local device.
        Command: ntp-service access { peer | query | server | synchronization } acl-number
        Remarks: The default is peer.
     
    Configuring NTP authentication 
    Enable NTP authentication for a system running NTP in a network where there is a high security demand. 
    NTP authentication enhances network security by using client-server key authentication, which prohibits 
    a client from synchronizing with a device that fails authentication. 
    To configure NTP authentication, do the following: 
    •  Enable NTP authentication 
    •   Configure an authentication key 
    •   Configure the key as a trusted key 
    •   Associate the specified key with an NTP server or a symmetric peer 
    These tasks are required. If any task is omitted, NTP authentication cannot function. 
    Configuring NTP authentication in client/server mode 
    Follow these instructions to configure NTP authentication in client/server mode:  
    						