Configuring Network Time Protocol

The device can be configured to sync with a Network Time Protocol (NTP) server. This device supports time updates using NTP version 4 and NTP version 3. The device authentications updates using an administrator configured symmetric key, SHA-1 and SHA-256. The device rejects broadcast and multicast time updates. The device does not place a limit on the number of NTP time sources that can be configured.

To configure the device in client mode, include the server statement and other optional statements at the [edit system ntp] hierarchy level:

[edit system ntp]
server address <key key-number> <version value> <prefer>; 
authentication-key key-number type type value password;
trusted-key[key-numbers];

Specify the address of the system acting as the time server. One specify an address, not a hostname.

To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number specified in the authentication-key statement.

By default, the device sends NTP version 4 packets to the time server. To set the NTP version level to 3, include the version option.

If more than one time server is configured, one server can be marked as preferred by including the prefer option.

The following example shows how to configure the device to operate in client mode:

[edit system ntp]
authentication-key 12 type sha256 value "$9$TQFn/9t0OIcywY4oGU9At"; ## SECRET-DATA
server 10.1.1.1 key 12 prefer;
trusted-key 12;

By default, NTP operates in an entirely unauthenticated manner. If a malicious attempt to influence the accuracy of a router or switch’s clock succeeds, it could have negative effects on system logging, make troubleshooting and intrusion detection more difficult, and impede other management functions.

The following sample configuration synchronizes all the routers or switches in the network to a single time source. For common criteria compliance, use trusted authentication using SHA1 or SHA256 as the message digest algorithm(s) to make sure that the NTP peer is trusted. The server statement identifies the NTP server used for periodic time synchronization. The source-address statement enables the administrator to specify one source address per family for each routing instance, The authentication-key statement specifies that a Sha256 scheme should be used to hash the key value for authentication, which prevents the router or switch from synchronizing with an attacker’s host posing as the time server.

[edit]
system {
    ntp {
        authentication-key 12 type sha256 value " $9$TQFn/9t0OIcywY4oGU9At"; ## SECRET-DATA
        server 10.1.4.2 key 12;
        source-address 10.1.4.3;
        trusted key 12;
    }
}

For IP version 4 (IPv4), you can specify that if the NTP server configured at the [edit system ntp] hierarchy level is contacted on one of the loopback interface addresses, the reply always uses a specific source address. This is useful for controlling which source address NTP will use to access your network when it is either responding to an NTP client request from your network or when it itself is sending NTP requests to your network.

To configure the specific source address that the reply will always use, and the source address that requests initiated by NTP server will use, include the source-address statement at the [edit system ntp] hierarchy level. The source-address is a valid IP address configured on one of the router or switch interfaces.

[edit system ntp]
user@host#set source-address source-address

For example:

[edit system ntp]
user@host# set source-address 10.1.4.3