ntp
Syntax
ntp {
    authentication-key key-number type (md5 | sha1 | sha256) value password;
    boot-server (address | hostname);
    broadcast <address> <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value>;
    broadcast-client;
    interval-range value;
    multicast-client <address>;
    nts <local-certificate local-certificate><trusted-ca (trusted-ca-group trusted-ca-group | trusted-ca-profile trusted-ca-profile)>;
    peer address <key key-number> <prefer> <version value>;
    restrict address {
        mask network-mask;
        noquery;
    }
    server name {
        key key;
        nts <remote-identity distinguished-name(container container | wildcard wildcard) hostname hostname>;
        prefer;
        routing-instance routing-instance;
        version version;
    }
    source-address source-address <routing-instance routing-instance-name>;
    threshold value action (accept | reject);
    trusted-key [ key-numbers ];
}
Hierarchy Level
[edit system]
Description
Configure NTP on the device. In both standalone and chassis cluster modes, the primary Routing Engine runs the NTP process to get the time from the external NTP server. Although the secondary Routing Engine runs the NTP process in an attempt to get the time from the external NTP server, this attempt fails because of network issues. For this reason, the secondary Routing Engine uses NTP to get the time from the primary Routing Engine.
When configuring the NTP service in the management VRF (mgmt_junos), you must configure at least one IP address on a physical or logical interface within the default routing instance and ensure that this interface is up in order for the NTP service to work with the mgmt_junos VRF.
Options
authentication-key key_number | Configure a key (key ID, key type, and key value) to authenticate NTP packets with the devices (servers and clients). The authentication key has two fields:
boot-server (address | hostname) | Configure the server that NTP queries when the device boots to determine the local date and time. When you boot the device, it issues an ntpdate request, which polls a network server to determine the local date and time. You must configure an NTP boot server that the device uses to determine the time when the device boots. Otherwise, NTP cannot synchronize to a time server if the server time significantly differs from the local device’s time. If you configure an NTP boot server, then when the device boots, it immediately synchronizes with the boot server even if the NTP process is explicitly disabled or if the time difference between the client and the boot server exceeds the threshold value of 1000 seconds.
Note:
This option is deprecated starting in Junos OS Release 20.4R1. NTP boot-server is not supported in Junos OS Evolved. Configure the server using set system ntp server under the edit system ntp server hierarchy.
broadcast <address> <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value> | Configure the device to operate in broadcast mode with the remote system at the specified address. In this mode, the device sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the device is operating as a transmitter.
broadcast-client | Configure the local device to listen for broadcast messages on the local network to discover other servers on the same subnet. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.
interval-range value | Configure the poll interval range.
multicast-client <address> | Configure the local device to listen for multicast messages on the local network. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.
nts <local-certificate local-certificate> <trusted-ca (trusted-ca-group trusted-ca-group | trusted-ca-profile trusted-ca-profile)> | Configure the Network Time Security (NTS) features for NTP on your device.
peer address <key key-number> <prefer> <version value> | Configure the local device to operate in symmetric active mode with the remote system at the specified address. In this mode, the local device and the remote system can synchronize with each other. This configuration is useful in a network in which either the local device or the remote system might be a better source of time.
restrict address mask network-mask noquery | Restrict packets from hosts (including remote time servers) and subnets.
server | Configure the local device to operate in client mode with the remote system at the specified address. In this mode, the device can be synchronized with the remote system, but the remote system can never be synchronized with the device. If the NTP client time drifts so that the difference in time from the NTP server exceeds 128 milliseconds, the client is automatically stepped back into synchronization. If the offset between the NTP client and server exceeds the 1000-second threshold, the client still synchronizes with the server, but it also generates a system log message noting that the threshold was exceeded.
source-address source-address <routing-instance [ routing-instance-name ]> | A valid IP address configured on one of the device’s interfaces to be used as the source address for messages sent to the NTP server, and optionally, the routing instance in which the source address is configured.
threshold seconds action (accept | reject) | Configure the maximum threshold in seconds allowed for NTP adjustment and specify the mode for NTP abnormal adjustment.
trusted-key [ key-numbers ] | Configure one or more keys you are allowed to use to authenticate other time servers, when you configure the local device to synchronize its time with other systems on the network. Each key can be any 32-bit unsigned integer except 0. The key corresponds to the key number you specify in the authentication-key statement. By default, network time synchronization is unauthenticated. The device synchronizes to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services.
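The authentication requirements stated above for server, peer, broadcast-client, multicast-client and trusted-key can be checked mechanically. The following Python audit is an added example, not Juniper code; it assumes the configuration is supplied in "display set" form, and the function name audit_ntp, the sample addresses and the placeholder key value are constructed for illustration.

```python
import re

# Constructed sample in "display set" form; addresses are documentation
# ranges and the key value is a placeholder, not a real secret.
SAMPLE = '''
set system ntp authentication-key 1 type sha256 value "PLACEHOLDER"
set system ntp trusted-key 1
set system ntp server 192.0.2.10 key 1 prefer
set system ntp server 192.0.2.11
set system ntp peer 192.0.2.20 key 2
set system ntp broadcast-client
'''

def audit_ntp(config: str) -> list[str]:
    """Return findings for NTP associations that lack usable key authentication."""
    defined, trusted = set(), set()   # authentication-key and trusted-key numbers
    assoc, listeners = {}, []         # (statement, address) -> key, listen modes
    for line in config.splitlines():
        m = re.match(r"\s*set system ntp (\S+)\s*(.*)", line)
        if not m:
            continue
        stmt, rest = m.group(1), m.group(2).split()
        if stmt == "authentication-key" and rest:
            defined.add(rest[0])
        elif stmt == "trusted-key":
            trusted.update(t for t in rest if t not in ("[", "]"))
        elif stmt in ("server", "peer") and rest:
            opts = rest[1:]
            key = opts[opts.index("key") + 1] if "key" in opts[:-1] else None
            assoc[(stmt, rest[0])] = key or assoc.get((stmt, rest[0]))
        elif stmt in ("broadcast-client", "multicast-client"):
            listeners.append(stmt)
    findings = []
    for (stmt, addr), key in assoc.items():
        if key is None:
            findings.append(f"{stmt} {addr}: no key, association is unauthenticated")
        elif key not in defined:
            findings.append(f"{stmt} {addr}: key {key} has no authentication-key statement")
        elif key not in trusted:
            findings.append(f"{stmt} {addr}: key {key} is not listed in trusted-key")
    if "0" in trusted:
        findings.append("trusted-key 0 is not a valid key number")
    if not trusted:
        findings += [f"{s}: no trusted-key configured" for s in listeners]
    return findings
```

Calling audit_ntp(SAMPLE) reports the keyless server and the peer whose key number has no matching authentication-key statement.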
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced before Junos OS Release 7.4.
routing-instance option for the server statement introduced in Junos OS Release 18.1.
restrict statement introduced in Junos OS Release 20.1.