ntp

Syntax

Hierarchy Level

Description

Configure NTP on the device. In both standalone and chassis cluster modes, the primary Routing Engine runs the NTP process to get the time from the external NTP server. Although the secondary Routing Engine runs the NTP process in an attempt to get the time from the external NTP server, this attempt fails because of network issues. For this reason, the secondary Routing Engine uses NTP to get the time from the primary Routing Engine.

When configuring the NTP service in the management VRF (mgmt_junos), you must configure at least one IP address on a physical or logical interface within the default routing instance and ensure that this interface is up in order for the NTP service to work with the mgmt_junos VRF.

Options

authentication-key key_number

Configure key (key ID, key type, and key value) to authenticate NTP packets with the devices (servers and clients). The authentication key has two fields:

type—When authentication is specified, the key identifier (key ID) followed by the message digest is appended to the NTP packet header. The supported message digest formats are md5, sha1, sha256.

Note:
EX4600 does not support SHA256 authentication for NTP and supports MD5 only.
value—If the key value is available in ASCII format and without special characters, it can be entered directly. If the key value contains special characters or is available in hex format, consider the following:

For specifying the keys in hex format, prepend a "\x" for each two characters. For hex key example, af60112f...39af4ced, set system ntp authentication-key <ID> value "\xaf\x60\x11\x2f\....\x39\xaf\x4c\xed".

If the key contains one of the characters from (null) 0x00, (space) 0x20, " 0x22, & 0x26, ( 0x28 ) 0x29 prepend a "\\x" . For example, \\x22.

Range: 1 to 65534

boot-server (address | hostname)

Configure the server that NTP queries when the device boots to determine the local date and time.

When you boot the device, it issues an ntpdate request, which polls a network server to determine the local date and time. You must configure an NTP boot server that the device uses to determine the time when the device boots. Otherwise, NTP cannot synchronize to a time server if the server time significantly differs from the local device’s time.

If you configure an NTP boot server, then when the device boots, it immediately synchronizes with the boot server even if the NTP process is explicitly disabled or if the time difference between the client and the boot server exceeds the threshold value of 1000 seconds.

Values: Configure one of the following:
- address—IP address of an NTP boot server.
- hostname—Hostname of an NTP boot server. If you configure a hostname instead of an IP address, the ntpdate request resolves the hostname to an IP address when the device boots up.

Note:

This option is deprecated starting in Junos OS Release 20.4R1. NTP boot-server is not supported in Junos OS Evolved. Configure the server using set system ntp server under the edit system ntp server hierarchy.

broadcast <address> <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value>

Configure the device to operate in broadcast mode with the remote system at the specified address. In this mode, the device sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the device is operating as a transmitter.

`address`	Configure the broadcast address on one of the local networks or a multicast address assigned to NTP. You must specify an address, not a hostname. If the multicast address is used, it must be `224.0.1.1`. Configure the multicast protocols PIM and IGMP in order to facilitate the device to transmit NTP packets over multicast address 224.0.1.1. Note: NTP over multicast is not supported within the routing instance on the device.
key `key-number`	(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number (any unsigned 32-bit integer except 0). The key corresponds to the key number you specified in the authentication-key statement.
routing-instance-name `routing-instance-name`	(Optional) Configure the routing instance name in which the interface has an address in the broadcast subnet. Default: The default routing instance is used to broadcast packets.
ttl `value`	(Optional) Configure the time-to-live (TTL) value. Range: 1 through 255 Default: 1
version `value`	(Optional) Specify the version number to be used in outgoing NTP packets. Range: 1 through 4 Default: 4

broadcast-client

Configure the local device to listen for broadcast messages on the local network to discover other servers on the same subnet. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.

interval-range value

Configure the poll interval range.

Range: 0 through 3

multicast-client <address>

Configure the local device to listen for multicast messages on the local network. To avoid accidental or malicious disruption in this mode, both the local and remote systems must use authentication and the same trusted key and key identifier.

Syntax: <address>—(Optional) Specify one or more IP addresses. If you specify addresses, the device joins those multicast groups.
Default: 224.0.1.1

nts <local-certificate local-certificate><trusted-ca (trusted-ca-group trusted-ca-group | trusted-ca-profile trusted-ca-profile)

Configure the Network Time Security (NTS) features for NTP on your device.

local-certificate local-certificate

Specify the certificate loaded in your device during certificate enrollment or loaded manually by specifying certificate file.

trusted-ca

Specify a trusted CA group or a CA profile. This configuration is optional. If you do not specify a trusted CA profile the NTP trust all CA profiles configured for NTS.

trusted-ca-group trusted-ca-group

Specify the trusted CA group defined under [set security pki trusted-ca-group].

trusted-ca-profile trusted-ca-profile

Specify the trusted CA profile.

peer address <key key-number> <prefer> <version value>

Configure the local device to operate in symmetric active mode with the remote system at the specified address. In this mode, the local device and the remote system can synchronize with each other. This configuration is useful in a network in which either the local device or the remote system might be a better source of time.

`address`	Address of the remote system. You must specify an address, not a hostname.
key `key-number`	(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number (any unsigned 32-bit integer except 0). The key corresponds to the key number you specified in the authentication-key statement.
prefer	(Optional) Mark the remote system as the preferred host, which means that if all other factors are equal, this remote system is chosen for synchronization among a set of correctly operating systems.
version `value`	(Optional) Specify the NTP version number to be used in outgoing NTP packets. Range: 1 through 4 Default: 4

restrict address mask network-mask noquery

Restrict packets from hosts (including remote time servers) and subnets.

Syntax:
- address—Specify the IP address for a host or network.
- mask network-mask—Specify the network mask for a host or network.
- noquery—Deny ntpq and ntpdc queries from hosts and subnets. These queries can be used in amplification attacks.

server

Configure the local device to operate in client mode with the remote system at the specified address. In this mode, the device can be synchronized with the remote system, but the remote system can never be synchronized with the device.

If the NTP client time drifts so that the difference in time from the NTP server exceeds 128 milliseconds, the client is automatically stepped back into synchronization. If the offset between the NTP client and server exceeds the 1000-second threshold, the client still synchronizes with the server, but it also generates a system log message noting that the threshold was exceeded.

`address`	Address of the remote system. You must specify an address, not a hostname.
key `key-number`	(Optional) All packets sent to the address include authentication fields that are encrypted using the specified key number (any unsigned 32-bit integer except 0). The key corresponds to the key number you specified in the authentication-key statement.
prefer	(Optional) Mark the remote system as the preferred host, which means that if all other factors are equal, this remote system is chosen for synchronization among a set of correctly operating systems.
routing-instance `routing-instance`	(Optional) Routing instance through which the server is reachable.
nts	Enables NTS, which uses Transport Layer Security (TLS) protocol and Authenticated Encryption with Associated Data (AEAD) to obtain network time in an authenticated manner to the users. Specified server must also support the NTS feature when you enable NTS on a client device.
version `value`	(Optional) Specify the NTP version number to be used in outgoing NTP packets. Range: 1 through 4 Default: 4

source-addresssource-address <routing-instance [ routing-instance-name ]>

A valid IP address configured on one of the device’s interfaces to be used as the source address for messages sent to the NTP server, and optionally, the routing instance in which the source address is configured.

Default: The primary address of the interface

threshold seconds action (accept | reject)

Configure the maximum threshold in seconds allowed for NTP adjustment and specify the mode for NTP abnormal adjustment.

Range: 1 through 600 seconds
Values: Configure one of the following:
- accept—Enable log mode for abnormal NTP adjustment.
- reject—Enable reject mode for abnormal NTP adjustment.

trusted-key [ key-numbers ]

Configure one or more keys you are allowed to use to authenticate other time servers, when you configure the local device to synchronize its time with other systems on the network. Each key can be any 32-bit unsigned integer except 0. The key corresponds to the key number you specify in the authentication-key statement.

By default, network time synchronization is unauthenticated. The device synchronizes to whatever system appears to have the most accurate time. We strongly encourage you to configure authentication of network time services.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

routing-instance option for the server statement introduced in Junos OS Release 18.1.

restrict statement introduced in Junos OS Release 20.1.

ON THIS PAGE