Network Time Protocol
Network Time Protocol (NTP) is a protocol used to synchronize time on all the devices in a network.
NTP Overview
Network Time Protocol (NTP) is a widely used protocol for synchronizing the clocks of routers and other devices on the Internet. Primary NTP servers are synchronized to a reference clock directly traceable to Coordinated Universal Time (UTC); reference clocks include GPS receivers and telephone modem services. The accuracy NTP needs to deliver depends on the application, but over the public Internet it can typically keep time to within tens of milliseconds.
NTP is defined in RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification. Junos OS can also be configured to accept NTP version 3, defined in RFC 1305.
Devices running Junos OS can be configured to act as an NTP client, a secondary NTP server, or a primary NTP server:
- Primary NTP Server—Primary NTP servers are synchronized to a reference clock that is directly traceable to UTC. They redistribute this time downstream to secondary NTP servers or NTP clients.
- Secondary NTP Server—Secondary NTP servers are synchronized to a primary or secondary NTP server and redistribute this time downstream to other secondary NTP servers or NTP clients.
- NTP Client—NTP clients are synchronized to a primary or secondary NTP server. Clients do not redistribute time to other devices.
The public NTP subnet includes several widely accessible primary time servers that can be used as a network's primary NTP servers. Juniper Networks strongly recommends that you authenticate each primary server you use.
Each device on a network can be configured to run in one or more of the following NTP modes:
- Client/Server Mode—Devices are organized hierarchically across the network in client/server relationships.
- Symmetric Active (peer) Mode—Two or more devices are configured as NTP peers to provide redundancy.
NTP must not be used in the broadcast mode or multicast mode in the evaluated configuration.
By default, if an NTP client's time drifts so that it differs from the NTP server by more than 128 milliseconds, the NTP client is automatically stepped back into synchronization. The NTP client still synchronizes with the server even if the offset between client and server exceeds the 1000-second threshold. You can manually request that a device synchronize with an NTP server by using the set date ntp operational command on the router. On devices running Junos OS that have dual Routing Engines, the backup Routing Engine synchronizes directly with the primary Routing Engine.
Every Juniper platform that runs Junos OS supports leap second adjustment. By default, if the NTP server announces a pending leap second, the Junos device automatically applies the 1 second adjustment. PTP (Precision Time Protocol) is used to detect and propagate leap second changes to all nodes in a network. NTP is also required for Common Criteria compliance. For more information on Common Criteria certification, see Public Sector Certifications.
For more details about the Network Time Protocol, go to the Network Time Foundation website at http://www.ntp.org.
NTP on Junos OS supports VPN routing and forwarding (VRF) requests over IPv4; IPv6 VRF requests are also supported from Junos OS Release 24.4R1 onward. This enables an NTP server running on a provider edge (PE) router to respond to NTP requests from a customer edge (CE) router, so a PE router can process NTP request packets arriving from different routing instances.
The evaluation and certification of Junos OS does not include TLS, so Network Time Security (NTS) is not included either and must not be used in the evaluated configuration. Instead, NTP messages must be authenticated with a symmetric key and a cryptographically secure hash function: SHA-256 is recommended, and SHA-1 is also allowed. This keyed digest authenticates the origin and integrity of each NTP packet; it does not encrypt the packet.
NTP Time Servers
When configuring NTP, you specify which system on the network is the authoritative time source, or time server, and how time is synchronized between systems on the network. To do this, you configure the router, switch, or security device to operate in one of the following modes:
- Client mode—In this mode, the local router or switch can be synchronized with the remote system, but the remote system can never be synchronized with the local router or switch.
- Symmetric active mode—In this mode, the local router or switch and the remote system can synchronize with each other. You use this mode in a network in which either the local router or switch or the remote system might be a better source of time.
Symmetric active mode can be initiated by either the local or the remote system; only one of them needs to be configured. This means that, without authentication, the local system can synchronize with any system that sends it symmetric active packets, with no configuration whatsoever on the local system. We therefore strongly encourage you to configure authentication so that the local system synchronizes only with known time servers.
- Server mode—In this mode, the local router or switch operates as an NTP server.
In NTP server mode, Junos OS handles authentication as follows:
- If the NTP request from the client carries an authentication key (a key ID and message digest sent with the packet), the request is processed and answered according to whether the key ID and digest match the configured key.
- If the NTP request from the client carries no authentication key, the request is processed and answered without authentication.
- NTP messages must be authenticated with SHA-256 or SHA-1 in the evaluated configuration.
Configure NTP Time Server and Time Services
When you use NTP in the evaluated configuration, configure the router or switch to operate in one of the following modes:
- Client mode
- Symmetric active mode
- Server mode
The following topics describe how to configure these modes of operation:
- Configure the Router or Switch to Operate in Client Mode
- Configure the Router or Switch to Operate in Symmetric Active Mode
- Configure the Router or Switch to Operate in Server Mode
Configure the Router or Switch to Operate in Client Mode
To configure the local router or switch to operate in client mode, include the server statement and other optional statements at the [edit system ntp] hierarchy level:
[edit system ntp]
server address <key key-number> <version value> <prefer>;
authentication-key key-number type type value password;
trusted-key [ key-numbers ];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number you specify in the authentication-key statement, as described in NTP Authentication Keys.
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 3 or 4, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in client mode using SHA-256:
[edit system ntp]
authentication-key 1 type sha256 value "$ABC123";
server 10.1.1.1 key 1 prefer;
trusted-key 1;
The following example shows how to configure the router or switch to operate in client mode using SHA-1:
[edit system ntp]
authentication-key 1 type sha1 value "$ABC123";
server 10.1.1.1 key 1 prefer;
trusted-key 1;
Configure the Router or Switch to Operate in Symmetric Active Mode
To configure the local router or switch to operate in symmetric active mode, include the peer statement at the [edit system ntp] hierarchy level:
[edit system ntp]
peer address <key key-number> <version value> <prefer>;
Specify the address of the remote system. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the remote system. To set the NTP version level to 3 or 4, include the version option.
If you configure more than one remote system, you can mark one system preferred by including the prefer option:
peer address <key key-number> <version value> prefer;
Configure the Router or Switch to Operate in Server Mode
In server mode, the router or switch acts as an NTP server for clients that are configured to use it. The only prerequisite for server mode is that the router or switch must itself be receiving time from another NTP peer or server. No other configuration is necessary on the router or switch.
When configuring the NTP service in the management VRF (mgmt_junos), you must configure at least one IP address on a physical or logical interface within the default routing instance and ensure that this interface is up in order for the NTP service to work with the mgmt_junos VRF.
To configure the local router or switch to operate as an NTP server, include the following statements at the [edit system ntp] hierarchy level:
[edit system ntp]
authentication-key key-number type type value password;
server address <key key-number> <version value> <prefer>;
trusted-key [ key-numbers ];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 3 or 4, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in server mode using SHA-256:
[edit system ntp]
authentication-key 1 type sha256 value "$ABC123";
server 192.168.27.46 prefer;
trusted-key 1;
The following example shows how to configure the router or switch to operate in server mode using SHA-1:
[edit system ntp]
authentication-key 1 type sha1 value "$ABC123";
server 192.168.27.46 prefer;
trusted-key 1;
In both examples the authentication-key and trusted-key statements authenticate the requests that clients send to this server. The server statement carries no key option, so this device's own synchronization with 192.168.27.46 is unauthenticated; in the evaluated configuration, add key 1 to the server statement as well, as in the client mode examples.
Example: Configure NTP as a Single Time Source for Router and Switch Clock Synchronization
Debugging and troubleshooting are much easier when the timestamps in the log files of all the routers or switches are synchronized, because events that span the network can be correlated with synchronous entries in multiple logs. We strongly recommend using the Network Time Protocol (NTP) to synchronize the system clocks of routers, switches, and other network equipment.
By default, NTP operates entirely unauthenticated. The following sample configuration synchronizes all the routers or switches in the network to a single time source. The server statement identifies the NTP server used for periodic time synchronization. The authentication-key statement specifies the Secure Hash Algorithm 1 (SHA-1) or Secure Hash Algorithm 2 family (SHA-256) scheme used for NTP message authentication, preventing the router or switch from synchronizing with an unauthentic time source.
Using SHA-256, this is done as follows:
[edit]
system {
ntp {
authentication-key 2 type sha256 value "$ABC123"; ## SECRET-DATA
server 10.1.4.2 key 2;
trusted-key 2;
}
}
Using SHA-1, this is done as follows:
[edit]
system {
ntp {
authentication-key 2 type sha1 value "$ABC123"; ## SECRET-DATA
server 10.1.4.2 key 2;
trusted-key 2;
}
}
Synchronize and Coordinate Time Distribution Using NTP
Using NTP to synchronize and coordinate time distribution in a large network involves these tasks:
Configure NTP
-
To configure NTP on the switch, include the ntp statement at the [edit system] hierarchy level:
[edit system]
ntp {
    authentication-key number type type value password;
    broadcast <address> <key key-number> <version value> <ttl value>;
    broadcast-client;
    multicast-client <address>;
    peer address <key key-number> <version value> <prefer>;
    server address <key key-number> <version value> <prefer>;
    source-address source-address;
    trusted-key [ key-numbers ];
}
The broadcast, broadcast-client, and multicast-client statements are listed for completeness; they must not be used in the evaluated configuration.
How to Restart an NTP Process
To restart the NTP process, use the restart ntp operational command; it terminates the running NTP process and starts a new one.
user@host> restart ntp
Specify a Source Address for an NTP Server
For IP version 4 (IPv4), you can specify that if the NTP server configured at the [edit system ntp] hierarchy level is contacted on one of the loopback interface addresses, the reply always uses a specific source address. This is useful for controlling which source address NTP uses when it responds to an NTP client request from your network or when it sends its own NTP requests.
To configure the source address that replies always use, and that requests initiated by the NTP server use, include the source-address statement at the [edit system ntp] hierarchy level:
[edit system ntp]
source-address source-address;
source-address is a valid IP address configured on one of the router or switch interfaces.
When configuring the NTP service in the management VRF (mgmt_junos), you must configure at least one IP address on a physical or logical interface within the default routing instance and ensure that this interface is up in order for the NTP service to work with the mgmt_junos VRF.
Starting in Junos OS Release 24.4R1, you can configure the routing instance for the source address by using the routing-instance statement at the [edit system ntp source-address source-address] hierarchy level:
[edit system ntp source-address source-address]
user@host# set routing-instance routing-instance-name
For example:
[edit]
user@host# set system ntp source-address 12.12.12.12 routing-instance ntp-source-test
As a result, NTP messages sent through any interface in the ntp-source-test routing instance use the source address 12.12.12.12.
The routing-instance statement is optional; if it is not configured, the primary address of the interface is used.
If a firewall filter is applied on the loopback interface, ensure that the source-address specified for the NTP server at the [edit system ntp] hierarchy level is explicitly included as one of the match criteria in the firewall filter. This enables Junos OS to accept traffic on the loopback interface from the specified source address.
The following example shows a firewall filter with the source address 10.0.10.100 specified in the from statement, included at the [edit firewall filter firewall-filter-name] hierarchy:
[edit firewall filter Loopback-Interface-Firewall-Filter]
term Allow-NTP {
    from {
        source-address {
            172.17.27.46/32;   /* IP address of the NTP server */
            10.0.10.100/32;    /* Source address specified for the NTP server */
        }
    }
    then accept;
}
If no source-address is configured for the NTP server, include the primary address of the loopback interface in the firewall filter.
As written, this term accepts any traffic from the two addresses, and a source address is trivially spoofed. In a production filter, also match the protocol and port (protocol udp and port ntp in the from clause) so that only NTP traffic is accepted from them.
Example: Configure NTP
This example shows how to configure NTP:
Requirements
This example uses the following software and hardware components:
- Junos OS Release 11.1 or later
- A switch connected to a network on which an NTP server resides
Overview
In this example, an administrator wants to synchronize the time in a switch to a single time source. We recommend using authentication to make sure that the NTP peer is trusted. The server statement identifies the NTP server used for periodic time synchronization. The authentication-key statement specifies that a Secure Hash Algorithm 1 or a Secure Hash Algorithm 2 family (SHA-256) scheme is used to hash the key value for authentication, which prevents the switch from synchronizing with an attacker’s host that is posing as the time server.
Configuration
To configure NTP:
Procedure
CLI Quick Configuration
To quickly configure NTP, copy the following commands and paste them into the switch's terminal window. Using SHA-256:
[edit system]
set ntp server 10.1.4.2 key 2
set ntp authentication-key 2 type sha256 value "$ABC123"
set ntp trusted-key 2
Using SHA-1:
[edit system]
set ntp server 10.1.4.2 key 2
set ntp authentication-key 2 type sha1 value "$ABC123"
set ntp trusted-key 2
The key option on the server statement and the trusted-key statement are what make the key take effect; an authentication-key that is defined but not referenced leaves the synchronization unauthenticated.
Step-by-Step Procedure
To configure NTP:
- Specify the NTP server and the key to authenticate it with:
[edit system]
user@host# set ntp server 10.1.4.2 key 2
- Specify the key number, authentication type (SHA-256), and key for authentication:
[edit system]
user@host# set ntp authentication-key 2 type sha256 value "$ABC123"
OR using SHA-1:
[edit system]
user@host# set ntp authentication-key 2 type sha1 value "$ABC123"
- Mark the key as trusted so that NTP accepts packets authenticated with it:
[edit system]
user@host# set ntp trusted-key 2
Results
Check the results:
[edit system]
user@host# show
ntp {
    authentication-key 2 type sha256 value "$ABC123"; ## SECRET-DATA
    server 10.1.4.2 key 2;
    trusted-key 2;
}
Or using SHA-1:
[edit system]
user@host# show
ntp {
    authentication-key 2 type sha1 value "$ABC123"; ## SECRET-DATA
    server 10.1.4.2 key 2;
    trusted-key 2;
}
Verification
To confirm that the configuration is correct, perform these tasks:
Checking the Time
Purpose
Check the time that has been set on the switch.
Action
Enter the show system uptime operational mode command to display the time.
user@host> show system uptime
fpc0:
--------------------------------------------------------------------------
Current time: 2025-06-06 00:00:27 PDT
Time Source:  NTP CLOCK
System booted: 2025-06-05 06:11:32 PDT (17:48:55 ago)
Protocols started: 2025-06-05 06:14:01 PDT (17:46:26 ago)
Last configured: 2025-06-05 06:13:41 PDT (17:46:46 ago) by root
12:00AM  up 17:49, 1 users, load averages: 1.06, 2.08, 2.61
The output shows that the current date and time are June 6, 2025, 00:00:27 PDT, and that the time source is NTP. The switch booted 17 hours and 49 minutes ago, on June 5, 2025 at 06:11:32 PDT; its protocols started about two and a half minutes after boot; and it was last configured by root on June 5, 2025 at 06:13:41 PDT. One user is currently logged in.
The output also shows the load averages of 1.06, 2.08, and 2.61 for the last 1, 5, and 15 minutes.
Displaying the NTP Peers
Verify that the time has been obtained from an NTP server.
Enter the show ntp associations operational mode command to display the NTP server from which the switch obtained its time.
user@host> show ntp associations
     remote           refid   auth  st t when poll reach   delay   offset  jitter  rootdelay  rootdisp
=====================================================================================================================
*anyntp.juniper.net 169.254.0.1 - 3 u 44 64 7 2.446 -0.387 0.463 225.876 5.157
The asterisk (*) in front of the NTP server name, or peer, indicates that the time is synchronized and obtained from this server. The reach column is an octal shift register of the last eight polls (377 means all eight were answered). The delay, offset, and jitter are displayed in milliseconds.
Displaying the NTP Status
View the configuration of the NTP server and the status of the system.
Enter the show ntp status operational mode command to view the status of NTP.
user@host> show ntp status
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.8p15-a Sat May 31 00:24:58 2025 (1)", processor="amd64",
system="JUNOS24.4R1.9", leap=00, stratum=4, precision=-23, rootdelay=228.261,
rootdisp=948.450, refid=66.129.233.81,
reftime=ebed0f58.8cda01e1  Thu, Jun  5 2025 23:55:20.550,
clock=ebed0f60.a5456e2a  Thu, Jun  5 2025 23:55:28.645, peer=32293, tc=6, mintc=3,
offset=-0.387001, frequency=+29.155, sys_jitter=0.000000, clk_jitter=0.137,
clk_wander=0.000
The output shows the NTP status of the switch: leap_none and clock_sync indicate a synchronized clock with no pending leap second, stratum=4 is one below the stratum 3 server shown by show ntp associations, and offset is the current offset from that server in milliseconds.
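As an added check, not code from the page or from Junos OS, the following Python script parses the two outputs above (copies of the page's sample output are embedded as constructed input) and applies the page's own criteria: a selected system peer, a synchronized clock, and an offset inside the 128 ms step threshold. Reading the auth column as "ok" for an authenticated association and anything else as unauthenticated is an assumption about the output format that the page does not document; under that assumption the sample peer, whose auth column is "-", is flagged against the evaluated-configuration requirement that NTP be authenticated.

```python
"""Added example: health check over 'show ntp associations' / 'show ntp status' text."""
import re

# Sample output copied from the page's verification section (constructed input).
ASSOCIATIONS = """\
     remote           refid   auth  st t when poll reach   delay   offset  jitter  rootdelay  rootdisp
=====================================================================================================
*anyntp.juniper.net 169.254.0.1 - 3 u 44 64 7 2.446 -0.387 0.463 225.876 5.157
"""
STATUS = ('associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync, '
          'version="ntpd 4.2.8p15-a Sat May 31 00:24:58 2025 (1)", processor="amd64", '
          'system="JUNOS24.4R1.9", leap=00, stratum=4, precision=-23, rootdelay=228.261, '
          'rootdisp=948.450, refid=66.129.233.81, offset=-0.387001, frequency=+29.155')

STEP_THRESHOLD_MS = 128.0   # default step threshold stated on the page
TALLY_CODES = "*+-#x.o"     # ntpq tally codes; '*' marks the system peer
FIELDS = ("remote", "refid", "auth", "st", "t", "when", "poll", "reach",
          "delay", "offset", "jitter", "rootdelay", "rootdisp")


def parse_associations(text):
    """Turn each data row of 'show ntp associations' into a dict; reach is octal."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue                                   # header and separator rows
        tally = line[0] if line[0] in TALLY_CODES else " "
        values = (line[1:] if tally != " " else line).split()
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected column count in: {line!r}")
        peer = dict(zip(FIELDS, values))
        peer["tally"] = tally
        peer["st"] = int(peer["st"])
        for name in ("when", "poll"):                  # '-' means never polled
            peer[name] = None if peer[name] == "-" else int(peer[name])
        peer["reach"] = int(peer["reach"], 8)
        for name in ("delay", "offset", "jitter", "rootdelay", "rootdisp"):
            peer[name] = float(peer[name])
        peers.append(peer)
    return peers


def parse_status(text):
    """Pull the state words and the numeric fields out of 'show ntp status'."""
    words = re.findall(r"\b[a-z]+_[a-z_]+\b", text.split("version=", 1)[0])
    nums = dict(re.findall(r"\b(stratum|leap|offset|rootdelay|rootdisp)=(-?[\d.]+)", text))
    return {"flags": set(words), "stratum": int(nums["stratum"]),
            "leap": nums["leap"], "offset_ms": float(nums["offset"])}


def assess(assoc_text, status_text, require_auth=True):
    """Return (healthy, findings). FAIL findings make the device unhealthy, WARN
    findings are worth a look. ASSUMPTION: the auth column reads 'ok' for an
    authenticated association; anything else is treated as unauthenticated."""
    findings = []
    status = parse_status(status_text)
    if "clock_sync" not in status["flags"] or status["stratum"] >= 16:
        findings.append("FAIL: system clock is not synchronized")
    if "leap_none" not in status["flags"]:
        findings.append(f"WARN: leap state {status['leap']}: a leap second is pending or unknown")
    system = [p for p in parse_associations(assoc_text) if p["tally"] == "*"]
    if not system:
        findings.append("FAIL: no system peer ('*') selected")
    else:
        peer = system[0]
        if abs(peer["offset"]) > STEP_THRESHOLD_MS:
            findings.append(f"FAIL: offset {peer['offset']} ms exceeds the "
                            f"{STEP_THRESHOLD_MS} ms step threshold")
        if peer["reach"] != 0o377:
            answered = bin(peer["reach"]).count("1")
            findings.append(f"WARN: {peer['remote']} reach {peer['reach']:03o}: "
                            f"{answered} of the last 8 polls answered")
        if require_auth and peer["auth"] != "ok":
            findings.append(f"FAIL: system peer {peer['remote']} is not authenticated "
                            f"(auth column '{peer['auth']}')")
    return not any(f.startswith("FAIL") for f in findings), findings


if __name__ == "__main__":
    healthy, findings = assess(ASSOCIATIONS, STATUS)
    print("healthy" if healthy else "NOT healthy")
    for finding in findings:
        print(" ", finding)
```

Run it against the pasted output of the two commands from a device; with require_auth left at its default the sample above fails only on the authentication check, and the reach warning shows the peer had answered three of the last eight polls when the output was captured.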
NTP Authentication Keys
To authenticate other time servers, include the trusted-key statement at the [edit system ntp] hierarchy level. The trusted keys are the configured keys that NTP trusts and uses for secure clock synchronization. Any configured key not referenced in trusted-key is not qualified and is rejected by NTP. Only time servers that transmit network time packets containing one of the specified key numbers are eligible to be synchronized with, and the key must also match the value configured for that key number. Other systems can still synchronize to the local switch without being authenticated.
[edit system ntp]
trusted-key [ key-numbers ];
Each key can be any 32-bit unsigned integer except 0. Include the key option in the peer, server, or broadcast statement to transmit the specified authentication key with the packets sent. The key is necessary if the remote system has authentication enabled, so that it can synchronize to the local system.
To define the authentication keys, include the authentication-key statement at the [edit system ntp] hierarchy level:
[edit system ntp]
authentication-key key-number type type value password;
key-number is the key number, type is the authentication type (only SHA-1 and SHA-256 are supported), and password is the password for this key. The key number, type, and password must match on all systems using that particular key for authentication. The password must not contain a space.
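As an added illustration, not code from Junos OS or from this page, the following Python models what the authentication-key, trusted-key and key statements above, and the server-mode rules in NTP Time Servers, do on the wire. The legacy NTP MAC from RFC 5905 is the 4-byte key ID followed by a digest computed over the secret key concatenated with the 48-byte packet header. The key values and timestamps are constructed; the example assumes no extension fields are present and uses the full digest length, which some ntpd builds truncate, so treat the MAC length as an assumption rather than a statement about Junos.

```python
"""Added example: NTP symmetric-key authentication (authentication-key /
trusted-key / key on Junos) modelled in Python. Not Junos code; keys and
timestamps are constructed for the demonstration."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Constructed keys, mirroring "authentication-key <id> type <sha1|sha256> value <password>".
# Key 2 is configured but deliberately not listed under trusted-key.
KEYS = {1: ("sha256", b"constructed-demo-key-1"), 2: ("sha1", b"constructed-demo-key-2")}
TRUSTED = {1}


def ntp_timestamp(unix_seconds):
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    whole = int(unix_seconds)
    return ((whole + NTP_EPOCH_OFFSET) << 32) | int((unix_seconds - whole) * (1 << 32))


def build_header(mode, stratum=0, origin_ts=0, transmit_ts=0, refid=b"\0\0\0\0"):
    """Fixed 48-byte NTPv4 header (RFC 5905 section 7.3): LI=0, VN=4, poll=6, precision=-20."""
    return struct.pack("!BBbbII4sQQQQ", (4 << 3) | mode, stratum, 6, -20,
                       0, 0, refid, 0, origin_ts, 0, transmit_ts)


def sign(header, key_id):
    """Append the legacy NTP MAC: 4-byte key id, then digest(key || header).
    A keyed digest, not HMAC; extension fields are assumed absent."""
    digest_name, key = KEYS[key_id]
    return header + struct.pack("!I", key_id) + DIGESTS[digest_name](key + header).digest()


def verify(packet):
    """Accept only if the key id is configured, listed under trusted-key, and the
    digest recomputed with that key matches (constant-time comparison)."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "short packet"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:
        return False, "unauthenticated"
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id not in KEYS:
        return False, f"unknown key {key_id}"
    if key_id not in TRUSTED:
        return False, f"key {key_id} not trusted"
    digest_name, key = KEYS[key_id]
    if not hmac.compare_digest(DIGESTS[digest_name](key + header).digest(), trailer[4:]):
        return False, "bad digest"
    return True, f"key {key_id} ok"


def client_request(key_id, now):
    """Mode 3 (client) request authenticated with key_id, as 'server <addr> key <id>' sends."""
    return sign(build_header(mode=3, transmit_ts=ntp_timestamp(now)), key_id)


def server_reply(request, now):
    """Server side, following the page's server-mode rules: an unauthenticated request
    gets an unauthenticated reply; an authenticated one is answered with the same key
    only when key id and digest check out, and is otherwise dropped."""
    origin = struct.unpack("!Q", request[40:48])[0]     # echo the client's transmit time
    header = build_header(mode=4, stratum=2, origin_ts=origin,
                          transmit_ts=ntp_timestamp(now), refid=b"GPS\0")
    if len(request) == NTP_HEADER_LEN:
        return header
    ok, _ = verify(request)
    return sign(header, struct.unpack("!I", request[48:52])[0]) if ok else None


def client_check(reply):
    """A client configured with a key accepts only an authenticated, matching reply."""
    return (False, "no reply") if reply is None else verify(reply)


def demo(now=1749168027.5):
    """The exchange plus its failure modes; returns {case: (accepted, reason)}."""
    reply = server_reply(client_request(1, now), now + 0.002)
    tampered = bytearray(reply)
    tampered[1] = 1                                      # on-path edit of the stratum byte
    return {
        "authenticated_reply": client_check(reply),
        "tampered_reply": client_check(bytes(tampered)),
        "untrusted_key": client_check(sign(reply[:NTP_HEADER_LEN], 2)),
        "unknown_key": client_check(reply[:NTP_HEADER_LEN] + struct.pack("!I", 9) + bytes(32)),
        "unauthenticated_reply": client_check(server_reply(build_header(mode=3), now)),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:22s} {'accept' if accepted else 'reject'} ({reason})")
```

The four rejected cases are exactly the ones the trusted-key and key statements exist to produce: a modified packet, a configured key that is not trusted, an unknown key ID, and a reply with no MAC at all, which is what a server statement without the key option would accept.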