NTP Time Servers
The IETF defined the Network Time Protocol (NTP) to synchronize the clocks of computer systems connected to each other over a network. Most large networks have an NTP server that ensures that time on all devices is synchronized, regardless of the device location. If you use one or more NTP servers on your network, ensure you include the NTP server addresses in your Junos OS configuration.
When configuring the NTP, you can specify which system on the network is the authoritative time source, or time server, and how time is synchronized between systems on the network. To do this, you configure the router, switch, or security device to operate in one of the following modes:
- Client mode—In this mode, the local router or switch can be synchronized with the remote system, but the remote system can never be synchronized with the local router or switch.
- Symmetric active mode—In this mode, the local router or switch and the remote system can synchronize with each other. You use this mode in a network in which either the local router or switch or the remote system might be a better source of time.
  Symmetric active mode can be initiated by either the local or the remote system. Only one system needs to be configured to do so. This means that the local system can synchronize with any system that offers symmetric active mode without any configuration whatsoever. However, we strongly encourage you to configure authentication to ensure that the local system synchronizes only with known time servers.
- Broadcast mode—In this mode, the local router or switch sends periodic broadcast messages to a client population at the specified broadcast or multicast address. Normally, you include this statement only when the local router or switch is operating as a transmitter.
- Server mode—In this mode, the local router or switch operates as an NTP server.
In NTP server mode, the Junos OS supports authentication as follows:
- If the NTP request from the client comes with an authentication key (such as a key ID and message digest sent with the packet), the request is processed and answered based on the authentication key match.
- If the NTP request from the client comes without any authentication key, the request is processed and answered without authentication.
Note: We recommend configuring at least 3 and up to 5 reliable NTP servers to improve time accuracy, fault tolerance, and candidate selection. For additional security, enable authentication (using shared keys or NTS) so that time synchronization occurs only with trusted and verified sources.
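To make the two server-mode rules above concrete, here is an added Python model (not Junos code and not from this documentation) of how a server classifies an incoming request: it builds a client-mode NTP header, appends the symmetric-key MAC that the key option produces (key ID plus MD5 over key and header, per RFC 5905), and applies the rule above against a constructed key table that mirrors authentication-key and trusted-key. Key IDs, secrets and the helper names are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed key table standing in for the Junos statements
#   authentication-key 1 type md5 value "<secret>";  and  trusted-key 1;
# Key 2 is defined but deliberately not trusted. Secrets are placeholders.
AUTH_KEYS = {1: b"placeholder-secret-1", 2: b"placeholder-secret-2"}
TRUSTED_KEYS = {1}
HEADER_LEN, MAC_LEN = 48, 4 + 16  # NTP header; 32-bit key ID + 16-byte MD5 digest

def ntp_header(mode, version=4):
    """Minimal 48-byte NTP header: LI=0, given version and mode (3 = client), zero timestamps."""
    return struct.pack("!B", (version << 3) | mode) + b"\x00" * (HEADER_LEN - 1)

def append_mac(packet, key_id, key):
    """RFC 5905 symmetric-key MAC: key ID followed by MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest

def server_auth_decision(packet):
    """Apply the server-mode rule above: no MAC -> answered unauthenticated;
    MAC present -> answered only if it verifies under a trusted key."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "rejected"  # malformed MAC
    header, key_id = packet[:HEADER_LEN], struct.unpack("!I", packet[48:52])[0]
    key = AUTH_KEYS.get(key_id)
    if key is None or key_id not in TRUSTED_KEYS:
        return "rejected"  # unknown or untrusted key ID
    expected = hashlib.md5(key + header).digest()
    return "authenticated" if hmac.compare_digest(expected, packet[52:]) else "rejected"
```

The MD5 keyed digest is the legacy symmetric-key scheme; the NTS options at the end of this page replace it with keys negotiated over TLS.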
Configure NTP Time Server and Time Services
When you use NTP, configure the router or switch to operate in one of the following modes:
- Client mode
- Symmetric active mode
- Broadcast mode
- Server mode
- Configure the Router or Switch to Operate in Client Mode
- Configure the Router or Switch to Operate in Symmetric Active Mode
- Configure the Router or Switch to Operate in Broadcast Mode
- Configure the Router or Switch to Operate in Server Mode
Configure the Router or Switch to Operate in Client Mode
To configure the local router or switch to operate in client mode, include the server statement and other optional statements at the [edit system ntp] hierarchy level:
[edit system ntp]
server address <key key-number> <version value> <prefer>;
authentication-key key-number type type value password;
trusted-key [key-numbers];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number you specify in the authentication-key statement, as described in .
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 1, 2, or 3, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in client mode:
[edit system ntp]
authentication-key 1 type md5 value "$ABC123";
server 10.1.1.1 key 1 prefer;
trusted-key 1;
Configure the Router or Switch to Operate in Symmetric Active Mode
To configure the local router or switch to operate in symmetric active mode, include the peer statement at the [edit system ntp] hierarchy level:
[edit system ntp]
peer address <key key-number> <version value> <prefer>;
Specify the address of the remote system. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the remote system, include the key option. The key corresponds to the key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the remote system. To set the NTP version level to 1, 2 or 3, include the version option.
If you configure more than one remote system, you can mark one system preferred by including the prefer option:
peer address <key key-number> <version value> prefer;
Configure the Router or Switch to Operate in Broadcast Mode
Follow the steps below to configure the device to operate in broadcast mode:
- (Optional) To include an authentication key in all messages sent to the remote system, set the key option. The key corresponds to the key number you specify in the authentication-key statement.
  set system ntp authentication-key 1 type md5
  set system ntp authentication-key 1 value "$ABC123"
  set system ntp trusted-key 1
- Configure the NTP server address on the device.
  set system ntp server <ip-address>
- Configure the device to advertise time updates using either IPv4 or IPv6 multicast. For the device to work in broadcast mode, you must enable multicast on the device. Specify the broadcast address on one of the local networks or a multicast address assigned to NTP. A hostname is not allowed. If a multicast address is used, it must be 224.0.1.1 for IPv4 and ff05::101 for IPv6.
  set system ntp broadcast ff05::101 key 1
- (Optional) By default, the device sends NTP version 4 packets to the remote system. To set the NTP version level to 1, 2, or 3, include the version option.
  set system ntp broadcast ff05::101 version 4
- Configure the device to use a specific source address for NTP packets.
  set system ntp source-address <ip-address>
- Enable PIM on all NTP client-facing interfaces so that the device can transmit NTP packets to the multicast address (224.0.1.1 or ff05::101).
  set protocols pim rp local address <interface_ip>
  set protocols pim interface <interface_name> mode sparse-dense
  For the IPv4 address (224.0.1.1), enable IGMP on the NTP client-facing interfaces.
  set protocols igmp interface <interface_name> static group 224.0.1.1
  For the IPv6 address (ff05::101), enable MLD (Multicast Listener Discovery) on each NTP client-facing subinterface so that it joins the multicast group ff05::101.
  set protocols mld interface xe-0/0/11:0.1200 static group ff05::101
  set protocols mld interface xe-0/0/11:0.1400 static group ff05::101
  set protocols mld interface xe-0/0/11:0.2100 static group ff05::101
- When configuring NTP using the set system ntp broadcast address <routing-instance-name routing-instance-name> command, the specified routing instance must be an L3 routing instance. NTP does not support L2 routing instances such as EVPN and VPLS, so these must not be specified in NTP configurations.
- NTP over multicast is not supported within a routing instance on the device.
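The following added Python audit (not part of Junos or of this documentation) checks a set-style [edit system ntp] configuration against the guidance in the client, symmetric active and broadcast sections above: 3 to 5 servers, addresses rather than hostnames for server, peer and broadcast statements, a key on each of them that is both defined under authentication-key and listed under trusted-key, and only 224.0.1.1 or ff05::101 as a multicast group for broadcast. The sample configuration and the function names are constructed for the example.

```python
import ipaddress

NTP_MULTICAST = {"224.0.1.1", "ff05::101"}  # only multicast groups allowed in broadcast mode
def _opt(args, name):
    return args[args.index(name) + 1] if name in args[:-1] else None
def parse_ntp(config):
    """Collect the [edit system ntp] statements from Junos 'set' syntax."""
    ntp = {"server": {}, "peer": {}, "broadcast": {}, "auth_keys": set(), "trusted": set()}
    for line in config.splitlines():
        w = line.split()
        if w[:3] != ["set", "system", "ntp"] or len(w) < 5:
            continue
        stmt, args = w[3], w[4:]
        if stmt in ("server", "peer", "broadcast"):
            ntp[stmt][args[0]] = {"key": _opt(args, "key")}
        elif stmt == "authentication-key":
            ntp["auth_keys"].add(args[0])
        elif stmt == "trusted-key":
            ntp["trusted"].add(args[0])
    return ntp

def audit_ntp(config):
    """Return a list of findings against the guidance above; an empty list is clean."""
    ntp, findings = parse_ntp(config), []
    if not 3 <= len(ntp["server"]) <= 5:
        findings.append(f"{len(ntp['server'])} NTP server(s) configured; 3 to 5 recommended")
    for stmt in ("server", "peer", "broadcast"):
        for addr, opts in ntp[stmt].items():
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(f"{stmt} {addr}: hostname used, an address is required")
                continue
            if stmt == "broadcast" and ip.is_multicast and addr not in NTP_MULTICAST:
                findings.append(f"broadcast {addr}: multicast group must be 224.0.1.1 or ff05::101")
            if opts["key"] is None:
                findings.append(f"{stmt} {addr}: no key, time is accepted unauthenticated")
            elif opts["key"] not in ntp["auth_keys"] or opts["key"] not in ntp["trusted"]:
                findings.append(f"{stmt} {addr}: key {opts['key']} not in authentication-key/trusted-key")
    return findings

# Constructed sample configuration (not from the page); the key secret is omitted.
SAMPLE_CONFIG = """\
set system ntp authentication-key 1 type md5
set system ntp trusted-key 1
set system ntp server 10.1.1.1 key 1 prefer
set system ntp server 10.1.1.2 key 2
set system ntp server ntp.example.net
set system ntp broadcast 239.1.1.1 key 1
"""
```

Running audit_ntp(SAMPLE_CONFIG) reports the undefined key 2, the hostname server and the non-NTP multicast group; a configuration that follows the sections above returns an empty list.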
Configure the Router or Switch to Operate in Server Mode
In server mode, the router or switch acts as an NTP server for clients when the clients are configured appropriately. The only prerequisite for server mode is that the router or switch must be receiving time from another NTP peer or server. No other configuration is necessary on the router or switch.
When configuring the NTP service in the management VRF (mgmt_junos), you must configure at least one IP address on a physical or logical interface within the default routing instance and ensure that this interface is up in order for the NTP service to work with the mgmt_junos VRF.
To configure the local router or switch to operate as an NTP server, include the following statements at the [edit system ntp] hierarchy level:
[edit system ntp]
authentication-key key-number type type value password;
server address <key key-number> <version value> <prefer>;
trusted-key [key-numbers];
Specify the address of the system acting as the time server. You must specify an address, not a hostname.
To include an authentication key in all messages sent to the time server, include the key option. The key corresponds to the key number you specify in the authentication-key statement.
By default, the router or switch sends NTP version 4 packets to the time server. To set the NTP version level to 1, 2, or 3, include the version option.
If you configure more than one time server, you can mark one server preferred by including the prefer option.
The following example shows how to configure the router or switch to operate in server mode:
[edit system ntp]
authentication-key 1 type md5 value "$ABC123";
server 192.168.27.46 prefer;
trusted-key 1;
Starting with Junos OS Evolved release 24.2R1, the following options are added to configure the NTS feature:
[edit system ntp]
nts {
    local-certificate <certificate-id of local certificate>;
    trusted-ca (trusted-ca-group <trusted ca-group name> | trusted-ca-profile <ca-profile name>);
}
[edit system ntp server <server>]
nts remote-identity {
    hostname <FQDN of server>;
    distinguished-name (container <container-string> | wildcard <wild-card string>);
}