SNTP: Selecting and configuring

The SNTP parameters table shows the SNTP parameters and their operations.

SNTP parameters

SNTP parameter
   Operation

Time Sync Method
   Used to select either SNTP, TIMEP, or None as the time synchronization method.

SNTP Mode
   Disabled
      The default. SNTP does not operate, even if specified by the Menu interface Time Sync Method parameter or the CLI timesync command.
   Unicast
      Directs the switch to poll a specific server for SNTP time synchronization. Requires at least one server address.
   Broadcast
      Directs the switch to acquire its time synchronization from data broadcast by any SNTP server to the network broadcast address. The switch uses the first server detected and ignores any others. However, if the Poll Interval expires three times without the switch detecting a time update from the original server, the switch accepts a broadcast time update from the next server it detects.

Poll Interval (seconds)
   In Unicast Mode: Specifies how often the switch polls the designated SNTP server for a time update.
   In Broadcast Mode: Specifies how often the switch polls the network broadcast address for a time update.
   Value is between 30 and 720 seconds.

Server Address
   Used only when the SNTP Mode is set to Unicast. Specifies the IP address of the SNTP server that the switch accesses for time synchronization updates. You can configure up to three servers; one using the menu or CLI, and two more using the CLI.

Server Version
   Specifies the SNTP software version to use and is assigned on a per-server basis. The version setting is backwards-compatible. For example, using version 3 means that the switch accepts versions 1 through 3. Default: 3; range: 1 to 7.

Priority
   Specifies the order in which the configured servers are polled for getting the time.
   Value is between 1 and 3.

Viewing and configuring SNTP (Menu)

  1. From the Main Menu, select:

    2. Switch Configuration…

    1. System Information

    System Information screen (default values)

  2. Press [E] (for Edit).

    Move the cursor to the System Name field.

  3. Use the Space bar to move the cursor to the Time Sync Method field.

  4. Use the Space bar to select SNTP, then move to the SNTP Mode field.

  5. Complete one of the following options.

    Option 1

    1. Use the Space bar to select the Broadcast mode.

    2. Move the cursor to the Poll Interval field.

    3. Go to step 6. (For Broadcast mode details, see SNTP time synchronization.)

      Time configuration fields for SNTP with broadcast mode


    Option 2

    4. Use the Space bar to select the Unicast mode.

    5. Move the cursor to the Server Address field.

    6. Enter the IP address of the SNTP server you want the switch to use for time synchronization.



      NOTE: This step replaces any previously configured server IP address. If you will be using backup SNTP servers (requires use of the CLI), see SNTP unicast time polling with multiple SNTP servers.


    7. Move the cursor to the Server Version field. Enter the value that matches the SNTP server version running on the device you specified in the preceding step.

      If you are unsure which version to use, HP recommends leaving this value at the default setting of 3 and testing SNTP operation to determine whether any change is necessary.



      NOTE: Using the menu to enter the IP address for an SNTP server when the switch already has one or more SNTP servers configured, the switch deletes the primary SNTP server from the server list. The switch then selects a new primary SNTP server from the IP addresses in the updated list. For more on this topic, see SNTP unicast time polling with multiple SNTP servers.


    8. Move the cursor to the Poll Interval field, then go to step 6.

    SNTP configuration fields for SNTP configured with unicast mode

  6. In the Poll Interval field, enter the time in seconds that you want for a Poll Interval.

    (For Poll Interval operation, see SNTP parameters.)

  7. Press Enter to return to the Actions line, then S (for Save) to enter the new time protocol configuration in both the startup-config and running-config files.

Viewing and configuring SNTP (CLI)

Syntax:

show sntp

Lists both the time synchronization method (TimeP, SNTP, or None) and the SNTP configuration, even if SNTP is not the selected time protocol.

If you configure the switch with SNTP as the time synchronization method, then enable SNTP in broadcast mode with the default poll interval, show sntp lists the following:

SNTP configuration when SNTP is the selected time synchronization method

HP Switch(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Sntp
  SNTP Mode : Unicast
  Poll Interval (sec) [720] : 719


  Priority SNTP Server Address            Protocol Version
  -------- ------------------------------ ----------------
  1        2001:db8::215:60ff:fe79:8980   7
  2        10.255.5.24                    3
  3        fe80::123%vlan10               3

In the factory-default configuration (where TimeP is the selected time synchronization method), show sntp still lists the SNTP configuration, even though it is not currently in use. In the listing that follows, even though TimeP is the current time synchronization method, the switch maintains the SNTP configuration.

SNTP configuration when SNTP is not the selected time synchronization method

HP Switch(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Timep
  SNTP Mode : Unicast
  Poll Interval (sec) [720] : 719


  Priority SNTP Server Address            Protocol Version
  -------- ------------------------------ ----------------
  1        2001:db8::215:60ff:fe79:8980   7
  2        10.255.5.24                    3
  3        fe80::123%vlan10               3

Syntax:

show management

This command can help you to easily examine and compare the IP addressing on the switch. It lists the IP addresses for all time servers configured on the switch, plus the IP addresses and default gateway for all VLANs configured on the switch.

Display showing IP addressing for all configured time servers and VLANs

HP Switch(config)# show management

 Status and Counters - Management Address Information

  Time Server Address : fe80::215:60ff:fe7a:adc0%vlan10

  Priority  SNTP Server Address            Protocol Version
  --------- ------------------------------ ----------------
  1         2001:db8::215:60ff:fe79:8980   7
  2         10.255.5.24                    3
  3         fe80::123%vlan10               3


  Default Gateway   :10.0.9.80

  VLAN Name    MAC Address     | IP address
  ------------ --------------- + ---------------
  DEFAULT_VLAN 001279-88a100   | Disabled
  VLAN10       001279-88a100   | 10.0.10.17

Configuring (enabling or disabling) the SNTP mode

Enabling the SNTP mode means configuring it for either broadcast or unicast mode. Remember that to run SNTP as the switch's time synchronization protocol, you must also select SNTP as the time synchronization method by using the CLI timesync command (or the menu interface Time Sync Method parameter).

Syntax:

timesync sntp

Selects SNTP as the time protocol.

sntp <broadcast | unicast>

Enables the SNTP mode.

Syntax:

sntp server <ip-addr>

Required only for unicast mode.

Syntax:

sntp server priority <1-3>

Specifies the order in which the configured servers are polled for getting the time. Value is between 1 and 3.

Syntax:

sntp <30-720>

Configures the amount of time between updates of the system clock via SNTP.

Default: 720 seconds

Enabling SNTP in Broadcast Mode

Because the switch provides an SNTP polling interval (default: 720 seconds), you need only these two commands for minimal SNTP broadcast configuration:

Syntax:

timesync sntp

Selects SNTP as the time synchronization method.

Syntax:

sntp broadcast

Configures broadcast as the SNTP mode.

Example:

Suppose that time synchronization is in the factory-default configuration (TimeP is the currently selected time synchronization method.) Complete the following:

  1. View the current time synchronization.

  2. Select SNTP as the time synchronization mode.

  3. Enable SNTP for Broadcast mode.

  4. View the SNTP configuration again to verify the configuration.

The commands and output would appear as follows:

Enabling SNTP operation in Broadcast Mode

HP Switch(config)# show sntp                    (1)


 SNTP Configuration
  Time Sync Mode: Timep
  SNTP Mode : disabled
  Poll Interval (sec) [720] :720

HP Switch(config)# timesync sntp

HP Switch(config)# sntp broadcast

HP Switch(config)# show sntp                    (2)


 SNTP Configuration
  Time Sync Mode: Sntp
  SNTP Mode : Broadcast
  Poll Interval (sec) [720] :720

(1) show sntp displays the SNTP configuration and also shows that TimeP is the currently active time synchronization mode.

(2) show sntp again displays the SNTP configuration and shows that SNTP is now the currently active time synchronization mode and is configured for broadcast operation.

Enabling SNTP in unicast mode (CLI)

Like broadcast mode, configuring SNTP for unicast mode enables SNTP. However, for unicast operation, you must also specify the IP address of at least one SNTP server. The switch allows up to three unicast servers. You can use the Menu interface or the CLI to configure one server or to replace an existing unicast server with another. To add a second or third server, you must use the CLI. For more on SNTP operation with multiple servers, see SNTP unicast time polling with multiple SNTP servers.

Syntax:

timesync sntp

Selects SNTP as the time synchronization method.

Syntax:

sntp unicast

Configures the SNTP mode for unicast operation.

Syntax:

[no] sntp server priority <1-3> <ip-address> [ version ]

Use the no version of the command to disable SNTP.

priority

Specifies the order in which the configured SNTP servers are polled for the time.

ip-address

An IPv4 or IPv6 address of an SNTP server.

version

The protocol version of the SNTP server. Allowable values are 1 through 7; default is 3.

Syntax:

no sntp server <ip-addr>

Deletes the specified SNTP server.



NOTE: Deleting an SNTP server when only one is configured disables SNTP unicast operation.


Example:

To select SNTP and configure it with unicast mode and an SNTP server at 10.28.227.141 with the default server version (3) and default poll interval (720 seconds):

HP Switch(config)# timesync sntp

Selects SNTP.

HP Switch(config)# sntp unicast

Activates SNTP in unicast mode.

HP Switch(config)# sntp server priority 1 10.28.227.141

Specifies the SNTP server and accepts the current SNTP server version (default: 3).

Configuring SNTP for unicast operation

HP Switch(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Sntp
  SNTP Mode : Unicast
  Poll Interval (sec) [720] : 720


  Priority SNTP Server Address                            Protocol Version
  -------- ---------------------------------------------- ----------------
  1        2001:db8::215:60ff:fe79:8980                   7
  2        10.255.5.24                                    3
  3        fe80::123%vlan10                               3

In this example, the Poll Interval and the Protocol Version appear at their default settings.

Both IPv4 and IPv6 addresses are displayed.

Note: Protocol Version appears only when there is an IP address configured for an SNTP server.

If the SNTP server you specify uses SNTP v4 or later, use the sntp server command to specify the correct version number. For example, suppose you learned that SNTP v4 was in use on the server you specified above (IP address 10.28.227.141). You would use the following commands to delete the server IP address and re-enter it with the correct version number for that server.

Specifying the SNTP protocol version number

HP Switch(config)# no sntp server 10.28.227.141        (1)

HP Switch(config)# sntp server 10.28.227.141 4         (2)

HP Switch(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Sntp
  SNTP Mode : Broadcast
  Poll Interval (sec) [720] : 600

  IP Address     Protocol Version
  -------------  -----------------
  10.28.227.141  4                                     (3)

(1) Deletes unicast SNTP server entry.

(2) Re-enters the unicast server with a non-default protocol version.

(3) show sntp displays the result.

Changing the SNTP poll interval (CLI)

Syntax:

sntp <30..720>

Specifies the amount of time between updates of the system clock via SNTP. The default is 720 seconds and the range is 30 to 720 seconds. (This parameter is separate from the poll interval parameter used for Timep operation.)

Example:

To change the poll interval to 300 seconds:

HP Switch(config)# sntp 300

Changing the SNTP server priority (CLI)

You can choose the order in which configured servers are polled for getting the time by setting the server priority.

Syntax:

sntp server priority <1-3> <ip-address>

Specifies the order in which the configured servers are polled for getting the time. Value is between 1 and 3.



NOTE: You can enter both IPv4 and IPv6 addresses. For more information about IPv6 addresses, see the IPv6 Configuration Guide for your switch.


Example:

To set one server to priority 1 and another to priority 2:

HP Switch(config)# sntp server priority 1 10.28.22.141

HP Switch(config)# sntp server priority 2 2001:db8::215:60ff:fe79:8980

Disabling time synchronization without changing the SNTP configuration (CLI)

The recommended method for disabling time synchronization is to use the timesync command.

Syntax:

no timesync

Halts time synchronization without changing your SNTP configuration.

Example:

Suppose SNTP is running as the switch's time synchronization protocol, with broadcast as the SNTP mode and the factory-default polling interval. You would halt time synchronization with this command:

HP Switch(config)# no timesync

If you then viewed the SNTP configuration, you would see the following:

SNTP with time synchronization disabled

HP Switch(config)# show sntp
 SNTP Configuration
  Time Sync Mode: Disabled
  SNTP Mode : Broadcast
  Poll Interval (sec) [720] : 720

Disabling the SNTP Mode

If you want to prevent SNTP from being used even if it is selected by timesync (or the Menu interface's Time Sync Method parameter), configure the SNTP mode as disabled.

Syntax:

no sntp

Disables SNTP by changing the SNTP mode configuration to Disabled.

Example:

If the switch is running SNTP in unicast mode with an SNTP server at 10.28.227.141 and a server version of 3 (the default), no sntp changes the SNTP configuration as shown below and disables time synchronization on the switch.

Disabling time synchronization by disabling the SNTP mode

HP Switch(config)# no sntp
HP Switch(config)# show sntp

 SNTP Configuration

  Time Sync Mode: Sntp
  SNTP Mode : disabled
  Poll Interval (sec) [720] : 600

  IP Address     Protocol Version
  -------------  -----------------
  10.28.227.141  3

Note that even though the Time Sync Mode is set to Sntp, time synchronization is disabled because no sntp has disabled the SNTP Mode parameter.

SNTP client authentication

Enabling SNTP authentication allows network devices such as HP switches to validate the SNTP messages received from an NTP or SNTP server before updating the network time. NTP or SNTP servers and clients must be configured with the same set of authentication keys so that the servers can authenticate the messages they send and clients (HP switches) can validate the received messages before updating the time.

This feature provides support for SNTP client authentication on HP switches, which addresses security considerations when deploying SNTP in a network.

Requirements

You must configure the following to enable SNTP client authentication on the switch.

SNTP client authentication support
  • Timesync mode must be SNTP. Use the timesync sntp command. (SNTP is disabled by default).

  • SNTP must be in unicast or broadcast mode. See Configuring unicast and broadcast mode for authentication.

  • The MD5 authentication mode must be selected.

  • An SNTP authentication key-identifier (key-id) must be configured on the switch and a value (key-value) must be provided for the authentication key. A maximum of 8 sets of key-id and key-value can be configured on the switch.

  • Among the keys that have been configured, one key or a set of keys must be configured as trusted. Only trusted keys are used for SNTP authentication.

  • If the SNTP server requires authentication, one of the trusted keys has to be associated with the SNTP server.

  • SNTP client authentication must be enabled on the HP Switch. If client authentication is disabled, packets are processed without authentication.

All of the above steps are necessary to enable authentication on the client.

SNTP server authentication support


NOTE: SNTP server is not supported on HP Switch products.


You must perform the following on the SNTP server:

  • The same authentication key-identifier, trusted key, authentication mode and key-value that were configured on the SNTP client must also be configured on the SNTP server.

  • SNTP server authentication must be enabled on the server.

If any of the parameters on the server are changed, the parameters have to be changed on all the SNTP clients in the network as well. The authentication check fails on the clients otherwise, and the SNTP packets are dropped.

Configuring the key-identifier, authentication mode, and key-value (CLI)

This command configures the key-id, authentication-mode, and key-value, which are required for authentication. It is executed in the global configuration context.

Syntax:

sntp authentication key-id <key-id> authentication-mode <md5> key-value <key-string> [trusted]

no sntp authentication key-id <key-id>

Configures a key-id, authentication-mode (MD5 only), and key-value, which are required for authentication.

The no version of the command deletes the authentication key.

Default: No default keys are configured on the switch.

key-id

A numeric key identifier in the range of 1-4,294,967,295 (2^32) that identifies the unique key value. It is sent in the SNTP packet.

key-value <key-string>

The secret key that is used to generate the message digest. Up to 32 characters are allowed for key-string.

encrypted-key <key-string>

Set the SNTP authentication key value using a base64-encoded AES-256 encrypted string.

Setting parameters for SNTP authentication

HP Switch(config)# sntp authentication key-id 55 authentication-mode md5 key-value secretkey1

Configuring a trusted key

Trusted keys are used in SNTP authentication. In unicast mode, you must associate a trusted key with a specific NTP/SNTP server. That key is used for authenticating the SNTP packet.

In unicast mode, a specific server is configured on the switch so that the SNTP client communicates with the specified server to get the date and time.

In broadcast mode, the SNTP client switch checks the size of the received packet to determine if it is authenticated. If the broadcast packet is authenticated, the key-id value is checked to see if the same key-id value is configured on the SNTP client switch. If the switch is configured with the same key-id value, and the key-id value is configured as "trusted," the authentication succeeds. Only trusted key-id value information is used for SNTP authentication. For information about configuring these modes, see Configuring unicast and broadcast mode for authentication.

If the packet contains key-id value information that is not configured on the SNTP client switch, or if the received packet contains no authentication information, it is discarded. The SNTP client switch expects packets to be authenticated if SNTP authentication is enabled.

When authentication succeeds, the time in the packet is used to update the time on the switch.
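The acceptance checks described above, sketched as an added Python example (not HP's code). It assumes the standard NTP symmetric-key layout: a 48-byte header followed by a 4-byte key-id and a 16-byte MD5 digest computed over the key value concatenated with the header; the page does not describe the switch's internal digest computation. Key-ids 55 and 10 and the value secretkey1 come from this page; the value for key 10, the timestamp and all packets are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48              # fixed NTP/SNTP header
MAC_LEN = 4 + 16             # 32-bit key-id + 128-bit MD5 digest
NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 to 1970-01-01

# key-id -> (key-value, trusted). Key 55 and its value come from the page's
# examples; the value for key 10 is constructed for this sketch.
KEYS = {55: (b"secretkey1", True), 10: (b"constructed-key", False)}


def build_packet(unix_time, key_id=None, key_value=b"", version=3, mode=5):
    """Build a constructed server packet (mode 5 = broadcast, 4 = unicast reply)."""
    header = bytearray(HEADER_LEN)
    header[0] = (version << 3) | mode        # LI=0, version, mode
    header[1] = 2                            # stratum (constructed)
    struct.pack_into("!I", header, 40, unix_time + NTP_UNIX_DELTA)  # transmit secs
    header = bytes(header)
    if key_id is None:
        return header                        # unauthenticated packet
    digest = hashlib.md5(key_value + header).digest()
    return header + struct.pack("!I", key_id) + digest


def validate(packet, keys, auth_enabled=True, server_key_id=None):
    """Return (accepted, reason, unix_time). server_key_id is the key-id
    associated with the server in unicast mode; None means broadcast mode."""
    if len(packet) < HEADER_LEN:
        return (False, "truncated header", None)
    header = packet[:HEADER_LEN]
    unix_time = struct.unpack_from("!I", header, 40)[0] - NTP_UNIX_DELTA
    if not auth_enabled:
        return (True, "authentication disabled", unix_time)
    # Size check: an authenticated packet carries exactly one key-id + digest.
    if len(packet) != HEADER_LEN + MAC_LEN:
        return (False, "no authentication information", None)
    key_id = struct.unpack_from("!I", packet, HEADER_LEN)[0]
    if key_id not in keys:
        return (False, "key-id not configured", None)
    key_value, trusted = keys[key_id]
    if not trusted:
        return (False, "key-id not trusted", None)
    if server_key_id is not None and key_id != server_key_id:
        return (False, "key-id not associated with server", None)
    expected = hashlib.md5(key_value + header).digest()
    if not hmac.compare_digest(expected, packet[HEADER_LEN + 4:]):
        return (False, "digest mismatch", None)
    return (True, "authenticated", unix_time)


def demo():
    """Run the constructed cases and return {case: (accepted, reason, time)}."""
    t = 1700000000
    good = build_packet(t, 55, b"secretkey1")
    tampered = bytearray(good)
    tampered[43] ^= 0xFF                     # alter the transmit timestamp
    return {
        "good": validate(good, KEYS),
        "no_mac": validate(build_packet(t), KEYS),
        "untrusted": validate(build_packet(t, 10, b"constructed-key"), KEYS),
        "unknown": validate(build_packet(t, 99, b"x"), KEYS),
        "tampered": validate(bytes(tampered), KEYS),
        "wrong_key": validate(build_packet(t, 55, b"guess"), KEYS),
        "auth_off": validate(build_packet(t), KEYS, auth_enabled=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} {result}")
```

Only the "good" case updates the clock when authentication is enabled; the "auth_off" case shows why disabling client authentication lets any broadcast packet set the time.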

Configuring a key-id as trusted (CLI)

Enter the following command to configure a key-id as trusted.

Syntax:

sntp authentication key-id <key-id> trusted

no sntp authentication key-id <key-id> trusted

Trusted keys are used during the authentication process. You can configure the switch with up to eight sets of key-id/key-value pairs. One specific set must be selected for authentication; this is done by configuring the set as trusted.

The key-id itself must already be configured on the switch. To enable authentication, at least one key-id must be configured as trusted.

The no version of the command indicates the key is unreliable (not trusted).

Default: No key is trusted by default.

For detailed information about trusted keys, see Configuring a trusted key.

Associating a key with an SNTP server (CLI)

Syntax:

[no] sntp server priority <1-3> <ip-address | ipv6-address> <version-num> [ key-id <1-4,294,967,295> ]

Configures a key-id to be associated with a specific server. The key itself must already be configured on the switch.

The no version of the command disassociates the key from the server. This does not remove the authentication key.

Default: No key is associated with any server by default.

priority

Specifies the order in which the configured servers are polled for getting the time.

version-num

Specifies the SNTP software version to use and is assigned on a per-server basis. The version setting is backwards-compatible. For example, using version 3 means that the switch accepts versions 1 through 3. Default: 3; range: 1 - 7.

key-id

Optional command. The key identifier sent in the SNTP packet. This key-id is associated with the SNTP server specified in the command.

Associating a key-id with a specific server

HP Switch(config)# sntp server priority 1 10.10.19.5 2 key-id 55

Enabling SNTP client authentication

The sntp authentication command enables SNTP client authentication on the switch. If SNTP authentication is not enabled, SNTP packets are not authenticated.

Syntax:

[no] sntp authentication

Enables the SNTP client authentication.

The no version of the command disables authentication.

Default: SNTP client authentication is disabled.

Configuring unicast and broadcast mode for authentication

To enable authentication, you must configure either unicast or broadcast mode. When authentication is enabled, changing the mode from unicast to broadcast or vice versa is not allowed; you must disable authentication and then change the mode.

To set the SNTP mode or change from one mode to the other, enter the appropriate command.

Syntax:

sntp unicast

sntp broadcast

Enables SNTP for either broadcast or unicast mode.

Default: SNTP mode is disabled by default. SNTP does not operate even if specified by the CLI timesync command or by the menu interface Time Sync Method parameter.

Unicast

Directs the switch to poll a specific server periodically for SNTP time synchronization.

The default value between each polling request is 720 seconds, but can be configured.

At least one manually configured server IP address is required.



NOTE: At least one key-id must be configured as trusted, and it must be associated with one of the SNTP servers. To edit or remove the associated key-id information or SNTP server information, SNTP authentication must be disabled.


Broadcast

Directs the switch to acquire its time synchronization from data broadcast by any SNTP server to the network broadcast address. The switch uses the first server detected and ignores any others. However, if the Poll Interval (configurable up to 720 seconds) expires three times without the switch detecting a time update from the original server, the switch accepts a broadcast time update from the next server it detects.

Viewing SNTP authentication configuration information (CLI)

The show sntp command displays SNTP configuration information, including any SNTP authentication keys that have been configured on the switch.

SNTP configuration information

HP Switch(config)# show sntp

 SNTP Configuration

  SNTP Authentication : Enabled
  Time Sync Mode: Sntp
  SNTP Mode : Unicast
  Poll Interval (sec) [720] : 720

  Priority SNTP Server Address                  Protocol Version KeyId
  -------- ------------------------------------ ---------------- -----
  1        10.10.10.2                           3                55
  2        fe80::200:24ff:fec8:4ca8             3                55

Viewing all SNTP authentication keys that have been configured on the switch (CLI)

Enter the show sntp authentication command, as shown in Show sntp authentication command output.

Show sntp authentication command output

HP Switch(config)# show sntp authentication

  SNTP Authentication Information

  SNTP Authentication : Enabled

  Key-ID  Auth Mode  Trusted
  ------- ---------- --------
  55      MD5        Yes
  10      MD5        No

Viewing statistical information for each SNTP server (CLI)

To display the statistical information for each SNTP server, enter the show sntp statistics command.

The number of SNTP packets that have failed authentication is displayed for each SNTP server address, as shown in SNTP authentication statistical information.

SNTP authentication statistical information

HP Switch(config)# show sntp statistics
SNTP Statistics

  Received Packets : 0
  Sent Packets : 3
  Dropped Packets : 0

  SNTP Server Address                     Auth Failed Pkts
  --------------------------------------- ----------------
  10.10.10.1                                  0
  fe80::200:24ff:fec8:4ca8                    0

Saving configuration files and the include-credentials command

You can use the include-credentials command to store security information in the running-config file. This allows you to upload the file to a TFTP server and then later download the file to the HP switches on which you want to use the same settings. For more information about the include-credentials command, see "Configuring Username and Password Security" in the Access Security Guide for your switch.

The authentication key values are shown in the output of the show running-config and show config commands only if the include-credentials command was executed.

When SNTP authentication is configured and include-credentials has not been executed, the SNTP authentication configuration is not saved.

Configuration file with SNTP authentication information

HP Switch (config) # show config
Startup configuration:
.
.
.
timesync sntp
sntp broadcast
sntp 50
sntp authentication
sntp server priority 1 10.10.10.2 3 key-id 55
sntp server priority 2 fe80::200:24ff:fec8:4ca8 4 key-id 55


NOTE: SNTP authentication has been enabled and a key-id of 55 has been created.


In this example, the include-credentials command has not been executed and is not present in the configuration file. The configuration file is subsequently saved to a TFTP server for later use. The SNTP authentication information is not saved and is not present in the retrieved configuration files, as shown in the following example.

Retrieved configuration file when include credentials is not configured

HP Switch (config) # copy tftp startup-config 10.2.3.44 config1
.
.
.
Switch reboots ...
.
Startup configuration
.
.
.
timesync sntp
sntp broadcast
sntp 50
sntp server priority 1 10.10.10.2 3
sntp server priority 2 fe80::200:24ff:fec8:4ca8 4
.
.
.


NOTE: The SNTP authentication line and the Key-ids are not displayed. You must reconfigure SNTP authentication.
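An added example (not HP's tooling): a Python check that audits a saved configuration against the client-authentication requirements listed under Requirements and the include-credentials behaviour shown in the two listings above. The first two sample configurations are adapted from this page; the third is constructed and assumes key definitions are saved in the same form as the CLI command.

```python
import ipaddress
import re

SERVER_RE = re.compile(r"^sntp server priority [1-3] (\S+)(?: [1-7])?(?: key-id (\d+))?$")
KEY_RE = re.compile(
    r"^sntp authentication key-id (\d+)"
    r"(?: authentication-mode md5 (?:key-value|encrypted-key) \S+)?( trusted)?$")
NO_KEYS = "authentication enabled but file has no key definitions (saved only with include-credentials)"
NO_AUTH = "authentication disabled: packets are processed without authentication"

# Listings adapted from this page: saved without include-credentials, then retrieved.
SAVED = """timesync sntp
sntp broadcast
sntp 50
sntp authentication
sntp server priority 1 10.10.10.2 3 key-id 55
sntp server priority 2 fe80::200:24ff:fec8:4ca8 4 key-id 55"""
RETRIEVED = """timesync sntp
sntp broadcast
sntp 50
sntp server priority 1 10.10.10.2 3
sntp server priority 2 fe80::200:24ff:fec8:4ca8 4"""
# Constructed: unicast with key lines, assuming they are saved in CLI form.
WITH_KEYS = """timesync sntp
sntp unicast
sntp authentication key-id 55 authentication-mode md5 key-value secretkey1 trusted
sntp authentication key-id 10 authentication-mode md5 key-value constructed-key
sntp authentication
sntp server priority 1 10.10.10.2 3 key-id 55"""


def audit(config_text):
    """Return a list of findings for one configuration; an empty list passes."""
    timesync = auth = False
    mode = None
    keys = {}      # key-id -> True if marked trusted
    servers = []   # (address, key-id or None)
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())             # normalise whitespace
        if line == "timesync sntp":
            timesync = True
        elif line in ("sntp unicast", "sntp broadcast"):
            mode = line.split()[1]
        elif line == "sntp authentication":
            auth = True
        elif m := KEY_RE.match(line):
            key_id = int(m.group(1))
            keys[key_id] = keys.get(key_id, False) or bool(m.group(2))
        elif m := SERVER_RE.match(line):
            try:
                ipaddress.ip_address(m.group(1).split("%")[0])  # drop %vlan zone
            except ValueError:
                findings.append(f"invalid server address {m.group(1)}")
                continue
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    if not timesync:
        findings.append("timesync is not set to sntp")
    if mode is None:
        findings.append("SNTP mode is disabled")
    if not auth:
        return findings + [NO_AUTH]
    if not keys:
        return findings + [NO_KEYS]
    if not any(keys.values()):
        findings.append("no key-id is trusted")
    usable = 0     # servers associated with a defined, trusted key
    for addr, key_id in servers:
        if key_id is None:
            continue
        if key_id not in keys:
            findings.append(f"server {addr}: key-id {key_id} is not defined")
        elif not keys[key_id]:
            findings.append(f"server {addr}: key-id {key_id} is not trusted")
        else:
            usable += 1
    if mode == "unicast" and usable == 0:
        findings.append("unicast mode: no server is associated with a trusted key-id")
    return findings


if __name__ == "__main__":
    for name, text in (("saved", SAVED), ("retrieved", RETRIEVED), ("with keys", WITH_KEYS)):
        print(name, audit(text) or "OK")
```

Running it against a configuration pulled back from TFTP makes the silent loss of `sntp authentication` visible before the switch starts accepting unauthenticated time updates.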


If include-credentials is configured, the SNTP authentication configuration is saved in the configuration file. When the show config command is entered, all of the information that has been configured for SNTP authentication displays, including the key-values.

Saved SNTP Authentication information when include-credentials is configured
