10
broadcast message, the client
and the server start to exchange
messages to calculate the
network delay between them.
Then, only the broadcast server
sends clock synchronization
messages.
The broadcast mode has
than the client/server and
symmetric active/passive
modes because only the
clock synchronization
messages.
Multicast
A multicast
server periodically
sends clock synchronization
messages to the user-configured
multicast address. Clients listen
to the multicast messages from
servers and synchronize to the
server according to the received
messages.
A multicast client can be
multicast server, but a
multicast server cannot
be synchronized to a
multicast client.
A multicast server can
provide time
synchronization for clients
in the same subnet or in
different subnets.
The multicast mode has a
lower time accuracy than
symmetric active/passive
modes.
In this document, an "NTP server" or a "server" refers to a device that operates as an NTP server in
client/server mode. Time servers refer to all the devices that can provide time synchronization,
including NTP servers, NTP symmetric peers, broadcast servers, and multicast servers.
NTP security
To improve time synchronization security, NTP provides the access control and authentication
functions.
NTP access control
You can control NTP access by using an ACL. The access rights are in the following order, from least
restrictive to most restrictive:
• Peer—Allows time requests and NTP control queries (such as alarms, authentication status,
and time server information) and allows the local device to synchronize itself to a peer device.
• Server—Allows time requests and NTP control queries, but does not allow the local device to
synchronize itself to a peer device.
• Synchronization—Allows only time requests from a system whose address passes the access
list criteria.
• Query—Allows only NTP control queries from a peer device to the local device.
When the device receives an NTP request, it matches the request with the access rights in the order
from the least restrictive to the most restrictive: peer, server, synchronization, and query.
• If no NTP access control is configured, the peer access right applies.
• If the IP address of the peer device matches a permit statement in an ACL, the access right is
granted to the peer device. If a deny statement or no ACL is matched, no access right is
granted.
• If no ACL is specified for an access right or the ACL specified for the access right is not created,
the access right is not granted.
• If none of the ACLs specified for the access rights are created, the peer access right applies.
• If none of the ACLs specified for the access rights contain rules, no access right is granted.
This feature provides minimal security for a system running NTP. A more secure method is NTP
authentication.
To Next Page
Loading...
Need help?
General