25-12z peer: full access. This level of right permits the peer devices to perform synchronization andcontrol query to the local device and also permits the local device to synchronize its clock to that ofa peer device.From the highest NTP service access-control right to the lowest one are peer, server,synchronization, and query. When a device receives an NTP request, it will perform anaccess-control right match and will use the first matched right.Configuration PrerequisitesPrior to configuring the NTP service access-control right to the local device, you need to create andconfigure an ACL associated with the access-control right. For the configuration of ACL, refer to ACLConfiguration in the Security Volume.Configuration ProcedureFollow these steps to configure the NTP service access-control right to the local device:To do… Use the command… RemarksEnter system view system-view —Configure the NTP serviceaccess-control right for a peerdevice to access the local devicentp-service access { peer |query | server |synchronization } acl-numberRequiredpeer by defaultThe access-control right mechanism provides only a minimum degree of security protection for thesystem running NTP. A more secure method is identity authentication.Configuring NTP AuthenticationThe NTP authentication feature should be enabled for a system running NTP in a network where thereis a high security demand. This feature enhances the network security by means of client-server keyauthentication, which prohibits a client from synchronizing with a device that has failed authentication.Configuration PrerequisitesThe configuration of NTP authentication involves configuration tasks to be implemented on the clientand on the server.When configuring the NTP authentication feature, pay attention to the following principles:z For all synchronization modes, when you enable the NTP authentication feature, you shouldconfigure an authentication key and specify it as a trusted key. Namely, the ntp-serviceauthentication enable command must work together with the ntp-service authentication-keyidcommand and the ntp-service reliable authentication-keyid command. Otherwise, the NTPauthentication function cannot be normally enabled.z For the client/server mode or symmetric mode, you need to associate the specified authenticationkey on the client (symmetric-active peer if in the symmetric peer mode) with the corresponding