diff --git a/doc/ntp/images/ntp_config_flow.png b/doc/ntp/images/ntp_config_flow.png
new file mode 100644
index 0000000000..2325839263
Binary files /dev/null and b/doc/ntp/images/ntp_config_flow.png differ
diff --git a/doc/ntp/images/ntp_show_configuration_flow.png b/doc/ntp/images/ntp_show_configuration_flow.png
new file mode 100644
index 0000000000..6c221cc3ab
Binary files /dev/null and b/doc/ntp/images/ntp_show_configuration_flow.png differ
diff --git a/doc/ntp/images/ntp_show_status_flow.png b/doc/ntp/images/ntp_show_status_flow.png
new file mode 100644
index 0000000000..202560f6ef
Binary files /dev/null and b/doc/ntp/images/ntp_show_status_flow.png differ
diff --git a/doc/ntp/images/ntp_system_chart.png b/doc/ntp/images/ntp_system_chart.png
new file mode 100644
index 0000000000..4d86a68c42
Binary files /dev/null and b/doc/ntp/images/ntp_system_chart.png differ
diff --git a/doc/ntp/ntp-design.md b/doc/ntp/ntp-design.md
new file mode 100644
index 0000000000..9cfdac5b2d
--- /dev/null
+++ b/doc/ntp/ntp-design.md
@@ -0,0 +1,898 @@
+
+# SONiC Network Time Protocol (NTP) client configuration
+
+## High Level Design document
+
+## Table of contents
+- [Revision](#revision)
+- [About this manual](#about-this-manual)
+- [Scope](#scope)
+- [1 Introduction](#1-introduction)
+ - [1.1 Feature overview](#11-feature-overview)
+ - [1.2 Requirements](#12-requirements)
+- [2 Design](#2-design)
+ - [2.1 Overview](#21-overview)
+ - [2.2 NTP daemon configuration](#22-ntp-daemon-configuration)
+ - [2.3 Configuration agent](#23-configuration-agent)
+ - [2.4 DB schema](#24-db-schema)
+ - [2.5 Flows](#25-flows)
+ - [2.6 CLI](#26-cli)
+ - [2.6.2.1 Config command group](#2621-config-command-group)
+ - [2.6.2.2 Show command group](#2622-show-command-group)
+ - [2.7 YANG model](#27-yang-model)
+ - [2.8 Warm/Fast boot](#28-warmfast-boot)
+- [3 Test plan](#3-test-plan)
+ - [3.1 Unit tests via VS](#31-unit-tests-via-vs)
+
+# Revision
+| Rev | Date | Author | Description |
+|:---:|:----------:|:-----------------:|:----------------|
+| 0.1 | 01/02/2023 | Yevhen Fastiuk 🇺🇦 | Initial version |
+
+# About this manual
+This document provides general information about NTP implementation in SONiC and NTP CLI.
+It describes high-level behavior, internal definition, design of the commands, syntax, and output definition.
+
+# Scope
+This document describes the high level design of NTP client feature in SONiC.
+The scope that document is to cover definition, design, and implementation of SONiC NTP, and NTP CLI.
+That functionality is standard for ntpd so we can support it in SONiC.
+The document covers the next CLI:
+1. Show NTP state and configuration
+2. Configure NTP client by adding NTP servers and pools
+3. Enable NTP server
+4. Configure NTP authentication
+
+**In scope:**
+- NTP client configuration (connect to NTP servers and/or pools).
+
+**Out of scope:**
+- NTP server role configuration (run a NTP server, be a peer).
+
+
+## Abbreviations
+| Term | Meaning |
+|:------|:------------------------------------------|
+| SONiC | Software for Open Networking in the Cloud |
+| NTP | Network Time Protocol |
+| IP | Internet Protocol |
+| UDP | User Datagram Protocol |
+| TCP | Transmission Control Protocol |
+| DB | Database |
+| VRF | Virtual Routing and Forwarding |
+| CLI | Сommand-line Interface |
+| YANG | Yet Another Next Generation |
+
+
+## List of figures
+- [Figure 1: NTP system chart diagram](#figure-1-ntp-system-chart-diagram)
+- [Figure 2: NTP config flow](#figure-2-ntp-config-flow)
+- [Figure 3: NTP show status sequence](#figure-3-ntp-status-sequence)
+- [Figure 4: NTP show configuration](#figure-4-ntp-show-configuration)
+
+
+## List of tables
+- [Table 1: Event logging](#table-1-event-logging)
+- [Table 2: NTP configuration](#table-2-ntp-daemon-configuration)
+- [Table 3: NTP parameters](#table-3-ntp-parameters)
+
+# 1 Introduction
+
+## 1.1 Feature overview
+NTP is a feature which allows user to synchronize system clock between computer systems over packet-switched.
+NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC).
+That HLD presents the ability to configure NTP on SONiC systems.
+
+As part of this feature, we would like to be able to configure NTP client using remote NTP servers, so we will be able to synchronize the time.
+Also, we will be able to retrieve all information related to the NTP global configuration and it’s servers, such as ip address, state, authentication key, etc.
+
+Here is the representation of SONiC platform using NTP feature:
+
+
+
+###### Figure 1: NTP system chart diagram
+
+## 1.2 Requirements
+
+
+### 1.2.1 Functionality
+
+**This feature will support the following functionality:**
+1. Show NTP configuration
+2. Enable/disable NTP functionality
+3. Enable/disable NTP authentication
+4. Enable/disable NTP DHCP client
+5. Configure NTP VRF
+6. Configure NTP servers
+7. Configure per-server configuration
+8. Manage NTP authentication keys
+
+
+### 1.2.2 Command interface
+
+**This feature will support the following commands:**
+1. config: global NTP configuration
+ 1. Enable/disable NTP functionality
+ 2. Enable/disable NTP authentication
+ 3. Enable/disable NTP DHCP client
+ 4. Set NTP VRF
+2. config: add/delete NTP server configuration
+ 1. Enable/disable server
+ 2. Configure server association type
+ 3. Modify server's NTP communication protocol version
+ 4. Assign authentication key
+ 5. Turn on/off aggressive mode (iburst)
+3. config: NTP authentication keys management
+ 1. Change key type
+ 2. Trustiness enable/disable
+4. show: display NTP status
+5. show: display NTP configuration
+6. show: display NTP authentication keys inventory
+
+
+### 1.2.3 Error handling
+
+**This feature will provide error handling for the next situations:**
+1. Invalid object reference
+2. Invalid options/parameters
+
+
+### 1.2.4 Event logging
+
+**This feature will provide event logging for the next situations:**
+1. NTP state change
+2. NTP authentication change
+3. NTP DHCP client change
+3. NTP server add/change config
+4. Authentication keys management
+5. Show NTP status
+
+
+###### Table 1: Event logging
+
+| Event | Severity |
+|:----------------------------------------|:--------:|
+| NTP state change: success | NOTICE |
+| NTP state change: failed | ERROR |
+| NTP authentication change: success | NOTICE |
+| NTP authentication change: failed | ERROR |
+| NTP DHCP change: success | NOTICE |
+| NTP DHCP change: failed | ERROR |
+| NTP add/change server: success | NOTICE |
+| NTP add/change server: failed | ERROR |
+| Authentication keys management: success | NOTICE |
+| Authentication keys management: failed | ERROR |
+| Show NTP status: failed | ERROR |
+
+# 2 Design
+
+## 2.1 Overview
+As you can see on the [system chart](#figure-1-ntp-system-chart-diagram), we can configure feature by setting data through the SONiC database.
+`hostcfgd` will listen for the configuration changes in corresponding table and will restart `ntp-config` service, which reads config from the database and configures the NTP by generating `ntp.conf` and `ntp.keys` file (if necessary).
+
+## 2.2 NTP daemon configuration
+The various modes are determined by the command keyword and the type of the required IP address.
+Addresses are classed by type as (s) a remote server or peer (IPv4 class A, B and C), (b) the broadcast address of a local interface, (m) a multicast address (IPv4 class D), or (r) a reference clock address (127.127.x.x).
+
+
+###### Table 2: NTP daemon configuration
+| Parameter | Default | Description |
+|:-----------|:--------|:------------|
+| server | none | For type s and r addresses, this command mobilizes a persistent client mode association with the specified remote server or local radio clock. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. This command should not be used for type b or m addresses. |
+| pool | none | For type s addresses, this command mobilizes a persistent client mode association with a number of remote servers. In this mode the local clock can synchronized to the remote server, but the remote server can never be synchronized to the local clock. |
+| key (ntpd) | none | All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified key identifier with values from 1 to 65535, inclusive. The default is to include no encryption field. |
+| version | 4 | Specifies the version number to be used for outgoing NTP packets. Versions 1-4 are the choices, with version 4 the default. |
+| iburst | none | When the server is unreachable, send a burst of eight packets instead of the usual one. The packet spacing is normally 2 s; however, the spacing between the first two packets can be changed with the calldelay command to allow additional time for a modem or ISDN call to complete. This is designed to speed the initial synchronization acquisition with the server command and s addresses and when ntpd is started with the -q option. |
+| keys | none | Specifies the complete path and location of the MD5 key file containing the keys and key identifiers used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. |
+| trustedkey | none | Specifies the key identifiers which are trusted for the purposes of authenticating peers with symmetric key cryptography, as well as keys used by the ntpq and ntpdc programs. The authentication procedures require that both the local and remote servers share the same key and key identifier for this purpose, although different keys can be used with different servers. The key arguments are 32-bit unsigned integers with values from 1 to 65535. |
+| keyno | none | Positive integer (between 1 and 65535). |
+| type | none | Message digest or cipher algorithm. |
+| key (keys) | none | The key itself. The key may be printable ASCII excluding "#" or hex encoded. Keys longer than 20 characters are assumed to be hex. The max length of a (de-hexified) key is 32 bytes. If you want to use an ASCII key longer than 20 bytes, you must hexify it. Note that the keys used by the ntpq(1) programs are checked against passwords entered by hand, so it is generally appropriate to specify these keys in ASCII format. |
+
+**MAN page:**
+[ntp.conf](
+ https://manpages.debian.org/bullseye/ntp/ntp.conf.5.en.html
+ "Network Time Protocol (NTP) daemon configuration file format"
+)
+[ntp_auth](
+ https://linux.die.net/man/5/ntp_auth
+ "NTP Authentication Options"
+)
+
+## 2.3 Configuration agent
+
+
+### 2.3.1 Overview
+Configuration management of `ntpd` is done by `ntp-config` service.
+The service is triggered by CLI once data is validated and pushed to Config DB.
+
+The `ntp-config` service performs the next actions:
+1. Renders `ntp.conf.j2` and `ntp.keys.j2` templates with `sonic-cfggen` to generate a new `ntpd` config file
+2. Restarts `ntp` service which triggers `ntpd` to load a new config file
+
+
+### 2.3.2 NTP parameters
+
+**NTP will have the next parameter mapping:**
+
+
+###### Table 3: NTP parameters
+| SONiC | ntp.conf,
ntp.keys | Config DB Schema |
+|:---------------|:-----------------------|:-----------------------------------|
+| state (global) | N/A | NTP\|global\|state:\ |
+| authentication | trustedkey, keys | NTP\|global\|authentication:\|
+| vrf | N/A | NTP\|global\|vrf:\ |
+| server | server, pool | NTP_SERVER\|\ |
+| state (server) | N/A | NTP_SERVER\|\\|state:\ |
+| type | server, pool | NTP_SERVER\|\\|association_type:\ |
+| version | version | NTP_SERVER\|\\|version:\ |
+| aggressive | iburst | NTP_SERVER\|\\|iburst:\ |
+| key (server) | key | NTP_SERVER\|\\|key:\ |
+| key (auth) | keyno | NTP_KEY\|\\|value:\ |
+| type (auth) | type | NTP_KEY\|\\|type:\ |
+| trusted | trustedkey | NTP_KEY\|\\|trusted:\ |
+
+
+### 2.3.3 NTP configuration
+NTP global configuration offers `state`, `authentication`, `vrf` parameters for flexible configuration of NTP client.
+For the server the next configuration options are supported: `state`, `type`, `version`, `key`.
+And finally NTP key management supports the next options: `value`, `type`, `trusted`.
+
+**Note:**
+1. The destination might be not reachable over the specified `vrf`/`host`: no way to check - user's responsibility
+2. Feature should handle automatically OOB VRF changes.
+
+
+#### 2.3.3.1 Server configurations: `add/del/change`
+Here is a part of `ntp.conf` template that can be used to generate configured NTP servers:
+
+**Example:**
+```jinja
+{# Getting NTP global configuration -#}
+{% set global = (NTP | d({})).get('global', {}) -%}
+
+{# Adding NTP servers. We need to know if we have some pools, to set proper
+config -#}
+{% set is_pools = False %}
+{% for server in NTP_SERVER if NTP_SERVER[server].state != 'disabled' and
+ NTP_SERVER[server].resolve_as and
+ NTP_SERVER[server].association_type -%}
+ {% set config = NTP_SERVER[server] -%}
+ {# Server options -#}
+ {% set soptions = '' -%}
+ {# Server access control options -#}
+ {% set aoptions = '' -%}
+
+ {# Authentication key -#}
+ {% if config.key -%}
+ {% set soptions = soptions ~ ' key ' ~ config.key -%}
+ {% endif -%}
+
+ {# Aggressive polling -#}
+ {% if config.iburst -%}
+ {% set soptions = soptions ~ ' iburst' -%}
+ {% endif -%}
+
+ {# Protocol version -#}
+ {% if config.version -%}
+ {% set soptions = soptions ~ ' version ' ~ config.version -%}
+ {% endif -%}
+
+ {# Check if there are any pool configured. BTW it doesn't matter what was
+ configured as "resolve_as" for pools. If they were configured with FQDN they
+ must remain like that -#}
+ {% set config_as = config.resolve_as -%}
+ {% if config.association_type == 'pool' -%}
+ {% set is_pools = True -%}
+ {% set config_as = server -%}
+ {% else -%}
+ {% set aoptions = aoptions ~ ' nopeer' -%}
+ {% endif -%}
+
+{{ config.association_type }} {{ config_as }}{{ soptions }}
+{% if global.server_role == 'disabled' %}
+restrict {{ config_as }} kod nomodify notrap noquery{{ aoptions }}
+{% endif %}
+
+{% endfor -%}
+```
+
+
+#### 2.3.3.2 Global config: `change`
+The next part of `ntp.conf` template can be used to manage ntp authentication:
+
+**Example:**
+```jinja
+{% set trusted_keys_arr = [] -%}
+{% for key in NTP_KEY -%}
+ {% set keydata = NTP_KEY[key] -%}
+ {% if keydata.trusted == 'yes' -%}
+ {% set trusted_keys_arr = trusted_keys_arr.append(key) -%}
+ {% endif -%}
+{% endfor %}
+
+{% if global.authentication == 'enabled' %}
+keys /etc/ntp.keys
+{% if trusted_keys_arr != [] %}
+trustedkey {{ trusted_keys_arr|join(' ') }}
+{% endif %}
+{% endif %}
+```
+
+And for handling VRF, DHCP, and NTP feature state we need to modify `ntp-sytemd-wrapper`:
+```bash
+if [ -r /etc/default/ntp ]; then
+ . /etc/default/ntp
+fi
+
+dhcp=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["dhcp"]' 2> /dev/null)
+if [ -e /run/ntp.conf.dhcp ] && [ "$dhcp" = "enabled" ]; then
+ NTPD_OPTS="$NTPD_OPTS -c /run/ntp.conf.dhcp"
+fi
+
+ntpEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["state"]' 2> /dev/null)
+if [ "$ntpEnabled" = "disabled" ]
+then
+ logger -p INFO -t "ntpd" "Stopping NTP daemon"
+ start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE
+ exit 0
+fi
+
+# when mgmt vrf is configured, ntp starts in mgmt vrf by default unless user configures otherwise
+vrfEnabled=$(/usr/local/bin/sonic-cfggen -d -v 'MGMT_VRF_CONFIG["vrf_global"]["mgmtVrfEnabled"]' 2> /dev/null)
+vrfConfigured=$(/usr/local/bin/sonic-cfggen -d -v 'NTP["global"]["vrf"]' 2> /dev/null)
+if [ "$vrfEnabled" = "true" ]
+then
+ if [ "$vrfConfigured" = "default" ]
+ then
+ logger -p INFO -t "ntpd" "Starting NTP server in default-vrf for default set as NTP vrf" "ntpd"
+ start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+ else
+ logger -p INFO -t "ntpd" "Starting NTP server in mgmt-vrf"
+ ip vrf exec mgmt start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+ fi
+else
+ logger -p INFO -t "ntpd" "Starting NTP server in default-vrf"
+ start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -p $PIDFILE $NTPD_OPTS
+fi
+```
+
+
+#### 2.3.3.3 NTP authentication keys management: `add/del`
+And finally authentication keys file `ntp.keys` template is here:
+
+```jinja
+{# We can connect only to the servers we trust. Determine those servers -#}
+{% set trusted_arr = [] -%}
+{% for server in NTP_SERVER if NTP_SERVER[server].trusted == 'yes' and
+ NTP_SERVER[server].resolve_as -%}
+ {% set _ = trusted_arr.append(NTP_SERVER[server].resolve_as) -%}
+{% endfor -%}
+
+{# Define authentication keys inventory -#}
+{% set trusted_str = ' ' ~ trusted_arr|join(',') -%}
+{% for keyid in NTP_KEY if NTP_KEY[keyid].type and NTP_KEY[keyid].value %}
+{{ keyid }} {{ NTP_KEY[keyid].type }} {{ NTP_KEY[keyid].value }}{{trusted_str}}
+{% endfor -%}
+
+```
+
+## 2.4 DB schema
+
+
+### 2.4.1 Config DB
+To configure the feature we are going to use three Config DB tables:
+- NTP
+- NTP_SERVER
+- NTP_KEY
+
+`NTP` table is used to store NTP global configuration.
+`NTP_SERVER` table contains configured remote NTP servers and theis approprite configuration.
+`NTP_KEY` table holds NTP authentication keys inventory.
+
+
+### 2.4.2 Data sample
+
+**Config DB:**
+```
+redis-cli -n 4 HGETALL 'NTP|global'
+1) "state"
+2) "enabled"
+3) "authentication"
+4) "enabled"
+5) "vrf"
+6) "default"
+
+redis-cli -n 4 HGETALL 'NTP_SERVER|1.1.1.1'
+1) "state"
+2) "disabled"
+3) "version"
+4) "4"
+5) "key"
+6) "42"
+5) "iburst"
+6) "on"
+7) "association_type"
+8) "server"
+
+redis-cli -n 4 HGETALL 'NTP_SERVER|somehost'
+1) "state"
+2) "enabled"
+3) "version"
+4) "3"
+5) "iburst"
+6) "on"
+7) "association_type"
+8) "pool"
+
+redis-cli -n 4 HGETALL 'NTP_KEY|1'
+1) "type"
+2) "md5"
+3) "value"
+4) "mypassword"
+5) "trusted"
+6) "yes"
+
+redis-cli -n 4 HGETALL 'NTP|42'
+1) "type"
+2) "sha1"
+3) "value"
+4) "theanswer"
+5) "trusted"
+6) "no"
+```
+
+
+### 2.4.3 Configuration sample
+
+**NTP Config DB configuration:**
+```json
+{
+ "NTP": {
+ "global": {
+ "state": "enabled",
+ "authentication": "enabled",
+ "vrf": "mgmt"
+ }
+ },
+ "NTP_SERVER": {
+ "1.1.1.1": {
+ "state": "disabled",
+ "version": "4",
+ "key": "42",
+ "iburst": "on",
+ "association_type": "server"
+ },
+ "somehost": {
+ "state": "enabled",
+ "version": "3",
+ "iburst": "on",
+ "association_type": "pool"
+ }
+ },
+ "NTP_KEY": {
+ "1": {
+ "type": "md5",
+ "value": "mypassword",
+ "trusted": "yes"
+ },
+ "42": {
+ "type": "sha1",
+ "value": "theanswer",
+ "trusted": "no"
+ }
+ }
+}
+```
+
+
+### 2.4.4 Configuration migration
+No special handling is required
+
+## 2.5 Flows
+
+
+### 2.5.1 NTP config flow
+
+
+###### Figure 2: NTP config flow
+
+
+### 2.5.2 NTP show status sequence
+
+
+###### Figure 3: NTP show status sequence
+
+
+### 2.5.2 NTP show configuration
+
+
+###### Figure 4: NTP show configuration
+
+## 2.6 CLI
+
+
+### 2.6.1 Command structure
+
+**User interface**:
+```
+config
+\-- ntp
+ |-- state
+ |-- authentication
+ |-- dhcp
+ |-- vrf
+ |-- server
+ | |-- add SRV_OPTS
+ | |-- del
+ | \- state
+ \- key
+ |-- add KEY_OPTS
+ \- del
+
+show
+\-- ntp
+ |-- global
+ |-- server
+ \- key
+```
+
+**Options:**
+
+General:
+1. ``, `` - state string: `enum: enabled, disabled`
+3. `` - OOB VRF device: `enum: default, mgmt`
+3. `` - NTP server: `host: ipv4, ipv6, hostname`
+4. `` - Authentication key ID: `integer: 1-65535`
+
+_SRV_OPTS_:
+1. `-t|--type` - NTP server association type: `enum: server, pool`
+2. `-k|--key` - NTP authentication key ID: `integer: 1-65535`
+3. `-v|--version` - NTP protocol version `integer: 3-4`
+4. `-a|--aggressive` - NTP enable aggresive polling
+
+_KEY_OPTS_:
+1. `-t|--type` - NTP key type: `enum: md5, sha1`
+3. `-s|--trusted` - NTP key trustiness: `enum: yes, no`
+
+
+### 2.6.2 Usage examples
+
+#### 2.6.2.1 Config command group
+
+**The following command enabled/disables NTP feature:**
+```bash
+config ntp state enabled
+config ntp state disabled
+```
+
+**The following command enabled/disables NTP authentication:**
+```bash
+config ntp authentication enabled
+config ntp authentication disabled
+```
+
+**The following command enabled/disables NTP DHCP client:**
+```bash
+config ntp dhcp enabled
+config ntp dhcp disabled
+```
+
+**The following command eonfigures NTP VRF:**
+```bash
+config ntp vrf default
+config ntp vrf mgmt
+```
+
+**The following command adds/deletes NTP server:**
+```bash
+config ntp server add 0.ua.pool.ntp.org \
+ --type server \
+ --key 42 \
+ --version 4
+config ntp server del 0.ua.pool.ntp.org
+```
+
+**The following command enabled/disables specific NTP server:**
+```bash
+config ntp server 0.ua.pool.ntp.org state enabled
+config ntp server 0.ua.pool.ntp.org state disabled
+```
+
+**The following command adds/removes NTP authentication key:**
+```bash
+config ntp key add 42 theanswer \
+ --type sha1 \
+ --trusted yes
+config ntp key del 42
+```
+
+#### 2.6.2.2 Show command group
+
+**The following command shows NTP state:**
+```
+root@sonic:/home/admin# show ntp
+MGMT_VRF_CONFIG is not present.
+synchronised to NTP server (10.10.10.2) at stratum 5
+ time correct to within 287 ms
+ polling server every 64 s
+ remote refid st t when poll reach delay offset jitter
+==============================================================================
++10.10.10.1 162.159.200.123 4 u 53 64 377 0.134 +240.45 10.868
+*10.10.10.2 162.159.200.123 4 u 43 64 377 0.110 +231.47 5.604
+```
+
+**The following command shows NTP global config:**
+```
+root@sonic:/home/admin# show ntp global
+State: enabled
+Authentication: enabled
+VRF: default
+```
+
+**The following command shows NTP servers:**
+```
+root@sonic:/home/admin# show ntp server
+SERVER STATE TYPE KEY VERSION
+------------------- -------- ------ --- -------
+time.cloudflare.com enabled server 4
+2001:4860:4806:: enabled server 3
+216.239.35.4 disabled server 42 4
+pool.ntp.org disabled pool 4
+```
+
+**The following command shows NTP keys:**
+```
+root@sonic:/home/admin# show ntp key
+KEY ID TYPE VALUE TRUSTED
+------ ---- ---------- -------
+1 md5 mypass yes
+2 sha1 thebestntp no
+42 md5 theanswer yes
+```
+
+## 2.7 YANG model
+An existing YANG model `sonic-ntp.yang` will be extended in order to provide support for configuring global NTP and NTP servers.
+
+**Skeleton code:**
+```yang
+module sonic-ntp {
+
+ yang-version 1.1;
+
+ namespace "http://github.com/sonic-net/sonic-ntp";
+ prefix ntp;
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ import sonic-port {
+ prefix port;
+ }
+
+ import sonic-mgmt_vrf {
+ prefix mvrf;
+ }
+
+ import sonic-portchannel {
+ prefix lag;
+ }
+
+ import sonic-loopback-interface {
+ prefix lo;
+ }
+
+ import sonic-mgmt_port {
+ prefix mprt;
+ }
+
+ description
+ "NTP yang Module for SONiC OS";
+
+ revision 2021-04-07 {
+ description
+ "First revision";
+ }
+
+ typedef state {
+ description "State of the config";
+ type enumeration {
+ enum enabled;
+ enum disabled;
+ }
+ }
+
+ typedef yes-no {
+ description "Yes/No configuration";
+ type enumeration {
+ enum yes;
+ enum no;
+ }
+ }
+
+ typedef on-off {
+ description "On/Off configuration";
+ type enumeration {
+ enum yes;
+ enum no;
+ }
+ }
+
+ typedef ntp-key-type {
+ description "NTP key encrypt type";
+ type enumeration {
+ enum md5;
+ enum sda1;
+ }
+ }
+
+ typedef association-type {
+ description "NTP server association type";
+ type enumeration {
+ enum server;
+ enum peer;
+ enum pool;
+ }
+ }
+
+ container sonic-ntp {
+
+ container NTP {
+
+ container global {
+
+ description "Global NTP part of config_db.json";
+
+ leaf-list src_intf {
+ type union {
+ type leafref {
+ path /port:sonic-port/port:PORT/port:PORT_LIST/port:name;
+ }
+ type leafref {
+ path /lag:sonic-portchannel/lag:PORTCHANNEL/lag:PORTCHANNEL_LIST/lag:name;
+ }
+ type leafref {
+ path /lo:sonic-loopback-interface/lo:LOOPBACK_INTERFACE/lo:LOOPBACK_INTERFACE_LIST/lo:name;
+ }
+ type leafref {
+ path /mprt:sonic-mgmt_port/mprt:MGMT_PORT/mprt:MGMT_PORT_LIST/mprt:name;
+ }
+ }
+
+ }
+
+ leaf vrf {
+ must "(current() != 'mgmt') or (/mvrf:sonic-mgmt_vrf/mvrf:MGMT_VRF_CONFIG/mvrf:vrf_global/mvrf:mgmtVrfEnabled = 'true')" {
+ error-message "Must condition not satisfied. Try enable Management VRF.";
+ }
+
+ type string {
+ pattern "mgmt|default";
+ }
+
+ description
+ "NTP can be enabled only in one VRF at time. In this revision, it is either default VRF or Management VRF.";
+ }
+
+ leaf state {
+ type state;
+ default enabled;
+ description "NTP feature state";
+ }
+
+ leaf authentication {
+ type state;
+ default disabled;
+ description "NTP authentication state";
+ }
+
+ leaf server_role {
+ type state;
+ default enabled;
+ description "NTP server functionality state";
+ }
+
+ } /* end of container global */
+
+ } /* end of container NTP */
+
+ container NTP_SERVER {
+
+ description "NTP SERVER part of config_db.json";
+
+ list NTP_SERVER_LIST {
+ max-elements 10;
+
+ key "server_address";
+
+ leaf server_address {
+ type inet:host;
+ }
+
+ leaf state {
+ type state;
+ default enabled;
+ description "NTP server state";
+ }
+
+ leaf key {
+ type uint16;
+ description "NTP server key";
+ }
+
+ leaf trusted {
+ type yes-no;
+ default no;
+ }
+
+ leaf version {
+ type uint8 {
+ range "3..4" {
+ error-message "Failed NTP version";
+ }
+ }
+ default 4;
+ }
+
+ leaf association-type {
+ type association-type;
+ default server;
+ }
+
+ leaf iburst {
+ type on-off;
+ default off;
+ }
+ } /* end of list NTP_SERVER_LIST */
+
+ } /* end of container NTP_SERVER */
+
+ container NTP_KEY {
+
+ description "NTP authentication keys configuration";
+
+ list NTP_KEYS_LIST {
+ description "TBD";
+ key "id";
+
+ leaf id {
+ type uint16;
+ }
+
+ leaf type {
+ type ntp-key-type;
+ }
+
+ leaf value {
+ type string;
+ }
+
+ leaf trusted {
+ type yes-no;
+ default no;
+ }
+ } /* end of list NTP_KEYS_LIST */
+
+ } /* end of container NTP_KEY */
+
+ } /* end of container sonic-ntp */
+
+} /* end of module sonic-ntp */
+```
+
+## 2.8 Warm/Fast boot
+No special handling is required
+
+# 3 Test plan
+
+## 3.1 Unit tests via VS
+NTP basic configuration test:
+1. Verify ntp.conf after NTP server creation/removal or global configuration change.
+
+NTP extended configuration test:
+1. Disable NTP functionality
+2. Change system time
+3. Add new NTP server
+4. Enable NTP functionality
+5. Make sure system time was updated