Configure NTP on Cisco

Configure Cisco NTP

For demonstration purposes, consider the topology below, which shows NTP configuration on a Cisco router and switch. NTP runs on UDP port 123 (both the source and destination port are UDP 123). NTP synchronization is incremental, which means you will not see the time sync in the next second after NTP is configured. You need to wait for at least 15 minutes.

NTP uses a concept called “stratum” that defines how many NTP hops away a device is from an authoritative time source. For example, a device with stratum 1 is a very accurate device and might have an atomic clock attached to it. Another NTP server that uses this stratum 1 server to sync its own time would be a stratum 2 device, because it is one NTP hop further away from the source. When you configure multiple NTP servers, the client will prefer the NTP server with the lowest stratum value.



In both scenarios, you need to configure the clock on the router that is acting as NTP master so that the NTP clients can sync time with the master.

R1(config)# clock timezone GMT 3

R1# clock set 18:05:20 12 July 2019


Scenario 1: NTP without Authentication

To configure R1 as NTP master, only a single command is required on R1.

R1(config)# ntp master


To configure SW1 as NTP client, issue the command pointing to the NTP server.

SW1(config)# ntp server


Scenario 2: NTP with Authentication

To configure R1 as NTP master

R1(config)# ntp master

R1(config)# ntp authentication-key 45 md5 itadminguide

R1(config)# ntp trusted-key 45


To configure SW1 as NTP client

SW1(config)# ntp authentication-key 45 md5 itadminguide

SW1(config)# ntp trusted-key 45

SW1(config)# ntp authenticate

I have seen some guys issue #ntp authenticate on NTP master devices. This is wrong. The #ntp authenticate command must be issued on NTP client devices only.
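What the authentication key in Scenario 2 does on the wire, as an added example that is not part of the original article: the sketch below builds an NTP server reply, appends the symmetric-key MAC defined in RFC 5905 (a 32-bit key ID followed by the MD5 of the key and the header), and runs the check a client performs on it. Key ID 45 and the key string come from the configuration above; the packet field values and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header length in bytes


def ntp_header(mode, stratum, transmit_secs):
    """Build a minimal 48-byte NTPv4 header (LI=0, VN=4, other fields zero)."""
    li_vn_mode = (4 << 3) | mode
    # poll=6, precision=-20, then 11 32-bit words: root delay, root dispersion,
    # reference ID, reference/origin/receive timestamps (zero), transmit timestamp.
    return struct.pack("!BBbb11I", li_vn_mode, stratum, 6, -20,
                       *([0] * 9), transmit_secs, 0)


def sign(header, key_id, key):
    """Append the MAC: 32-bit key ID followed by MD5(key || header)."""
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(message, trusted_keys):
    """Client-side check: True only for a valid MAC made with a trusted key."""
    if len(message) != HEADER_LEN + 4 + 16:
        return False  # no MAC present: unauthenticated packet
    header, mac = message[:HEADER_LEN], message[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not in the trusted list
    return hmac.compare_digest(hashlib.md5(key + header).digest(), mac[4:])


# Key ID and key string from Scenario 2; the packet itself is constructed sample data.
TRUSTED = {45: b"itadminguide"}
HEADER = ntp_header(mode=4, stratum=8, transmit_secs=3771943520)
REPLY = sign(HEADER, 45, b"itadminguide")

if __name__ == "__main__":
    tampered = REPLY[:1] + bytes([1]) + REPLY[2:]  # stratum changed in transit
    print("genuine reply:   ", verify(REPLY, TRUSTED))
    print("tampered stratum:", verify(tampered, TRUSTED))
    print("wrong key string:", verify(sign(HEADER, 45, b"wrong"), TRUSTED))
    print("untrusted key ID:", verify(sign(HEADER, 46, b"itadminguide"), TRUSTED))
    print("no MAC at all:   ", verify(HEADER, TRUSTED))
```

Only the genuine reply passes; a mismatch in the key string or the trusted key ID between master and client makes every packet fail the same way a forged one does.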


Troubleshooting Commands

#show ntp status - General NTP status on the Cisco device
#show ntp associations - Summary of all NTP association of Cisco device. If you notice that means, Cisco device syncs with its own internal clock.
#show ntp associations detail - Detailed information of Cisco device with all time sources associated.
#debug ntp packet - Identify if NTP traffic flows
#debug ntp authentication - Debug NTP association
#show clock - View software clock
#show calendar - View hardware clock
#ntp update-calendar - Update the hardware clock with the time of the software clock