Cisco Network Time Protocol (NTP)
Cisco Network Time Protocol (NTP)
Cisco Network Time Protocol (NTP)
Search …
Lesson Contents
Unit 1: Switching
1. Con guration Unit 2: Routing
1.1. Router con guration Unit 3: Wireless
1.2. Switch Con guration Unit 4: Multicast
1.3. Multicast and Broadcast
Unit 5: Network Architecture
1.4. Authentication
Unit 6: Services
1.5. Access-Control
6.1 NTP
A good example of a NTP server is ntp.pool.org. This is a cluster of NTP servers that
many servers and network devices use to synchronize their clocks.
NTP uses a concept called “stratum” that de nes how many NTP hops away a device is
from an authorative time source. For example, a device with stratum 1 is a very accurate
device and might have an atomic clock attached to it. Another NTP server that is using
this stratum 1 server to sync its own time would be a stratum 2 device because it’s one
NTP hop further away from the source. When you con gure multiple NTP servers, the
client will prefer the NTP server with the lowest stratum value.
The symmetric active mode is used between NTP devices to synchronize with each other,
it’s used as a backup mechanism when they are unable to reach the (external) NTP
server.
In the remaining of this tutorial I will demonstrate how to con gure NTP on a Cisco
router and switches.
1. Configuration
This is the topology I will use:
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 1/15
9/8/2020 Cisco Network Time Protocol (NTP)
The router on the top is called “CoreRouter” and its the edge of my network. It is
connected to the Internet and will use one of the NTP servers from pool.ntp.org to
synchronize its clock. The network also has two internal switches that require
synchronized clocks. Both switches will become NTP clients of the CoreRouter, thus
making the CoreRouter a NTP server.
I will use Google DNS for this. Our next step is to con gure the NTP server:
That was easy enough, just one command and we will synchronize our clock with the
public server. We can verify our work like this:
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 2/15
9/8/2020 Cisco Network Time Protocol (NTP)
Above we see the show ntp associations command that tells us if our clock is
synchronized or not. The ~ in front of the IP address tells us that we con gured this
server but we are not synchronized yet. You can see this because there is no * in front of
the IP address and the “st” eld (stratum) is currently 16.
There is one more command that gives us more information about the NTP
con guration:
The router tells us that we are unsynchronized and that there is no reference clock…we
will just wait a couple of minutes and take a look at these commands again:
A few minutes later and the output has changed. The * in front of the IP address tells us
that we have synchronized and the stratum is 2…that means that this NTP server is
pretty close to a reliable time source. The “poll” eld tells us that we will try to
synchronize the time every 64 seconds. Let’s check the other command that we just saw:
Our clock has been synchronized and our own stratum is 3, that makes sense since the
public stratum server has a stratum of 2 and we are one “hop” away from it.
NTP synchronization can be very slow so you have to be patient when your
clocks are not synchronized. One way to speed it up a bit is to adjust your
clock manually so it is closer to the current time.
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 3/15
9/8/2020 Cisco Network Time Protocol (NTP)
Cisco routers have two di erent clocks, they have a software clock and a hardware clock
and they operate separately from each other. Here’s how to see both clocks:
CoreRouter#show clock
12:41:25.197 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:43:24 UTC Mon Jul 7 2014
The show clock command shows me the software clock while the show calendar
command gives me the hardware clock. The two clocks are not in sync so this is
something we should x, you can do it like this:
CoreRouter#(config)ntp update-calendar
The ntp update-calendar command will update the hardware clock with the time of the
software clock, here’s the result:
CoreRouter#show clock
12:42:31.853 UTC Mon Jul 7 2014
CoreRouter#show calendar
12:42:30 UTC Mon Jul 7 2014
That’s all I wanted to con gure on the CoreRouter for now. We still have to con gure two
switches to synchronize their clocks.
Once again it might take a few minutes to synchronize but this is what you will see:
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 4/15
9/8/2020 Cisco Network Time Protocol (NTP)
The clock of SW1 has been synchronized and its stratum is 4. This makes sense since it’s
one “hop” further away from its NTP server (CoreRouter). Let’s do the same for SW2:
Let’s be patient for a few more minutes and this is what we’ll get:
SW1 and SW2 are now using CoreRouter to synchronize their clocks. Let’s also con gure
them to use each other for synchronization. This is the symmetric active mode I
mentioned before, basically the two switches will “help” each other to synchronize…this
might be useful in case the CoreRouter fails some day:
After waiting a few minutes you’ll see that SW1 and SW2 have synchronized with each
other:
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 5/15
9/8/2020 Cisco Network Time Protocol (NTP)
Con gurations
Want to take a look for yourself? Here you will nd the nal con guration of each device.
CoreRouter
hostname CoreRouter
!
interface FastEthernet0/0
ip address 192.168.123.3 255.255.255.0
!
ip name-server 8.8.8.8
!
ntp server pool.ntp.org
ntp update-calendar
!
end
SW1
hostname SW1
!
interface FastEthernet0/24
ip address 192.168.123.1 255.255.255.0
!
ntp server 192.168.123.3
ntp peer 192.168.123.2
!
end
SW2
hostname SW2
!
interface FastEthernet0/24
ip address 192.168.123.2 255.255.255.0
!
ntp server 192.168.123.3
ntp peer 192.168.123.1
!
end
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 6/15
9/8/2020 Cisco Network Time Protocol (NTP)
Are we done? Not quite yet…there are a few more things we can do with NTP. The
CoreRouter and the two switches use unicast (UDP port 123) for synchronization but you
can also use multicast or broadcast. Let me give you an example…
I’ll con gure SW1 to use multicast address 239.1.1.1 and SW2 will send NTP updates
through broadcast:
SW1(config)#interface vlan 10
SW1(config-if)#ntp multicast 239.1.1.1
SW2(config-if)#interface vlan 20
SW2(config-if)#ntp broadcast
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 7/15
9/8/2020 Cisco Network Time Protocol (NTP)
You can see that it has synchronized itself and it shows the IP address of SW1. Let’s see if
we can get broadcast to work on R6:
Con gurations
Want to take a look for yourself? Here you will nd the startup con guration of each
device.
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 8/15
9/8/2020 Cisco Network Time Protocol (NTP)
R5
hostname R5
!
interface FastEthernet0/0
ntp multicast client 239.1.1.1
!
end
R6
hostname R6
!
interface FastEthernet0/0
ntp broadcast client
!
end
SW1
hostname SW1
!
interface FastEthernet0/24
ip address 192.168.123.1 255.255.255.0
!
interface vlan 10
ntp multicast 239.1.1.1
!
end
SW2
hostname SW2
!
interface FastEthernet0/24
ip address 192.168.123.2 255.255.255.0
!
interface vlan 20
ntp broadcast
!
end
You now know how to con gure NTP but there is one more important topic to cover…
security! Right now our routers will accept any source as the NTP server and they will
serve any NTP client that requests updates. To protect our network, we will have to
con gure authentication and access-control. Let’s start with authentication.
1.4. Authentication
When we enable authentication, all NTP packets that can update the clock have to be
authenticated. The packets will be authenticated using HMAC MD5 which carries a key
number.
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 9/15
9/8/2020 Cisco Network Time Protocol (NTP)
I want to make sure that SW1 and SW2 will authenticate the CoreRouter so they don’t
just accept any NTP updates from a device that has IP address 192.168.123.3 con gured.
We’ll con gure the router rst:
CoreRouter(config)#ntp authenticate
CoreRouter(config)#ntp trusted-key 1
CoreRouter(config)#ntp trusted-key 2
CoreRouter(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
CoreRouter(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
Each switch will use a di erent key for authentication. The ntp authentication-key
command is required to set the key number and the password. The ntp trusted-key
command is a bit weird, if you don’t use it then the key that you con gured will not be
activated so don’t forget it.
SW1(config)#ntp authenticate
SW1(config)#ntp authentication-key 1 md5 NETWORKLESSONS1
SW1(config)#ntp trusted-key 1
SW1(config)#ntp server 192.168.123.3 key 1
SW2(config)#ntp authenticate
SW2(config)#ntp authentication-key 2 md5 NETWORKLESSONS2
SW2(config)#ntp trusted-key 2
SW2(config)#ntp server 192.168.123.3 key 2
The con guration on the switches is similar but the di erence is that we also speci ed
the key for the NTP server. SW1 and SW2 will only use 192.168.123.3 to synchronize their
clocks if the MD5 signature is correct.
Earlier we con gured SW1 and SW2 to use each other as peers and of course we can also
use authentication for this. It looks like this:
The con guration is similar, con gure a key and make it trusted. We change the NTP
peer command to that it requires authentication.
Authentication is great but there is still one security problem to tackle. A NTP server will
serve updates to any NTP client and a NTP client will accept any IP address as the NTP
server. To solve this we can implement some access-list…let’s take a look!
1.5. Access-Control
First I will con gure the CoreRouter so it only accepts one IP address as its NTP server.
This is tricky since the IP address might change in the future, if you implement this on a
production network you’ll have to make sure that you add all the possible IP address in
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 10/15
9/8/2020 Cisco Network Time Protocol (NTP)
the access-list:
The IP address above is what pool.ntp.org resolves to for me. The ntp access-group
peer command is used to activate the access-list. SW1 and SW2 are the NTP clients for
the CoreRouter but right now everyone can use our router as the NTP server. Let’s x
this so only SW1 and SW2 are allowed as NTP clients:
Problem solved, only SW1 and SW2 are now accepted as NTP clients. Our CoreRouter is
now protected but let’s make some changes on SW1 and SW2 as well:
The con guration above allows SW1 and SW2 to use CoreRouter and each other as NTP
server, no other sources are allowed.
In my example I used a public server for NTP (pool.ntp.org) but you can also
con gure a router or switch as the NTP master and set a stratum number
yourself. If you do this you’ll need the NTP master command and your device
will synchronize its own clock using the 127.127.7.1 or 127.127.1.1 IP address.
Make sure you permit this IP address in your access-list!
After we con gured authentication we can verify if its working or not, here’s an example
for SW1:
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 11/15
9/8/2020 Cisco Network Time Protocol (NTP)
That’s all there is to it. Hopefully this NTP tutorial is helpful for you to understand and
con gure NTP in your network.
Con gurations
Want to take a look for yourself? Here you will nd the startup con guration of each
device.
CoreRouter
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 12/15
9/8/2020 Cisco Network Time Protocol (NTP)
hostname CoreRouter
!
interface FastEthernet0/0
ip address 192.168.123.3 255.255.255.0
!
ip name-server 8.8.8.8
ntp server pool.ntp.org
ntp update-calendar
ntp authenticate
ntp trusted-key 1
ntp trusted-key 2
ntp authentication-key 1 md5 NETWORKLESSONS1
ntp authentication-key 2 md5 NETWORKLESSONS2
!
access-list 1 permit 146.185.130.223
ntp access-group peer 1
ntp access-group serve-only 12
access-list 12 permit 192.168.123.1
access-list 12 permit 192.168.123.2
!
end
SW1
hostname SW1
!
interface FastEthernet0/24
ip address 192.168.123.1 255.255.255.0
!
ntp authenticate
ntp authentication-key 1 md5 NETWORKLESSONS1
ntp trusted-key 1
ntp server 192.168.123.3 key 1
!
ntp authentication-key 12 md5 NETWORKLESSONS12
ntp trusted-key 12
ntp peer 192.168.123.2 key 12
!
access-list 3 permit 192.168.123.2
access-list 3 permit 192.168.123.3
ntp access-group peer 3
!
end
SW2
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 13/15
9/8/2020 Cisco Network Time Protocol (NTP)
hostname SW2
!
interface FastEthernet0/24
ip address 192.168.123.2 255.255.255.0
!
ntp authenticate
ntp authentication-key 2 md5 NETWORKLESSONS2
ntp trusted-key 2
ntp server 192.168.123.3 key 2
!
ntp authentication-key 12 md5 NETWORKLESSONS12
ntp trusted-key 12
ntp peer 192.168.123.1 key 12
!
access-list 3 permit 192.168.123.1
access-list 3 permit 192.168.123.3
ntp access-group peer 3
!
end
If you enjoyed reading this, please share it with your friends / colleagues or leave a
comment if you have any questions!
« Previous Lesson
Cisco Stackwise
Next Lesson
NTPv4 »
Tags: Network Services, NTP
Forum Replies
lagapides
Hello Guy!
The rst complete speci cation of NTP, that is, Version 1, appeared in 1988 (RFC 1059) which provided simple symmetric and client server mode
operation.
Version 2 appeared in 1989 (RFC 1119) and added symmetric key authentication using DES-CBC.
Version 3, which is the version that is most used today was rst described in 1992 (RFC 1305) and has been systematically improved over the years. It
introduced formal correctness principles, revised algorithms and broadcast mode . This is the default version that is available in most Cisco devices using
azmuddincisco
Hello Laz,
A few questions.
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 14/15
9/8/2020 Cisco Network Time Protocol (NTP)
1. Let’s say I have a router that is con gured to receive the ntp information from a ntp server located in the internet. I have also con gured the time
locally by using clock set command. Which time will have more preference? In another words, which time the router will use?
2. What is the command to change time-zone in a router?
3. Let’s say a router is con gured to sync its time from a ntp server and the ntp server is feeding UTC time to the router. However, I like the router to
show EST time in the clock or let’s say in syslog message
... Continue reading in our forum
lagapides
Hello AZM
**Question 1**
When NTP is con gured on a device, there is what is called a poll interval. This interval is dynamic and as client and server become better synced, and
there aren’t any dropped packets, this interval increases to a maximum of 1024 seconds. If you change the time using the clock set command, the time
you set will become the new time. However, when the poll interval is exhausted, the device will re-sync with the NTP server. So any changes you make
manually will be over-ridden at the next poll interval.
**Question 2**
To change the ti
ReneMolenaar
Hi Sreenath,
NTP and PTP have some similarities. NTP is the most common protocol to sync clocks on your network, that’s what you will mostly see on networks
nowadays. We use it to sync the clock on network devices but also computers/servers etc. NTP uses software timestamping and supports millisecond
synchronization.
PTP is similar to NTP but uses hardware timestamping and o ers nanosecond or picosecond-level synchronization.
For 99% of the devices, NTP is good enough but if you have devices where millisecond-level synchronization is not good enough, PTP is an
ReneMolenaar
Hello Kevin,
NTP authentication can be confusing. With your con guration, no authentication occurs because the client isn’t con gured for authentication. I did a
quick lab with your con guration.
The server will send “regular” NTP packets without an MD5 hash. Once you change the ntp server command on the client, it works.
Before:
https://www.cloudshark.org/captures/c40ea3a2748b
After:
https://www.cloudshark.org/captures/e016b1c2e8a8
Once the client wants to use authentication, the server responds with the same MD5
https://networklessons.com/cisco/ccnp-encor-350-401/cisco-network-time-protocol-ntp 15/15