
Lab: Configure NTP Server and Client

Time synchronization is critical for network devices — logs, certificates, and routing protocols all rely on accurate timestamps. In the CCNA 200-301 exam, objective 4.4 requires you to configure and verify NTP (Network Time Protocol) on Cisco IOS devices. This lab walks you through setting up an NTP server and client, a common real-world task that ensures your network has a single source of truth for time.

Updated May 31, 2026

The Town Clock and Your Wristwatch

Think of an NTP server as the town clock tower in a small village. The clock tower is authoritative — it gets its time from a highly accurate source (maybe an atomic clock or GPS). Every person in the village sets their wristwatch by looking at the town clock. If your watch is off by a few minutes, you adjust it based on the clock tower. But you don't run to the clock tower every second; you check it periodically (say, every morning). NTP works similarly: the server is the authoritative time source, and clients periodically synchronize their clocks to it. The protocol uses a hierarchy — the town clock might itself sync to a regional master clock (like a Stratum 1 server). If the town clock stops working, people might compare watches among themselves (like NTP peers) to maintain reasonable accuracy until the clock tower is fixed. The key mechanism is that NTP doesn't just copy the time; it measures the network round-trip delay and adjusts the client's clock gradually to avoid sudden jumps, just as you wouldn't set your watch forward 5 minutes instantly if you know it's slow — you'd move the hands gradually to avoid confusion. This gradual adjustment is called 'slewing' and prevents disruptions to applications that rely on monotonic time.

How It Actually Works

What is NTP and Why Does It Matter?

NTP (Network Time Protocol) is a protocol used to synchronize the clocks of network devices over a packet-switched network. It uses a hierarchical system of time sources, with each level called a stratum. Stratum 0 devices are highly accurate clocks (e.g., atomic clocks, GPS receivers). Stratum 1 servers are directly connected to Stratum 0 sources. Stratum 2 servers sync with Stratum 1, and so on. Cisco routers and switches typically operate as Stratum 2-10 clients and can also act as servers for downstream devices.

On the CCNA exam, you must know how to configure a router as an NTP server (using its own clock or an upstream server) and as a client. You also need to verify synchronization with show commands.

How NTP Works Step by Step

NTP uses UDP port 123. The client sends a request packet to the server with its current timestamp (originate timestamp). The server receives it, adds its own receive timestamp, processes the request, and sends a response packet containing the originate timestamp, receive timestamp, and transmit timestamp (the time the response was sent). The client then records the time it receives the response (destination timestamp).

Using these four timestamps, the client calculates the round-trip delay and the offset between its clock and the server's clock. The formula is:

Offset = ((receive_timestamp - originate_timestamp) + (transmit_timestamp - destination_timestamp)) / 2

Delay = (destination_timestamp - originate_timestamp) - (transmit_timestamp - receive_timestamp)

The client then adjusts its clock by the offset. NTP uses a discipline algorithm to gradually slew the clock to avoid abrupt changes.
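The four-timestamp calculation above, worked through on a constructed 48-byte server reply (an added example, not part of the original lab). The function names and the sample packet are assumptions made for illustration; the sample models a client clock that is 250 ms slow, with 10 ms of network delay each way.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def to_unix(raw):
    """8-byte NTP timestamp (32-bit seconds + 32-bit fraction) -> Unix seconds."""
    sec, frac = struct.unpack("!II", raw)
    return sec - NTP_UNIX_DELTA + frac / 2**32

def to_ntp(t):
    """Unix seconds -> 8-byte NTP timestamp (used only to build the sample)."""
    sec = int(t)
    return struct.pack("!II", sec + NTP_UNIX_DELTA, int((t - sec) * 2**32))

def parse_reply(pkt):
    """Pull the fields the client needs out of a 48-byte NTP header."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes")
    return {
        "leap": pkt[0] >> 6,            # 3 = server clock not synchronized
        "version": (pkt[0] >> 3) & 7,
        "mode": pkt[0] & 7,             # 4 = server reply
        "stratum": pkt[1],
        "originate": to_unix(pkt[24:32]),
        "receive": to_unix(pkt[32:40]),
        "transmit": to_unix(pkt[40:48]),
    }

def usable(reply):
    """Accept only replies from a synchronized server (stratum 1-15)."""
    return reply["mode"] == 4 and reply["leap"] != 3 and 1 <= reply["stratum"] <= 15

def offset_and_delay(reply, destination):
    """Apply the two formulas above; destination is the client's receive time."""
    t1, t2, t3, t4 = reply["originate"], reply["receive"], reply["transmit"], destination
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

def build_sample(leap=0, stratum=5):
    """Constructed reply: client 250 ms slow, 10 ms each way, 1 ms on the server."""
    t1 = 1700000000.0                      # client sends (client clock)
    t2 = t1 + 0.010 + 0.250                # server receives (server clock)
    t3 = t2 + 0.001                        # server replies (server clock)
    t4 = t1 + 0.021                        # client receives (client clock)
    header = struct.pack("!BBBbII4s", (leap << 6) | (3 << 3) | 4, stratum, 6, -10,
                         0, 0, b"LOCL")    # poll 2^6, constructed reference ID
    pkt = header + to_ntp(t3) + to_ntp(t1) + to_ntp(t2) + to_ntp(t3)
    return pkt, t4

if __name__ == "__main__":
    pkt, t4 = build_sample()
    reply = parse_reply(pkt)
    off, dly = offset_and_delay(reply, t4)
    print(f"stratum {reply['stratum']} usable={usable(reply)} "
          f"offset={off * 1000:.1f} ms delay={dly * 1000:.1f} ms")
```

The positive offset means the client clock is behind the server; the delay is the round trip with the server's processing time removed.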

Key States, Timers, and Defaults

Stratum: Range 0-15. 0 is primary reference. 16 means unsynchronized. Default stratum on Cisco routers is 16 until they sync.

Poll interval: Default is 64 seconds (2^6). Can be configured with the ntp update-calendar command.

Synchronization status: show ntp status displays clock is synchronized, stratum, reference clock, etc.

NTP associations: show ntp associations lists configured servers/peers and their state (sys.peer, candidate, etc.).

IOS CLI Verification Commands

```
Router# show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.10
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**10
ntp uptime is 3600 seconds, resolution is 1000 msec
Router# show ntp associations
  address         ref clock       st  when  poll reach  delay  offset   disp
*~192.168.1.10    .GPS.           1   23    64    377   1.234  0.123   0.456
+~192.168.1.11    .GPS.           1   45    64    177   1.567 -0.234   0.789
```

* indicates the current synchronization source (sys.peer).

+ indicates a candidate.

st is stratum.

when is seconds since last packet received.

poll is poll interval in seconds.

reach is octal reachability register.

delay and offset are in milliseconds.
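As an added example (not part of the original lab or any Cisco tooling), this parser reads `show ntp associations` text, decodes the octal reach register into per-poll results, and reports associations that need attention. The first two sample rows are the output above; the third row and all function names are constructed for illustration.

```python
import re

ROLE = {"*": "sys.peer", "+": "candidate", "-": "outlyer"}  # legend used in this lab
ROW = re.compile(r"\s*([^\d\s]*)(\d+\.\d+\.\d+\.\d+)\s+(.+)")

def decode_reach(octal_text):
    """Octal reach register -> (value, newest-first list of 8 poll results)."""
    value = int(octal_text, 8) & 0xFF
    return value, [bool(value >> i & 1) for i in range(8)]

def parse_associations(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # prompt, header or blank line
        flags, address, rest = m.groups()
        fields = rest.split()
        if len(fields) != 8:
            continue                      # not an association row
        ref, st, when, poll, reach, delay, offset, disp = fields
        value, polls = decode_reach(reach)
        rows.append({
            "address": address,
            "role": ROLE.get(flags[:1], "unselected"),
            "stratum": int(st),
            "reach": value,
            "polls": polls,               # polls[0] is the most recent poll
            "delay_ms": float(delay),
            "offset_ms": float(offset),
        })
    return rows

def findings(rows):
    out = []
    if not any(r["role"] == "sys.peer" for r in rows):
        out.append("no sys.peer: the clock has no synchronization source")
    for r in rows:
        if r["reach"] == 0:
            out.append(f"{r['address']}: reach 0, no packets received")
        elif not r["polls"][0]:
            out.append(f"{r['address']}: most recent poll went unanswered")
        if r["stratum"] == 16:
            out.append(f"{r['address']}: stratum 16, server is unsynchronized")
    return out

# Rows 1-2 are the lab's output; row 3 is constructed to show an unreachable server.
SAMPLE = """\
Router# show ntp associations
  address         ref clock       st  when  poll reach  delay  offset   disp
*~192.168.1.10    .GPS.           1   23    64    377   1.234  0.123   0.456
+~192.168.1.11    .GPS.           1   45    64    177   1.567 -0.234   0.789
 ~192.168.1.12    .INIT.          16  -     64    0     0.000  0.000   16000.0
"""

if __name__ == "__main__":
    for row in parse_associations(SAMPLE):
        print(row["address"], row["role"], f"{row['reach']:08b}")
    print(findings(parse_associations(SAMPLE)))
```

A reach of 177 decodes to `01111111`: the oldest of the last eight polls was missed and the seven most recent were answered.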

Interaction with Related Protocols

NTP does not directly interact with routing protocols, but accurate time is essential for:

- Syslog: Timestamps for logging.
- Digital certificates: Certificate validity periods.
- Routing protocols like OSPF: OSPF uses timestamps in LSAs; clock skew can cause issues.
- SNMP: Time-based alarms.

NTP can also be used with multicast (224.0.1.1) for automatic discovery.

Walk-Through

1. Configure NTP Server

First, configure the router that will act as the NTP server. This router can either use its own calendar (clock) as the time source or sync to an upstream server. For this lab, we'll use the router's local clock as the primary source.

```
Router(config)# ntp master 5
```

This command sets the router as an NTP master with stratum 5. The stratum value (1-15) indicates the trust level. Lower is more accurate. If you have an upstream server, you would use `ntp server <ip>` on the server router as well, but then the server becomes a client too. Optionally, set the clock manually:

```
Router# clock set 14:30:00 15 March 2025
```

Make sure to also set the time zone and summer-time if needed:

```
Router(config)# clock timezone EST -5
Router(config)# clock summer-time EDT recurring
```

2. Configure NTP Client

On the client router, configure it to point to the NTP server's IP address. The client will then send NTP packets to the server to synchronize its clock.

```
Router(config)# ntp server 192.168.1.10
```

Replace 192.168.1.10 with the actual IP of the NTP server. The client will automatically use NTP version 3 by default (can be changed with `ntp server version 4`). You can also configure multiple servers for redundancy:

```
Router(config)# ntp server 192.168.1.11
```

The client will select the best server based on stratum, delay, and offset. To verify the client's configuration, use:

```
Router# show ntp status
Router# show ntp associations
```

3. Configure NTP Authentication (Optional)

NTP authentication ensures that the client only syncs with trusted servers. This prevents rogue devices from injecting false time. First, enable NTP authentication globally:

```
Router(config)# ntp authenticate
```

Define an authentication key:

```
Router(config)# ntp authentication-key 1 md5 cisco123
```

Specify which key is trusted:

```
Router(config)# ntp trusted-key 1
```

On the server, you must also configure the same key and trust it. Then on the client, associate the key with the server:

```
Router(config)# ntp server 192.168.1.10 key 1
```

Now the client will only accept NTP messages from that server if they contain the correct key. Verify authentication with:

```
Router# show ntp associations detail
```

Look for `authenticated = yes`.
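A check a reviewer can run over a saved configuration to confirm that all four authentication pieces from this step are present (an added example, not Cisco code). The function name and both sample configurations are constructed; the parser assumes plain configuration lines without the CLI prompt and one key number per `ntp trusted-key` line.

```python
import re

def audit_ntp_auth(config):
    """Return a list of findings; an empty list means the four pieces line up."""
    authenticate = False
    defined, trusted, associations = set(), set(), []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp authentication-key (\d+) ", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(int(m.group(1)))
        elif m := re.match(r"ntp (server|peer) (?:vrf \S+ )?(\S+)(.*)", line):
            key = re.search(r"\bkey (\d+)", m.group(3))
            associations.append(
                (m.group(1), m.group(2), int(key.group(1)) if key else None))

    findings = []
    if not authenticate:
        findings.append("ntp authenticate is not configured")
    for kind, addr, key in associations:
        if key is None:
            findings.append(f"ntp {kind} {addr}: no key associated")
        elif key not in defined:
            findings.append(f"ntp {kind} {addr}: key {key} is not defined")
        elif key not in trusted:
            findings.append(f"ntp {kind} {addr}: key {key} is not trusted")
    return findings

# Constructed sample: trusted-key forgotten, second server left without a key.
INCOMPLETE = """\
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp server 192.168.1.10 key 1
ntp server 192.168.1.11
"""

# Constructed sample: the client configuration exactly as built in this step.
COMPLETE = """\
ntp authenticate
ntp authentication-key 1 md5 cisco123
ntp trusted-key 1
ntp server 192.168.1.10 key 1
"""

if __name__ == "__main__":
    for name, cfg in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, audit_ntp_auth(cfg) or "ok")
```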

4. Configure NTP Broadcast/Multicast

Instead of each client sending unicast requests, the server can broadcast NTP messages. Clients listen and sync passively. This reduces overhead in large networks. On the server, enable NTP broadcast on an interface:

```
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ntp broadcast
```

By default, broadcasts are sent every 64 seconds. On the client, enable NTP broadcast client on the same interface:

```
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ntp broadcast client
```

The client will listen for NTP broadcasts and sync. For multicast, use:

```
Router(config-if)# ntp multicast 224.0.1.1
Router(config-if)# ntp multicast client 224.0.1.1
```

The multicast address 224.0.1.1 is reserved for NTP. Verify with:

```
Router# show ntp associations
```

You should see the server's address with a `~` (broadcast) or `#` (multicast) prefix.

5. Verify and Troubleshoot NTP

After configuration, verify synchronization. Use the following commands:

```
Router# show ntp status
```

Look for "Clock is synchronized" and the stratum level.

```
Router# show ntp associations
```

The `*` indicates the current sync source. If the clock is not synchronized, check:

- Reachability: `show ntp associations` reach column should be non-zero.
- Time difference: If the client's clock is too far off (more than 1000 seconds by default), NTP will not sync. You may need to manually set the clock close first: `clock set`.
- Firewall: Ensure UDP port 123 is allowed between client and server.
- Debug: `debug ntp packets` (use with caution in production).

To see detailed association information:

```
Router# show ntp associations detail
```

This shows authentication status, reference ID, etc.

6. Configure NTP Peers (Optional)

NTP peers are devices that sync with each other at the same stratum level. This provides redundancy. For example, two routers can be peers; if one loses its upstream server, it can still maintain time from the peer. Configure NTP peering:

```
Router(config)# ntp peer 192.168.1.12
```

Both routers should have the peer command pointing to each other. Peering uses a different association type. In `show ntp associations`, a peer is indicated with `=`. Peering is useful when you have multiple NTP servers that are equally accurate. They can cross-check each other and prevent drift. Note: NTP peers do not change stratum; they exchange time but do not act as servers for each other in the traditional sense.

What This Looks Like on the Job

In enterprise networks, NTP is foundational. Consider a large campus with hundreds of switches and routers. Without NTP, logs from different devices would have timestamps that are minutes or hours off, making incident correlation impossible. A typical deployment uses two or three internal NTP servers (maybe Linux servers or Cisco routers) that sync to external Stratum 1 servers (like pool.ntp.org or GPS-based appliances). All network devices point to these internal servers. This reduces external traffic and provides a consistent time source even if the internet goes down.

Another scenario: A data center with strict audit requirements. Financial transactions must have accurate timestamps. Here, NTP authentication is often mandatory to prevent time spoofing. The network team configures keys and ensures all devices use only authenticated servers.

Performance considerations: NTP traffic is minimal — a few packets per minute per client. However, in very large networks (thousands of devices), you might use NTP broadcast or multicast to reduce server load. Also, consider using local hardware clocks (like GPS) for Stratum 1 accuracy.

Misconfiguration: A common mistake is not setting the time zone or daylight saving rules. The router's clock might show UTC correctly, but logs show the wrong local time. Another issue: if the NTP server's clock is wrong (e.g., due to a dead CMOS battery), all clients will sync to the wrong time, causing widespread problems. Always verify with show ntp status and cross-check with an external source.

Finally, NTP can be used with VRF (VPN Routing and Forwarding) in MPLS networks. You must specify the VRF in the ntp server command: ntp server vrf Mgmt-intf 10.0.0.1. This is common in service provider environments.

How CCNA 200-301 Actually Tests This

For CCNA 200-301, exam objective 4.4 expects you to configure and verify NTP (server and client) using CLI. The exam may present a scenario with two routers and ask you to choose the correct configuration commands. Key points:

1. Exact commands: Know ntp master [stratum], ntp server <ip>, ntp peer <ip>, ntp authenticate, ntp authentication-key, ntp trusted-key. Also show ntp status, show ntp associations, show ntp associations detail.

2. Common wrong answers:

- Using ntp client instead of ntp server (there is no ntp client command).
- Forgetting ntp trusted-key — without it, authentication keys are ignored.
- Setting stratum too high (e.g., 16) on the master — that means unsynchronized.
- Confusing NTP broadcast with multicast — broadcast uses 255.255.255.255; multicast uses 224.0.1.1.

3. Specific values: Default stratum on a router not synced is 16. The show ntp associations output uses * for sys.peer, + for candidate, - for outlyer, ~ for broadcast. The poll interval is 64 seconds by default (2^6). The reach register is octal.

4. Calculation traps: None directly, but you may need to interpret the delay/offset values in milliseconds. Remember that offset can be positive or negative.

5. Decision rule: If a question asks to configure a router as an NTP server to provide time to other devices, use ntp master. If the router needs to get time from an external source, use ntp server. If both, you can combine them: ntp server to sync upstream, and the router automatically acts as a server for downstream clients.

Also, know that by default, NTP uses version 3. You can change to version 4 with ntp server version 4 or ntp peer version 4.

Finally, be aware of the ntp update-calendar command — it updates the hardware calendar when the clock is synchronized, so the time survives a reboot. Without it, the clock resets to a default (often 1993) after reload.

Key Takeaways

NTP uses UDP port 123.

Stratum levels: 0 (primary reference) to 15 (maximum usable), 16 = unsynchronized.

Configure NTP server: `ntp master [stratum]`.

Configure NTP client: `ntp server <ip>`.

NTP authentication requires `ntp authenticate`, `ntp authentication-key`, `ntp trusted-key`, and key association on the server command.

Verification commands: `show ntp status`, `show ntp associations`, `show ntp associations detail`.

The `*` in `show ntp associations` indicates the current synchronization source (sys.peer).

Default poll interval is 64 seconds.

NTP broadcast uses `ntp broadcast` and `ntp broadcast client` on interfaces.

NTP multicast uses address 224.0.1.1.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NTP Server

Provides time to clients.

Typically has a lower stratum number.

Configured with 'ntp server' (client side) or 'ntp master' (server side).

Clients sync to the server's time.

One-way synchronization (server -> client).

NTP Peer

Exchanges time with another device at same stratum.

Both devices can adjust each other's time.

Configured with 'ntp peer' on both devices.

Used for redundancy and cross-checking.

Two-way synchronization (peer <-> peer).

Watch Out for These

Mistake

You need to configure a separate 'ntp client' command on the client router.

Correct

There is no 'ntp client' command. The client is configured with 'ntp server <ip>' which makes the router both a client (to that server) and potentially a server to others.

Candidates confuse the role with the command; the server command actually makes the router act as a client to that server.

Mistake

NTP authentication is enabled by default.

Correct

NTP authentication is disabled by default. You must manually enable it with 'ntp authenticate' and configure keys and trusted keys.

Many candidates assume security features are on by default, but NTP authentication is optional and off.

Mistake

The 'ntp master' command automatically sets the router's clock to the correct time.

Correct

The 'ntp master' command only designates the router as a time source; you still need to set the clock manually (or via an upstream server) for it to be accurate.

Candidates think 'master' implies it gets time from somewhere; it actually just advertises itself as a server.

Mistake

NTP peers are the same as NTP servers.

Correct

NTP peers are devices at the same stratum level that exchange time for mutual synchronization, whereas servers are at a lower stratum. Peers do not change stratum.

The term 'peer' is often misunderstood as just another server; the difference in stratum and behavior is subtle.


Frequently Asked Questions

What is the default stratum of a Cisco router that is not synchronized to any NTP server?

The default stratum is 16, which indicates unsynchronized. When you configure `ntp server` and it successfully syncs, the stratum becomes one more than the server's stratum (e.g., if server is stratum 2, client becomes stratum 3). If you configure `ntp master`, you set the stratum manually (1-15). Exam tip: If you see stratum 16 in `show ntp status`, the clock is not synchronized.

Can a router be both an NTP server and client simultaneously?

Yes. For example, a router can use `ntp server 192.168.1.1` to sync to an upstream server, and automatically act as an NTP server for downstream devices. You do not need an additional command. The router will advertise itself as a server with a stratum one higher than its upstream. Exam tip: This is a common scenario in hierarchical networks.

What is the difference between NTP broadcast and NTP multicast?

NTP broadcast sends packets to the broadcast address (255.255.255.255) on a subnet, so only devices on that subnet receive them. NTP multicast uses the IP multicast address 224.0.1.1, which can span multiple subnets if routers are configured for multicast routing. Both reduce client configuration overhead. Exam tip: Know that broadcast is limited to a single subnet, while multicast can cross routers with PIM.

How do I verify that NTP authentication is working?

Use `show ntp associations detail`. Look for the line `authenticated = yes` for the association. Also, `show ntp status` will show authentication enabled if configured. If authentication fails, the association will not reach the synchronized state. Exam tip: If you see `authenticated = no` but you have configured keys, check that you used `ntp trusted-key` and that the key number matches on both sides.

What does the 'reach' value in `show ntp associations` mean?

The 'reach' value is an octal bitmask (8 bits) that indicates whether recent NTP packets were received. Each time a packet is expected, a shift register updates. A value of 377 (octal) means all recent 8 packets were received (11111111 binary). Lower values indicate packet loss. Exam tip: If reach is 0, no packets have been received; check connectivity and firewall rules.

Can I use NTP over a VRF?

Yes. Use the `ntp server vrf <vrf-name> <ip>` command. For example, if the management interface is in VRF Mgmt-intf, configure `ntp server vrf Mgmt-intf 10.0.0.1`. This ensures NTP packets use the correct routing table. Exam tip: This is a newer addition to the CCNA syllabus; be aware of the VRF option.

What happens if the NTP server goes down?

The client will continue using its last synchronized time for a while, but over time it will drift. If multiple servers are configured, the client will switch to another server (if available). If no servers are reachable, the clock will eventually become unsynchronized (stratum 16). Exam tip: Always configure at least two NTP servers for redundancy.
