
NTP and Time Synchronization

Imagine every router and switch in your network having a different time — logs become useless for troubleshooting, digital certificates fail, and routing protocols that rely on timestamps behave erratically. That's why NTP (Network Time Protocol) is a foundational IP service on the CCNA 200-301 exam (objective 4.4). This chapter covers how NTP synchronizes clocks across a network, how to configure Cisco devices as NTP clients and servers, and how to verify time synchronization — a skill that separates professional engineers from hobbyists.

Updated May 31, 2026

The Town Clock and Pocket Watches

Imagine a small town in the 1800s. The town has a central clock tower — a highly accurate mechanical clock that is set by the town's astronomer who checks the stars every morning. Every citizen carries a pocket watch. Each day, the citizens walk to the town square, look at the clock tower, and adjust their pocket watches to match. The clock tower is the 'authoritative time source' — the stratum 0 device. The citizens are NTP clients. Now, some citizens are too busy to visit the square every day, so they rely on their neighbor, who does visit the square, to tell them the time. But the neighbor's pocket watch might be a few seconds off, and the neighbor might take a few seconds to walk over and relay the time. This introduces delay. The neighbor is a stratum 1 or 2 NTP server — he is synchronized to the clock tower but adds a small error. In NTP terms, this error is the 'stratum level' and the delay is 'network latency'. The NTP protocol measures the round-trip time (the time it takes for you to ask 'what time is it?' and hear the reply) and calculates the offset to adjust your clock gradually — not by jumping, but by slewing the time (speeding up or slowing down your clock's ticks). If the pocket watch is wildly off (more than 1000 seconds), the citizen might just reset it to the exact time — that's an NTP 'step' adjustment. But if it's close, the citizen adjusts it slowly over several minutes — that's 'slewing'. This mechanism ensures that logs from different devices (different pocket watches) are consistent, and that time-sensitive operations like Kerberos authentication (which requires clocks to be within 5 minutes of each other) work correctly.

How It Actually Works

What is NTP and Why Does It Matter?

Network Time Protocol (NTP) is defined in RFC 5905. It synchronizes clocks of network devices to a common time source, typically Coordinated Universal Time (UTC). On the CCNA exam, NTP is tested under IP Services (4.4). You need to know how to configure NTP client and server roles, understand stratum levels, and verify synchronization.

Why does it matter? Without NTP:

Syslog timestamps are useless for correlating events across devices.

Digital certificates (used in HTTPS, IPsec, etc.) rely on accurate time to check their validity periods.

Some routing protocols (e.g., OSPF) use timestamps for certain features.

AAA protocols like TACACS+ and RADIUS may fail if clocks are too far apart.

How NTP Works: The Mechanism

NTP uses UDP port 123. The protocol operates in a client-server or peer-to-peer hierarchy. The key concepts are:

Stratum: The distance from the reference clock. Stratum 0 is the reference clock (atomic clock, GPS). Stratum 1 is directly synchronized to stratum 0. Stratum 2 is synchronized to stratum 1, and so on. The maximum stratum is 15. Stratum 16 indicates unsynchronized.

Clock synchronization algorithm: NTP calculates the offset and round-trip delay between client and server using timestamps. The client sends a packet with its own timestamp (T1). The server receives it at T2, sends a reply with T2 and its own timestamp T3. The client receives the reply at T4. The offset is calculated as ((T2 - T1) + (T3 - T4)) / 2. The delay is (T4 - T1) - (T3 - T2). The client then adjusts its clock by the offset, but it does so gradually (slewing) unless the offset is large (over 1000 seconds), in which case it steps.

NTP associations: A client can be configured with multiple NTP servers. The client selects the best server based on synchronization distance and stratum.

Authentication: NTP supports MD5-based authentication to prevent time spoofing. The CCNA exam expects you to know how to configure authentication keys.
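The offset and delay formulas above, applied to the timestamp fields of a real 48-byte NTP header. This is an added example, not part of the original chapter: the function names and the sample reply are constructed, and the origin-timestamp check (rejecting a reply that does not echo the client's own T1) comes from RFC 5905 rather than from this page.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
HEADER = struct.Struct("!BBbbII4s8I")   # 48-byte NTP header layout (RFC 5905)

def to_ntp(unix_ts):
    """Unix seconds -> (seconds, fraction) pair of a 64-bit NTP timestamp."""
    whole = int(unix_ts)
    return whole + NTP_UNIX_DELTA, int((unix_ts - whole) * 2**32)

def from_ntp(seconds, fraction):
    """(seconds, fraction) NTP timestamp -> Unix seconds as a float."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def build_reply(stratum, t1, t2, t3):
    """Build a constructed mode-4 (server) reply; used only to create sample input."""
    flags = (0 << 6) | (4 << 3) | 4      # LI=0, version 4, mode 4 (server)
    # Field order: reference, origin (T1), receive (T2), transmit (T3) timestamps.
    return HEADER.pack(flags, stratum, 6, -19, 0, 0, b"GPS\x00",
                       *to_ntp(t2), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def process_reply(packet, sent_t1, t4):
    """Validate a server reply and return (offset, delay) in seconds.

    sent_t1 is the (seconds, fraction) pair the client put in its request;
    t4 is the client's own clock (Unix seconds) when the reply arrived.
    """
    if len(packet) < HEADER.size:
        raise ValueError("short packet")
    f = HEADER.unpack(packet[:HEADER.size])
    flags, stratum = f[0], f[1]
    origin, receive, transmit = f[9:11], f[11:13], f[13:15]
    if flags & 0x7 != 4:
        raise ValueError("not a server reply")
    if not 1 <= stratum <= 15:
        raise ValueError("stratum outside 1-15: server is not a usable time source")
    if origin != sent_t1:
        raise ValueError("origin timestamp does not echo our request")
    t1, t2, t3 = from_ntp(*origin), from_ntp(*receive), from_ntp(*transmit)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay

# Constructed scenario: client clock is 2.5 s behind the server, 20 ms one-way
# latency in each direction, 1 ms of processing time on the server.
T1 = 1_700_000_000.0
SKEW, ONE_WAY, PROC = 2.5, 0.020, 0.001
T2 = T1 + SKEW + ONE_WAY        # server clock on arrival of the request
T3 = T2 + PROC                  # server clock when the reply leaves
T4 = T1 + 2 * ONE_WAY + PROC    # client clock when the reply arrives
SAMPLE = build_reply(1, T1, T2, T3)

if __name__ == "__main__":
    off, dly = process_reply(SAMPLE, to_ntp(T1), T4)
    print(f"offset {off:.3f} s, round-trip delay {dly * 1000:.1f} ms")
```
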

NTP Hierarchy and Stratum Levels

Stratum 0: High-precision time sources (atomic clocks, GPS receivers). These are not directly connected to the network; they connect to a stratum 1 server via a special cable.

Stratum 1: Servers directly synchronized to stratum 0. They are the primary time servers.

Stratum 2: Servers synchronized to stratum 1.

Stratum 3-15: Further down the hierarchy.

Stratum 16: Unsynchronized.

A Cisco device can be configured as an NTP server (providing time to other devices) or client (receiving time from a server). By default, a Cisco device acts as an NTP client if you configure the ntp server command. It will also act as a server for any NTP clients that send requests to it, as long as it is synchronized.

Key Defaults and Timers

NTP uses UDP port 123.

Default polling interval: 64 seconds (minimum), can be up to 1024 seconds.

Synchronization is achieved when the device's clock is within 128 ms of the server (by default).

The ntp update-calendar command syncs the hardware calendar with the NTP software clock.

NTP authentication is disabled by default.

IOS CLI Configuration and Verification

Basic NTP Client Configuration:

```
! Configure an NTP server
ntp server 192.168.1.10

! Optionally set the device as an NTP server for others.
! This makes the device a server with stratum 3 (if it loses its upstream server, it will still serve time as stratum 3)
ntp master 3
```

Verify NTP status:

```
show ntp status
```

Example output:

```
Clock is synchronized, stratum 2, reference is 192.168.1.10
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**19
reference time is D2E3A4B5.6C7D8E9 (12:34:56.789 UTC Mon Mar 1 2021)
clock offset is 0.5234 msec, root delay is 1.23 msec
root dispersion is 3.45 msec, peer dispersion is 1.23 msec
```

Show NTP associations:

```
show ntp associations
```

Example output:

```
address         ref clock     st  when  poll reach  delay  offset   disp
*~192.168.1.10    .GPS.          1   32    64   377   0.523  0.234   0.789
+~192.168.1.11    .GPS.          1   64    64   377   1.234  0.567   1.234
```

* indicates the current synchronization source.

+ indicates a candidate source.

~ indicates the server is reachable.

st is stratum.

when is seconds since last packet received.

poll is polling interval (seconds).

reach is reachability register (377 = 8 consecutive successful polls).

delay, offset, disp are in milliseconds.
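A parser for this output that decodes the octal `reach` register into its eight individual poll results and flags servers worth investigating. This is an added example, not part of the original chapter; the function names are hypothetical and the sample text is constructed, modelled on the rows above with one server whose latest poll failed and one that never answered.

```python
import re

ROW = re.compile(
    r"^\s*(?P<flags>[^\d\s]*)(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)\s*$")

# Constructed sample output.
SAMPLE = """\
address         ref clock     st  when  poll reach  delay  offset   disp
*~192.168.1.10    .GPS.          1   32    64   377   0.523  0.234   0.789
+~192.168.1.11    .GPS.          1   64    64   376   1.234  0.567   1.234
 ~192.168.1.12    .INIT.        16    -    64     0   0.000  0.000 15937.5
"""

def parse_associations(text):
    """Return one dict per association row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["st"] = int(row["st"])
        row["poll"] = int(row["poll"])
        for key in ("delay", "offset", "disp"):
            row[key] = float(row[key])
        rows.append(row)
    return rows

def reach_history(reach):
    """Decode the octal reach register into 8 booleans, most recent poll first."""
    value = int(reach, 8) & 0xFF
    return [bool((value >> i) & 1) for i in range(8)]

def audit(rows):
    """Return (address, issue) pairs for associations that need attention."""
    issues = []
    if not any("*" in r["flags"] for r in rows):
        issues.append(("-", "no synchronization source selected"))
    for r in rows:
        history = reach_history(r["reach"])
        if not any(history):
            issues.append((r["address"], "unreachable: no reply in the last 8 polls"))
        elif not history[0]:
            issues.append((r["address"], "most recent poll got no reply"))
        if r["st"] >= 16:
            issues.append((r["address"], "stratum 16 (unsynchronized)"))
    return issues

if __name__ == "__main__":
    for address, issue in audit(parse_associations(SAMPLE)):
        print(f"{address}: {issue}")
```
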

Show NTP associations detail:

```
show ntp associations detail
```

This shows more detail, including authentication status.

Configure NTP Authentication:

```
! Define an authentication key
ntp authentication-key 1 md5 MySecretKey

! Specify which key is trusted
ntp trusted-key 1

! Enable NTP authentication
ntp authenticate

! On the server side, also configure the same key
! The server must have the same key defined and trusted.
```

Set the device as an NTP server (if it loses its upstream):

```
! Stratum 2
ntp master 2
```

This command makes the device act as an NTP server even if it is not synchronized to an external source. The stratum number you specify is the stratum it will advertise (the device's own stratum becomes that number, not the usual stratum+1). Use with caution to avoid creating a false time source.

Interaction with Other Protocols

Syslog: NTP ensures timestamps in syslog messages are consistent across devices, allowing correlation of events.

Digital Certificates: Certificate validation requires accurate time; NTP prevents certificate errors.

Routing Protocols: Some protocols like OSPF use timestamps for certain features; NTP helps maintain consistency.

AAA: RADIUS and TACACS+ may rely on time for accounting logs.

Exam Tip: Trap Patterns

Stratum levels: Remember that stratum 0 is the reference, stratum 1 is a direct client of stratum 0. A Cisco device configured with ntp server becomes a client; it does not automatically become a server for others unless you also configure ntp master or have it synchronized and allow NTP service (enabled by default).

The `ntp master` command: Candidates often think this command must be used on an NTP server. Actually, it is used on a device that will act as a server when it has no upstream server (e.g., as a backup). If you have a real NTP server, you don't need ntp master on the client.

Authentication: Many candidates forget that authentication must be enabled with ntp authenticate and that the key must be trusted. Simply defining a key is not enough.

Multiple servers: The device selects the best server; not all configured servers are used. You can force a preferred server with ntp server ... prefer.

Verification Commands Summary

show ntp status – synchronization state, stratum, reference.

show ntp associations – list of servers, status, offset.

show ntp associations detail – detailed info including authentication.

show clock – current time.

debug ntp all – use with caution; shows NTP packets.

Walk-Through

1. Configure NTP Client

To configure a Cisco device as an NTP client, use the `ntp server` command followed by the IP address of the NTP server. You can configure multiple servers for redundancy; the device will select the best one based on stratum and synchronization distance. For example:

```
ntp server 192.168.1.10
```

You can also specify a preferred server with the `prefer` keyword:

```
ntp server 192.168.1.10 prefer
```

If the device itself should act as a server for other devices, it will do so automatically once it is synchronized. No additional command is needed unless you want the device to act as a server even when unsynchronized (use `ntp master`).

2. Verify NTP Synchronization

After configuring the NTP server, verify that the device is synchronized. Use `show ntp status` to check if the clock is synchronized, the stratum level, and the reference server. For example:

```
show ntp status
```

Look for "Clock is synchronized" in the output. If it says "Clock is unsynchronized", the device cannot reach any NTP server or the server's time is too far off. Also use `show ntp associations` to see the list of servers and which one is currently selected (marked with `*`).

3. Configure NTP Authentication

To secure NTP exchanges, configure authentication. First, define an authentication key:

```
ntp authentication-key 1 md5 MySecretPassword
```

Then, specify that key as trusted:

```
ntp trusted-key 1
```

Finally, enable NTP authentication globally:

```
ntp authenticate
```

Both client and server must have the same key configured. Without the `ntp authenticate` command, authentication is not enforced even if keys are defined.

4. Configure NTP Server Role

If you want a Cisco device to act as an NTP server for other devices, you generally don't need to do anything extra — it will automatically serve NTP to clients once it is synchronized. However, if you want the device to act as a time source even when it loses its upstream server (e.g., for a small network without external time access), use the `ntp master` command:

```
ntp master 3
```

This command sets the device's stratum to 3. Be careful: if this device later synchronizes to an external server, it will use that server's stratum; the `ntp master` command only takes effect if the device is not synchronized to any server.

5. Troubleshoot NTP Issues

Common troubleshooting steps:

1. Check connectivity: Ensure UDP port 123 is not blocked by ACLs or firewalls. Use `ping` to the NTP server.
2. Verify NTP configuration: Use `show running-config | include ntp` to see all NTP commands.
3. Check NTP status: `show ntp status` and `show ntp associations`. If the association shows `reach` as 0, the server is unreachable.
4. Check time difference: If the device's clock is more than 1000 seconds off, NTP will step the time (a one-time jump). If it's less, it will slew. You can see the offset in `show ntp associations`.
5. Use debug: `debug ntp all` shows NTP packets. Use sparingly on production devices.
6. Ensure the NTP server is configured correctly and is synchronized itself.

6. Set Time Zone and Calendar

NTP synchronizes the software clock, but you may need to set the time zone and update the hardware calendar. Use `clock timezone` to set the time zone:

```
clock timezone EST -5
```

To synchronize the hardware calendar with the NTP-adjusted software clock, use:

```
ntp update-calendar
```

This is important because the hardware calendar is used when the device reboots. Without this command, the device would lose the correct time after a restart until NTP resynchronizes.

What This Looks Like on the Job

In an enterprise network, NTP is often deployed with a hierarchy: one or two internal NTP servers synchronize to external public NTP servers (e.g., pool.ntp.org) or to GPS-based stratum 1 devices. All other network devices (routers, switches, firewalls) then point to these internal servers. This design reduces external traffic and provides a consistent time source even if internet connectivity is lost.

Scenario 1: Core Network with Redundant NTP Servers

A large campus network might have two NTP servers, each synchronized to different external sources. All access switches and routers are configured with both servers as NTP clients. The prefer keyword can be used to prefer one server, but usually the NTP algorithm automatically selects the best. This setup ensures high availability: if one server fails, clients automatically switch to the other.

Scenario 2: Remote Branch with Limited WAN Bandwidth

In a branch office, the WAN link may be slow or unreliable. Configuring NTP to poll less frequently (using ntp server ... maxpoll 10) can reduce traffic. However, the default polling interval is already adaptive. Another approach is to configure the branch router as an NTP server for local devices, and have it sync to the head office NTP server over the WAN. This reduces the number of devices polling over the WAN.

Scenario 3: Secure Environment with NTP Authentication

In a financial or government network, NTP authentication is mandatory to prevent time spoofing attacks. All devices are configured with the same authentication key, and the key is stored securely. The NTP servers are configured to only respond to authenticated requests. This prevents a rogue device from injecting false time and causing log inconsistencies or authentication failures.

Common Misconfigurations and Their Effects

Forgetting ntp update-calendar: After a reboot, the device's clock is incorrect until NTP resynchronizes, which can take minutes. During that time, logs have wrong timestamps and certificates may be rejected.

Using ntp master on a client that also has an upstream server: This can cause the device to advertise a lower stratum than it should, potentially becoming a preferred server for other devices even though its time is less accurate.

Blocking UDP 123 on firewalls: NTP traffic is often blocked inadvertently. Always ensure firewall rules permit NTP traffic from clients to servers.

Authentication mismatch: If the client and server have different keys or the key is not trusted, authentication fails and the client will not synchronize. The show ntp associations detail command shows authentication status.

Performance Considerations

NTP uses very little bandwidth (one packet every 64 seconds per server). The main consideration is accuracy: the closer the client is to the server (in terms of network delay), the more accurate the synchronization. For critical applications, use local stratum 1 or 2 servers.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 4.4 (Configure and verify NTP) typically tests the following:

Configuration: Given a scenario, configure a device as an NTP client with a specific server IP. Sometimes authentication is required. You must know the exact commands: ntp server, ntp authentication-key, ntp trusted-key, ntp authenticate.

Verification: You may be shown output from show ntp status or show ntp associations and asked to interpret the state (synchronized or not, stratum, reference).

Troubleshooting: Identify why a device is not synchronizing (e.g., wrong server IP, authentication failure, firewall blocking).

Common Wrong Answers and Traps

1. Stratum confusion: Candidates often think a device configured with ntp server becomes a stratum 1 server. Actually, it becomes a client; its stratum is one more than the server's stratum. If the server is stratum 2, the client is stratum 3.

2. Forgetting authentication: A common question: "An engineer configured ntp authentication-key 1 md5 cisco and ntp trusted-key 1, but the device is not synchronizing. What is missing?" The answer: ntp authenticate must be enabled globally. Many candidates think defining the key and trusting it is enough.

3. The `ntp master` command: Some candidates think you must configure ntp master on every NTP server. Actually, ntp master is only needed if the device should act as a server even when it has no upstream source. If a device is synchronized to an external server, it automatically becomes a server for others.

4. Multiple servers: A question may show show ntp associations with multiple servers, one marked with * and one with +. The candidate might think both are used equally. The * indicates the current synchronization source; the + is a candidate that is not currently used.

Specific Values and Commands to Memorize

NTP uses UDP port 123.

Default polling interval: 64 seconds (min), 1024 seconds (max).

show ntp status output: look for "Clock is synchronized" or "unsynchronized".

show ntp associations output: the * indicates the current sync source.

ntp update-calendar syncs hardware clock.

ntp master [stratum] sets the stratum for the device when it has no upstream server.

Decision Rule for Scenario Questions

If a question asks why a device is not synchronizing, follow this logic:

1. Is the NTP server reachable? (ping, ACL check)
2. Is NTP authentication configured correctly? (keys, trusted, enabled)
3. Is the client's clock too far off? (more than 1000 seconds offset may cause stepping, but still syncs)
4. Is the server itself synchronized? (if server is stratum 16, it won't sync clients)

Elimination Strategy: On multiple-choice questions, eliminate answers that mention non-existent commands (e.g., ntp enable) or incorrect port numbers (e.g., UDP 161).

Key Takeaways

NTP uses UDP port 123 for time synchronization.

Stratum levels: 0 (reference), 1-15 (synchronized), 16 (unsynchronized).

Configuration commands: `ntp server`, `ntp authentication-key`, `ntp trusted-key`, `ntp authenticate`.

Verification commands: `show ntp status`, `show ntp associations`, `show ntp associations detail`.

The `*` in `show ntp associations` indicates the current synchronization source.

`ntp master` sets the device as a server with a specified stratum when no upstream server is available.

`ntp update-calendar` syncs the hardware calendar with the software clock.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

NTP Client

Synchronizes its clock to a server.

Uses `ntp server` command.

Stratum is one higher than its server.

Does not require `ntp master`.

Can act as a server for others if synchronized.

NTP Server

Provides time to clients.

Can be a dedicated server or a device with `ntp master`.

Stratum is typically lower than clients.

May require `ntp master` if no upstream.

Must be synchronized to a reliable source.

Watch Out for These

Mistake

A device configured with `ntp server` becomes an NTP server.

Correct

The `ntp server` command configures the device as an NTP client. It will synchronize to the specified server. It can also act as a server for other devices if it is synchronized, but no special command is needed for that.

Candidates confuse the role of `ntp server` with `ntp master`.

Mistake

NTP authentication is enabled by just defining a key and trusting it.

Correct

You must also issue the `ntp authenticate` command to enable authentication globally. Without it, authentication is not enforced.

Candidates assume that defining a key automatically enables authentication.

Mistake

The `ntp master` command is required on all NTP servers.

Correct

`ntp master` is only needed if the device should act as a server when it has no upstream NTP source. If the device is synchronized to an external server, it automatically serves time to clients.

Candidates think `ntp master` is the command to make a device a server.

Mistake

If multiple NTP servers are configured, the device uses all of them equally.

Correct

The device selects the best server based on stratum and synchronization distance. Only one server is used for synchronization at a time (the one marked with `*` in `show ntp associations`).

Candidates assume load balancing or failover works like other protocols.


Frequently Asked Questions

What port does NTP use?

NTP uses UDP port 123. Both client and server use this port. In Cisco IOS, you do not need to configure the port; it is built-in. When troubleshooting, ensure that access control lists (ACLs) and firewalls permit UDP 123 traffic between devices.

What is the difference between `ntp server` and `ntp peer`?

`ntp server` configures the device as a client that synchronizes to a server. `ntp peer` configures a symmetric active peer relationship where both devices can synchronize to each other. In CCNA, you only need to know `ntp server`. Peering is used for redundancy in more complex deployments.

How do I make a Cisco switch an NTP server for other devices?

If the switch is synchronized to an NTP server (via `ntp server`), it will automatically act as an NTP server for other devices that point to it. No additional command is needed. However, if you want the switch to act as a server even when it loses its upstream source, use `ntp master [stratum]`.

What does stratum 16 mean in NTP?

Stratum 16 indicates that the device is unsynchronized. It means the device has not successfully synchronized to any NTP server. A device with stratum 16 cannot provide time to other devices. You will see this in `show ntp status` if synchronization fails.

Why does my device show 'Clock is unsynchronized' even though I configured an NTP server?

Possible reasons: (1) The NTP server is unreachable (check ping, ACLs). (2) The server is not synchronized itself (check its stratum). (3) NTP authentication is misconfigured (keys, trusted, enable). (4) The client's clock is too far off (more than 1000 seconds) – NTP can still sync, but it may take longer. Use `show ntp associations` to see if the server is reachable (reach column).

What is the `ntp update-calendar` command used for?

This command updates the hardware calendar (the battery-backed clock) with the NTP-synchronized software clock. Without it, the hardware calendar may have a different time, and after a reboot, the device will use the hardware calendar until NTP resynchronizes, causing a period of incorrect time.

How does NTP handle clock skew?

NTP uses a gradual adjustment called 'slewing' if the offset is less than 1000 seconds. It speeds up or slows down the clock by a small amount each second until the offset is eliminated. If the offset is greater than 1000 seconds, NTP will 'step' the time (a sudden jump). You can see the offset in `show ntp associations`.
