Time synchronization is a silent backbone of modern networks — without it, logs become useless, authentication fails, and certificate validation breaks. The Network Time Protocol (NTP) solves this with a hierarchical stratum model that defines how far a device is from an authoritative time source. For the CCNA 200-301 exam (objective 4.4), you need to understand the stratum hierarchy, how NTP authentication works, and how to configure both on Cisco IOS devices. This chapter covers the mechanism, configuration, verification, and common exam traps.
Jump to a section
Imagine a central atomic clock at an observatory — this is the ultimate time source, Stratum 0. It broadcasts time signals that only specialized receivers can decode directly. Now picture a university campus that connects to that observatory via a dedicated radio link; their master clock (Stratum 1) receives the signal and adjusts itself to within microseconds. The university's clock then serves time to department buildings (Stratum 2) over Ethernet, each building's clock syncing to the master. Those department clocks in turn serve time to floor switches (Stratum 3), and those switches serve time to desktop computers (Stratum 4). Each hop adds a small delay and potential jitter, so the stratum number increases with distance from the source. If the university's master clock loses its radio link, it can still operate using its internal oscillator but will slowly drift — it then considers itself Stratum 16 (unsynchronized). Authentication works like a secret handshake: each clock shares a pre-agreed key, and when a department clock requests the time, it includes a cryptographic digest of the request using that key. The master clock verifies the digest before sending the time, ensuring no rogue device can impersonate the time source. Without authentication, an attacker could send fake time updates, causing log inconsistencies or even breaking Kerberos authentication.
What is NTP and Why Stratum?
NTP is a protocol designed to synchronize clocks of computer systems over packet-switched networks. The core challenge is that network delays are variable, so simply measuring round-trip time and halving it isn't enough — NTP uses sophisticated algorithms to filter out jitter and estimate the true offset. The stratum level indicates the distance from the reference clock. Stratum 0 is the reference clock itself (atomic clock, GPS receiver). Stratum 1 servers are directly connected to Stratum 0 devices. Stratum 2 servers sync to Stratum 1, and so on. Stratum 16 indicates an unsynchronized device. The maximum usable stratum is 15; anything beyond is considered unreliable.
How NTP Works Step by Step
NTP clients send NTP packets to servers using UDP port 123. The exchange involves four timestamps: T1 (client send time), T2 (server receive time), T3 (server transmit time), and T4 (client receive time). The client calculates the round-trip delay (RTT) as (T4 - T1) - (T3 - T2) and the offset as ((T2 - T1) + (T3 - T4)) / 2. The client then adjusts its clock gradually (slewing) to avoid abrupt changes, unless the offset is large, in which case it steps the clock. Cisco devices default to using NTP version 4.
NTP Modes of Operation
Client/Server: The client sends a request, the server responds. This is the most common mode for CCNA.
Symmetric Active: Two devices peer with each other; both can synchronize to each other. Used for redundancy.
Broadcast: Server sends unsolicited updates to a broadcast address; clients listen passively.
NTP Authentication
NTP authentication ensures that a device only synchronizes to trusted time sources. It uses a Message Digest (MD5) or SHA hash. The server and client share a key (a string) identified by a key number. The client sends a request with an authentication field containing the key ID and a hash of the packet (including the timestamp). The server verifies the hash using the same key and responds only if the hash matches. Without authentication, an attacker could spoof NTP packets and cause a denial of service or time manipulation.
Defaults and Timers
Poll interval: Default is 64 seconds (min 16, max 1024). Cisco uses ntp update-calendar to update the hardware calendar from the NTP software clock.
Stratum: Cisco devices default to Stratum 16 when not synchronized. When configured as an NTP master (using ntp master [stratum]), they can act as a time source for other devices.
Authentication: Disabled by default. Keys are configured globally and then associated with a peer/server.
IOS CLI Commands and Verification
Configure NTP server on a Cisco device:
! Set the time zone (optional but recommended)
clock timezone EST -5
clock summer-time EDT recurring
! Configure NTP server
ntp server 192.168.1.10
! Enable authentication
ntp authenticate
ntp authentication-key 1 md5 MySecretKey
ntp trusted-key 1
! Associate key with server
ntp server 192.168.1.10 key 1Verification commands:
show ntp status
show ntp associations
show ntp associations detailExample output of show ntp status:
Clock is synchronized, stratum 3, reference is 192.168.1.10
nominal freq is 250.0000 Hz, actual freq is 249.9990 Hz, precision is 2**18
reference time is D8A4B3C4.12345678 (12:34:56.789 EST Mon Mar 1 2021)
clock offset is 0.1234 msec, root delay is 12.34 msec
root dispersion is 10.56 msec, peer dispersion is 5.67 msecInteraction with Related Protocols
NTP is critical for accurate logging (syslog), authentication (Kerberos, 802.1X), and certificate validation. If a device's time is off by more than 5 minutes, many security protocols will fail. NTP does not depend on any other protocol but relies on IP connectivity and UDP.
Configure NTP Server Reference
Identify your authoritative time source. In a lab, you can use a public NTP server (e.g., pool.ntp.org) or configure a Cisco device as a master using `ntp master [stratum]`. For example, `ntp master 4` makes the device a Stratum 4 source. In production, you typically point to internal Stratum 1 or 2 servers. On the client, use `ntp server <ip-address>` to specify the server.
Enable NTP Authentication Globally
First, enable NTP authentication with `ntp authenticate`. Then define an authentication key using `ntp authentication-key <key-number> md5 <key-string>`. The key number is an integer, and the key string is the shared secret. For example: `ntp authentication-key 1 md5 MyKey`. Mark the key as trusted using `ntp trusted-key <key-number>`. Only trusted keys are accepted.
Associate Authentication Key with Server
When configuring the NTP server, add the `key` keyword to specify which authentication key to use. For example: `ntp server 192.168.1.10 key 1`. This tells the client to send authenticated requests using key 1. The server must have the same key configured and must trust it. If the key does not match, the client will not synchronize.
Verify NTP Status and Associations
Use `show ntp status` to check if the device is synchronized, its stratum level, and the reference clock. Use `show ntp associations` to see all configured servers/peers and their status (synchronized, reachable, etc.). The output shows a character indicating the synchronization source: '*' means the device is synchronized to that server, '+' means candidate, '-' means outlyer. Use `show ntp associations detail` for more detail, including authentication status.
Troubleshoot Authentication Mismatch
If authentication fails, the client will show 'unsynchronized' in `show ntp status` and the association may show 'auth failed'. Check that the key string matches exactly on both sides. Use `debug ntp authentication` to see authentication errors. Also ensure the key is trusted on both sides. Common mistake: forgetting to issue `ntp trusted-key` on the client.
Secure NTP with Access Control
Use an ACL to restrict which devices can query or synchronize to your NTP server. For example: `access-list 10 permit 192.168.1.0 0.0.0.255` then `ntp access-group serve-only 10`. This allows only clients from that subnet to get time. Other options: `peer`, `serve`, `query-only`. This prevents unauthorized devices from using your NTP server or launching amplification attacks.
In a typical enterprise network, NTP is deployed hierarchically to reduce load on external servers and provide resilience. For example, a large bank might have two Stratum 1 servers (GPS receivers) in different data centers. Core switches and routers are configured as Stratum 2 clients to these servers. Distribution switches then point to the core devices, and access switches point to distribution switches. This creates a tree that limits the number of direct connections to the Stratum 1 servers. Authentication is mandatory to prevent time spoofing, which could disrupt trading systems that rely on precise timestamps. Misconfiguration often occurs when engineers forget to configure ntp trusted-key on clients — the device will never synchronize, yet show ntp associations might show the server as reachable, leading to confusion. Another common issue is using the wrong key number; both sides must use the same key ID. In large networks, NTP can cause significant traffic if poll intervals are too short — Cisco defaults to 64 seconds, but for thousands of devices, you might increase the interval using ntp server [ip] minpoll 6 maxpoll 10 (where the value is a power of 2 in seconds). When a device loses all NTP servers, it will eventually mark itself as Stratum 16. If the device's clock drifts significantly, it may cause certificate validation failures for HTTPS and 802.1X. Network engineers should monitor NTP using SNMP or syslog alerts for 'NTP clock sync lost' messages.
For CCNA 200-301 objective 4.4, you must know: (1) The stratum hierarchy (0-15 usable, 16 = unsynchronized). (2) How to configure NTP client/server with and without authentication. (3) Verification commands: show ntp status, show ntp associations. (4) The purpose of ntp authenticate, ntp authentication-key, ntp trusted-key. Common wrong answers: Candidates often think NTP uses TCP (it's UDP port 123). They confuse the ntp master command with ntp server — ntp master makes the device a server, ntp server makes it a client. Another trap: assuming authentication is required for NTP to work (it's optional). On the exam, you might see a scenario where a device is not synchronizing; the answer often involves missing ntp trusted-key. Also, remember that ntp update-calendar is needed to sync the hardware calendar from the software clock; otherwise, the hardware clock may still be wrong after reboot. Calculation traps are rare for NTP, but you might be asked to determine the stratum of a device given its reference. For example, if a device syncs to a Stratum 2 server, its stratum is 3. Decision rule: When a question shows an NTP configuration with authentication but the device remains unsynchronized, look for missing ntp trusted-key or mismatched key strings. If the question shows show ntp associations with a '*' next to an IP, that device is synchronized to that server.
NTP uses UDP port 123.
Stratum 0 is the reference clock; Stratum 1 is directly connected; Stratum 16 means unsynchronized.
`ntp server <ip>` configures the device as a client.
`ntp master <stratum>` configures the device as a server.
NTP authentication requires `ntp authenticate`, `ntp authentication-key`, and `ntp trusted-key`.
`show ntp status` shows synchronization state and stratum.
`show ntp associations` shows '*' for the synchronized server.
These come up on the exam all the time. Here's how to tell them apart.
NTP
Uses complex algorithms for accuracy (e.g., filtering, jitter estimation).
Supports multiple servers and selects the best one.
Default poll interval 64 seconds, adjustable.
Full authentication support (MD5/SHA).
Used in production networks requiring millisecond accuracy.
SNTP
Simplified version of NTP, less accurate.
Typically uses only one server; no selection algorithm.
Fixed poll interval, often 64 seconds.
May lack authentication or have limited support.
Used in devices with low processing power or minimal requirements.
Mistake
NTP uses TCP port 123.
Correct
NTP uses UDP port 123. TCP would add unnecessary overhead and retransmission delays.
Many protocols use TCP, but NTP is designed for speed and uses UDP.
Mistake
NTP authentication is required for synchronization.
Correct
Authentication is optional. If no authentication is configured, the device will still synchronize.
Candidates assume security is always needed, but NTP works without it.
Mistake
The `ntp master` command makes the device a client.
Correct
`ntp master` makes the device act as an NTP server, providing time to others. To make a device a client, use `ntp server`.
The word 'master' sounds like 'client' to some, but it's the opposite.
Mistake
A device synchronized to a Stratum 3 server will have stratum 4.
Correct
Correct, but candidates often think it stays at 3. The stratum increases by 1 at each hop.
They forget that the stratum is the distance from the reference, not the server's stratum.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The default poll interval is 64 seconds (2^6). You can adjust it using the `minpoll` and `maxpoll` options on the `ntp server` command, where the value is a power of 2 in seconds. For example, `ntp server 10.1.1.1 minpoll 4 maxpoll 6` sets the poll interval between 16 and 64 seconds.
Use the `ntp master [stratum]` command. For example, `ntp master 5` makes the router a Stratum 5 server. The router will then respond to NTP requests from clients. If you want the router to also synchronize to an upstream server, configure both `ntp server` and `ntp master`.
The asterisk indicates the server that the device is currently synchronized to. A plus sign (+) indicates a candidate server, a minus (-) indicates an outlyer, and a tilde (~) indicates a server that is not reachable.
No. The `ntp authenticate` command globally enables NTP authentication. Without it, the device will not attempt to authenticate any NTP packets, even if keys are configured.
`ntp server` configures the device as a client to the specified server. `ntp peer` configures symmetric active mode, where both devices can synchronize to each other. Peer mode is used for redundancy between two NTP servers.
Stratum 16 indicates that the device is unsynchronized. When the device cannot reach any NTP server, it marks its own stratum as 16. It will continue to use its internal clock but with degraded accuracy.
Use `show ntp associations detail` to see authentication status. Look for 'authenticated' in the output. You can also use `debug ntp authentication` to see authentication success or failure messages.
You've just covered NTP Stratum Hierarchy and Auth — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?