First determine what device(s) you want to be the NTP Master for your network. Commonly this is your core switches. In this example we’re running a couple of 4500-X’s in VSS.
ntp logging
ntp authentication-key 123 md5 SeCrEtKeY
ntp authenticate
ntp trusted-key 123
ntp master 2
ntp update-calendar
ntp server 220.127.116.11
ntp server 18.104.22.168
Let’s dive into what these commands do.
ntp logging – Logs NTP events
ntp authentication-key 123 md5 SeCrEtKeY – This assigns the key string [SeCrEtKeY] to key number [123]. Every client will require this password to get time.
ntp authenticate – This enables authentication to the NTP server.
ntp trusted-key – Tells the server what key to use. Yes, you can use multiple keys for multiple host groups.
ntp master 2 – This sets the stratum level for our configured NTP server.
ntp update-calendar – Periodically sends calendar info along with the time.
ntp server 22.214.171.124 – This sets the NTP server our switch will pull time from. We need an NTP source to pull from so we can provide accurate time to our clients.
ntp server 126.96.36.199 – A redundant NTP server to pull time from.
On the client side our configuration will look like this:
ntp authentication-key 123 md5 SeCrEtKeY
ntp authenticate
ntp trusted-key 123
ntp source Vlan255
ntp server 10.8.255.1 key 123 prefer
If we had two switches that were not in VSS, we would just add another ntp server to the client config. NTP traffic is minimal so load balancing between the two switches would not be necessary. You should keep the NTP traffic on your management VLAN since it is not encrypted. There are many other nerd knobs to turn for NTP so check the configuration guide for your version of IOS.
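What key 123 adds to each packet, and why the traffic is still readable on the wire, shown as an added example that is not part of the original post. It assumes the standard NTP symmetric-key MAC (a 32-bit key ID followed by MD5 over the key string and the 48-byte header); the timestamp is a constructed sample value.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48            # fixed NTP header, no extension fields
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_packet(unix_time, mode=3, version=4):
    """Return a 48-byte NTP header with only the transmit timestamp set."""
    first = (0 << 6) | (version << 3) | mode  # LI=0, version, mode (3 = client)
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time % 1) * 2**32)
    # stratum, poll, precision, then 9 zeroed words and the transmit timestamp
    return struct.pack("!BBbb11I", first, 0, 6, -20, *([0] * 9), secs, frac)


def sign(packet, key_id, key):
    """Append the MAC: 32-bit key ID followed by MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify(datagram, trusted_keys):
    """Check the MAC against a {key_id: key} table (the trusted-key set)."""
    if len(datagram) != NTP_HEADER_LEN + 4 + 16:
        return False  # no MAC present, or malformed
    packet, mac = datagram[:NTP_HEADER_LEN], datagram[NTP_HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False  # key ID is not trusted on this device
    expected = hashlib.md5(key + packet).digest()
    return hmac.compare_digest(expected, mac[4:])


def transmit_time(datagram):
    """Read the transmit timestamp; no key is needed, nothing is encrypted."""
    secs, frac = struct.unpack("!II", datagram[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


if __name__ == "__main__":
    keys = {123: b"SeCrEtKeY"}  # key number and string from the config above
    datagram = sign(build_packet(1700000000.0), 123, keys[123])
    print("MAC valid:", verify(datagram, keys))
    print("time readable without key:", transmit_time(datagram))
    tampered = datagram[:43] + bytes([datagram[43] ^ 1]) + datagram[44:]
    print("modified packet accepted:", verify(tampered, keys))
```

The MAC only proves the packet came from a holder of the key and was not modified; the header, including every timestamp, stays in the clear.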