NTP Server & Clients

First determine what device(s) you want to be the NTP Master for your network. Commonly this is your core switches. In this example we’re running a couple of 4500-X’s in VSS.

ntp logging
ntp authentication-key 123 md5 SeCrEtKeY
ntp authenticate
ntp trusted-key 123
ntp master 2
ntp update-calendar
ntp server
ntp server

Let’s dive into what these commands do.

ntp logging – Logs NTP events
ntp authentication-key 123 md5 SeCrEtKeY – This assigns the key string [SeCrEtKeY] to key number [123]. Every client will require this password to get time.
ntp authenticate – This enables authentication to the NTP server.
ntp trusted-key – Tells the server what key to use. Yes, you can use multiple keys for multiple host groups.
ntp master 2 – This sets the stratum level for our configured NTP server.
ntp update-calendar – Periodically sends calendar info along with the time.
ntp server – This sets the NTP server our switch will pull time from. We need an NTP source to pull from so we can provide accurate time to our clients.
ntp server – A redundant NTP server to pull time from.

On the client side, our configuration will look like this:

ntp authentication-key 123 md5 SeCrEtKeY
ntp authenticate
ntp trusted-key 123
ntp source Vlan255
ntp server key 123 prefer

If we had two switches that were not in VSS, we would just add another ntp server to the client config. NTP traffic is minimal so load balancing between the two switches would not be necessary. You should keep the NTP traffic on your management VLAN since it is not encrypted. There are many other nerd knobs to turn for NTP so check the configuration guide for your version of IOS.
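
An added example, not part of the original post: a small Python check that the NTP lines in a saved IOS config are consistent in the way the client config above needs them to be (ntp authenticate present, every trusted key defined, every ntp server line carrying a defined and trusted key, an ntp source interface set). The function name audit_ntp and the address 192.0.2.1 are assumptions; the post omits the server address.

```python
import re

# Constructed sample: the post's client config, with the documentation-range
# address 192.0.2.1 standing in for the server address the post omits.
CLIENT_OK = """\
ntp authentication-key 123 md5 SeCrEtKeY
ntp authenticate
ntp trusted-key 123
ntp source Vlan255
ntp server 192.0.2.1 key 123 prefer
"""

def audit_ntp(config):
    """Return findings for the NTP lines of an IOS-style config (hypothetical helper)."""
    defined, trusted, servers = set(), set(), []
    authenticate = source = False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(int(m.group(1)))
        elif m := re.match(r"ntp server (\S+)(?:.*?\bkey (\d+))?", line):
            # The key id is optional on the line; None means no key was given.
            servers.append((m.group(1), int(m.group(2)) if m.group(2) else None))
        elif line == "ntp authenticate":
            authenticate = True
        elif line.startswith("ntp source "):
            source = True
    findings = []
    if not authenticate:
        findings.append("'ntp authenticate' is missing")
    for key in sorted(trusted - defined):
        findings.append(f"trusted-key {key} has no authentication-key")
    for key in sorted(defined - trusted):
        findings.append(f"authentication-key {key} is not trusted")
    for addr, key in servers:
        if key is None:
            findings.append(f"server {addr} has no key on its ntp server line")
        elif key not in defined or key not in trusted:
            findings.append(f"server {addr} uses key {key}, which is not both defined and trusted")
    if not source:
        findings.append("no 'ntp source' interface is set")
    return findings

if __name__ == "__main__":
    print(audit_ntp(CLIENT_OK) or "no findings")
```

Run against the master config from the top of the post, it reports the two upstream ntp server lines (no key) and the missing ntp source, which is a prompt to decide whether those are intended.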
