Mental model
When you’re investigating an incident at 3 AM, you need to correlate logs across a firewall, a switch, a server, and a load balancer. If those devices’ clocks are off by even 30 seconds, you can’t tell which event caused which. Worse, certificate validity checks fail (a perfectly good cert looks expired or not yet valid), scheduled jobs misfire, and Kerberos refuses to authenticate (by default it tolerates at most 5 minutes of clock skew).
NTP solves this by giving every device on the network the same time, typically within a few milliseconds on a LAN and tens of milliseconds across the internet. Set it up once, forget about it for years, until something breaks because someone disabled it.
The stratum hierarchy
NTP organizes time sources in a tree. Each level is called a stratum:
| Stratum | What’s there | Examples |
|---|---|---|
| 0 | Reference clock | Atomic clock, GPS receiver |
| 1 | Server directly synced to stratum 0 | time.nist.gov; some pool.ntp.org members (many pool members are stratum 2) |
| 2 | Server synced to a stratum 1 server | Your enterprise NTP server, ISP’s NTP |
| 3 | Synced to a stratum 2 | Your branch router |
| … | each step adds one | |
| 16 | Unsynchronized | Default state until first sync |
The lower the number, the closer to the reference clock and the more authoritative. Network gear typically ends up at stratum 3 or 4.
Commands
Configure a Cisco router as NTP client
```
R1(config)# ntp server pool.ntp.org
R1(config)# ntp server 10.0.99.1
R1(config)# ntp server 10.0.99.2 prefer
R1(config)# ntp source GigabitEthernet0/0
R1(config)# clock timezone EST -5
R1(config)# clock summer-time EDT recurring
```
Line by line: a public pool by name (the router needs working DNS, i.e. `ip name-server`, to resolve it), an internal NTP server, a second internal server marked `prefer` so it wins when several sources look equally good, the interface whose address is used as the NTP source (a loopback is the usual choice so the source address survives a link failover), and the timezone plus DST rule (optional, but recommended for human-readable logs).
Configure a router as an NTP server for downstream devices
```
R1(config)# ntp master 3
```
`ntp master 3` tells the router to use its own internal clock as a stratum-3 source when no configured upstream is usable. While it is synchronized to a lower-stratum upstream it serves that time instead, so pick N worse (higher) than your real upstream's stratum, otherwise the router prefers its own free-running clock over the real source. A router that is synchronized via `ntp server` already answers NTP requests from downstream devices; `ntp master` is only needed as a fallback so the network keeps a common (if slowly drifting) time through an internet outage. The fallback is silent: `show ntp status` on the central router (reference `127.127.1.1`) is the only place you will see that it has dropped to its local clock. Use this on one or two central / core routers that sync externally and serve time to internal devices. Don’t run `ntp master` on every router.
Verify
```
R1# show ntp status
R1# show ntp associations
R1# show clock
R1# show clock detail
```
show ntp associations shows every NTP server you’re peering with, which one is selected, and the current stratum / offset / delay.
The little asterisk in the output matters:
```
R1# show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.0.99.1       .GPS.            1     27     64   377    1.2   -0.05    0.9
 ~10.0.99.2       10.0.99.1        2     35    128   377    1.4    0.12    1.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
```
The legend IOS prints under the table:
- `*` master (synced): the source we are synchronized to right now
- `#` master (unsynced): chosen as the best source, but the clock has not locked to it yet
- `+` selected: passed the sanity checks and contributes to the selection
- `-` candidate: acceptable, but not used
- `~` configured: you added it statically with `ntp server`

Also read `reach`: it is an octal shift register of the last 8 polls, so `377` means all 8 answered; anything else means lost packets, and `0` means the source has never answered.
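The checks above are easy to eyeball on one router and easy to miss on fifty. The following Python is an added example (not from the page or from Cisco): it parses the classic IOS `show ntp associations` layout and reports the conditions worth alerting on, using two constructed sample listings so it runs offline. The names `Assoc`, `parse_associations` and `check_health` are this example's own.

```python
"""Health-check Cisco 'show ntp associations' output.

Added example (not from the original page or from Cisco): parses the
IOS column layout and reports the conditions a practitioner looks for,
with constructed sample listings so it runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a healthy router with three configured sources.
SAMPLE_OK = """\
R1# show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
*~10.0.99.1       .GPS.            1     27     64   377    1.2   -0.05    0.9
+~10.0.99.2       10.0.99.1        2     35    128   377    1.4    0.12    1.1
+~10.0.99.3       10.0.99.1        2     50    128   377    1.6    0.20    1.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

# Constructed sample: NTP configured but nothing reachable (typical after a
# wrong 'ntp source' or an ACL that drops UDP/123).
SAMPLE_BAD = """\
R1# show ntp associations

  address         ref clock       st   when   poll reach  delay  offset   disp
 ~10.0.99.1       .INIT.          16      -     64     0    0.0    0.00  16000.
 ~10.0.99.2       .INIT.          16      -     64     0    0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""


@dataclass
class Assoc:
    flags: str        # the selection marks printed before the address
    address: str
    refclock: str
    stratum: int
    reach: int        # 8-bit shift register of the last 8 polls (IOS prints it in octal)
    offset_ms: float


# flags, address, ref clock, st, when, poll, reach, delay, offset, disp
ROW = re.compile(
    r"^\s*([*#+~-]*)(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)\s+"
    r"(\S+)\s+(-?[\d.]+)\s+(\S+)\s*$"
)


def parse_associations(text: str) -> list[Assoc]:
    """Return one Assoc per data row; prompt, header and legend lines don't match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flags, addr, ref, st, _when, _poll, reach, _delay, offset, _disp = m.groups()
            rows.append(Assoc(flags, addr, ref, int(st), int(reach, 8), float(offset)))
    return rows


def check_health(text: str, max_offset_ms: float = 100.0) -> list[str]:
    """Return findings in the order found; an empty list means the router looks healthy."""
    rows = parse_associations(text)
    if not rows:
        return ["no associations parsed: NTP not configured, or different output format"]
    findings = []
    if not any("*" in r.flags for r in rows):
        findings.append("no '*' source: router is not synchronized")
    for r in rows:
        if r.stratum >= 16:
            findings.append(f"{r.address}: stratum 16 (source itself is unsynchronized)")
        if r.reach != 0o377:
            missed = 8 - bin(r.reach).count("1")
            findings.append(f"{r.address}: reach {r.reach:o}, {missed} of last 8 polls unanswered")
        if abs(r.offset_ms) > max_offset_ms:
            findings.append(f"{r.address}: offset {r.offset_ms} ms exceeds {max_offset_ms} ms")
    if sum(r.stratum < 16 for r in rows) < 3:
        findings.append("fewer than 3 usable sources: one bad clock cannot be outvoted")
    return findings


if __name__ == "__main__":
    for name, sample in (("OK", SAMPLE_OK), ("BAD", SAMPLE_BAD)):
        print(name, check_health(sample) or ["healthy"])
```

Feed it the output you collect over SSH from each router; an empty finding list is the only result that should pass a post-change check. The "fewer than 3 usable sources" finding is deliberate: with two sources the selection algorithm cannot tell which one is lying.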
Authentication (mostly for sensitive networks)
NTP traffic isn’t authenticated by default — an attacker on the path could feed you bad time. For sensitive deployments:
```
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 supersecret
R1(config)# ntp trusted-key 1
R1(config)# ntp server 10.0.99.1 key 1
```
The server side needs the same key number and value. All four lines matter: without `ntp authenticate` nothing is checked even if keys are configured; with it on, the router synchronizes only to sources that send a trusted key, so forgetting `ntp trusted-key` leaves you unsynchronized rather than insecure, and the `key 1` on the `ntp server` line tells the router which key that particular peer must use. This is a shared symmetric key, so it only works between devices you control (your routers and your internal NTP servers); you can’t authenticate pool.ntp.org. On internet-facing routers, restrict who may talk NTP to you instead, with `ntp access-group serve-only <acl>` for clients and `ntp access-group peer <acl>` for the sources you accept time from, so the router isn’t an open NTP responder. On classic IOS the MAC is MD5 over key and packet; newer IOS XE releases also accept HMAC-SHA keys, which you should prefer where available. Use NTP authentication between your own routers and on security-critical servers.
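To make the stratum and timestamp fields from the hierarchy section and the authenticator from this section concrete, here is an added Python example (not from the page or from Cisco). It builds and parses the 48-byte NTP v4 header, derives offset and delay from the four timestamps the way a client does, and appends and checks the classic symmetric-key MAC (4-byte key ID followed by MD5 over key and header). One constructed exchange is run four ways: unauthenticated, unauthenticated with an on-path attacker shifting the server's timestamps, authenticated, and authenticated with the same tampering. The timestamps, the key `supersecret` and the names `build_packet`, `exchange` and `TRUSTED_KEYS` are this example's own assumptions.

```python
"""NTP v4 header, offset/delay arithmetic and the symmetric-key authenticator.

Added example, not from the page or from Cisco. It models one client/server
round trip with constructed timestamps and a constructed key, so it runs
offline. build_packet, exchange and TRUSTED_KEYS are this example's own names.
"""
from __future__ import annotations

import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"           # 48-byte header of RFC 5905, figure 8
BASE = 1_700_000_000.0             # arbitrary "true" Unix time for the constructed exchange
TRUSTED_KEYS = {1: b"supersecret"}  # mirrors: ntp authentication-key 1 md5 supersecret + ntp trusted-key 1


def to_ntp_ts(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900 | 32-bit fraction."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode, stratum, refid, ref, orig, recv, xmit, leap=0, poll=6, precision=-20) -> bytes:
    """Pack the header. Root delay/dispersion are left at zero; refid is the 4-byte
    reference ID (ASCII such as b'GPS\\0' at stratum 1, the upstream's IPv4 address below it)."""
    li_vn_mode = (leap << 6) | (4 << 3) | mode    # LI(2 bits) | VN(3 bits) = 4 | mode(3 bits)
    return struct.pack(HEADER, li_vn_mode, stratum, poll, precision, 0, 0, refid, ref, orig, recv, xmit)


def parse_header(pkt: bytes) -> dict:
    f = struct.unpack(HEADER, pkt[:48])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "refid": f[6], "ref": f[7], "orig": f[8], "recv": f[9], "xmit": f[10]}


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> tuple[float, float]:
    """RFC 5905 clock offset and round-trip delay from the four timestamps (seconds)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def authenticate(pkt: bytes, key_id: int, key: bytes) -> bytes:
    """Append the classic symmetric-key MAC: 4-byte key ID + MD5(key || header)."""
    return pkt[:48] + struct.pack("!I", key_id) + hashlib.md5(key + pkt[:48]).digest()


def verify(pkt: bytes, keys: dict[int, bytes]) -> bool:
    """True only if a MAC is present, its key ID is trusted and the digest matches."""
    if len(pkt) != 48 + 4 + 16:
        return False
    key = keys.get(struct.unpack("!I", pkt[48:52])[0])
    if key is None:
        return False
    return hmac.compare_digest(hashlib.md5(key + pkt[:48]).digest(), pkt[52:68])


def exchange(server_key: bytes | None, require_auth: bool, tamper: bool = False) -> dict:
    """One request/reply with constructed timings: the client's clock runs 0.250 s
    slow and each network direction takes 10 ms. require_auth models
    'ntp authenticate' + 'ntp server ... key 1'; tamper models an on-path
    attacker shifting the server's timestamps forward by one hour."""
    t1 = BASE - 0.250                               # client sends, stamped by its slow clock
    request = build_packet(3, 0, b"\0\0\0\0", 0, 0, 0, to_ntp_ts(t1))
    t2, t3 = BASE + 0.010, BASE + 0.012             # server receive / transmit, true time
    reply = build_packet(4, 1, b"GPS\0", to_ntp_ts(BASE - 30),
                         parse_header(request)["xmit"], to_ntp_ts(t2), to_ntp_ts(t3))
    if server_key is not None:
        reply = authenticate(reply, 1, server_key)
    if tamper:
        h = parse_header(reply)
        forged = build_packet(4, 1, b"GPS\0", h["ref"], h["orig"],
                              to_ntp_ts(t2 + 3600), to_ntp_ts(t3 + 3600))
        reply = forged + reply[48:]                 # MAC (if any) left as is: no key, no recompute
    t4 = BASE + 0.022 - 0.250                       # client receives, stamped by its slow clock

    h = parse_header(reply)
    if h["orig"] != to_ntp_ts(t1):                  # reply must echo our own transmit timestamp
        return {"accepted": False, "reason": "origin timestamp mismatch"}
    if require_auth and not verify(reply, TRUSTED_KEYS):
        return {"accepted": False, "reason": "missing or bad authenticator"}
    offset, delay = offset_and_delay(t1, from_ntp_ts(h["recv"]), from_ntp_ts(h["xmit"]), t4)
    return {"accepted": True, "stratum": h["stratum"], "refid": h["refid"].rstrip(b"\0").decode(),
            "offset_s": round(offset, 3), "delay_s": round(delay, 3)}


if __name__ == "__main__":
    print("plain      ", exchange(None, require_auth=False))
    print("plain+MITM ", exchange(None, require_auth=False, tamper=True))
    print("auth       ", exchange(b"supersecret", require_auth=True))
    print("auth+MITM  ", exchange(b"supersecret", require_auth=True, tamper=True))
```

Two things to take from running it: the unauthenticated client happily computes a +3600.25 s offset from the forged reply (the delay still looks normal, so nothing in the arithmetic flags it), while the authenticated client rejects the same packet because the attacker cannot recompute the MAC without the key. The origin-timestamp check is the other defence every real client has: a blind spoofer who has not seen the request cannot echo the right value.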
Common mistakes
- No NTP at all. Devices boot to 1993 (or whatever their default is). Logs are useless. Certificates fail. This still happens in 2026: check `show clock` on every device after setup.
- One NTP server only. If it’s unreachable, your clocks slowly drift, and with only two sources the router can’t tell which one is wrong. Configure three or more where you can, so a single bad source gets outvoted.
- NTP source IP doesn’t match access lists. You configure `ntp server 10.0.99.1`, but the router sources NTP from whichever interface the route to the server leaves by, and that address is filtered by an ACL. Set `ntp source <interface>` explicitly (a loopback is the usual choice).
- Running `ntp master` on every router. Now every router claims to be a time source. They peer with each other. Stratum levels oscillate. Pick 2 central NTP servers, point everyone else at those.
- Forgetting timezone. Router shows time in UTC by default. Operators see UTC in logs and miscorrelate with their local-time wall clock. Set `clock timezone` for sanity.
- Daylight saving without `clock summer-time`. Logs jump an hour twice a year. Configure summer-time once and the router handles DST automatically.
- Trusting the local clock when NTP fails. After a long power outage, a router’s local clock can be wildly off. Don’t trust `show clock` until `show ntp status` confirms synchronization.
Lab to try tonight
- On a Cisco router with internet access, run `show clock`. Note how wrong it is.
- Configure `ntp server pool.ntp.org`. Wait 2-5 minutes.
- Run `show ntp status` and `show ntp associations`. Look for `Clock is synchronized` and an `*` next to your server.
- Run `show clock` again. Time should now be correct (in UTC by default).
- Set timezone: `clock timezone EST -5` (or your zone). Verify `show clock` updates.
- Configure a second router with `ntp server <first-router-IP>`. Confirm it picks up time from your first router (stratum +1).
- Bonus: enable NTP authentication between the two routers and verify it still works.
Cheat strip
| Concept | Plain English |
|---|---|
| NTP | Synchronizes clocks across devices |
| Stratum | Distance from reference clock. 0 = atomic. 16 = unsynced. |
| `ntp server X` | Tell me to use X as a time source |
| `ntp master N` | Use my own clock as a stratum-N source when nothing better is reachable |
| `*` in associations | Currently selected upstream server |
| `clock timezone` | Display time in local zone (sanity) |
| `clock summer-time` | Handle DST automatically |
| Authentication | Shared symmetric keys (MD5 on classic IOS, HMAC-SHA on newer IOS XE) for sensitive environments |
| Port | UDP/123 |