Cisco IOS NTP Essentials

A while ago I was involved in an interesting discussion focusing on NTP authentication and whether you can actually implement it reliably on Cisco IOS. What I got out of it (apart from a working example :) was the feeling that NTP and its implementation in Cisco IOS were under-understood and under-documented, so I planned to write an article about it.

However, as I did my research, I figured out there's so much I didn't know about NTP (do you know what the essential difference between a peer and a server is?) that I decided to write the It’s Good to be on Time article – you’ll find it somewhere in this list.


  1. This is part of the problem with NTP. It's way more complicated than it needs to be. You shouldn't have to understand so much of it to use it on your routers. Take a look at openntpd. It's free and runs on BSD or Linux. I run it on my DNS servers. My routers are pointed at it.
  2. Thanks very much for doing this Ivan.
  3. Ivan,

    This is the basic NTP configuration I use on 'my' routers at work:
    access-list 50 remark NTP Access - apply with:
    access-list 50 remark __ntp access-group peer 50
    access-list 50 remark
    access-list 50 remark Permit only (hostname snipped)
    access-list 50 permit
    access-list 50 remark
    access-list 50 remark Deny everyone else
    access-list 50 deny any
    access-list 50 remark

    ntp source loopback 0
    ntp access-group peer 50
    ntp server prefer

    If I don't put in the access-group stuff, then the router will respond to port scans on UDP 123.
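
An added example, not part of the original comment or the article: a small Python audit of an IOS-style configuration for the `ntp access-group peer` restriction described in the comment above. The sample configs and the address 192.0.2.10 are constructed; the check assumes standard numbered ACLs, IPv4 server addresses, and only the `peer` form of `ntp access-group` used on this page.

```python
import ipaddress
import re

# Constructed sample configs (not from the page); 192.0.2.10 is a documentation address.
RESTRICTED = """\
access-list 50 remark Permit only the upstream time server
access-list 50 permit 192.0.2.10
access-list 50 deny any
ntp source Loopback0
ntp access-group peer 50
ntp server 192.0.2.10 prefer
"""
UNRESTRICTED = "ntp source Loopback0\nntp server 192.0.2.10 prefer\n"
WRONG_ACL = RESTRICTED.replace("permit 192.0.2.10", "permit 192.0.2.99")

def _to_int(text):
    return int(ipaddress.IPv4Address(text))

def acl_permits(entries, addr):
    """First-match evaluation of standard ACL entries; implicit deny at the end."""
    for action, src in entries:
        if src[:1] == ["host"]:
            src = src[1:]
        if src[:1] == ["any"]:
            return action == "permit"
        if not src:
            continue  # address missing or snipped: nothing to match
        wild = _to_int(src[1]) if len(src) > 1 else 0
        if (_to_int(addr) | wild) == (_to_int(src[0]) | wild):
            return action == "permit"
    return False

def audit_ntp(config):
    """Return a list of findings for the NTP part of an IOS-style config."""
    acls, peer_acls, servers = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\d+) (permit|deny)\b(.*)", line):
            acls.setdefault(m[1], []).append((m[2], m[3].split()))
        elif m := re.match(r"ntp access-group peer (\S+)", line):
            peer_acls.append(m[1])
        elif m := re.match(r"ntp (?:server|peer) (\d+\.\d+\.\d+\.\d+)", line):
            servers.append(m[1])
    if servers and not peer_acls:
        return ["no 'ntp access-group peer': NTP on UDP 123 is not restricted by source"]
    findings = [f"ACL {n} has no permit/deny entries" for n in peer_acls if n not in acls]
    for s in servers:
        if not any(acl_permits(acls.get(n, []), s) for n in peer_acls):
            findings.append(f"{s} is not permitted by the peer ACL")
    return findings
```

The third sample shows the failure mode worth catching before deployment: an access group that restricts NTP but leaves out the configured server's own address.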