Lab 32: NTP Hierarchy with Authentication
Production networks don't point every device at the internet for time — one device syncs upstream and serves the rest internally. Build that hierarchy, then authenticate it so rogue time sources are rejected. Difficulty: Intermediate · Time: ~25 min.
Lab objectives
- Make R1 the internal NTP server (master)
- Point R2 and a switch at it as clients
- Add NTP authentication keys on both sides
- Verify sync state and stratum levels
Topology & addressing
R1 (internal time source), R2 and SW1 as clients, all IP-reachable (192.168.1.0/24 management).
Step-by-step configuration
| Where and command | Purpose |
|---|---|
| R1: `ntp master 3` | Serve time internally at stratum 3 |
| Clients: `ntp server 192.168.1.1 key 1` | Sync from R1, using key 1 |
| All devices: `ntp authentication-key 1 md5 TimeSecret`, then `ntp authenticate`, then `ntp trusted-key 1` | Same key everywhere; clients only accept authenticated sources |
Verification
Run show ntp status on the clients: it should report "Clock is synchronized, stratum 4" (one below R1's 3). show ntp associations shows R1 with a healthy reach. Break it: change a client's key to a wrong value and sync is refused. Accurate, authenticated time across the estate: the quiet prerequisite for every log you'll ever trust.
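An offline companion to the checks above, as an added example (not part of the lab and not Cisco tooling): it reads saved client configuration text and flags the gaps that let a time source through unauthenticated. The function name, the sample configs and the second server address 192.168.1.9 are constructed for illustration.

```python
import re

def audit_ntp_auth(config):
    """Return a list of NTP authentication gaps found in IOS-style config text."""
    defined, trusted, servers = set(), set(), []
    authenticate = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ntp authentication-key (\d+) \S+ .+", line):
            defined.add(int(m.group(1)))      # key material exists
        elif m := re.fullmatch(r"ntp trusted-key (\d+)", line):
            trusted.add(int(m.group(1)))      # key is allowed to vouch for a source
        elif line == "ntp authenticate":
            authenticate = True               # enforcement switched on
        elif m := re.fullmatch(r"ntp server (\S+)(?:.*?\bkey (\d+))?.*", line):
            key = int(m.group(2)) if m.group(2) else None
            servers.append((m.group(1), key))
    findings = []
    if servers and not authenticate:
        findings.append("'ntp authenticate' missing: authentication is not enforced")
    for addr, key in servers:
        if key is None:
            findings.append(f"server {addr}: no key on the server line")
        elif key not in defined:
            findings.append(f"server {addr}: key {key} has no ntp authentication-key")
        elif key not in trusted:
            findings.append(f"server {addr}: key {key} is not a trusted-key")
    return findings

# Constructed sample: the client configuration from this lab.
CLIENT_OK = """
ntp authentication-key 1 md5 TimeSecret
ntp authenticate
ntp trusted-key 1
ntp server 192.168.1.1 key 1
"""

# Constructed sample: key defined, but enforcement and trust are incomplete.
CLIENT_WEAK = """
ntp authentication-key 1 md5 TimeSecret
ntp trusted-key 2
ntp server 192.168.1.1 key 1
ntp server 192.168.1.9
"""

if __name__ == "__main__":
    for name, cfg in (("CLIENT_OK", CLIENT_OK), ("CLIENT_WEAK", CLIENT_WEAK)):
        print(name, audit_ntp_auth(cfg) or "no findings")
```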
Frequently asked questions
What does ntp master 3 mean?
The router serves time claiming stratum 3 — clients syncing from it become stratum 4. The number positions your internal hierarchy sensibly below real reference clocks.
Why authenticate NTP?
To stop rogue time sources from skewing device clocks — which would corrupt log timelines and can break certificate validation.
Why do clients show one stratum higher than the server?
Stratum counts distance from the reference clock — each hop away adds one.