Summary: Ready-to-use IOS-XE NTP configuration covering server definition, source interface, authentication, and logging timestamps — copy, adjust IPs and keys, paste.
Suitable for internal networks where NTP servers are trusted and the environment is low-risk.
! Define NTP servers — first is preferred
ntp server 10.0.0.1 prefer
ntp server 10.0.0.2
! Bind NTP to a loopback so source IP is stable across interface changes
ntp source Loopback0
! Align log timestamps to NTP-synchronised time
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
Required where NTP clients must verify they are receiving time from a trusted source. Use this for production and security-sensitive environments.
! Define authentication key — use a strong shared secret
ntp authentication-key 1 md5 <NTP_KEY>
ntp authenticate
ntp trusted-key 1
! Reference the key on each server
ntp server 10.0.0.1 key 1 prefer
ntp server 10.0.0.2 key 1
ntp source Loopback0
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
⚠️ MD5 Key Storage
NTP authentication keys are stored withmd5in the configuration but IOS-XE encrypts them using type 6 or type 7 depending on platform and whetherkey config-key password-encryptis configured. Always useservice password-encryptionat minimum. Prefer type 6 encryption if the platform supports it.
show ntp status
show ntp associations detail
show clock detail
Key things to check in the output:
| Command | What to look for |
|---|---|
show ntp status |
Clock is synchronized — if unsynchronised, check reachability and key config |
show ntp associations detail |
Peer reachability, stratum of upstream server, refid (reference clock source) |
show clock detail |
Time source should show NTP — if it shows user configuration the device is not yet synchronised |
ntp source Loopback0 is strongly recommended — without it, the source IP of NTP packets changes with the egress interface, which breaks NTP authentication and complicates firewall rules.