Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

PDF

Configuring NTP servers

Updated: June 9, 2026

Want to summarize with AI?

Describes methods for configuring NTP servers.

Configure NTP servers using a configuration group

Configuring network time for your network includes these tasks:

Configure NTP servers and parameters as described in this procedure.
Configure the timezone in a System profile, in a Basic feature.

Before you begin

On the Configuration > Configuration Groups page, choose SD-WAN as the solution type.

Perform these steps to configure NTP servers and parameters.

Procedure

From the Cisco SD-WAN Manager menu, choose Configuration > Configuration Groups.

Create and configure an NTP feature in a System profile.

Configure a server.

Table 1. Server
Field	Description
Add Server
Hostname/IP address*	Enter the IP address of an NTP server, or a DNS server that knows how to reach the NTP server.
VPN to reach NTP Server*	Enter the number of the VPN that should be used to reach the NTP server, or the VPN in which the NTP server is located. If you have configured multiple NTP servers, they must all be located or be reachable in the same VPN. Range: 1 to 65525, excluding 512. For details see the VRF range behavior change described here.
Set authentication key for the server	Specify the MD5 key associated with the NTP server, to enable MD5 authentication. For the key to work, you must mark it as trusted in the Trusted Key field under Authentication.
Set NTP version*	Enter the version number of the NTP protocol software. Range: 1 to 4 Default: 4
Set interface to use to reach NTP server	Enter the name of a specific interface to use for outgoing NTP packets. The interface must be located in the same VPN as the NTP server. If it is not, the configuration is ignored.
Prefer this NTP server*	Enable this option if multiple NTP servers are at the same stratum level and you want one to be preferred. For servers at different stratum levels, Cisco Catalyst SD-WAN chooses the one at the highest stratum level.

Configure authentication.

Table 2. Authentication
Field	Description
Add Authentication Keys
Key Id*	Enter an MD5 authentication key ID. Range: 1 to 65535
MD5 Value*	Enter an MD5 authentication key. Enter either a cleartext key or an AES-encrypted key.
Trusted Key	Enter the MD5 authentication key to designate the key as trustworthy. To associate this key with a server, enter the same value that you entered for the Set authentication key for the server field under Server.

Configure advanced parameters.

Table 3. Advanced
Field	Description
Authoritative NTP Server	Choose Global from the drop-down list, and enable this option if you want to configure one or more supported routers as a primary NTP router.
Stratum	Enter the stratum value for the primary NTP router. The stratum value defines the hierarchical distance of the router from its reference clock. Valid values: Integers 1 to 15. If you do not enter a value, the system uses the router internal clock default stratum value, which is 8.
Source Interface	Enter the name of the exit interface for NTP communication. If configured, the system sends NTP traffic to this interface. For example, enter `GigabitEthernet1` or `Loopback0`.

What to do next

Refer to Deploy a Configuration Group in the Cisco Catalyst SD-WAN Configuration Groups Reference Guide.

Configure NTP servers and parameters using templates

Configure network time protocol (NTP) servers using a Cisco NTP feature template.

You can create a Cisco NTP feature template directly or through a device template.

Configuring network time for your network includes these tasks:

Configure NTP servers and parameters as described in this procedure.
Configure the timezone in a System template.

Before you begin

Perform these steps to configure NTP servers and parameters.

Procedure

From the Cisco SD-WAN Manager menu, choose Configuration > Templates.

Select Feature Templates.

Click Add Template.

Select a platform.

Click Cisco NTP.

To add an NTP server:

Click Server.

Click New Server, and configure these parameters.

Table 4. NTP server parameters
Field	Description
Hostname/IP Address*	IP address of an NTP server, or a DNS server that knows how to reach the NTP server.
Authentication Key ID*	Specify the MD5 authentication key associated with the NTP server, to enable authentication. For the key to work, you must mark it as trusted in the Trusted Keys field, under Authentication. Note From Cisco Catalyst SD-WAN Control Components Release 20.14.1, you can use CMAC-AES authentication when configuring NTP servers for Cisco SD-WAN Control Components. This requires configuration using a CLI template.
VPN ID*	Number of the VPN that should be used to reach the NTP server, or the VPN in which the NTP server is located. If you have configured multiple NTP servers, they must all be located or be reachable in the same VPN. The valid range is from 0 through 65530.
Version*	Version number of the NTP protocol software. The range is from 1 through 4. The default is 4.
Source Interface	Name of a specific interface to use for outgoing NTP packets. The interface must be located in the same VPN as the NTP server. If it is not, the configuration is ignored.
Prefer	Click On if multiple NTP servers are at the same stratum level and you want one to be preferred. For servers at different stratum levels, the software chooses the one at the highest stratum level.

You can click Add to add another server.
Click Save.

To configure the authentication keys used to authenticate NTP servers:

Click Authentication.
Click the Authentication Key tab.

Click New Authentication Key, and configure these parameters.

Table 5. NTP authentication key parameters
Field	Description
Authentication Key ID*	Authentication Key: Enter an authentication key ID. Range: 1 to 65535 Authentication Value: Enter either a cleartext key or an AES-encrypted key.
Authentication Value*	Enter an authentication key. For this key to be used, you must designate it as trusted. To associate a key with a server, enter the same value that you entered in the Authentication Key ID field under Server.

Click Add.

To configure the trusted keys used to authenticate NTP servers:

Click Authentication.
Click the Trusted Key tab.

Configure these parameters.

Table 6. Trusted key parameters
Field	Description
Trusted Keys*	Authentication key to designate the key as trustworthy. To associate this key with a server, enter the same value that you entered for the Authentication Key ID field under Server.

Configure NTP servers using CLI commands

Configure NTP servers using CLI commands in a CLI add-on profile or CLI add-on template.

Before you begin

Perform these steps to configure NTP servers.

Procedure

	1.	Create a CLI add-on profile or CLI add-on template.
	2.	Enter system configuration mode. `system`
	3.	Enter NTP configuration mode. `ntp`
	4.	Enter keys configuration mode. `keys`
	5.	Configure an authentication type to use for an NTP server. Assign a key for the authentication type, and assign one of these authentication methods: MD5, CMAC-AES-128. Using multiple instances of the authentication command, you can configure authentication for multiple NTP servers. `authentication authentication-key-id {md5 md5-authentication-key \| cmac-aes-128 cmac-authentication-key}` Note The CMAC-AES option is available from Cisco Catalyst SD-WAN Control Components Release 20.14.1.
	6.	Designate an authentication type as trusted. Optionally, you can include multiple authentication key IDs. `trusted authentication-key-id {authentication-key-id}[authentication-key-id]`
	7.	Exit keys configuration mode. `exit`
	8.	Configure an NTP server, including the VPN and version, and optionally an authentication key. You can configure multiple NTP servers. `server {server-ip \| fully-qualified-domain-name} key authentication-key vpn vpn-id version version-id exit`

Here is an example for configuring two authentication types and three NTP servers. Two servers are trusted and use an authentication key, and one server is generic. Authentication key 1001 uses MD5 and key 1002 uses CMAC-AES-128.

system ntp 
  keys 
    authentication 1001 md5 password1 
    authentication 1002 cmac-aes-128 password2
    trusted 1001 1002 
  ! 
  server 192.168.10.1 
    key 1001 
    vpn 512 
    version 4 
  exit 
  server 192.168.10.2 
    key 1002 
    vpn 512 
    version 4 
  server us.pool.ntp.org 
    vpn 512 
    version 4 
  exit 
  ! 
!

Note

The passwords above are in plain text. When using a CLI template, you can encrypt passwords.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.