Unanswered Question
Mar 25th, 2009


Is it possible to make a router an NTP server?

My requirement is to allow the Windows Domain Controller to connect to the NTP server to synchronise the time, and then all other servers will point to the Domain Controller.

Looking for the best options.

Mohamad Qayoom Wed, 03/25/2009 - 10:03

What kind of router are you using? We have our Catalyst 6513 set up as an NTP server. These are some of the commands:

ntp authenticate

ntp clock-period xxxxx

ntp master

ntp peer



Richard Burts Wed, 03/25/2009 - 10:15


It is certainly possible to configure your router to act as an NTP server for the devices in the Windows network. The best solution for this is to configure the router to learn NTP time from one of the available NTP servers in the Internet. If the router has learned authoritative time from an Internet NTP server then it will automatically act as an NTP server for the devices in your network.

If, for some reason, you do not configure your router to learn NTP time from an Internet NTP server, then you would use the ntp master command on your router to have it act as an NTP server for your network. Based on your description you do not need the ntp authenticate command and you should not configure the ntp clock-period command as suggested by Mohamad. The ntp peer command which he suggests is the command to have your router learn NTP time from an NTP server and the is one of the available public NTP servers so it would be good to use this in your router.

Note: if you learn time from an Internet NTP server you do not need the ntp master command. You would need the ntp master command only if your router is not learning time from any other source. I suggest that you just use this and be done with it:

ntp peer



lamav Wed, 03/25/2009 - 10:19


As usual, very informative and complete.

Rated it.


ronald.ramzy Wed, 03/25/2009 - 13:06

Do I need to open any ports on the ASA Firewall to allow traffic from the Windows Domain Controller to the router and vice versa?


That's the setup I have.

Leo Laohoo Wed, 03/25/2009 - 14:42

Hi Ronald,

I agree with Rick. NTP "clock-period" is auto-generated by the appliance so I always remove this from my config documents.

You can go to the NTP website (http://support.ntp.org/bin/view/Servers/WebHome) and choose from the list of Public Pool, Primary or Secondary and drill down to your region.

Again with Rick, I'd avoid using "NTP Master" if your NTP is authoritative.

ronald.ramzy Sun, 03/29/2009 - 23:42


In my scenario.

The Router will learn NTP time from one of the available NTP servers in the Internet.

I have only configured the router with "ntp peer"

The output is:

sh ntp associations

address ref clock st when poll reach delay offset disp

*~ .ACTS. 1 10 64 175 259.0 3.67 2.1

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

Do I need to add any security parameter to it, or is any config missing?

Leo Laohoo Mon, 03/30/2009 - 02:49

Hi Ronald,

Do you see the "*" symbol? It means that the IP address you've provided is now the "master" time. The third column shows that this is an authoritative time; the "1" means that this is the highest.

To verify, do a "show clock". If your time does not have a "." symbol in the beginning, then it means that your appliance is synchronized to a clock source.

ronald.ramzy Mon, 03/30/2009 - 12:44


If you have noticed, I have just entered the basic required commands for NTP. Are there any security issues with this?

A bit concerned about security. Any suggestions?

Leo Laohoo Mon, 03/30/2009 - 14:46

NTP has an option to use either authentication-key or trust-key.

You can also put an ACL.

Richard Burts Mon, 03/30/2009 - 17:48


What you have configured is typically enough when you learn time from one of the public Internet NTP servers. You might configure some authentication or access lists as suggested by Leo for NTP within your own network. But it is not common to do that with the public Internet NTP servers.

Most people regard the security risk in doing NTP with public Internet NTP servers as a slight risk. If you are concerned about that risk, the alternative is to purchase some device with an atomic clock and to generate your own authoritative time without using the public Internet NTP servers.
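
An added example, not part of the original thread or any poster's configuration: one way to apply the access-list suggestion above so the router takes time from a single upstream server and serves it only to the Domain Controller. All addresses are documentation placeholders, and the ACL numbers are arbitrary choices.

```cisco
! Constructed example: every address below is a placeholder.
!   192.0.2.10   = upstream Internet NTP server (placeholder)
!   198.51.100.5 = Windows Domain Controller    (placeholder)
!
! ACL 10: the only source the router may synchronize its clock to.
access-list 10 permit host 192.0.2.10
!
! ACL 20: the only client that may request time from the router.
access-list 20 permit host 198.51.100.5
!
! Upstream association. "ntp server" creates a client-only
! association; the thread used "ntp peer" for the same purpose.
ntp server 192.0.2.10
!
! peer: hosts matching ACL 10 may supply time to this router.
ntp access-group peer 10
!
! serve-only: hosts matching ACL 20 receive time replies but
! cannot adjust the router's clock or send NTP control queries.
ntp access-group serve-only 20
!
! Verify after applying (exec mode):
!   show ntp associations
!   show ntp status
!   show clock detail
```

Once any `ntp access-group` is configured, NTP packets from addresses that match none of the groups are dropped, so confirm the upstream association still shows as synced before relying on it.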



