
IOS-XE Authenticated NTP without configuring Client as NTP Peer

wc-memnon
Community Member

Currently, when a Cisco IOS-XE Router is used as NTP server for a network, authenticated NTP time is only possible when NTP clients are listed as NTP Peers with the authentication key appended. Preference is to be able to do this without having to define the peers. Clients should be able to just match the authentication key and point to the router as the NTP server. Security can be enforced on the router by using access-groups to determine subnets which are allowed to receive NTP from the router.

2 Replies

elwin-berrar
Level 1

Hi,

You're right, IOS-XE’s NTP implementation requires peers when using authentication, which can be inconvenient in larger deployments. The good news is that you can still enforce security and consistency without defining every client as a peer.

In practice, most setups rely on access control using ntp access-group serve-only or serve to limit responses, authentication key matching so clients can validate without being configured as peers, and ACLs to restrict which subnets are allowed to synchronize.

Configuring NTP — Cisco Nexus 5500 Series Switches (PDF)
https://pingmynetwork.com/network/ccna-200-301/network-time-protocol-ntp

Hope it helps.

Hello
On an NTP client you should not need to specify it as a peer; you only do this if you wish for it to synchronise with other NTP peers. Otherwise, on an NTP client you just specify an NTP server.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
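
The client/server arrangement the replies describe, written out as an added configuration example (not posted by anyone in this thread). The key ID 10, the key placeholder, ACL 10 and the 192.0.2.0/24 and 198.51.100.1 addresses are constructed for illustration.

```cisco
! ---- Router acting as the NTP server ----
! Shared symmetric key; clients must hold the same key ID and value.
ntp authentication-key 10 md5 <SHARED-KEY-PLACEHOLDER>
ntp trusted-key 10
!
! Only hosts in this subnet may be served time. No per-client
! "ntp peer" statements are configured.
access-list 10 permit 192.0.2.0 0.0.0.255
ntp access-group serve-only 10
!
! Once any ntp access-group is configured, sources that match no
! group are denied. If this router syncs from upstream servers,
! permit them in a separate "ntp access-group peer" ACL.
!
! ---- IOS-XE client ----
ntp authentication-key 10 md5 <SHARED-KEY-PLACEHOLDER>
ntp trusted-key 10
! Accept time only from sources that authenticate with a trusted key.
ntp authenticate
! Point at the router as a server, referencing the key ID.
ntp server 198.51.100.1 key 10
!
! ---- Check on the client ----
! The association line should include "authenticated".
! show ntp associations detail
```

Authentication here lets the client verify the server; limiting which hosts the router answers is the job of the `serve-only` access group.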