NTP Config Generator

Target platform:

The selected platform controls source directives, access rules, and validation warnings.

Time sources:

Examples: 0.pool.ntp.org,pool,iburst or ntp1.example.internal,server,iburst,prefer.

Samples stay local and replace the current form.

Serve LAN clients

Off creates a client-only config. On emits client access rules for the networks below.

Allowed client networks:

Use narrow internal CIDRs unless this host is meant to be a public NTP server.

Source interface:

Example: Loopback0 or Vlan44.

Management VRF:

Leave blank when the NTP sources are reachable in the default routing table.

NTP version:

Accepted range is 1-4; version 4 is the normal default.

chrony drift file:

Default works for common RHEL-style chrony deployments.

makestep:

Use 1.0 3 to step large startup offsets only during initial updates.

Add rtcsync

Keeps the hardware clock synchronized when supported by the OS.

Add NTS to chrony sources

Use only when every selected source supports Network Time Security.

ntpd drift file:

Default matches common classic ntpd packaging.

Cisco authentication key ID:

Leave blank to omit Cisco symmetric authentication stanzas.

Cisco authentication secret:

No spaces or newlines. The generated Cisco config will include the literal secret.

Add local fallback clock

Off is safest. On emits chrony local, ntpd orphan, or Cisco ntp master fallback syntax.

Fallback stratum:

Accepted range is 1-15; use fallback only for isolated networks.

Include config comments

Adds short file headers and section labels to the generated artifact.

Fix required before using this config

{{ error }}

Review before deployment

{{ warning }}

{{ result.configText || '# Fix validation errors to generate NTP config.' }}

Source	Mode	Options	Emitted line	Note	Copy
No source rows parsed yet Enter one NTP server, pool, or peer row to populate the source ledger.
{{ row.source }}	{{ row.mode }}	{{ row.options }}	{{ row.emitted }}	{{ row.note }}

Severity	Check	Detail	Recommendation	Copy
{{ row.severity }}	{{ row.check }}	{{ row.detail }}	{{ row.recommendation }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Clock drift usually becomes visible only after something else breaks. A log entry appears before the request that caused it, a certificate is judged not yet valid, a Kerberos ticket fails, or a database cluster has to compare writes from machines that disagree about time. The fix is not just choosing a famous server name. The whole time path has to match the operating system, routing table, firewall, daemon, and risk of the service depending on it.

Network Time Protocol, usually shortened to NTP, lets a system compare its local clock with one or more time sources and adjust gradually toward Coordinated Universal Time. Replies are useful because they include timing information that lets the client estimate offset, delay, and jitter, not because one received timestamp is blindly trusted. A good configuration creates candidate associations, controls who may ask the host for time, and avoids fallback rules that can make a failed upstream source look healthy.

Source: A hostname or IP address that can provide time, usually reached over UDP port 123.
Pool: A DNS name that can return changing sets of servers, useful for diversity when the client can reach public or internal pool names.
Peer: A symmetric relationship where two NTP systems can exchange time with each other instead of a simple client-to-server pull.
Stratum: A hop count from a reference clock. Lower stratum is closer to the reference source, but route quality and jitter still matter.

Time design changes with the role of the machine. A workstation or small VM often needs a client-only setup. A Linux host serving a subnet needs explicit client networks, firewall alignment, monitoring, and enough upstream diversity to survive one bad source. Routers and switches often need a stable source interface, and management traffic may need a VRF so replies use the expected routing table. Public pool names are convenient for many clients, while critical environments often prefer internal relays, source diversity by network path, or carefully operated private sources.

NTP time hierarchy from UTC reference to upstream sources, a disciplined local clock, and optional downstream clients.

The common mistake is treating generated text as proof that time is synchronized. It is only a proposed plan. DNS, routing, UDP port 123, daemon support, authentication keys, Network Time Security support, and device syntax all have to work on the real system. After deployment, status output should show a selected source, reachability, offset, delay, jitter, stratum, and any authentication state before the clock is trusted.

How to Use This Tool:

Choose the platform first because the same source list becomes different syntax for chrony, ntpd, systemd-timesyncd, and Cisco profiles.

Choose Target platform. Use chrony for chronyd-style Linux hosts, ntpd for classic ntp.conf, systemd-timesyncd for a small client-only host, or a Cisco profile when the output should be device commands.
Enter Time sources with one source per line. Put the hostname or IP address first, then a mode such as server, pool, or peer, followed by supported tokens such as iburst, prefer, version=4, key=10, source=Loopback0, vrf=Mgmt-vrf, or nts.
Turn on Serve LAN clients only when a Linux host should answer downstream clients. Add narrow IPv4 values in Allowed client networks, such as 10.44.0.0/16 or 10.44.0.0 255.255.0.0.
all is accepted for chrony with a warning and is not emitted as an ntpd client-network rule. Use it only for an intentional public service with firewall review.
Set Source interface and Management VRF for Cisco profiles when the device should source NTP from a loopback, SVI, or management routing table. Leave Management VRF blank when the sources are reachable through the default routing table.
Open Advanced for NTP version, drift files, chrony makestep, rtcsync, Network Time Security, Cisco authentication, Add local fallback clock, Fallback stratum, and generated comments.
Version is normalized to 1 through 4, and fallback stratum is normalized to 1 through 15.
Read the summary and Validation Review. Fix Error rows for missing sources, invalid targets, empty client networks, malformed masks, or Cisco authentication secrets that contain whitespace. Treat Warning rows as deployment-review prompts.
Compare Source Ledger with NTP Config before copying. The ledger shows the parsed source, mode, source options, emitted line, and notes, so platform-specific omissions are visible before deployment.

Interpreting Results:

The generated config is usable only when the summary has no blocking errors. A badge such as 3 sources means three rows were parsed, not that those sources are reachable, healthy, or selected by the daemon. Use the warning count and ledger details to decide what needs review before deployment.

How to interpret NTP config generator output cues
Output cue	Meaning	Follow-up
`Needs review`	At least one error blocks safe output.	Open `Validation Review`, fix the named source, network, or authentication field, then recheck the summary.
`validated`	No blocking errors were found in the entered values.	Still confirm source reachability, daemon support, and platform syntax on the real host or device.
`warnings`	The config can be produced, but a token, broad access rule, NTS choice, fallback clock, hostname, or Cisco detail needs approval.	Compare each warning with `Source Ledger` and remove unsupported tokens before applying the config.
`Source Ledger`	Shows how each row became a platform-specific source line or client-access line.	Use it to catch rows where a mode changed, an option was ignored, or a Cisco hostname should become an IP address.
`client config` or `serves clients`	Identifies whether Linux output is client-only or includes downstream client access rules.	Verify firewall policy before serving clients; leave client-only output unchanged when no downstream clients are intended.

The false-confidence risk is copying clean-looking text and skipping live verification. After applying the config, use platform status output such as chrony source tracking, ntpd peer status, systemd-timesyncd status, or Cisco NTP status and associations to confirm the selected source, offset, delay, jitter, reachability, and authentication behavior.

Technical Details:

NTPv4 describes client/server, symmetric peer, and broadcast-style relationships. Most ordinary hosts use client/server mode: a client sends request packets, servers reply, and the local clock discipline estimates offset from the timestamp exchange. Peer mode is a different association, because both systems can exchange time, so it belongs in controlled designs where both sides are known and monitored.

A configuration file names candidate associations and local policy; it does not prove that a source will be selected. The running daemon or network device still resolves names, reaches sources, rejects falsetickers, compares measurements, and adjusts the clock. Stratum is only distance from a reference clock. Offset, delay, jitter, reach, and root distance are better evidence that the running clock is behaving after startup.

Rule Core:

NTP configuration generation rules by platform family
Area	chrony	ntpd	systemd-timesyncd	Cisco profiles
Sources	Emits `server`, `pool`, or `peer` lines with chrony-supported options.	Emits `server`, `pool`, or `peer` lines with classic `ntp.conf` options.	Emits a `[Time]` section with `NTP=` from all source targets and `FallbackNTP=` from later targets.	Emits `ntp server` or `ntp peer` commands; pool rows are warned because concrete servers are expected.
Client access	Uses `allow` for entered client networks, including deliberate `allow all`.	Uses default `restrict` lines and optional IPv4 client-network restrictions.	Client-only; no downstream service rules are emitted.	Source association commands only; access-group policy is left for device-specific review.
State and startup	Supports `driftfile`, optional `makestep`, and optional `rtcsync`.	Supports `driftfile` and conservative restriction defaults.	Uses the systemd time-sync client format without drift-file or serving directives.	Adds `ntp source` when a source interface is supplied.
Authentication	Can append `nts` to source lines when NTS-capable sources are selected.	Does not emit NTS syntax.	Does not emit per-source authentication syntax.	Emits `ntp authenticate`, `ntp authentication-key`, `ntp trusted-key`, and per-source `key` references when key data is complete.
Fallback clock	Uses `local stratum N`.	Uses `tos orphan N`.	No local fallback clock directive is emitted.	Uses `ntp master N`.

Fallback clock directives deserve extra care. They can keep an isolated network on one shared time base when upstream sources disappear, but they can also hide an outage if the fallback looks too attractive. A high fallback stratum such as 10 makes real upstream sources win whenever they return.

Source Option Map:

NTP source option support and review behavior
Option or value	Meaning	Review behavior
`iburst`, `burst`	Request faster initial or recovery polling where the platform supports those options.	Useful for chrony and ntpd; warned and not emitted for systemd-timesyncd and Cisco profiles.
`prefer`	Marks a candidate as preferred when more than one valid source is available.	Emitted for Linux source lines and Cisco source commands.
`nts`	Requests Network Time Security for chrony source lines.	Produces a warning when the global NTS switch is on because every chosen source must support NTS key establishment.
`version=`, `key=`	Set an NTP version or reference a configured authentication key where supported.	Version is constrained to `1` through `4`; Cisco key stanzas require both a key ID and a local secret.
`source=`, `vrf=`	Select source-interface and management-VRF behavior for Cisco-style source commands.	Warned and not emitted for Linux profiles, where those device-specific tokens do not apply.
`all` in client networks	Represents broad chrony client access.	Accepted with a warning for chrony; not emitted as an ntpd client-network rule because explicit internal IPv4 CIDRs are safer.

Validation Boundaries:

Validation boundaries for generated NTP configuration
Check	Blocking condition	Review condition
Source target	A source is not a valid hostname, IPv4 address, or IPv6 address.	Cisco profiles warn on hostnames because many device bootstraps work better with literal reachable server addresses.
Client networks	`Serve LAN clients` is on with no network, malformed CIDR, bad IPv4 mask, or unsupported network text.	`all` is broad and should be reserved for an intentional public chrony service.
Numeric ranges	NTP version and fallback stratum are normalized instead of blocking output.	Version stays within `1` to `4`; fallback stratum stays within `1` to `15`.
Cisco authentication	A local authentication secret containing whitespace blocks output.	A key ID without a local secret warns that the key definition must already exist on the device.
Security options	NTS and local fallback do not create direct syntax errors by themselves.	NTS must match source support; fallback must be reviewed so it does not mask upstream failure.

Security and Accuracy Notes:

The config text is created in the browser from the values you enter. It does not test DNS, reachability, installed daemon versions, firewall rules, NTS certificate trust, or whether a Cisco VRF exists.

Entering a Cisco authentication secret puts that literal secret in the generated Cisco config. The JSON output omits the secret, but copied or downloaded config text can still expose it.
Serving LAN clients changes the host from a time client into part of the time service. Review client networks, firewall rules, rate limits, and monitoring before deploying that mode.
Network Time Security requires compatible sources, certificate trust, and reachability for the NTS key-establishment service. Adding nts to an ordinary source line does not make the source support it.
Public NTP pool names are useful for many clients, but high-impact environments should use a time design that matches business risk, network control, and source reliability requirements.

Advanced Tips:

Use Linux sample to start a chrony relay, then replace the pool names and Allowed client networks with the site's actual upstreams and internal CIDRs.
Keep Add local fallback clock off for normal internet-connected clients. If an isolated site needs it, use a high Fallback stratum and monitor for upstream recovery.
Turn on Add NTS to chrony sources only when every selected chrony source supports Network Time Security. Ordinary NTP pool names may not support NTS.
For Cisco profiles, prefer literal server addresses when the device may boot before DNS or management VRF reachability is proven.
Use Source Ledger to review unsupported tokens before change approval. A warning may still produce config text, but the omitted option can change the behavior you expected.

Worked Examples:

These cases show how the same source plan changes when platform syntax, serving scope, or validation errors change.

Linux relay for one subnet

For a chrony relay, choose chrony, enter 0.pool.ntp.org,pool,iburst, 1.pool.ntp.org,pool,iburst, and ntp1.example.internal,server,iburst,prefer, then turn on Serve LAN clients with 10.44.0.0/16. Source Ledger should show the source lines plus allow 10.44.0.0/16, and Validation Review should have no client-network error.

Client-only systemd host

Select systemd-timesyncd when a host only needs a compact [Time] file. Source rows with iburst or prefer still produce warnings because those per-source options are not emitted. The useful output is the host list in NTP=, with secondary targets repeated as FallbackNTP=.

Cisco management VRF

For a device reached through management routing, choose a Cisco profile, use concrete addresses such as 10.44.10.10,server,prefer and 10.44.10.11,server, set Source interface to Loopback0, and set Management VRF to Mgmt-vrf. NTP Config should include VRF-aware ntp server lines and a global ntp source. A key ID without a secret means the key definition must already exist on the device.

URL entered as a source

A URL-style source value fails because an NTP source target is a hostname or IP address, not a URL. Start the row with time.example.com,server instead. If a Cisco profile then warns about the hostname, replace it with a reachable IP address when DNS may not be available during bootstrap.

FAQ:

Should I choose chrony, ntpd, or systemd-timesyncd?

Choose the profile installed on the target host. chrony is common on modern Linux systems, ntpd matches classic ntp.conf deployments, and systemd-timesyncd fits simple client-only hosts that do not serve downstream clients.

Why did one of my source options disappear?

Options are emitted only when the selected platform supports them. Check Source Ledger for the emitted line and Validation Review for warnings about tokens such as source=, vrf=, nts, iburst, or maxsources.

When should I serve LAN clients?

Enable Serve LAN clients only when the Linux host should answer NTP requests from other machines. Add specific internal IPv4 networks and confirm firewall policy before using the generated access rules.

Is a local fallback clock safe?

A fallback clock can help an isolated site keep shared internal time, but it can also mask failed upstream sources. Keep the fallback stratum high and verify that real sources are selected when they are reachable.

Why is the Cisco authentication warning still present?

A key ID without a local secret means the generated source lines can reference a key, but the key definition must already exist on the device. Enter the secret only when the generated config should include the literal key stanza.

Does a clean config mean the clock is synchronized?

No. Clean output means the entered values passed local checks. After deployment, verify the selected source, reach, offset, delay, jitter, stratum, and authentication state with the target platform's own status commands.

Glossary:

Source: An NTP server, pool name, or peer used as a candidate time reference.
Pool: A DNS name that can return changing NTP servers for source diversity.
Peer: A symmetric NTP association where two systems can exchange time with each other.
Stratum: A hop count from a reference clock, not a complete measure of time quality.
Offset: The estimated time difference between the local clock and a source.
Drift: The local clock's frequency tendency, learned over time and stored by many NTP daemons.
NTS: Network Time Security, a TLS-based key-establishment and authenticated NTP mechanism for supported client-server sources.
VRF: Virtual Routing and Forwarding, a separate routing table often used for management traffic on network devices.

References:

RFC 5905: Network Time Protocol Version 4, RFC Editor, June 2010.
RFC 8915: Network Time Security for NTP, RFC Editor, September 2020.
chrony.conf(5) Manual Page, chrony project.
NTP Configuration File User's Manual, NTP Project.
timesyncd.conf, systemd.
System Management Configuration Guide, Cisco IOS XE 17.x - Network Time Protocol, Cisco.
NTP Commands on Cisco IOS XR Software, Cisco.
How do I use pool.ntp.org?, NTP Pool Project.
How to synchronize time with NTP in Linux, Simplified Guide.