canttalkeating
asked on
Using a Cisco Switch as the NTP Master time source for a PDC
Hi all,
We have a closed network (no connectivity to the internet) and we have a Core router setup as the NTP Master for the rest of the network.
All network devices are getting the time synced as intended but we are having issues getting the Primary Domain Controller (PDC) registering to it as a valid NTP time source.
The problem we have is that we are affected by IOS bug CSCed13703, which rejects the PDC as an NTP associated device. Short of changing the IOS on the router, which is the main router feeding 30 other sites, I would like to point the PDC at a different switch (an NTP client switch) as its NTP source, rather than it going to the actual NTP Master.
I have changed the values in the PDC to point to a different switch (3750) that has its time synced with the NTP master, but the PDC doesn't want to know. I assume it will only accept the time from an official NTP Master.
Could any of you fine people advise if what I am trying to do is possible and, if so, how I would go about it? I was thinking of setting the 3750 with the NTP Master command also, but I don't want to confuse the other Cisco devices in the network.
Thanks in advance
David
This is maybe not the answer you're looking for, but for isolated networks you can use a GPS clock to serve as a time source for both network gear and servers.
http://www.symmetricom.com/products/gps-solutions/telecom-primary-reference-sources/
What we have done in our network is to turn on NTP broadcast on all of our LANs:
interface vlan1
ntp broadcast
Then use a free NTP client like K9NT on your PDC and it will listen to the broadcasts. This method works extremely well, assuming that the time being broadcast is acceptable to you.
If security concerns allow it, I would recommend letting all the systems (DCs included) sync themselves to freely available sources on the internet. That would minimize redundancy problems.
If there are security concerns, I would recommend using a dedicated NTP server appliance (usually a preconfigured Linux box with a built-in radio-controlled clock listening to GPS, DCF77, etc.).
You might find my article on NTP useful.
If you think about a dedicated NTP server box, I have experiences with Meinberg M300 boxes (available for GPS, DCF77 and other time sources) as redundancy cluster (of two boxes) which worked very well (firmware 6.14.12 or above recommended).
Thanks for sharing. Indeed, stratum has been the common hop issue. Security-wise, we even run a dedicated NTP v3 above, even for a closed network.
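Both the `ntp broadcast` answer above (the PDC listens for mode-5 packets on the VLAN) and the stratum point in the comment above come down to what the switch actually puts on the wire, and that can be checked directly from any host before touching the PDC's time service. The following is an added example, not code from this thread, from Cisco or from Microsoft: a minimal SNTP client in Python that decodes an NTP v3/v4 packet and applies the sanity checks a strict client (ntpd or w32time) applies before it will use a source: version, server or broadcast mode, leap indicator not 3, stratum within 1..15, a non-zero transmit timestamp, and, for unicast replies, the originate timestamp echoing our request. The master address 10.0.0.1 and the three sample packets are constructed for the example, not captured from a real device.

```python
"""Decode an NTP v3/v4 packet and apply the sanity checks a strict client applies
before trusting a time source (added example; constructed sample data)."""
import socket
import struct
import time
from dataclasses import dataclass
from typing import List, Optional

NTP_EPOCH_OFFSET = 2_208_988_800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
NTP_PORT = 123
MODE_CLIENT, MODE_SERVER, MODE_BROADCAST = 3, 4, 5
HEADER_FMT = "!BBbbiI4sQQQQ"  # LI/VN/mode, stratum, poll, precision, delay, disp, refid, 4 timestamps


@dataclass
class NtpPacket:
    leap: int          # 3 = clock unsynchronized; a client must ignore the source
    version: int
    mode: int          # 4 = unicast server reply, 5 = broadcast
    stratum: int       # 0 = kiss-o'-death/unspecified, 16 = unsynchronized
    root_delay: float  # seconds back to the stratum-1 source
    root_dispersion: float
    ref_id: str        # 'LOCL'/'GPS' at stratum 0-1, upstream IPv4 address above that
    orig_ts: int       # raw 64-bit NTP timestamps
    xmit_ts: int


def unix_to_ntp(t: float) -> int:
    """Unix seconds -> 64-bit NTP fixed-point timestamp (32.32)."""
    sec = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * 2**32)
    return (sec << 32) | frac


def ntp_to_unix(raw: int) -> float:
    return (raw >> 32) - NTP_EPOCH_OFFSET + (raw & 0xFFFFFFFF) / 2**32


def build_request(now: float) -> bytes:
    """Mode-3 client request. The server echoes our transmit timestamp as its
    originate timestamp; that echo is the only anti-spoofing nonce SNTP has."""
    header = (0 << 6) | (4 << 3) | MODE_CLIENT  # LI=0, VN=4, mode=3
    return struct.pack(HEADER_FMT, header, 0, 0, 0, 0, 0, b"\0\0\0\0",
                       0, 0, 0, unix_to_ntp(now))


def parse_packet(data: bytes) -> NtpPacket:
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (hdr, stratum, _poll, _prec, rdelay, rdisp, refid,
     _ref, orig, _recv, xmit) = struct.unpack(HEADER_FMT, data[:48])
    if stratum <= 1:  # reference clock name, e.g. b"GPS\0" or b"LOCL"
        ref_text = refid.rstrip(b"\0").decode("ascii", "replace")
    else:             # IPv4 address of the upstream server
        ref_text = ".".join(str(b) for b in refid)
    return NtpPacket(leap=hdr >> 6, version=(hdr >> 3) & 7, mode=hdr & 7,
                     stratum=stratum, root_delay=rdelay / 65536,
                     root_dispersion=rdisp / 65536, ref_id=ref_text,
                     orig_ts=orig, xmit_ts=xmit)


def check_packet(pkt: NtpPacket, expected_origin: Optional[int] = None) -> List[str]:
    """Return the reasons a strict client would reject this packet ([] = usable)."""
    problems = []
    if pkt.version not in (3, 4):
        problems.append(f"unsupported NTP version {pkt.version}")
    if pkt.mode not in (MODE_SERVER, MODE_BROADCAST):
        problems.append(f"mode {pkt.mode} is not a server or broadcast packet")
    if pkt.leap == 3:
        problems.append("leap indicator 3: source is not synchronized")
    if not 1 <= pkt.stratum <= 15:
        problems.append(f"stratum {pkt.stratum} outside 1..15 (kiss-o'-death or unsynchronized)")
    if pkt.xmit_ts == 0:
        problems.append("transmit timestamp is zero")
    if pkt.mode == MODE_SERVER and expected_origin is not None and pkt.orig_ts != expected_origin:
        problems.append("originate timestamp does not echo our request (replay or spoof)")
    return problems


def query(host: str, timeout: float = 2.0) -> NtpPacket:
    """Send a real request and validate the reply (needs network; not exercised offline)."""
    now = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(now), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
    pkt = parse_packet(data)
    problems = check_packet(pkt, expected_origin=unix_to_ntp(now))
    if problems:
        raise RuntimeError(f"{host}: " + "; ".join(problems))
    return pkt


def make_packet(leap: int, stratum: int, mode: int, refid: bytes, orig: int, xmit: int) -> bytes:
    """Construct a server/broadcast packet for offline use (constructed data, not a capture)."""
    hdr = (leap << 6) | (4 << 3) | mode
    return struct.pack(HEADER_FMT, hdr, stratum, 6, -20, 0x0800, 0x0400, refid, xmit, orig, xmit, xmit)


REQUEST_TS = unix_to_ntp(1_700_000_000.5)
# Healthy reply from a switch at stratum 9 whose upstream is a hypothetical stratum-8 master at 10.0.0.1.
GOOD_REPLY = make_packet(0, 9, MODE_SERVER, bytes([10, 0, 0, 1]), REQUEST_TS, unix_to_ntp(1_700_000_000.52))
# Reply from a switch that has not finished synchronizing: LI=3, stratum 16, which any client rejects.
UNSYNCED_REPLY = make_packet(3, 16, MODE_SERVER, b"INIT", REQUEST_TS, unix_to_ntp(1_700_000_000.52))
# Mode-5 packet as sent by an "ntp broadcast" interface; no originate echo is possible here.
BROADCAST = make_packet(0, 9, MODE_BROADCAST, bytes([10, 0, 0, 1]), 0, unix_to_ntp(1_700_000_010.0))
```

Run `query("<switch-ip>")` against the 3750 and against the master: a reply listing `leap indicator 3` or `stratum 16` means the switch is not yet synchronized and no client will take time from it, whatever its configuration says. Broadcast packets (mode 5) cannot be tied to a request, so a host that listens to them is trusting the VLAN; that is the trade-off behind the `ntp broadcast` approach.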
ASKER
This has been proven to be the correct answer in this scenario and continues to work.
NTP: Common issues and troubleshooting
https://supportforums.cisco.com/docs/DOC-1263
As an alternative to the w32time PDC/DC time server, you can take a look at third-party NTP/SNTP time server software such as NTS: http://nts.softros.com/server.html
It can be installed on the PDC machine and host NTP/SNTP/NTSv2 services for all networks or only for "white-listed" ones (configurable). That's it: no matter which client connects to the server (joined to the domain, stand-alone, joined to another domain, hardware equipment, etc.), access is regulated only by IPs/networks.