Solved

Setting up a high availability NTP system for our network on Cisco routers

Posted on 2015-02-10
134 Views
Last Modified: 2015-02-16
I have a general idea of what I want to do, but I can't quite figure out how to do it. We have 5 Cisco routers that I would like to use as ntp servers for our network. Currently they are configured as 1 ST5 time server, getting its time from a public ST2 ntp server. The other 4 routers are configured as ST6 time servers, getting their time from the one getting its time from the Internet. The problem is that if the one router that gets its time from the ST2 ntp source crashes, we lose our authoritative time source.

I think what I'd like to do is set 2 or 3 of the routers to get their time from different ST2 ntp servers, then have all 5 set up as peers to "negotiate" a network time for our entire network (2 Windows domains & 1300+ Linux workstations and servers at multiple locations).

The idea being that even with a complete failure of our Internet feed (we have 2 links with different carriers & BGP for failover), we could still have stable time services on the network.

I think what I want to do is set up "symmetric active mode" on 2 or 3 of the routers, getting their time from an authoritative external source, then set up peering on all 5. The rest of the network would get their time from all 5 routers.

Any help would be very much appreciated.

Thanks!

Mark
Question by:QcHoldings
4 Comments
 
LVL 28

Assisted Solution

by:mikebernhardt
mikebernhardt earned 250 total points
ID: 40601550
I think you've basically got it. I think it's better to have 2 routers getting their time from a single outside source, have them peer to each other, and have the remaining routers peer to both of them. If you use 2 outside sources then you run the risk of those being a bit out of sync and screwing everything up. If you lose the single source, it's not like your NTP dies; if it drifts, it will all drift together, and slowly.
 

Author Comment

by:QcHoldings
ID: 40601628
That's a great point about using a single external source, I didn't really consider that.

So let's say that R1 & R2 get their time from that single external source.  In this case, I take it that they would both become authoritative for our network.  If they're getting their time from a ST 2 source, then the command "ntp server w.x.y.z prefer" would set the ntp server to ST 3.  So for R1 and R2, I take it I would configure them as:

- R1 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R2

- R2 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R1

The question then becomes what to do about R3, R4, & R5?

Would it be something like this?  

- R3 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server _IP_ADDR_R1
ntp server _IP_ADDR_R2
ntp peer _IP_ADDR_R4
ntp peer _IP_ADDR_R5

And since we've got 2 sites, I would want to do something similar for our other site, using the same external time source.  But would we also want to do some peering from our main site (we've got an IPSec/GRE tunnel between sites, and have DCs for both domains at both sites) to the secondary site as well?

The problem is that all the documentation I've read so far is a bit vague on HA configurations. Most of my timesync experience was with Novell's NDS/eDir timesync back in "the day."

Thanks!

Mark
 
LVL 3

Accepted Solution

by:Stephen Berk
Stephen Berk earned 250 total points
ID: 40602462
NTP doesn't work that way. NTP on the Cisco router won't sync to an unreliable source or have the problems Mike described unless it loses sync and drifts significantly. If you don't configure multiple time sources, you run the risk of not having any reliable time source, and when your clocks do start to drift you'll have problems with time-sensitive applications like Kerberos. Configure multiple sources, and make sure you stay synched.

Use NIST servers as your source (http://tf.nist.gov/tf-cgi/servers.cgi), they are stratum-1 typically. Pick one or two routers (R1 and R2) to sync from the NIST servers. Next, have the remaining routers (R3 - R5) sync from R1 and R2. Then have your DC run the time service and sync time from R3, R4, and R5. Have your workstations poll time from the DCs. Remember, each NTP client will only sync time to one source regardless of how many sources you configure. The additional sources won't confuse your NTP client, it just provides alternate time sources for redundancy.

Don't forget to check your work. Do a "show ntp associations" and "show ntp status" to verify your settings are working as desired.

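An added example, not code from the thread, that automates the "check your work" step in the accepted answer: it parses "show ntp associations" output (the sample below is constructed, with made-up addresses and timings; the column order is assumed from IOS) and reports when a router has no selected system peer or fewer than two usable sources, which is the single point of failure the question set out to remove.

```python
import re

# Constructed sample output (addresses and timings are made up for illustration).
SAMPLE = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
*~192.0.2.10       .NIST.            1     37     64   377    23.1    0.45     1.2
+~10.0.0.2         192.0.2.10        2     12     64   377     1.1    0.20     0.9
 ~10.0.0.3         .INIT.           16      -     64     0     0.0    0.00  16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Column order assumed from IOS: tally, configured flag, address, ref clock,
# stratum, when, poll, reach; the remaining columns are ignored.
ROW = re.compile(r"^(?P<tally>[ *#+x-])(?P<cfg>[ ~])(?P<addr>\S+)\s+\S+\s+"
                 r"(?P<st>\d+)\s+\S+\s+\d+\s+(?P<reach>[0-7]+)")

def parse_associations(text):
    """Return one dict per association row; header and legend lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        reach = int(m.group("reach"), 8)  # octal shift register of the last 8 polls
        rows.append({
            "addr": m.group("addr"),
            "tally": m.group("tally"),
            "stratum": int(m.group("st")),
            "reach_pct": 100 * bin(reach).count("1") // 8,
        })
    return rows

def check_redundancy(rows, min_sources=2):
    """Return findings as strings; an empty list means the router meets the HA goal."""
    findings = []
    if not any(r["tally"] == "*" for r in rows):
        findings.append("no system peer selected: router is free-running")
    usable = [r for r in rows if r["reach_pct"] > 0 and r["stratum"] < 16]
    if len(usable) < min_sources:
        findings.append(f"only {len(usable)} usable source(s); want at least {min_sources}")
    for r in rows:
        if r["tally"] == "x":
            findings.append(f"{r['addr']} flagged as falseticker")
        if r["stratum"] == 16:
            findings.append(f"{r['addr']} is unsynchronised (stratum 16)")
    return findings
```

Run it against the output of each of the five routers; a non-empty result on any one of them means that router would not survive losing an upstream server without drifting.
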
Author Closing Comment

by:QcHoldings
ID: 40612394
Thanks for all the help!