Setting up a high availability NTP system for our network on Cisco routers

Posted on 2015-02-10
Last Modified: 2015-02-16
I have a general idea of what I want to do, but I can't quite figure out how to do it. We have 5 Cisco routers that I would like to use as NTP servers for our network. Currently they are configured as 1 ST5 time server, getting its time from a public ST2 NTP server. The other 4 routers are configured as ST6 time servers, getting their time from the one getting its time from the Internet. The problem is that if the one router that gets its time from the ST2 NTP source crashes, we lose our authoritative time source.

I think what I'd like to do is set 2 or 3 of the routers to get their time from different ST2 ntp servers, then have all 5 set up as peers to "negotiate" a network time for our entire network (2 Windows domains & 1300+ linux workstations and servers at multiple locations).

The idea being we could have a complete failure of our Internet feed (we have 2 links with different carriers & BGP for failover), we could still have stable time services on the network.

I think what I want to do is set up "symmetric active mode" on 2 or 3 of the routers, getting their time from an authoritative external source, then setting up peering on all 5. The rest of the network would get their time from all 5 routers.

Any help would be very much appreciated.


Question by: QcHoldings

Assisted Solution

mikebernhardt earned 250 total points
ID: 40601550
I think you've basically got it. I think it's better to have 2 routers getting their time from a single outside source, have them peer to each other, and have the remaining routers peer to both of them. If you use 2 outside sources then you run the risk of those being a bit out of sync and screwing everything up. If you lose the single source, it's not like your NTP dies; if it drifts, it will all drift together, and slowly.

Author Comment

ID: 40601628
That's a great point about using a single external source; I didn't really consider that.

So let's say that R1 & R2 get their time from that single external source. In this case, I take it that they would both become authoritative for our network. If they're getting their time from a ST 2 source, then the command "ntp server w.x.y.z prefer" would set the NTP server to ST 3. So for R1 and R2, I take it I would configure them as:

- R1 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R2

- R2 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R1

The question then becomes what to do about R3, R4, & R5?

Would it be something like this?  

- R3 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server _IP_ADDR_R1
ntp server _IP_ADDR_R2
ntp peer _IP_ADDR_R4
ntp peer _IP_ADDR_R5

And since we've got 2 sites, I would want to do something similar for our other site, using the same external time source.  But would we also want to do some peering from our main site (we've got an IPSec/GRE tunnel between sites, and have DCs for both domains at both sites) to the secondary site as well?

The problem is that all the documentation I've read so far is a bit vague on HA configurations. Most of my timesync experience was with Novell's NDS/eDir timesync back in "the day."

Accepted Solution

Stephen Berk earned 250 total points
ID: 40602462
NTP doesn't work that way. NTP on the Cisco router won't sync to an unreliable source or have the problems Mike described unless it loses sync and drifts significantly. If you don't configure multiple time sources, you run the risk of not having any reliable time source, and when your clocks do start to drift you'll have problems with time-sensitive applications like Kerberos. Configure multiple sources, and make sure you stay synched.

Use NIST servers as your source; they are typically stratum-1. Pick one or two routers (R1 and R2) to sync from the NIST servers. Next, have the remaining routers (R3 - R5) sync from R1 and R2. Then have your DC run the time service and sync time from R3, R4, and R5. Have your workstations poll time from the DCs. Remember, each NTP client will only sync time to one source regardless of how many sources you configure. The additional sources won't confuse your NTP client; they just provide alternate time sources for redundancy.

Don't forget to check your work. Do a "show ntp associations" and "show ntp status" to verify your settings are working as desired.

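The "check your work" step above is the one that catches a broken HA design before the clocks drift. As an added example (not part of this thread, and not Cisco code), the script below parses output in the shape of "show ntp status" and "show ntp associations" and flags exactly the conditions this question is about: no synchronization, stratum too high, a sys.peer that is not fully reachable, no backup candidate left if the sys.peer dies, a falseticker, or fewer than two configured sources. The sample output is constructed to resemble IOS output; real column widths and reference-clock names vary, so the regexes key on field order rather than position.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output, modelled on the shape of the two IOS commands named
# in the accepted answer. Not a captured session; addresses are documentation ranges.
SHOW_NTP_STATUS = """\
Clock is synchronized, stratum 2, reference is 192.0.2.10
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is D8A1B2C3.4D5E6F70 (12:00:01.540 CST Tue Feb 10 2015)
clock offset is 0.0500 msec, root delay is 1.20 msec
"""

SHOW_NTP_ASSOCIATIONS = """\
      address         ref clock       st   when   poll reach  delay  offset   disp
*~192.0.2.10        .NIST.           1     12     64   377    1.2    0.05     0.4
+~192.0.2.11        .NIST.           1     30     64   377    1.5    0.10     0.5
 ~10.0.0.2          192.0.2.10       2     50     64   377    0.8    0.30     0.9
x~10.0.0.9          127.127.1.1      8     60     64   177   12.0  1500.0     4.0
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""


@dataclass
class Association:
    tally: str        # '*' sys.peer, '+' candidate, '#' selected, '-' outlier, 'x' falseticker, ' ' none
    configured: bool  # '~' marks a statically configured server/peer
    address: str
    refclock: str
    stratum: int
    reach: int        # 8-bit reachability register; IOS prints it in octal (377 = last 8 polls answered)
    offset_ms: float


STATUS_RE = re.compile(
    r"Clock is (synchronized|unsynchronized)"
    r"(?:, stratum (\d+))?(?:, reference is (\S+))?"
)
# tally, optional '~', address, ref clock, st, when, poll, reach, delay, offset, disp
ASSOC_RE = re.compile(
    r"^([ *#+\-x])(~?)(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+([0-7]+)"
    r"\s+[-\d.]+\s+([-\d.]+)\s+[-\d.]+\s*$"
)


def parse_status(text: str) -> Tuple[bool, Optional[int], Optional[str]]:
    """Return (synchronized?, stratum, reference) from 'show ntp status' text."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no 'Clock is ...' line found")
    stratum = int(m.group(2)) if m.group(2) else None
    return m.group(1) == "synchronized", stratum, m.group(3)


def parse_associations(text: str) -> List[Association]:
    """Return one Association per data row; header and legend lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        out.append(Association(
            tally=m.group(1), configured=m.group(2) == "~", address=m.group(3),
            refclock=m.group(4), stratum=int(m.group(5)),
            reach=int(m.group(6), 8), offset_ms=float(m.group(7)),
        ))
    return out


def check_ntp_health(status_text: str, assoc_text: str, max_stratum: int = 4) -> List[str]:
    """Return a list of problems; an empty list means the router is healthy and redundant."""
    issues = []
    synced, stratum, _ref = parse_status(status_text)
    assocs = parse_associations(assoc_text)
    if not synced:
        issues.append("clock is not synchronized")
    elif stratum is not None and stratum > max_stratum:
        issues.append(f"stratum {stratum} exceeds limit {max_stratum}")
    sys_peer = [a for a in assocs if a.tally == "*"]
    if synced and not sys_peer:
        issues.append("synchronized but no sys.peer ('*') in associations")
    for a in sys_peer:
        if a.reach != 0o377:
            issues.append(f"sys.peer {a.address} reach {a.reach:o} is not 377")
    # The HA point of the thread: a second selectable source must already be in the clock filter.
    if not any(a.tally in "+#" for a in assocs):
        issues.append("no candidate ('+'/'#') backup: losing the sys.peer leaves this router free-running")
    for a in assocs:
        if a.tally == "x":
            issues.append(f"{a.address} is a falseticker (offset {a.offset_ms} ms); remove or fix it")
    if sum(1 for a in assocs if a.configured) < 2:
        issues.append("fewer than two configured sources")
    return issues


if __name__ == "__main__":
    for issue in check_ntp_health(SHOW_NTP_STATUS, SHOW_NTP_ASSOCIATIONS):
        print("WARN:", issue)
```

Run it against the pasted output of the two commands from each of R1 to R5; a router that reports only "fewer than two configured sources" or "no candidate" is the single point of failure the original question set out to remove.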
Author Closing Comment

ID: 40612394
Thanks for all the help!
