Setting up a high availability NTP system for our network on Cisco routers

Posted on 2015-02-10
Last Modified: 2015-02-16
I have a general idea of what I want to do, but I can't quite figure out how to do it.  We have 5 Cisco routers that I would like to use as ntp servers for our network.  Currently one is configured as an ST5 time server, getting its time from a public ST2 ntp server.  The other 4 routers are configured as ST6 time servers, getting their time from the one that gets its time from the Internet.  The problem is that if the one router that gets its time from the ST2 ntp source crashes, we lose our authoritative time source.

I think what I'd like to do is set 2 or 3 of the routers to get their time from different ST2 ntp servers, then have all 5 set up as peers to "negotiate" a network time for our entire network (2 Windows domains & 1300+ linux workstations and servers at multiple locations).

The idea being that even with a complete failure of our Internet feed (we have 2 links with different carriers & BGP for failover), we could still have stable time services on the network.

I think what I want to do is set up "symmetric active mode" on 2 or 3 of the routers, getting their time from an authoritative external source, then set up peering on all 5.  The rest of the network would get their time from all 5 routers.

Any help would be very much appreciated.


Question by:QcHoldings

Assisted Solution

mikebernhardt earned 250 total points
ID: 40601550
I think you've basically got it. I think it's better to have 2 routers getting their time from a single outside source, have them peer to each other, and have the remaining routers peer to both of them. If you use 2 outside sources then you run the risk of those being a bit out of sync and screwing everything up. If you lose the single source, it's not like your NTP dies; if it drifts, it will all drift together, and slowly.

Author Comment

ID: 40601628
That's a great point about using a single external source, I didn't really consider that.

So let's say that R1 & R2 get their time from that single external source.  In this case, I take it that they would both become authoritative for our network.  If they're getting their time from a ST 2 source, then the command "ntp server w.x.y.z prefer" would set the ntp server to ST 3.  So for R1 and R2, I take it I would configure them as:

- R1 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R2

- R2 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server w.x.y.z prefer
ntp peer _IP_ADDR_R1

The question then becomes what to do about R3, R4, & R5?

Would it be something like this?  

- R3 -
clock timezone CST -6
clock summer-time CDT recurring
ntp update-calendar
ntp server _IP_ADDR_R1
ntp server _IP_ADDR_R2
ntp peer _IP_ADDR_R4
ntp peer _IP_ADDR_R5

And since we've got 2 sites, I would want to do something similar for our other site, using the same external time source.  But would we also want to do some peering from our main site (we've got an IPSec/GRE tunnel between sites, and have DCs for both domains at both sites) to the secondary site as well?

The problem is that all the documentation I've read so far is a bit vague on HA configurations.  Most of my timesync experience was with Novell's NDS/eDir timesync back in "the day."



Accepted Solution

Stephen Berk earned 250 total points
ID: 40602462
NTP doesn't work that way. NTP on the Cisco router won't sync to an unreliable source or have the problems Mike described unless it loses sync and drifts significantly. If you don't configure multiple time sources, you run the risk of not having any reliable time source, and when your clocks do start to drift you'll have problems with time-sensitive applications like Kerberos. Configure multiple sources, and make sure you stay synched.

Use NIST servers as your source; they are typically stratum-1. Pick one or two routers (R1 and R2) to sync from the NIST servers. Next, have the remaining routers (R3 - R5) sync from R1 and R2. Then have your DC run the time service and sync time from R3, R4, and R5. Have your workstations poll time from the DCs. Remember, each NTP client will only sync time to one source regardless of how many sources you configure. The additional sources won't confuse your NTP client; they just provide alternate time sources for redundancy.

Don't forget to check your work. Do a "show ntp associations" and "show ntp status" to verify your settings are working as desired.
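
The two verification commands above are easy to run but tedious to read across five routers. The following script is an added example, not code from the thread or from Cisco: it parses text in the shape of IOS `show ntp associations` and `show ntp status` output and reports the conditions a practitioner cares about (is the clock synchronized, does the sys.peer match the reference, is each source reachable and within an offset limit, and are there enough usable sources for the redundancy the answer recommends). The sample outputs, addresses, and the thresholds of 2 sources and 100 ms are constructed assumptions for illustration; paste real output into the two strings to check a real router.

```python
"""Check Cisco IOS NTP health from `show ntp associations` / `show ntp status`.
Added example for this thread; sample output below is constructed to mimic
IOS formatting and is not taken from any real router."""
import re

# Constructed sample in the shape of `show ntp associations` (IOS).
# First column is the selection flag, '~' marks a configured source,
# 'reach' is an octal 8-bit shift register of recent poll successes.
SAMPLE_ASSOCIATIONS = """\
      address         ref clock       st   when   poll reach  delay  offset    disp
*~10.0.0.1         192.0.2.10        2     37     64   377    1.2    0.53     0.9
+~10.0.0.2         192.0.2.10        2     51     64   377    1.5    0.80     1.1
 ~10.0.0.3         .INIT.           16      -     64     0    0.0    0.00  16000.
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Constructed sample in the shape of `show ntp status` (IOS).
SAMPLE_STATUS = """\
Clock is synchronized, stratum 3, reference is 10.0.0.1
nominal freq is 250.0000 Hz, actual freq is 249.9998 Hz, precision is 2**18
reference time is D8A5B2C1.6F4B3A29 (14:23:45.435 CST Tue Feb 10 2015)
clock offset is 0.5300 msec, root delay is 12.34 msec
root dispersion is 30.12 msec, peer dispersion is 0.90 msec
"""

ROLES = {"*": "sys.peer", "#": "selected", "+": "candidate",
         "-": "outlyer", "x": "falseticker"}

ASSOC_RE = re.compile(
    r"^(?P<flag>[ *#+\-x])~?(?P<addr>\S+)\s+(?P<ref>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>[\d.]+)"
)

STATUS_RE = re.compile(
    r"Clock is (synchronized|unsynchronized), stratum (\d+), "
    r"(?:reference is (\S+)|no reference clock)"
)


def parse_associations(text):
    """Return one dict per association line; header and legend are skipped."""
    rows = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        reach = int(m.group("reach"), 8)  # IOS prints reach in octal
        rows.append({
            "address": m.group("addr"),
            "refclock": m.group("ref"),
            "stratum": int(m.group("st")),
            "reach_ok_polls": bin(reach).count("1"),  # answered, of last 8
            "offset_ms": float(m.group("offset")),
            "role": ROLES.get(m.group("flag"), "unused"),
        })
    return rows


def parse_status(text):
    """Extract sync state, local stratum and reference from `show ntp status`."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("unrecognised show ntp status output")
    return {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)),
            "reference": m.group(3)}  # None when unsynchronized


def check_ntp(assoc_text, status_text, min_good_sources=2, max_offset_ms=100.0):
    """Return a list of findings; an empty list means the router is synced,
    its sources are reachable and it has the redundancy asked for."""
    status = parse_status(status_text)
    rows = parse_associations(assoc_text)
    findings = []
    if not status["synchronized"]:
        findings.append("clock is not synchronized")
    sys_peer = [r for r in rows if r["role"] == "sys.peer"]
    if status["synchronized"] and (
            not sys_peer or sys_peer[0]["address"] != status["reference"]):
        findings.append(f"sys.peer does not match reference {status['reference']}")
    good = 0
    for r in rows:
        if r["stratum"] >= 16 or r["reach_ok_polls"] == 0:
            findings.append(f"{r['address']} unreachable (stratum {r['stratum']}, "
                            f"{r['reach_ok_polls']}/8 polls answered)")
            continue
        if abs(r["offset_ms"]) > max_offset_ms:
            findings.append(f"{r['address']} offset {r['offset_ms']:.2f} ms "
                            f"exceeds {max_offset_ms:.0f} ms")
        # A source counts toward redundancy only if selectable and mostly reachable.
        if r["role"] in ("sys.peer", "selected", "candidate") and r["reach_ok_polls"] >= 6:
            good += 1
    if good < min_good_sources:
        findings.append(f"only {good} usable source(s); want at least {min_good_sources}")
    return findings


if __name__ == "__main__":
    for f in check_ntp(SAMPLE_ASSOCIATIONS, SAMPLE_STATUS) or ["OK"]:
        print(f)
```

With the constructed sample the router is synchronized to 10.0.0.1 with 10.0.0.2 as a reachable candidate, so the only finding is that the third configured source has never answered (stratum 16, reach 0). Run it against each router after the change and against the DCs' upstream routers in particular, since a stratum-16 source silently reduces redundancy until the remaining source fails.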

Author Closing Comment

ID: 40612394
Thanks for all the help!
