NTP Design Consideration

emcueto08
Level 1

Hey Guys,

Good day.

Just want to know if we could use a Cisco Catalyst 6500 as the NTP server for the whole network? Meaning all the network devices, including servers, workstations and terminals, will sync their clocks to the C6500. It is a large enterprise network.

Could you also give us documentation regarding the "Best Practices in Implementing NTP" with Cisco devices.

We may need to have the document presented to our client for validation if using C6500 as NTP server for a large enterprise network is GOOD or NOT.

Hope to have your reply as soon as possible as the presentation will be next week.

Thanks,

Gin

9 Replies

sean_evershed
Level 7

A 6500 is a rock-solid device, so it is a good choice for the master clock.

See below a white paper on NTP:

http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml

Your next important choice is where the 6500 will sync its time from. The white paper offers advice on how to do this.

Don't forget to rate all posts that are helpful.

Hi Sean,

If the 6500 will be the only NTP Master in the network without any peers to sync to, either from the internet or local, will this still be a good implementation for the 6500 to provide the clock for the workstations and servers? Also, the NTP configuration has a setting for "maximum associations". Thus, this implies that we may need to consider the nodes associating with the core switch? The client may be having thousands of nodes.

Thanks,

Gin

Get one dedicated NTP server. A dedicated NTP server is a device that has a built-in GPS and NOT a server that requires internet access. Connect the NTP server to a switch and get your core switch, a 6500 perhaps, to synchronize to it. All the rest of your switches then synchronize to your 6500.

You don't need a pair of NTP servers because if the sole NTP server is out of service, the entire network can still get the correct time (a few seconds off won't be critical) until you get the NTP server repaired or replaced.

If you don't want to purchase a dedicated NTP server then you need to somehow allow your core router/switch to go out and synchronize with a dedicated NTP server.

Hi leolaohoo,

With this

"If you don't want to purchase a dedicated NTP server then you need to somehow allow your core router/switch to go out and synchronize with a dedicated NTP server."

Suppose I do have an ISR 3900 G2 internet router and I can sync its clock to the internet? Will it be advisable for the 3900 to provide NTP for thousands of nodes? Meaning not just network devices but also WORKSTATIONS and SERVERS? This is the main concern for the client.

Thanks,

Gin

You need to think about how your NTP architecture is going to work.

It sounds like your firewall rules allow outbound NTP traffic if you want clients to associate with your Internet router.

This implies therefore that you can also sync the 6500 behind the firewall against an atomic clock on the Internet.

As I stated before I would choose the 6500 as the NTP master due to its high availability features.

If you are running Microsoft AD in your environment you would then sync your domain controllers to the NTP master. The workstations then sync their time against the domain controllers and not the NTP master.

Hi Sean,

Can a 6500 host NTP for thousands of workstations and servers syncing from time to time even though it has a max number of associations in its configuration? Can this be a final setup?

This is the scenario: if a Cisco 6500 can provide NTP for all nodes (switches, routers, firewalls, servers and workstations) and be the final working configuration (and it has been verified and proven that the device will not hang up due to many sessions of NTP), then the client will not purchase any server just for the NTP application.

If using a Cisco 6500 as NTP server is just an interim solution and not advisable as the NTP server for a Large Enterprise Network, then we need to provide an option as to what server they can use to get NTP sync from the internet, or it may push them to buy a separate server for NTP.

Thanks,

Gin

"Suppose I do have an ISR 3900 G2 internet router and I can sync its clock to the internet? Will it be advisable for the 3900 to provide NTP for thousands of nodes?"

Yes, it will work.  NTP/SNTP is "cheap" in bandwidth.

"Meaning not just network devices but also WORKSTATIONS and SERVERS? This is the main concern for the client."

I may not want to do it that way myself.

If you take the core-distribution-access architecture and apply it here. Meaning, the core (3900) syncs to the internet. The distribution then syncs with the 3900. Your access switches then sync to the distro. Your workstations will sync to the default gateway.

Gin

I am a bit late to this discussion, and perhaps there are some aspects that I do not adequately understand. But here is my advice.

I believe that a 6500 could function to provide NTP time to the entire network. But I do not think that it is the best way to do it. As others have commented, NTP does not use much bandwidth, so the traffic load on the 6500 would not be great. But consider that the 6500 does most of the forwarding in hardware, but things like NTP requests and responses are handled in the 6500 CPU. I do not think that you have indicated what supervisor is in your 6500. But most of them do not have especially strong CPU. So the generally accepted Best Practice for this is not to have a single device serving as Master to the entire network, but the Best Practice is usually to establish a hierarchy of devices to offer NTP.  Assuming that you have some network device (router or layer 3 switch) that can learn NTP time from an authoritative server (which might be stratum 1) so it makes your device stratum 2. Then your 6500 could learn time from that device, which makes it stratum 3. Then other routers and switches in the network could learn NTP time from the 6500, which makes them stratum 4. Then the clients could learn NTP time from the stratum 4 devices. Using this model the work of distributing time is distributed over the network and no single device has a significant load servicing the NTP requests.

I believe that this represents the Best Practice for using NTP.

HTH

Rick

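The hierarchy Rick describes (upstream stratum 2 device, 6500 at stratum 3, access layer at stratum 4), written out as Cisco IOS NTP configuration. This is an added illustration, not configuration from anyone in this thread; the addresses (192.0.2.10, 10.0.0.1, 10.0.0.2), the 10.0.0.0/8 client range, the ACL numbers and the key value are placeholders to adapt. It also shows the two knobs a reviewer usually asks for: key-based authentication of the upstream source and access-groups so each device serves time to internal clients only, plus the local-clock fallback that answers the "only master, no peers" question earlier in the thread.

```ios
! ---- Stratum 2: Internet-facing router (ISR), loopback 10.0.0.1 ----
! Authenticate the upstream source; EXAMPLE-KEY is a placeholder secret.
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp trusted-key 1
ntp source Loopback0
! External stratum-1 reference (placeholder address 192.0.2.10).
ntp server 192.0.2.10
! ACL 20 = sources we may synchronize TO; ACL 10 = clients we serve.
access-list 20 permit host 192.0.2.10
access-list 10 permit 10.0.0.0 0.255.255.255
ntp access-group peer 20
ntp access-group serve-only 10
! Fallback only: if the upstream is unreachable, keep serving from the
! local clock at a deliberately poor stratum so a real source always wins.
ntp master 10

! ---- Stratum 3: Catalyst 6500 core, loopback 10.0.0.2 ----
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp trusted-key 1
ntp source Loopback0
! Sync only to the stratum-2 router, with the shared key.
ntp server 10.0.0.1 key 1 prefer
access-list 20 permit host 10.0.0.1
! Serve time requests (no control queries) to internal devices only.
access-list 10 permit 10.0.0.0 0.255.255.255
ntp access-group peer 20
ntp access-group serve-only 10

! ---- Stratum 4: distribution / access switch ----
ntp authenticate
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp trusted-key 1
ntp source Loopback0
ntp server 10.0.0.2 key 1
access-list 20 permit host 10.0.0.2
access-list 10 permit 10.0.0.0 0.255.255.255
ntp access-group peer 20
ntp access-group serve-only 10
! Workstations and servers point at this layer (or at the AD domain
! controllers), never at the 6500 directly, so no single CPU carries
! thousands of associations.
```

Verify each tier with `show ntp status` and `show ntp associations` after the change; a device whose only reference is the local clock from `ntp master` shows the fallback stratum rather than the upstream one.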