12-28-2016 08:01 AM - edited 03-08-2019 08:43 AM
All,
I have a customer who wants to turn their 6880s (VSS pair) into the master NTP server for all their network devices, end users and servers (including domain controllers). The 6880s act as their core network and their thinking is if the core goes down they have bigger problems than NTP.
Personally, I don't necessarily agree with this. My main concern is if there is a failure of one of the pairs, what happens from a configuration perspective?
Are there any problems with this? Any recommendations or best practices?
Thanks for the input!
12-28-2016 11:22 AM
Hi Thomas -
Based on my experience, using the main network core or internet edge device as the primary NTP server is usually a reasonably good practice. Most Catalyst switches can handle a few hundred NTP clients. If you expect to have thousands of clients, then you will probably want a dedicated NTP server.
Generally, you don't have to worry about the Windows environment because AD will only have 1 client connection to the NTP source (PDC Emulator FSMO Role holder). All other domain members will pull from the AD hierarchy.
For Cisco UC applications the NTP source must be stratum 6 (maybe 7) or higher. As long as your core is getting its time from a stratum 5 or higher source (most internet sources are stratum 1 or 2), then you have no problem with your UC servers.
Since you're running VSS, if one of the chassis fails, then the other will take over all the L3 interfaces. NTP will continue working as expected.
My recommendations alter a bit for Nexus and FHRP configurations. 1) I've found that the default control plane protection mechanism on Nexus 5500 series will start dropping NTP traffic around 50 clients. 2) Using a FHRP VIP (HSRP or VRRP) as an NTP source will give unpredictable results, so always use the actual host IPs.
PSC
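As an added example (not part of any reply in this thread), a small Python checker that decodes an NTP server reply and reports whether the responding device is an acceptable time source: it flags a stratum worse than the stratum-6 limit Paul gives for Cisco UC, a stratum-0 kiss-o'-death/unspecified reply, and an unsynchronized clock. The packet builder, the threshold constant and the sample addresses are my own constructions so the check runs offline; in practice you would feed it the 48 bytes returned by your core switch.

```python
import struct

# Worst stratum the thread says Cisco UC will accept from its NTP source
# (assumed threshold, taken from the reply above, not from any Cisco document).
MAX_STRATUM_FOR_UC = 6

def build_ntp_reply(stratum, ref_id, leap=0, version=4):
    """Constructed server reply (mode 4) with zeroed timestamps.
    Only used here to produce offline sample packets; ref_id must be 4 bytes."""
    li_vn_mode = (leap << 6) | (version << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)  # poll=6, precision=-20
    return header + struct.pack("!II", 0, 0) + ref_id + b"\x00" * 32

def parse_ntp_reply(packet):
    """Decode the fields of the 48-byte NTP header (RFC 5905 section 7.3)
    that matter when judging whether a device is a usable time source."""
    if len(packet) < 48:
        raise ValueError("NTP header is 48 bytes; got %d" % len(packet))
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    ref_id = packet[12:16]
    # Stratum 0/1 carry a 4-char ASCII code (GPS, LOCL, a KoD code such as RATE);
    # stratum >= 2 carries the IPv4 address of the upstream server.
    if stratum <= 1:
        ref_text = ref_id.rstrip(b"\x00").decode("ascii", "replace")
    else:
        ref_text = ".".join(str(b) for b in ref_id)
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "reference_id": ref_text,
    }

def assess_source(packet, max_stratum=MAX_STRATUM_FOR_UC):
    """Return the reasons the replying device is NOT an acceptable NTP source
    for the clients discussed in the thread; an empty list means it is fine."""
    info = parse_ntp_reply(packet)
    problems = []
    if info["mode"] != 4:
        problems.append("not a server reply (mode %d)" % info["mode"])
    if info["leap"] == 3:
        problems.append("leap indicator 3: clock not synchronized")
    if info["stratum"] == 0:
        problems.append("stratum 0: kiss-o'-death/unspecified (%s)" % info["reference_id"])
    elif info["stratum"] >= 16:
        problems.append("stratum %d: unsynchronized" % info["stratum"])
    elif info["stratum"] > max_stratum:
        problems.append("stratum %d exceeds the limit of %d" % (info["stratum"], max_stratum))
    return problems
```

Checking the reply's reference ID against the host IPs you configured as upstream also catches the FHRP-VIP mistake Paul describes, since a VIP will never appear there as a real peer.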
12-28-2016 04:13 PM
Thanks Paul! A lot of good information. Best.
12-28-2016 11:31 AM
Hi,
I think a better solution is to make a server (domain controller) the NTP server, point it to an external site (http://www.pool.ntp.org/en/) and have all your network equipment point to that server. This way you don't even need to expose the core switches to the outside. You can even have a backup server (backup domain controller) as your second NTP server in case the primary fails.
HTH
12-28-2016 04:14 PM
Thanks Reza. I appreciate your input!