NTP Server Best practices

LoganAA · ‎01-11-2023

We are currently setting up NTP on a rather large network, 600+ Cisco Devices. We are configuring NTP on the core switch and pointing devices to that IP address. We currently have Distro switches that host isolated networks that do not live on the core switch. My question is, what is the best practice for downstream switches? Do we configure all switches to point to the core switch NTP Server? Or should switches that have gateways that do not live on the core be configured to point to the Distro Switches?

In simpler terms, should devices that do not have the core as the gateway get their time from their default gateway device?

Joseph W. Doherty · ‎01-11-2023

Cannot say what's really considered "best practice" for NTP setups, although, I believe (?) having your whole network hit a core (network) device, is probably not an ideal.

In the past, I have configured network devices to use their upstream device as their NTP source, which, of course, distributes the NTP load. At the edge, hosts could obtain NTP from their edge network device, often their gateway device. This seemed to work well.

It will be interesting to see other comments, including if anyone has used servers for NTP sources. (In the past, Windows servers were a bit "tricky" as, I recall, they didn't want to do "NTP", but their own MS time service and/or perhaps "SNTP". I further recall, there was an add-on for full NTP support. Again, this was years ago, don't know what the current MS supports, now, for NTP.)

Joseph W. Doherty · ‎01-11-2023

From what @Leo Laohoo describes, it appears his NTP topology, and what I've done, more-or-less, corresponds with the hierarchal model in @paul driver's document.

For a 600+ Cisco devices, the hierarchal model is likely your best choice.

paul driver · ‎01-11-2023

Hello
Please review attached file.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Leo Laohoo · ‎01-11-2023

Our DHCP server assigns DHCP Option 42 to all our wired and wireless clients.
Wired and wireless client's NTP source is the local distribution switch.
All our local distribution switches point to our network distribution switches.
All our network distro point to our network core switches.
All our core switches point to our dedicated NTP servers.

LoganAA · ‎01-12-2023

Thank you for all of the replies! What would the effects be of using one single device for NTP vs having the hierarchical system setup? Would there be largely noticeable offsets, or anything else that may cause issues?

Joseph W. Doherty · ‎01-12-2023

Creating the possibility of overloading the device.

If it's a network device I would be concerned about such overloading impacting the primary purpose of the network device.

If it's something like a dedicated server, and it's overloaded (less likely for a dedicated server, I believe), at worse, NTP might not be as accurate within your network as it might otherwise could be.

Leo Laohoo · ‎01-12-2023

@LoganAA wrote:
What would the effects be of using one single device for NTP vs having the hierarchical system setup?

There is only ONE (1) NTP server. If that NTP server goes offline (and not being monitored) it will affect a lot of downstream devices that are heavily reliant on accurate time.

Every DHCP server can support DHCP Option 42. There is no reason why no one can configure the DHCP scope appropriately.

NTP/SNTP is "cheap": It is not a very chatty application. However, it is still a dumb idea for NTP traffic to go from access port and traverse up the distro (and, gulp!, core network) just to reach the NTP server.

Finally, there is no more excuse not to have multiple NTP servers because the prices for dedicated GPS-based NTP appliances are now very competitive. For <US$150, I can build an GPS-based NTP server using the humble Raspberry Pi.

NOTE:
GPS-based NTP server is the best because it gets it's time source directly from GPS satellite, unlike NTP-based NTP servers (requires an internet feed) has a lower stratum value. GPS-based NTP server also have the luxury to be strutting around with "stratum 1" (extremely "trustworthy").