Beginner

NTP Server Option for Switch and Router

Hi there,

I'm asking for your opinions on an NTP server for a Cisco switch or router. My coworker recommended that I set up the NTP server on the domain controller (DC), but I'm thinking of putting time.google.com (an external source) as my NTP server directly on the switch or router. Will my way cause any potential issues, especially with security? Which one is better of these two, or is there maybe a third option that is even better? Thank you

Best,

PP

3 ACCEPTED SOLUTIONS

VIP Advocate

Re: NTP Server Option for Switch and Router

Hi,

My recommendation is to configure the NTP server on your server, as the DC or another. Why? Because NTP is not as secure a protocol as others, and many attacks have been noticed, such as DoS, vulnerabilities, etc.

Here I found a good guide for the same: https://insights.sei.cmu.edu/sei_blog/2017/04/best-practices-for-ntp-services.html

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!


Beginner

Re: NTP Server Option for Switch and Router

Whatever source(s) you set up should be consistent across your estate; otherwise your logs may not quite match up whilst troubleshooting.

For example, when I arrived in my current role there was an unholy mix of approximately 20 separate external NTP sources being used directly by switches, routers, servers, ... The time dispersion was visible to the naked eye and hovered between 1 and 5 seconds across the estate.

I have slimmed that down to a pool of 4 routers as internal sources, and those 4 routers are being fed from 2 GNSS time sources, with a backup of 2 external sources. Time dispersion is now impossible to see, but the reporting suggests everything is now agreeing on time to within less than 1 ms.

If running your own GNSS source is out of budget (they're freely available for ~$500), my advice would be consistency. Either use your router as the root source internally (fed from NTP service(s) of your choice from the internet) or use the DC as the internal root source (again fed from NTP service(s) of your choice from the internet).


VIP Advisor

Re: NTP Server Option for Switch and Router

Hello

You can have your own master NTP server(s), say on your core network, which serve downstream to your distribution layer, which in turn supports your access-layer peers, and lastly your end hosts peer to those.

Usually your NTP design would relate to your current network topology (tier system, client/server):

public time servers (stratum 1) <--> server tier 2 peer (stratum 2) peer <--> server core NTP master (stratum 3) peer <--> server distribution peer <--> server access-layer peer <--> hosts

As for security, NTP can be implemented with MD5 authentication, key strings, access control lists, etc.

Have a look at the attached documentation for a possible best practice for NTP in a Cisco environment. It's quite an old doc, but I would say it's still valid for design purposes. <--- Cisco NTP best practice



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future.

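As an added illustration of the tiered design with MD5 authentication and access lists described in the reply above (example configuration written for this page, not taken from the post or from Cisco's attached document), here is what the three tiers could look like on IOS. All addresses, the key number and the key string are constructed placeholders; the external sources are assumed to support symmetric-key authentication.

```cisco
! ---- Core router: internal NTP master (stratum 3 in the chain above) ----
! All addresses, key number and key string are constructed placeholders.
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-SHARED-SECRET
ntp trusted-key 1
ntp source Loopback0
ntp update-calendar
! Upstream sources (assumed to support symmetric-key auth; drop "key 1"
! for public pools that do not) plus a peer with the second core router.
ntp server 192.0.2.10 key 1 prefer
ntp server 192.0.2.11 key 1
ntp peer 10.255.0.2 key 1
! Local clock at stratum 3 is used only if every upstream is lost.
ntp master 3
! ACL 10: systems this device may sync to and peer with.
! ACL 20: internal hosts that may only request time, nothing else.
! Once any access-group is configured, unmatched NTP packets are dropped.
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 permit host 10.255.0.2
access-list 20 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! ---- Distribution switch: client of both cores, server to the access layer ----
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-SHARED-SECRET
ntp trusted-key 1
ntp source Loopback0
ntp server 10.255.0.1 key 1 prefer
ntp server 10.255.0.2 key 1
access-list 10 permit host 10.255.0.1
access-list 10 permit host 10.255.0.2
access-list 20 permit 10.0.0.0 0.255.255.255
ntp access-group peer 10
ntp access-group serve-only 20
!
! ---- Access switch: client only; with no serve-only group it answers nobody ----
ntp authenticate
ntp authentication-key 1 md5 REPLACE-WITH-SHARED-SECRET
ntp trusted-key 1
ntp server 10.255.1.1 key 1
access-list 10 permit host 10.255.1.1
ntp access-group peer 10
```

After the change, `show ntp associations` and `show ntp status` on each tier show whether a device has synchronised, which source it selected and the per-source offset and dispersion, which is how the sub-millisecond agreement mentioned in the earlier reply can be confirmed across the estate.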

