07-11-2012 09:51 AM - edited 03-07-2019 07:43 AM
On a Cisco 3750 switch I have
ntp server < IP of stratum 1 Time Server>
I want the switch to sync to the time server and provide time to peers on my network.
Do I have to be configured for
ntp peer < IP of stratum 1 Time Server>
for that to work?
07-11-2012 10:08 AM
No, the ntp server command will do the job.
07-11-2012 10:10 AM
Hi,
You don't need to peer with the stratum 1.
You have to issue the following commands:
ntp server x.x.x.x
clock calendar-valid
ntp master [desired stratum for this device]
ntp source [source interface]
optional security for clients:
Authentication:
ntp authentication-key 1 md5 [password]
ntp authenticate
to configure a set of ntp clients just to be authorized to receive info from ntp server (server security):
ntp access-group serve-only 20
access-list 20 permit x.x.x.x
access-list 20 permit y.y.y.y
in case of Authentication, on Clients:
ntp authentication-key 1 md5 [same password]
ntp authenticate
ntp trusted-key 1
ntp server [ntp server source ip] key 1 source [ip permitted in acl]
Hope it Helps,
Soroush.
07-12-2012 09:37 AM
I do not agree with the suggestion from Soroush that you configure the switch as ntp master. It is not needed and has the possibility of introducing inaccurate time into the network.
I do agree with Edison that you do not need to configure ntp peer. Once a Cisco IOS device has learned authoritative time from an authoritative server then the IOS device will offer NTP time to any device that requests it and you do not need any additional configuration to accomplish this.
HTH
Rick
07-12-2012 10:15 AM
thx for the lesson Rick, but in case our device loses connectivity with outside server, it would no longer update clients, right?
07-12-2012 10:58 AM
Soroush
The internal clock of a Cisco router or switch does not have the precision or accuracy that is generally desired in NTP. That is the reason why it is considered a best practice to have the Cisco learn NTP time from an authoritative server. The beginning of your post advocates not using the stratum 1 server and just making the switch an NTP master. And in general I do not agree with this approach.
What we usually suggest to our customers is that the Cisco should be configured to use more than one NTP server that is authoritative. And we suggest that there should be more than one Cisco checking for NTP time from outside. This approach usually provides enough redundancy so that some device in the network is able to offer authoritative time.
But you are correct that if you configure the Cisco to learn time from outside and do not configure ntp master, then if the Cisco loses its outside time source it will no longer offer NTP time to inside clients. That is why we suggest a strategy for NTP with redundancy.
There is one point of view that says that if we have had authoritative NTP time and have lost it, it is better to not offer inaccurate time and to just let each device run its own clock until we regain authoritative time. And there is the point of view which you suggest, which is that you may want the Cisco to offer NTP time, whether it is accurate or not. In that case configuring ntp master with a high stratum number will achieve that.
HTH
Rick
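An added example, not part of any post in this thread: a small Python check that audits the NTP lines of an IOS-style configuration against the points raised above (more than one ntp server, ntp master offering the local clock, and authentication keys that are defined, trusted and attached to each server line). The two sample configurations, the function name audit_ntp and the min_servers threshold are assumptions made for illustration.

```python
# Added example: audit the "ntp ..." lines of an IOS-style configuration.
# Both configurations below are constructed samples, not taken from the thread.
WEAK = """\
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp authenticate
ntp trusted-key 2
ntp master 3
ntp server 192.0.2.10
"""
HARDENED = """\
ntp authentication-key 1 md5 EXAMPLE-KEY
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
"""

def audit_ntp(config, min_servers=2):  # min_servers is an assumed threshold
    """Return (category, message) findings for the NTP lines in config."""
    ntp = [ln.split() for ln in config.splitlines() if ln.strip().startswith("ntp ")]
    servers = [w for w in ntp if w[1] == "server" and len(w) > 2]
    defined = {w[2] for w in ntp if w[1] == "authentication-key" and len(w) > 2}
    trusted = {w[2] for w in ntp if w[1] == "trusted-key" and len(w) > 2}
    auth_on = ["ntp", "authenticate"] in ntp
    findings = []
    if len(servers) < min_servers:
        findings.append(("redundancy", f"{len(servers)} ntp server line(s), want {min_servers}+"))
    for w in ntp:
        if w[1] == "master":  # with no argument IOS uses stratum 8
            stratum = w[2] if len(w) > 2 else "8"
            findings.append(("master", f"ntp master {stratum}: local clock is offered as a source"))
    for key in sorted(trusted - defined):
        findings.append(("auth", f"trusted-key {key} has no matching authentication-key"))
    if defined and not auth_on:
        findings.append(("auth", "keys are defined but 'ntp authenticate' is missing"))
    for w in servers:
        key = w[w.index("key") + 1] if "key" in w[:-1] else None
        if auth_on and key is None:
            findings.append(("auth", f"ntp server {w[2]} has no 'key' option"))
        elif key is not None and key not in trusted:
            findings.append(("auth", f"ntp server {w[2]} uses untrusted key {key}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ntp(cfg) or "no findings")
```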
07-12-2012 03:26 PM
Thanks, Rick
Soroush.
07-13-2012 08:54 PM
I do not agree with the suggestion ... that you configure the switch as ntp master.
Agree.