External NTP server

shibindong · ‎07-21-2008

we are going to deploy Symmetricom's SyncServer S200 in our network, and I have a few questions:

1. for other routers/switches need to request the time from S200, I just use command "ntp server x.x.x.x", in which x.x.x.x is the IP of the S200, right?

2. It looks that I don't need to configure "NTP master" command on the router, because routers need to get the time from external source, what is the conqusence if I configure "NTP master 2" on the router?

3. For high availablity, do we need to buy 1 more S200 servers and on the routers, configure:"ntp server x.x.x.x prefer" and "ntp server y.y.y.y", in which y.y.y.y is the IP of the second S200, so that x.x.x.x is the primary NTP server, and y.y.y.y is the second NTP server?

4. what if the time is different on x.x.x.x and y.y.y.y? which one we should trust? or we need to buy 1 more S200 to prevent this situation happen?

michaelchoo · ‎07-22-2008

I have a stupid question: why can't you use public NTP servers?

1. Yes

2. Not sure, but if what you want is simply to get the router to sync its clock with external time source, "ntp server " is enough

3. Short answer: yes. "ntp server prefer" for primary and "ntp server " for secondary NTP servers.

Is NTP really that critical to you to warrant multiple GPS time server investments? Again, my first question, why can't you use public NTP servers? Your SyncServer will have to sync up with another upper stratum NTP server anyway, so might as well use one of many lower-stratum public NTP servers.

4. Well, I'm not familiar with this type of product, but I'd hazard a guess that you'd have to sync up with some public NTP servers. In this case, you'd just have to make sure that they sync up to multiple Stratum 2 (or even Stratum 1) NTP servers.

shibindong · ‎07-22-2008

thanks michael. the reason of not using public NTP servers, i guess, secuirty? does that make sense?

michaelchoo · ‎07-22-2008

Not really. What security concern do you have? "Punching hole" thru firewall for NTP is not exactly high risk. If you're really concerned, just configure NTP on a couple of your servers in the DMZ, then allow only those servers to sync up with Internet NTP servers thru the firewall. Easy, cheap, reliable.

Which NTP software to use? Lots of cheap choices out there. You can use Windows' built-in W32Time service (you can configure this to behave like a standard NTP server), Linux has its own NTP Daemon, or you can also use Tardis. Tardis is excellent. The only "drawback" is it only runs under Windows. Although Cisco routers can be configured as NTP server as well, I wouldn't recommend it if you're concerned about security. If someone can actually break in via the "NTP hole" thru the firewall into your NTP server, and if you use Cisco router, the impact will be greater than if you use a dedicated server in the DMZ.

Jerry Ye · ‎07-22-2008

Agree with Michael. The risk is really low on punching holes in your FW for NTP traffic. You can point your servers to some well known public NTP servers like tick.usno.navy.mil or tock.usno.navy.mil.

HTH,

jerry

Jerry Ye · ‎07-22-2008

BTW, if your routers are not acting like another NTP servers, you can use the commands "ntp peer x.x.x.x prefer" and "ntp peer y.y.y.y" instead.

HTH,

jerry