Configuring NTP Redundancy
Problem
You want to configure more than one NTP server for redundancy.
Solution
You can improve NTP reliability by configuring several redundant servers. The reliability is better still if the router uses different paths to reach these servers:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#clock timezone EST -5
Router(config)#clock summer-time EDT recurring
Router(config)#ntp server 172.25.1.1
Router(config)#ntp server 10.121.33.231
Router(config)#ntp peer 192.168.12.12
Router(config)#end
Router#
Discussion
The NTP algorithms have built-in sanity checks to help choose the best time source. The NTP client chooses the most accurate time source and synchronizes its internal clock to that server. The algorithm continuously performs sanity checks to ensure that it synchronizes to the best possible server. It is also common for a router to change its preferred NTP server many times during a day.
Configuring multiple time sources improves reliability as well as the accuracy of a router's clock. Although NTP is a remarkably stable protocol, device and link failures can disrupt timing services to your router. Providing the router with a choice of NTP servers ensures accurate time synchronization and provides resilience in case of failure. Be sure to choose redundant NTP servers that provide alternate network paths and hardware.
An NTP network is a hierarchy of servers and clients configured in a redundant topology. At the top level, Stratum 1 NTP servers establish peer relationships with other Stratum 1 servers and server relationships to Stratum 2 servers. In turn, Stratum 2 servers peer symmetrically with other Stratum 2 servers, receive time feeds from one or more Stratum 1 servers, and act as servers for Stratum 3 devices. This pattern repeats to create an overall tree topology of Stratum levels.
Figure 14-1 shows a typical NTP hierarchical topology with fully redundant paths and devices. The goal is to design an NTP hierarchy that can withstand a failure of any single networking entity, path, or device. Designing a resilient NTP topology requires little time and effort once you plot your time sources on an existing network diagram. Large networks tend to require more thought and effort to design an overall NTP hierarchy, whereas small networks can often make do with two NTP servers.
Figure 14-1. NTP hierarchy diagram
The important thing is to design the NTP topology to use its redundancy features. Once the NTP topology is defined, configuring the routers to participate in the hierarchy is straightforward. The example above demonstrates a typical NTP configuration that incorporates redundancy features. The router configuration includes two NTP servers and an NTP peer:
Router>show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.25.1.1       192.5.41.40       2    57    64  377    30.0   60.32     1.2
+~10.121.33.231    192.5.41.209      2    11    64  377    30.0  -54.85     1.1
 ~192.168.12.12    172.25.1.1        3  4588  1024    0     4.9   58.07  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
Router>
In this case, the router configuration includes multiple NTP time sources. The output indicates that one of the time sources, 192.168.12.12, is currently unreachable. Even though one of the configured time sources is unavailable, the router is unaffected because the other NTP associations remain up and synchronized. This means that accurate time services are uninterrupted by losing a single NTP time feed.
If your organization receives its NTP feed from the Internet, then it is highly recommended that you use at least two such NTP servers. To provide maximum stability, configure each of your servers with multiple NTP Stratum 1 servers and build a peer relationship between them. This ensures that your organization's time source remains as stable as possible.
Routers that lose connectivity to their Stratum 1 servers will rely on their own internal clocks until service is restored. Similarly, routers that are isolated from their upstream Stratum servers also rely on their own internal clocks. However, in these situations, router internal clocks will not be synchronized to one another, meaning the network clocks will drift further apart until connectivity returns. NTP generally tolerates interruptions of less than an hour quite well.