For knowledge on the list. We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when the command "feature ntp" was not present. I had to explicitly enter "no feature ntp" to prevent the NTP server service from existing on our public facing 7K interfaces. Thanks, Mike -----Original Message----- From: Blake Dunlap [mailto:ikiris@gmail.com] Sent: Monday, February 17, 2014 11:03 AM To: nanog@nanog.org Subject: Re: OpenNTPProject.org If you're trying to actually run a ntp server setup as opposed to just trusting the world, I strongly suggest reading the documentation for the service, as most people don't deploy it correctly while they think they have. At minimum, you want a cluster of 3 - 4 servers internally, configured as peers of each other, and listening to some source of time, preferably multiple like a few on the internet from the big public pool, and if you really care about time, set up a GPS receiver or two. You can definitely go farther than the above, but that's the start to doing it right. Anything short of the above is just trusting the world at large, and you'll likely happily follow along with any time skew like that thing a few months/year ago with either tick or tock. Without the above, you don't have enough sane sources to discredit bad advisers (you need 3 for a time lock). -Blake On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams <alby.williams@verizon.com
wrote:
Blake:
Just to make sure I've got this down, listing a device as a "peer" in the ntp.conf file will create a situation where both devices are saying, "I know what time it is" and splitting the difference? Whereas when you list a device as a "server", it's using that as the authority on the correct time?
Example: --
# peer 192.168.1.1 iburst peer 192.168.1.2 iburst
# server ntp.colby.edu minpoll 6 maxpoll 10 iburst server bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst
On 2/17/2014 10:28 AM, Blake Dunlap wrote:
Peer means it considers the other side an equal and they will mutually skew time together. If you have peer on for devices you don't consider your time servers, you're opening yourself up to problems.
-Blake