nanog mailing list archives
RE: OpenNTPProject.org
From: Mike Walter <mwalter () 3z net>
Date: Tue, 18 Feb 2014 15:15:47 +0000
For knowledge on the list. We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when the command "feature ntp" was not present. I had to explicitly enter "no feature ntp" to prevent the NTP server service from existing on our public facing 7K interfaces.

Thanks,
Mike

-----Original Message-----
From: Blake Dunlap [mailto:ikiris () gmail com]
Sent: Monday, February 17, 2014 11:03 AM
To: nanog () nanog org
Subject: Re: OpenNTPProject.org

If you're trying to actually run an NTP server setup as opposed to just trusting the world, I strongly suggest reading the documentation for the service, as most people don't deploy it correctly while they think they have.

At minimum, you want a cluster of 3 - 4 servers internally, configured as peers of each other, and listening to some source of time, preferably multiple like a few on the internet from the big public pool, and if you really care about time, set up a GPS receiver or two.

You can definitely go farther than the above, but that's the start to doing it right. Anything short of the above is just trusting the world at large, and you'll likely happily follow along with any time skew like that thing a few months/year ago with either tick or tock. Without the above, you don't have enough sane sources to discredit bad advisers (you need 3 for a time lock).

-Blake

On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams <alby.williams () verizon com> wrote:

Blake: Just to make sure I've got this down, listing a device as a "peer" in the ntp.conf file will create a situation where both devices are saying, "I know what time it is" and splitting the difference? Whereas when you list a device as a "server", it's using that as the authority on the correct time?

Example:
--
#
peer 192.168.1.1 iburst
peer 192.168.1.2 iburst
#
server ntp.colby.edu minpoll 6 maxpoll 10 iburst
server bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst

On 2/17/2014 10:28 AM, Blake Dunlap wrote:

Peer means it considers the other side an equal and they will mutually skew time together. If you have peer on for devices you don't consider your timeservers, you're opening yourself up to problems.

-Blake
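The peer/server distinction and the three-source minimum discussed in this thread can be checked mechanically. The following is an added example, not code from any poster: a small ntp.conf audit that flags `peer` lines pointing at hosts outside your own timeserver set and configurations with fewer than three sources. The function names, the sample file, the address 203.0.113.50 and the allowlist are assumptions made for illustration.

```python
# Added example: audit ntp.conf associations against the advice in the thread.
# SAMPLE_CONF is constructed, modelled on the fragment quoted above;
# 203.0.113.50 is a documentation-range address standing in for an outside host.
SAMPLE_CONF = """\
peer 192.168.1.1 iburst
peer 192.168.1.2 iburst
peer 203.0.113.50 iburst
server ntp.colby.edu minpoll 6 maxpoll 10 iburst
server bonehed.lcs.mit.edu minpoll 6 maxpoll 10 iburst
"""

KEYWORDS = ("peer", "server", "pool")


def parse_associations(text):
    """Return {'peer': [...], 'server': [...], 'pool': [...]} from ntp.conf text."""
    assoc = {k: [] for k in KEYWORDS}
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not tokens or tokens[0] not in assoc:
            continue
        # Option flags such as -4 / -6 may precede the address; skip them.
        hosts = [t for t in tokens[1:] if not t.startswith("-")]
        if hosts:
            assoc[tokens[0]].append(hosts[0])
    return assoc


def audit(text, own_timeservers, min_sources=3):
    """List findings: peers outside own_timeservers, and too few time sources."""
    assoc = parse_associations(text)
    findings = []
    for host in assoc["peer"]:
        if host not in own_timeservers:
            findings.append(f"peer {host} is not in your own timeserver set")
    # Simplification: a pool line is counted once, although ntpd expands it
    # to several servers at run time.
    sources = assoc["peer"] + assoc["server"] + assoc["pool"]
    if len(sources) < min_sources:
        findings.append(
            f"only {len(sources)} time source(s) configured; "
            f"need at least {min_sources} to outvote a bad one"
        )
    return findings


if __name__ == "__main__":
    # Assumed allowlist: the two internal peers from the quoted fragment.
    for finding in audit(SAMPLE_CONF, {"192.168.1.1", "192.168.1.2"}):
        print(finding)
```
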