updating NTP server settings on a router

[Scuba27]

I need to update the NTP settings on a number of routers and switches.

Some of the switches and servers contain the NTP setting "ntp-clock-period XXXXXX"

Is this required as all I am doing is keying in the command "No ntp peer XXXXXX" then "ntp server XXXXX"

Also one of the switches has the following entry under NTP "set summertime enable" is this required also/

I await your reply.

Regards.

 

[Minue]

Hello
The "ntp-clock-period" is create automatically.So your'e passing from a NTP peer to a NTP server.There's a sottile diference,but everyting should be ok.As far as "set summertime enable" goes this seems to be a Switch that is using the CATOS.If this switch is in an State that uses daylight saving time,you should leave it.

Regards

 

[Scuba27]

Would anyone know is it best practice to point a number of routers or switches to an ntp server or should I point one router or switch at the ntp server and the rest set up as ntp peers to the router or switch that is pointing to the ntp server?

Many thanks.

 

[Minue]

Hello
The client that I am working with now,has 2500 devices pointing to the same NTP server without any problems.The NTP peer stuff is a bit useless in my view.Just don't see the benefits in most networks.

Regards

 

[burtsbees]

I have my edge router pointing at an NTP server out in Innernets Land, and my LAN devices as peers off of it. This way, all my routers and switches on the inside can NTP Authenticate with eachother with an MD5 keyring.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[Minue]

Hi Burt
I am still not convinced.You could have made the edge router a NTP master,and then make the LAN devices use this as their server.No need for NTP authentication because the inside router and switches aren't seen by the Internet.

Regards

 

[burtsbees]

Just an extra precaution. For private addressing across a WAN, people aren't supposed to see you, but there exists MD5 authentication for router updates. Why?
Plus, I don't trust my inside

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[Minue]

Hello Burt
"MD5 authentication for router updates" was developed for edge routers.But it can be use on the inside for untrusted employee's.(New security implementations are saying not to trust the inside network.)
But as far as NTP peer goes the RFC give it to us and never told use were it's best use.So lot's of us just use it because it's there.In small networks it's an over-kill.
A good example of NTP peer usage and (what's also recommended by NTP experts) is to have 3 internal servers,these server should be synchronized to 3 different outside sources.The inside NTP severs should peer with each other,in case any of them lose their contact with their outside time source,then they will use their peer as the new source.To finish things up point your inside devices at your 3 servers.So my friend Burt,you now have the scope on the usage of NTP peers.
Regards