Mike Walter mwalter at
Tue Feb 18 15:15:47 UTC 2014

For knowledge on the list.  We found that our Cisco Nexus 7000s had NTP enabled on our public facing VDCs, even when the command "feature ntp" was not present.  I had to explicitly enter "no feature ntp" to prevent the NTP server service from existing on our public facing 7K interfaces.



-----Original Message-----
From: Blake Dunlap [mailto:ikiris at] 
Sent: Monday, February 17, 2014 11:03 AM
To: nanog at
Subject: Re:

If you're trying to actually run a ntp server setup as opposed to just
trusting the world, I strongly suggest reading the documentation for the
service, as most people don't deploy it correctly while they think they

At minimum, you want a cluster of 3 - 4 servers internally, configured as
peers of each other, and listening to some source of time, preferably
multiple like a few on the internet from the big public pool, and if you
really care about time, set up a GPS receiver or two.

You can definitely go farther than the above, but that's the start to doing
it right. Anything short of the above is just trusting the world at large,
and you'll likely happily follow along with any time skew like that thing a
few months/year ago with either tick or tock.

Without the above, you don't have enough sane sources to discredit bad
advisers (you need 3 for a time lock).


On Mon, Feb 17, 2014 at 9:38 AM, Anthony Williams <alby.williams at
> wrote:

> Blake:
>  Just to make sure I've got this down, listing a device as a "peer" in
> the ntp.conf file will create a situation where both devices are saying,
> "I know what time it is" and splitting the difference?  Whereas when you
> list a device as a "server", it's using that as the authority on the
> correct time?
> Example:
> --
> #
> peer iburst
> peer iburst
> #
> server           minpoll 6 maxpoll 10 iburst
> server     minpoll 6 maxpoll 10 iburst
> On 2/17/2014 10:28 AM, Blake Dunlap wrote:
> > Peer means it considers the other side an equal and they will mutually
> skew
> > time together. If you have peer on for devices you don't consider your
> time
> > servers, you're opening yourself up to problems.
> >
> > -Blake

More information about the NANOG mailing list