Configuring Stratum 2 NTP Server Hierarchy in Air-Gapped Networks



When building an isolated NTP hierarchy without internet connectivity, the usual failure is stratum propagation. The symptom is that an intermediary server (RackCard23 here) advertises stratum 16 (unsynchronized) downstream instead of upstream stratum + 1, so clients reject it as a time source.

The existing setup shows several configuration gaps:

# Problematic RackCard23 config snippet:
server 10.1.3.10 iburst minpoll 4 maxpoll 4 prefer
# Neither refclock below has a matching "server 127.127.x.y" line, so these
# fudge lines do nothing; 127.127.0.1 names no driver at all (local clock is
# type 1), and stratum 2 would hide a free-running clock behind a real stratum
fudge   127.127.1.0 stratum 2
fudge   127.127.0.1 stratum 2
# Only reaches clients configured with "broadcastclient"
broadcast 10.1.4.255

To properly establish a stratum 2 server:

  1. Remove the fudge statements (or give the local clock a real server line and a high fallback stratum)
  2. Let ntpd synchronize to 10.1.3.10 first: it advertises upstream stratum + 1 only once it has a selected peer, and stratum 16 until then
  3. Allow the client subnet with restrict lines that permit time service but not modification

Here's the working configuration for RackCard23:

# /etc/ntp.conf for RackCard23
server 10.1.3.10 iburst minpoll 4 maxpoll 4 prefer

# Local clock as backup (stratum 5): RackCard23 keeps serving at stratum 6 if
# Moon disappears, and clients can see from the stratum that it is coasting
server 127.127.1.0
fudge 127.127.1.0 stratum 5

# Access policy: deny by default, then open the client subnet. Replies from
# the configured upstream 10.1.3.10 are accepted under the default rule, so
# the upstream subnet needs no line of its own. A restrict line with no flags
# grants full access (including mode 6/7 queries), so keep nomodify notrap.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.1.4.0 mask 255.255.255.0 nomodify notrap

# Log and drift settings
logfile /var/log/ntpd.log
driftfile /var/lib/ntp/drift
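As an added example that is not part of the original page or of the ntp project, the shell function below reads an ntp.conf on stdin and flags the gaps described above: fudge lines with no matching server line, a local clock fudged to a stratum low enough to pass for a real upstream (the cut-off of 5 is an assumption borrowed from the fallback values used on this page), a missing restrict default, restrict lines that grant full access, a broadcast line that needs broadcast clients, and tinker panic 0. The three sample configurations are constructed from the snippets on this page.

```shell
#!/bin/sh
# Added example, not from the original page: lint an ntp.conf (on stdin) for
# the gaps discussed above. One finding per line; returns 1 if any were found.
# The stratum-5 threshold for the local-clock fallback is an assumption taken
# from the fallback values used on this page (5, 10, 12).
lint_ntp_conf() {
    awk '
    function found(msg) { print msg; n++ }
    $1 ~ /^#/ || NF == 0 { next }
    $1 == "server" || $1 == "peer" { src[$2] = 1 }
    $1 == "fudge" {
        fudged[$2] = 1
        for (i = 3; i < NF; i++) if ($i == "stratum") fstrat[$2] = $(i + 1)
    }
    $1 == "restrict" {
        a = $2; i = 3
        if (a == "-4" || a == "-6") { a = $3; i = 4 }   # address-family prefix
        if ($i == "mask") i += 2                         # skip "mask <netmask>"
        if (a == "default") have_default = 1
        else if (a != "127.0.0.1" && a != "::1" && i > NF) open[a] = 1
    }
    $1 == "broadcast" { bcast = $2 }
    $1 == "tinker" {
        for (i = 2; i < NF; i++) if ($i == "panic" && $(i + 1) == 0) panic0 = 1
    }
    END {
        for (r in fudged) {
            if (!(r in src))
                found("fudge " r " has no matching server line, so it has no effect")
            else if (r ~ /^127\.127\.1\./ && (r in fstrat) && fstrat[r] + 0 < 5)
                found("local clock " r " fudged to stratum " fstrat[r] ": a free-running host would advertise stratum " (fstrat[r] + 1) " and pass for a real upstream")
        }
        if (!have_default)
            found("no \"restrict default\" line: every host gets full query and modify access")
        for (a in open)
            found("restrict " a " has no flags: add nomodify notrap (and noquery unless clients must run ntpq against it)")
        if (bcast != "")
            found("broadcast " bcast " only reaches clients configured with broadcastclient")
        if (panic0)
            found("tinker panic 0: any upstream reply, genuine or spoofed, may step the clock by any amount")
        exit (n > 0 ? 1 : 0)
    }'
}

# Constructed sample: the problematic RackCard23 snippet from above
BAD_CONF=$(cat <<'EOF'
server 10.1.3.10 iburst minpoll 4 maxpoll 4 prefer
fudge   127.127.1.0 stratum 2
fudge   127.127.0.1 stratum 2
broadcast 10.1.4.255
EOF
)

# Constructed sample: the corrected server configuration
GOOD_CONF=$(cat <<'EOF'
server 10.1.3.10 iburst minpoll 4 maxpoll 4 prefer
server 127.127.1.0
fudge 127.127.1.0 stratum 5
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 10.1.4.0 mask 255.255.255.0 nomodify notrap
driftfile /var/lib/ntp/drift
EOF
)

# Constructed sample: a client config that also disables the panic threshold
CLIENT_CONF=$(cat <<'EOF'
server 10.1.4.23 iburst minpoll 4 maxpoll 4 prefer
server 127.127.1.0
fudge 127.127.1.0 stratum 12
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
tinker panic 0
EOF
)

# Demo on the samples; real use is: lint_ntp_conf < /etc/ntp.conf
echo "== BAD_CONF";    printf '%s\n' "$BAD_CONF"    | lint_ntp_conf || :
echo "== GOOD_CONF";   printf '%s\n' "$GOOD_CONF"   | lint_ntp_conf || :
echo "== CLIENT_CONF"; printf '%s\n' "$CLIENT_CONF" | lint_ntp_conf || :
```

The checks are purely lexical, so a line like restrict 10.1.4.0 mask 255.255.255.0 without flags (full access) is caught, but nothing here validates that the addresses are reachable; that is what ntpq is for.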

After implementation, verify with these commands:

# On RackCard23: the 10.1.3.10 line must carry the * tally and a stratum
# below 16; reach climbs to 377 after eight successful polls
ntpq -pn
# System variables: 'stratum' is what RackCard23 advertises downstream
# (upstream stratum + 1). ntpdc -c sysinfo shows the same but needs mode 7,
# which ntpd 4.2.8 disables unless "enable mode7" is configured
ntpq -c rv

# On downstream clients: -d only queries, it does not touch the clock
ntpdate -dv 10.1.4.23
# Walks the chain 10.1.4.23 -> 10.1.3.10 and prints each hop's stratum
ntptrace -n 10.1.4.23

If clients still reject the server (ntpdate -d shows it at stratum 16, or "no server suitable for synchronization found"):

  • Verify firewall rules allow UDP 123 in both directions between 10.1.3.0/24 and 10.1.4.0/24
  • Check that RackCard23 itself is synchronized (ntpq -pn shows a * peer); a server advertises upstream stratum + 1 only once it has synchronized, and stratum 16 until then, which every client ignores
  • Ensure ntpd is running and can read its driftfile and write its logfile
  • Monitor /var/log/messages (and the logfile configured above) for NTP errors

These settings are often recommended for air-gapped networks, but they do not speed up synchronization (iburst and the poll intervals do that); know what they change before copying them:

# Optional additions to client configurations:
# Disable the 1000 s panic threshold: ntpd corrects any initial offset instead
# of exiting. Trade-off: a wrong or spoofed upstream can step the clock by any
# amount, so only use this where the whole chain is trusted. Starting ntpd
# with -g allows one large correction at startup only and is usually the
# safer choice.
tinker panic 0
# Clustering limits; no effect with a single configured server
tos maxclock 5
tos minclock 3

Implementing NTP in an isolated network without internet connectivity leaves no external reference to fall back on: every node must derive its time, and therefore its stratum, from the layer above, so each layer has to actually synchronize before it can serve the next.

Your architecture shows a Windows NTP server (Moon) at stratum 1, with Linux clients forming subsequent layers. The key issue appears when RackCard23 (stratum 2) fails to properly serve time to downstream clients RackCard21/22.

The ntp.conf on RackCard23 contains several problematic elements:

# Incorrect fudge statements: no matching server line, and stratum 2 would
# hide a free-running local clock behind a plausible stratum
fudge   127.127.1.0 stratum 2
fudge   127.127.0.1 stratum 2

# Ineffective broadcast configuration (RackCard21/22 are not broadcastclients)
broadcast 10.1.4.255

Here's the corrected configuration for RackCard23:

server 10.1.3.10 iburst minpoll 4 maxpoll 4 prefer

# Local clock as backup with higher stratum, so it only wins when Moon is gone
server 127.127.1.0
fudge 127.127.1.0 stratum 10

# Default policy first: without it every other host is unrestricted and the
# subnet line below would restrict only your own clients
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
# Clients in 10.1.4.0/24 may get time and run ntpq, but not reconfigure
restrict 10.1.4.0 mask 255.255.255.0 nomodify notrap

# Clustering limits; no effect with a single upstream, harmless otherwise
tos minclock 3 maxclock 6

driftfile /var/lib/ntp/drift

The client machines (RackCard21/22) should use this matching client configuration:

server 10.1.4.23 iburst minpoll 4 maxpoll 4 prefer

# Local reference as last resort
server 127.127.1.0
fudge 127.127.1.0 stratum 12

# Monitoring access
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1

After implementing these changes, verify the hierarchy with these commands:

# On RackCard23 (-n avoids reverse DNS lookups, which time out in an air-gapped net):
ntpq -pn
# 'stratum' here is what RackCard23 advertises; ntpdc -c sysinfo gives the
# same view but needs mode 7, which is disabled by default in ntpd 4.2.8
ntpq -c rv

# On downstream clients:
ntpdate -d 10.1.4.23
ntptrace -n 10.1.4.23

For systems with multiple interfaces like RackCard23, ensure NTP binds correctly:

# In /etc/sysconfig/ntpd:
OPTIONS="-4 -g -I 10.1.4.23"

-I limits ntpd to the listed addresses, so it must also cover the interface used to reach 10.1.3.10 or RackCard23 can no longer poll Moon; -I may be given more than once, one per address. -g permits one large clock correction at startup only, which is safer than tinker panic 0. -4 keeps ntpd off IPv6.

If stratum 16 errors persist, check these elements:

  • Firewall rules allowing UDP 123
  • Correct system time on Moon
  • NTP service running on all machines
  • Network connectivity between layers

The following tinker settings are sometimes suggested for isolated networks, but they change the clock-discipline model, not the polling intervals (those are the minpoll/maxpoll values on the server lines):

# Allan intercept in seconds; 1500 is already the default
tinker allan 1500
# Rate at which a source's dispersion grows, in PPM (default 15); 500 makes
# every source look stale about 30x faster, which hurts rather than helps
tinker dispersion 500

Leave both at their defaults unless you have measured a reason to change them.

A successful setup should show the upstream selected (the * tally) on each layer. On RackCard23, ntpq -pn:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.3.10       .GPS.            1 u   25   16  377    0.412   -0.021   0.008

and on RackCard21/22:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.4.23       10.1.3.10        2 u   18   16  377    0.215    0.012   0.005

The 127.127.1.0 fallback also appears in both listings (refid .LOCL.) and must never carry the *; poll shows 16 rather than 64 because of minpoll 4 maxpoll 4. A * on the local clock, or reach stuck below 377, means the upstream is not being reached.
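As an added example, not from the original page or the ntp project: a shell function that parses ntpq -pn output and states whether the host is synchronized and which stratum it therefore advertises to the next layer, which is the question the verification steps above are trying to answer. The three ntpq listings are constructed to match RackCard23 (synced to Moon), RackCard21 (synced to RackCard23) and RackCard23 before it has reached Moon.

```shell
#!/bin/sh
# Added example, not from the original page: decide from "ntpq -pn" output
# whether a host is synchronized and what stratum it will advertise
# downstream. Input on stdin; prints one status line; returns 0 if synced.
ntp_sync_state() {
    awk '
    NR <= 2 { next }                              # header and ===== rule
    {
        tally = substr($0, 1, 1)                  # "*" selected, "+" candidate, " " none
        remote = (tally == " ") ? $1 : substr($1, 2)
        if (tally == "*") { sel = remote; st = $3; reach = $7 }
    }
    END {
        if (sel == "") {
            print "unsynced: no peer carries the * tally; this host advertises stratum 16"
            exit 1
        }
        msg = "synced to " sel " (stratum " st "); this host advertises stratum " (st + 1)
        if (reach != "377") msg = msg "; WARNING reach=" reach ", recent polls lost"
        print msg
        exit 0
    }'
}

# Constructed sample: RackCard23 with Moon selected
SERVER_NTPQ=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.3.10       .GPS.            1 u   25   16  377    0.412   -0.021   0.008
 127.127.1.0     .LOCL.           5 l   40   64  377    0.000    0.000   0.000
EOF
)

# Constructed sample: RackCard21 with RackCard23 selected
CLIENT_NTPQ=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.1.4.23       10.1.3.10        2 u   18   16  377    0.215    0.012   0.005
 127.127.1.0     .LOCL.          12 l   30   64  377    0.000    0.000   0.000
EOF
)

# Constructed sample: RackCard23 just started, Moon not yet reached
BROKEN_NTPQ=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 10.1.3.10       .INIT.          16 u    -   16    0    0.000    0.000   0.000
 127.127.1.0     .LOCL.           5 l    -   64    0    0.000    0.000   0.000
EOF
)

# Demo on the samples; real use is: ntpq -pn | ntp_sync_state
printf '%s\n' "$SERVER_NTPQ" | ntp_sync_state
printf '%s\n' "$CLIENT_NTPQ" | ntp_sync_state
printf '%s\n' "$BROKEN_NTPQ" | ntp_sync_state || :
```

Because the selected peer's stratum plus one is exactly what the host puts in its replies, this is also a quick way to confirm that the fallback local clock (stratum 5 or 10 above) has not quietly taken over: the advertised stratum would jump to 6 or 11.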