NTP access-group

jradke
Level 1

If I need my 7206 to get timing from these configured servers, what should the access-group statement be set to (peer, serve, serve-only, or query-only)?

ntp server 63.192.96.2
ntp server 130.207.244.240
ntp server 199.165.76.11
ntp server 65.182.224.39
ntp server 18.26.4.105
ntp server 69.25.96.13
ntp server 132.163.4.103
ntp server 64.113.32.5
ntp server 198.60.22.240

When I try these 4 possible configurations, only "peer" works. With this statement in place it syncs up to the other time servers but allows any client to grab timing from it as well. It seems to me I would want "query-only" for the servers I'm grabbing timing from and "serve-only" for the clients I want to allow to get timing from me. It doesn't work that way.

How can I make sure my router hasn't given any privileges to the servers I'm connected to or to my clients?

Configuring an NTP Access Group

The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire network, a subnet within a network, or a host within a subnet. To define an NTP access group, use the following command in global configuration mode:

Command:

Router(config)# ntp access-group {query-only | serve-only | serve | peer} access-list-number

Purpose:

Creates an access group and applies a basic IP access list to it.

The access group options are scanned in the following order, from least restrictive to most restrictive:

1. peer - Allows time requests and NTP control queries, and allows the system to synchronize itself to a system whose address passes the access list criteria.

2. serve - Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.

3. serve-only - Allows only time requests from a system whose address passes the access list criteria.

4. query-only - Allows only NTP control queries from a system whose address passes the access list criteria.

1 Reply

jradke
Level 1

Solution was provided with the following settings:

- Exclusion in my inbound ACL for UDP traffic on port 123. This is specific to my configuration because I have an inbound ACL.

- ACL (23) defined for the NTP servers on the net that I want to grab time from.

- ACL (24) defined for my clients so they can query my router.

- NTP access-group statements:

ntp access-group peer 23

ntp access-group serve 24

The NTP access-group peer statement allows my 7206 to query the timing source on the Internet. The ntp access-group serve specifies the clients that can grab time from the 7206.
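A worked version of the settings the reply describes, as an added example that is not from the original post: ACL 23 lists the nine time sources from the question, while the client subnet 192.0.2.0/24, the inbound extended ACL number 110 and the interface are assumptions, since the post does not give them.

```cisco
! Added example, not the poster's configuration. Assumptions (placeholders):
! clients are in 192.0.2.0/24, the existing inbound ACL is extended ACL 110
! applied inbound on GigabitEthernet0/0.
!
! ACL 23: the only hosts the 7206 may synchronize to (sources from the question).
access-list 23 permit host 63.192.96.2
access-list 23 permit host 130.207.244.240
access-list 23 permit host 199.165.76.11
access-list 23 permit host 65.182.224.39
access-list 23 permit host 18.26.4.105
access-list 23 permit host 69.25.96.13
access-list 23 permit host 132.163.4.103
access-list 23 permit host 64.113.32.5
access-list 23 permit host 198.60.22.240
! Implicit deny at the end: no unlisted host can become a sync source.
!
! ACL 24: the clients allowed to get time from the 7206 (assumed subnet).
access-list 24 permit 192.0.2.0 0.0.0.255
!
! Inbound ACL exclusion: let NTP replies (UDP/123) from the listed sources
! reach the router. One line per source in ACL 23; placed before the
! inbound ACL's final deny. Two shown, repeat for the remaining seven.
access-list 110 permit udp host 63.192.96.2 eq ntp any eq ntp
access-list 110 permit udp host 130.207.244.240 eq ntp any eq ntp
!
interface GigabitEthernet0/0
 ip access-group 110 in
!
! The "ntp server" lines from the question stay as configured.
! Bind the groups: peer for the sources (lets the router sync to them),
! serve for the clients (time requests and control queries, no sync).
ntp access-group peer 23
ntp access-group serve 24
!
! Tighter alternative for clients, per the quoted documentation: serve-only
! answers time requests but drops NTP control queries.
! ntp access-group serve-only 24
!
! Verification after the change:
! show ntp associations   - only ACL 23 hosts appear as peers; one is selected
! show ntp status         - reports "Clock is synchronized"
! show access-lists       - hit counters on 23/24/110 confirm matching traffic
```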