NTP access-group

Unanswered Question
Sep 10th, 2009

Hi Experts,


I need your help to understand the logic behind the NTP access restriction. I learned that the NTP access-list is as follows:


1. peer - Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.


2. serve - Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.


3. serve-only - Allows only time requests from a device whose address passes the access list criteria.


4. query-only - Allows only NTP control queries from a device whose address passes the access list criteria.


Okay, with the above explanation, I want to know:


1. What are NTP control queries?

2. When access-group "serve" is configured in ROUTER-A, the definition states that it will "allow time request and control queries but does not allow the switch to synchronize itself to a device". How is it possible to provide time to a device without synchronizing with it?


Can you please help me in clarifying this?


Sairam

Overall Rating: 5 (2 ratings)
Giuseppe Larosa Fri, 09/11/2009 - 03:04

Hello Sairam,


NTP peering means that both devices compare their NTP status and the better wins and the other accepts the better NTP information.

So this is a mutual bidirectional relationship.


Configuring an NTP server means that you provide, with ACLs, a list of possible clients.

That is, the serve option is used on an NTP server device to specify allowed NTP clients that can query it.

This is the sense in which it doesn't allow the local device to accept the time source of the other device even if it is better than the local one.


You are reading this link I suppose


http://www.cisco.com/en/US/docs/ios/netmgmt/command/reference/nm_10.html#wp1090935


For NTP message types you can use


http://www.faqs.org/rfcs/rfc1305.html



Hope to help

Giuseppe


snarayanaraju Fri, 09/11/2009 - 10:08

Hi Giuseppe,


Your explanation was good. But I was not able to find out what control query messages are used for and how they differ from request/response messages. (The RFC pages were vast and I find it difficult to read each line by line.)


While searching for the details, I found the link below, which seems to shed some light:


http://blog.internetworkexpert.com/2008/07/28/ntp-access-control/


Just a thought to share with you


Thanks


sairam
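
As an added example (not part of the original thread and not Cisco's implementation), the sketch below models the four access-group levels listed in the question and shows how a time request differs from a control query on the wire: the mode field in the first header byte. The mode numbers and header lengths follow RFC 1305; the grouping of modes into three kinds, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# Mode field values from the NTP header (RFC 1305). Grouping them into three
# kinds is a simplification assumed for this sketch.
MODE_KIND = {
    1: "sync_source",    # symmetric active: a peer offering its time
    2: "sync_source",    # symmetric passive
    3: "time_request",   # client asking for the time
    4: "sync_source",    # server reply carrying time
    5: "sync_source",    # broadcast
    6: "control_query",  # NTP control message (RFC 1305, Appendix B)
}

# What each access-group level allows, as listed in the question above.
LEVEL_ALLOWS = {
    "peer":       {"time_request", "control_query", "sync_source"},
    "serve":      {"time_request", "control_query"},
    "serve-only": {"time_request"},
    "query-only": {"control_query"},
}

def classify(packet: bytes) -> str:
    """Classify a UDP/123 payload by the low 3 bits of its first byte."""
    if not packet:
        raise ValueError("empty packet")
    mode = packet[0] & 0x07
    # Control messages have a 12-byte header, time packets a 48-byte one.
    minimum = 12 if mode == 6 else 48
    if len(packet) < minimum:
        raise ValueError(f"truncated mode {mode} packet")
    return MODE_KIND.get(mode, "other")

def permitted(level: str, packet: bytes) -> bool:
    """True if a source matching the ACL of `level` may send `packet`."""
    return classify(packet) in LEVEL_ALLOWS[level]

# Constructed sample packets (first byte = LI<<6 | VN<<3 | mode).
CLIENT_REQUEST = struct.pack("!B47x", (3 << 3) | 3)   # NTPv3 client request
SERVER_REPLY = struct.pack("!B47x", (3 << 3) | 4)     # NTPv3 server reply
# NTPv2 control message, opcode 2 (read variables), sequence number 1.
CONTROL_QUERY = struct.pack("!BBHHHHH", (2 << 3) | 6, 2, 1, 0, 0, 0, 0)

if __name__ == "__main__":
    samples = {"client request": CLIENT_REQUEST,
               "server reply": SERVER_REPLY,
               "control query": CONTROL_QUERY}
    for level in LEVEL_ALLOWS:
        row = {name: permitted(level, pkt) for name, pkt in samples.items()}
        print(f"{level:<11} {row}")
```

In this model a source matched by "serve" gets answers to its time requests and control queries, but a time-bearing packet from that same source is not accepted, which is how a device can provide time without synchronizing to the requester.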

Giuseppe Larosa Sun, 09/13/2009 - 07:20

Hello Sairam,

Yes, the RFC is quite long and I admit I haven't read it either.


Thanks for the link.

Of course that web site can be helpful for your studies.

As I wrote in other threads you need to focus on the concepts and on router configuration.


Best Regards

Giuseppe

