I am trying to secure NTP for our network. From the A Router, I would like to only pull time from the USNO and I would like to allow only B router to poll A Router for time. I have set up an ACL on A Router to "serve-only" B Router (no problems there). I run into the problem when I try to apply the "query" or "query-only" ACL on the A router facing the USNO. It loses sync every time. It only stays active if "peer" is used but I thought that may be too much. Any suggestions?
Unfortunately I don't have an answer for this problem; however, I can confirm that this problem is not unique to your setup. With my 7206 I replicated your same issue. I'm guessing that I am misinterpreting Cisco's implementation of the query-only access control. I suspect that the only way for this to work properly is for you to use it in peer mode.
Another possibility is to set up a key exchange (authentication/hash/encryption) with another trusted entity. Perhaps USNO can set up an agreement with you or recommend someone else?
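Added example, not part of any post above: a Router A configuration consistent with what the thread observed, with the upstream source in the `peer` access group and Router B in `serve-only`. The addresses are constructed documentation-range placeholders (192.0.2.10 for the upstream time server, 198.51.100.2 for Router B), and the key ID and key string are placeholders that only apply if the upstream operator issues a key.

```cisco
! Router A -- addresses below are constructed placeholders, not real servers
!
! ACL 10: the only source Router A may synchronize its own clock to
access-list 10 remark NTP upstream allowed to set our clock
access-list 10 permit 192.0.2.10
access-list 10 deny   any
!
! ACL 20: the only client allowed to request time from Router A
access-list 20 remark NTP client allowed to request time only
access-list 20 permit 198.51.100.2
access-list 20 deny   any
!
! IOS evaluates access groups from least to most restrictive:
!   peer -> serve -> serve-only -> query-only
! "query-only" permits NTP control queries only, so a source matched
! only there can never be used for synchronization. "peer" is the level
! that lets the router synchronize to the matched address; limiting
! ACL 10 to a single host keeps that grant narrow.
ntp access-group peer 10
ntp access-group serve-only 20
!
ntp server 192.0.2.10
!
! Optional, only if the upstream operator provides a symmetric key
! (key ID 1 and the key string are placeholders):
! ntp authentication-key 1 md5 <KEY-FROM-UPSTREAM-OPERATOR>
! ntp trusted-key 1
! ntp authenticate
! ntp server 192.0.2.10 key 1
!
! Verify after applying:
!   show ntp associations
!   show ntp status
```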