Shutting off NTP on Specific interfaces

Patrick McHenry
Level 3

Hi,

I want to be able to use our HQ Internet router as the NTP source for the rest of our network equipment - including other Internet routers at remote sites. It is all configured and all working fine, but I would like to turn NTP off on all External facing interfaces for remote sites...

I think this will accomplish that...

config t
! Internet facing interface
int g0/0/0
ntp disable
!

That way, I will still be able to get my NTP info from the HQ Internet router's MGMT IP.

But,

for the HQ Internet router I need to be able to access the Internet NTP servers that we are getting our clock info from. On that router "ntp disable" on the Internet facing interface will break NTP. What do I need to configure on the HQ internet router Internet facing interface to stop the router from being a source to anyone on the Internet, but still be able to get clock info from the Internet and act as a source for the rest of our network equipment?

I thought this would work "no ntp source-interface interface", but command is not supported on the 4400s I guess.

Thanks, Pat


9 Replies

Hello,

You can globally configure an ntp access-group to restrict who can query your router for NTP and who your router serves for NTP requests.

http://blog.ine.com/2008/07/28/ntp-access-control/

Thanks for the response...

What do you think of this?

HQ:

config t
!
! Public IPs of the Internet NTP servers
access-list 1 permit x.x.x.x 0.0.0.0
access-list 1 permit x.x.x.x 0.0.0.0
access-list 1 permit x.x.x.x 0.0.0.0
access-list 1 permit x.x.x.x 0.0.0.0
!
! All internal sources
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.15.255
access-list 2 permit 192.168.0.0 0.0.255.255
!
! Accept updates from, and respond to requests from, ACL 1
ntp access-group peer 1
! Respond to NTP requests from ACL 2 but reject attempts to sync local time
ntp access-group serve-only 2
!

Remote site routers:

config t
!
! HQ MGMT IP
access-list 1 permit x.x.x.x 0.0.0.0
ntp source Loopback0
ntp access-group peer 1
! HQ MGMT IP
ntp server x.x.x.x
!

On HQ router

I'm thinking here that access-list 1 will allow the HQ router to accept updates from the Internet IPs defined and respond to requests from the Internet IPs defined. I would rather the HQ router didn't respond to requests from the defined Internet IPs, but it seems there is no option to reject them and still get updates. Or, is there?

On Remote site routers

I'm thinking here that this will allow the remote site routers to accept updates from the HQ router and respond to requests from the HQ router. I would rather they didn't respond to the HQ router's requests, but it does seem that the access-list 2 defined on the HQ router will reject any attempts to sync local time from the internal sources.

BTW - does access-list 2 defined on the HQ router allow the remote site routers to update their time? I only ask this because the document mentions that a serve-only access-group rejects attempts to sync local time - that seems confusing, a contradiction.

Thank you

Your configuration looks good. The 'peer' access group is the only one that actually allows a router to BE synchronized, that is, influenced, so to speak, by other devices. The 'serve-only' allows the (HQ router in your case) to update others, but not BE updated, or influenced, by others. Does that make sense?

In order for the HQ router to reject requests from the defined Internet IPs, but still accept updates from those IPs, the 'serve-only' access group would need to be configured on the Internet routers. Thinking about it, it is almost certain that those routers have configured this anyway, since they don't want to have their time synchronized with you, or any other downstream client.

Thanks for the explanation - that really helped my understanding!!!

As far as the second paragraph that you wrote in your last response... yeah, that makes total sense, but what I was getting at was: I want to reject any IP, other than the ones I configure from the Internet, from being served by me (serve-only) and serving me (peer).

But...now looking at my access-lists I believe they accomplish just that. I will only be allowed to peer and "serve" with access-list 1 IPs and no other Internet IPs and only serve access-list 2 IPs, correct? And, like you mentioned - will most likely not serve those same Internet IPs as they are probably serve-only.

Thank you, Pat

Patrick,

You are quite right. By allowing some IP addresses, all others are implicitly denied.

I once worked for a company called WorldCom, which does not exist anymore. They were, back then, the biggest ISP around. We had several authoritative time servers, some of them even served the Pentagon as far as I remember. There was no way anyone could manipulate the time on these servers, so they were definitely serve-only.

Feel like I am beating a dead horse - sorry man.

One more question....

When creating access-list 1 (the Internet IPs access-list), should I use the hostnames? I mention this because, from what I understand, the IP addresses we could be assigned could be from a random time server.

! Standard (numbered 1-99) ACL syntax takes "host <address>" with no "ip" keyword
access-list 1 permit host 0.us.pool.ntp.org
access-list 1 permit host 1.us.pool.ntp.org
access-list 1 permit host 2.us.pool.ntp.org
access-list 1 permit host 3.us.pool.ntp.org
!
ip domain lookup source-interface GigabitEthernet0/1
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!

Thx, Pat

Patrick,

I had to look that up myself, but pool.ntp.org recommends using the host names, since the pools point to a set of servers that change every hour. I didn't know that!

So your access list looks fine.

http://www.pool.ntp.org/en/use.html

Oh - one other question....

If I wanted to make sure my remote site network devices did not serve any other network devices would it be smart to create an access-list that would deny any and apply it to access-group serve-only?

Remote site routers:

config t
!
! HQ MGMT IP
access-list 1 permit x.x.x.x 0.0.0.0
access-list 2 deny any
ntp source Loopback0
ntp access-group peer 1
ntp access-group serve-only 2
! HQ MGMT IP
ntp server x.x.x.x
!

Hello,

Since you have already defined a peer group with access list 1, all other access is implicitly denied. That means you do not need to specifically deny all other traffic - it is denied already.
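The access-group behaviour the thread settles on (peer lets the router be synchronized and serves the peer; serve-only answers requests but never accepts time; once any access group exists, every source that matches none of them is implicitly denied, so the remote-site "deny any" group changes nothing) is easy to mis-remember, so here it is as a small Python model. This is an added example written for this page, not code from the thread or from Cisco. It assumes the scan order Cisco documents for IOS (peer, then serve, then serve-only, then query-only, with the first group whose ACL matches deciding), accepts only dotted-IPv4 standard ACL entries, and substitutes constructed placeholder addresses for the x.x.x.x values above (192.0.2.10 for an Internet NTP server, 10.0.0.1 for the HQ management IP).

```python
# Added example: a model of Cisco IOS "ntp access-group" evaluation.
# Not Cisco code. Assumes the documented scan order peer -> serve ->
# serve-only -> query-only, first matching group wins, and implicit deny
# once any access group is configured.
from ipaddress import IPv4Address

# What each access type grants to a matching source:
#   serve = answer its time requests, query = answer NTP control queries,
#   sync  = allow the local clock to be synchronized from it.
GRANTS = {
    "peer":       {"serve": True,  "query": True,  "sync": True},
    "serve":      {"serve": True,  "query": True,  "sync": False},
    "serve-only": {"serve": True,  "query": False, "sync": False},
    "query-only": {"serve": False, "query": True,  "sync": False},
}
DENY = {"serve": False, "query": False, "sync": False}
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")


def parse_config(text):
    """Parse standard 'access-list' and 'ntp access-group' lines.

    Returns (acls, groups): acls maps ACL number -> [(action, addr, wildcard)],
    groups maps access type -> ACL number. Lines starting with '!' are comments.
    """
    acls, groups = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "access-list":
            num, action, target = parts[1], parts[2], parts[3]
            if target == "any":
                addr, wild = 0, 0xFFFFFFFF
            elif target == "host":
                addr, wild = int(IPv4Address(parts[4])), 0
            else:
                addr = int(IPv4Address(target))
                wild = int(IPv4Address(parts[4])) if len(parts) > 4 else 0
            acls.setdefault(num, []).append((action, addr, wild))
        elif parts[:2] == ["ntp", "access-group"]:
            groups[parts[2]] = parts[3]
    return acls, groups


def acl_permits(entries, src):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    s = int(IPv4Address(src))
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF          # set wildcard bits = "don't care"
        if (s & care) == (addr & care):
            return action == "permit"
    return False


def ntp_access(acls, groups, src):
    """Grants for NTP packets from 'src' under the configured access groups."""
    if not groups:                         # no access-group at all: everything allowed
        return GRANTS["peer"]
    for kind in SCAN_ORDER:
        num = groups.get(kind)
        if num is not None and acl_permits(acls.get(num, []), src):
            return GRANTS[kind]
    return DENY                            # groups configured, no match: implicit deny


# Constructed stand-in for the HQ router config posted in the thread
# (placeholder 192.0.2.10 = an Internet NTP server; internal ranges as posted).
HQ_CONFIG = """
access-list 1 permit 192.0.2.10 0.0.0.0
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.0.0 0.0.15.255
access-list 2 permit 192.168.0.0 0.0.255.255
ntp access-group peer 1
ntp access-group serve-only 2
"""

# Constructed stand-in for the remote-site config (placeholder 10.0.0.1 = HQ
# management IP). The explicit 'deny any' serve-only group is shown below
# to make no difference.
REMOTE_CONFIG = """
access-list 1 permit 10.0.0.1 0.0.0.0
access-list 2 deny any
ntp access-group peer 1
ntp access-group serve-only 2
"""


def hq_decision(src):
    return ntp_access(*parse_config(HQ_CONFIG), src)


def remote_decision(src, with_deny_group=True):
    cfg = REMOTE_CONFIG if with_deny_group else REMOTE_CONFIG.replace(
        "ntp access-group serve-only 2\n", "")
    return ntp_access(*parse_config(cfg), src)


if __name__ == "__main__":
    for src in ("192.0.2.10", "10.0.0.5", "172.16.20.1", "203.0.113.7"):
        print("HQ", src, hq_decision(src))
    for src in ("10.0.0.1", "10.0.0.9"):
        print("remote", src, remote_decision(src), remote_decision(src, False))
```

Two things the model makes visible that the posts only state: the wildcard 0.0.15.255 on 172.16.0.0 covers 172.16.0.0 through 172.16.15.255 only, so a source such as 172.16.20.1 is denied by the HQ config; and on the remote-site routers the result for a non-HQ source is identical with or without the "deny any" serve-only group. The model has no notion of interfaces, so the "ntp disable" from the first post is outside what it checks.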
