Configure router as NTP client/server to NTP pool with ACL to block internet NTP requests

tl;dr - I want to receive NTP updates from the NTP.org pool on my router, while giving NTP updates to local network clients, and blocking NTP requests coming from the internet.

This configuration is just a private home project that I'm working on. I'm practicing on a router and I want to see if I can make this configuration work. I understand this may not be optimal usage of NTP.

I'm trying to configure a Cisco 1921 router to serve as an NTP server to my home network, and retrieve NTP updates from the NTP.org pool. I want to do this while blocking NTP client requests from the internet to my router's WAN address. 

I've been able to get both the NTP client updates from 0.us.pool.ntp.org, and distribute NTP server updates to home and internet clients working on the router with no ACLs applied. Once I had this working, I started getting NTP requests into the router on the WAN address. 

Every attempt I've made to block NTP requests from the internet has resulted in behavior I don't want. Either the NTP pool is blocked, or the local clients are blocked, or any number of other variations of things I've tried that haven't worked.

I have a similar configuration already set up for DNS. I use the router as a DNS server for LAN clients, and allow the router to make lookups to public DNS servers. I blocked internet requests coming in on 53 while allowing the public DNS servers. This configuration has worked very well.

The main issue I see is that the NTP.org pool uses a pool of addresses. ACLs work on networks or individual hosts. Since I don't know which servers NTP.org is going to give me, I can't build a functional ACL that permits specific NTP traffic. Is there a way to make this configuration work? 

If the configuration isn't going to work with the NTP pools, what is a recommended NTP server with a static IP that I can build this ACL around? Is it necessary to block NTP on the WAN after enabling NTP server for LAN clients? Is there another way to block this traffic that I am missing?

Thank you for your time. 

3 Replies

balaji.bandi
Hall of Fame

Quick fix for this: since you know the source IP where the NTP initiation to ntp.org comes from, make the ACL source the NTP router IP, destination any, for NTP requests only (NTP port along with DNS).

Does that make sense?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, I think so. If I can summarize, use the router interface as the source address for NTP packet filtering. I think I see how to make that work. Thank you for your response.

Sure, let us know if any further assistance is required, if the issue is not resolved.

If the issue is resolved, mark it as the solution so it is useful for other members.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
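
The idea in the reply above, keying the filter on NTP traffic the router itself initiates instead of on pool addresses, modelled as an added example (not code from this thread and not router configuration). All names are hypothetical and the addresses are constructed documentation ranges; the stateless rule is included to show why matching on port 123 alone also admits internet clients that send from port 123, as ntpd does.

```python
NTP_PORT = 123
MODE_CLIENT, MODE_SERVER = 3, 4   # NTP header mode values

def ntp_mode(payload: bytes) -> int:
    """Return the NTP mode: the low 3 bits of the first header byte."""
    if len(payload) < 48:
        raise ValueError("short NTP packet")
    return payload[0] & 0x07

def make_ntp(mode: int, version: int = 4) -> bytes:
    """Build a constructed 48-byte NTP header carrying only version and mode."""
    return bytes([(version << 3) | mode]) + bytes(47)

def stateless_acl(src_port: int, dst_ip: str, dst_port: int, wan_ip: str) -> bool:
    """Stateless rule: permit UDP from any host, port 123 to WAN port 123."""
    return dst_ip == wan_ip and src_port == NTP_PORT and dst_port == NTP_PORT

class RouterInitiatedFilter:
    """Permit inbound NTP only as the reply to a request the router sent."""

    def __init__(self, wan_ip: str, timeout: float = 30.0):
        self.wan_ip, self.timeout = wan_ip, timeout
        self.pending = {}   # server IP -> time at which the entry expires

    def outbound(self, dst_ip: str, now: float) -> None:
        """Record a request sent to whichever pool address DNS returned."""
        self.pending[dst_ip] = now + self.timeout

    def inbound(self, src_ip, src_port, dst_ip, dst_port, payload, now) -> bool:
        if (dst_ip, dst_port, src_port) != (self.wan_ip, NTP_PORT, NTP_PORT):
            return False
        expires = self.pending.get(src_ip)
        if expires is None or now > expires:
            return False    # unsolicited, or the reply arrived too late
        try:
            if ntp_mode(payload) != MODE_SERVER:
                return False    # a client request, even from a known server IP
        except ValueError:
            return False
        del self.pending[src_ip]    # one reply per outstanding request
        return True

def demo() -> dict:
    wan, pool, stranger = "203.0.113.10", "192.0.2.50", "198.51.100.7"
    f = RouterInitiatedFilter(wan)
    f.outbound(pool, now=0.0)
    return {
        "stateless_admits_stranger": stateless_acl(123, wan, 123, wan),
        "stranger_request": f.inbound(stranger, 123, wan, 123, make_ntp(MODE_CLIENT), 1.0),
        "pool_reply": f.inbound(pool, 123, wan, 123, make_ntp(MODE_SERVER), 1.0),
    }
```
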
