Hello,
I would just like to give an explanation of the different access-group options that are available for NTP, to get a response on whether my understanding is correct or incorrect. Also, I have a dedicated question about NTP control messages.
So here's my understanding of the options.
"ntp access-group peer": The "peer" option basically specifies full access; that means that on the router where we specify it, only the IP addresses defined in an ACL are valid. Meaning the router can only sync with those IP addresses. So control and time information are both allowed. That also means that the router would only allow the IP addresses specified in the ACL to sync against the router itself; every other IP address that is not specified in the ACL will not be allowed to query the router for control/time information, nor would the router sync with them.
"ntp access-group serve": This option allows a device, e.g. a router, to send NTP queries and answer responses, but does not allow time synchronization. That means that the router will not sync its time to the IP addresses specified in the ACL; however, the devices specified in the ACL can get time information from that router.
"ntp access-group serve-only": The device (router) will respond to NTP queries but won't synchronize its time. Also, no control messages are allowed.
"ntp access-group query-only": The device (router) would accept NTP control queries and answer them. However, time is not synchronized.
That said, what is the difference between the "serve" and "serve-only" options, and also, what are the NTP control packets? What are they used for, and why would I allow them to come through but not synchronize time?
Thanks in advance!
Kind regards,
Mirko
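An added configuration example, not part of the original post, showing how the four ntp access-group options are applied together on a Cisco IOS router so that each class of remote system gets only the access it needs. The IP addresses are constructed RFC 5737 documentation addresses, and the ACL numbers are assumptions; substitute your own.

```cisco
! Added example (not from the original post): NTP access control on Cisco IOS.
! Addresses are constructed RFC 5737 documentation addresses; ACL numbers are assumed.
!
! Upstream time sources: the router may synchronize its clock to these, and they
! may also send time requests and control queries to the router (peer).
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
! Management host: may send time requests and NTP control queries, but the
! router will never adopt its clock (serve).
access-list 20 permit 203.0.113.5
!
! Downstream clients: time requests only, no control queries, no sync from them
! (serve-only). This is the usual setting for the bulk of a network.
access-list 30 permit 198.51.100.0 0.0.0.255
!
! Monitoring station: control queries only, no time service at all (query-only).
access-list 40 permit 203.0.113.20
!
! The sources the router actually synchronizes to.
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! Bind each ACL to its access type. Groups are evaluated in the order
! peer, serve, serve-only, query-only; the first match decides.
ntp access-group peer 10
ntp access-group serve 20
ntp access-group serve-only 30
ntp access-group query-only 40
!
! Any source not matched by one of the groups above is denied all NTP access
! as soon as at least one "ntp access-group" line is configured.
```

After applying this, "show ntp associations" should list only the hosts permitted by ACL 10 as candidate sources, and "show ntp status" should report the router synchronized to one of them; a client in the serve-only range can still fetch time but gets no answer to control queries, which keeps the ability to inspect or influence the server state confined to the management and monitoring hosts.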