03-31-2008 01:52 PM
If I need my 7206 to get timing from these configured servers, what should the access-group statement be set to (peer, serve, serve-only, or query-only)?
ntp server 63.192.96.2
ntp server 130.207.244.240
ntp server 199.165.76.11
ntp server 65.182.224.39
ntp server 18.26.4.105
ntp server 69.25.96.13
ntp server 132.163.4.103
ntp server 64.113.32.5
ntp server 198.60.22.240
When I try these 4 possible configurations, only "peer" works. With this statement in place it syncs up to the other time servers but allows any client to grab timing from it as well. It seems to me I would want "query-only" for the servers I'm grabbing timing from and "serve-only" for the clients I want to allow to get timing from me. It doesn't work that way.
How can I make sure my router hasn't given any privileges to servers I'm connected to or my clients?
Configuring an NTP Access Group
The access list-based restriction scheme allows you to grant or deny certain access privileges to an entire network, a subnet within a network, or a host within a subnet. To define an NTP access group, use the following command in global configuration mode:
Command: Router(config)# ntp access-group {query-only | serve-only | serve | peer} access-list-number
Purpose: Creates an access group and applies a basic IP access list to it.
The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer: Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve: Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only: Allows only time requests from a system whose address passes the access list criteria.
4. query-only: Allows only NTP control queries from a system whose address passes the access list criteria.
03-31-2008 04:49 PM
Solution was provided with the following settings:
- Exclusion in my inbound ACL for UDP traffic on port 123. This is specific to my configuration because I have an inbound ACL.
- ACL (23) defined for the NTP servers on the net that I want to grab time from.
- ACL (24) defined for my clients so they can query my router.
- NTP access-group statements:
ntp access-group peer 23
ntp access-group serve 24
The NTP access-group peer statement allows my 7206 to query the timing source on the Internet. The ntp access-group serve specifies the clients that can grab time from the 7206.
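The following is a complete IOS configuration assembled from the solution above. It is an added example, not the configuration posted by either participant. The nine server addresses are the ones listed in the question; the client subnet 192.168.10.0/24, the ACL name OUTSIDE-IN and the interface name GigabitEthernet0/0 are assumptions for illustration and must be replaced with your own.

```cisco
! Added example (not from the original post). Addresses of the NTP sources
! are from the question; the client subnet, ACL name and interface are assumed.

! ACL 23: hosts this router may synchronise to. Bound with "peer" so the
! router accepts time from them. Standard ACLs end with an implicit deny any,
! so no other address can ever become a time source for the router.
access-list 23 remark NTP sources this router syncs to (ntp access-group peer)
access-list 23 permit host 63.192.96.2
access-list 23 permit host 130.207.244.240
access-list 23 permit host 199.165.76.11
access-list 23 permit host 65.182.224.39
access-list 23 permit host 18.26.4.105
access-list 23 permit host 69.25.96.13
access-list 23 permit host 132.163.4.103
access-list 23 permit host 64.113.32.5
access-list 23 permit host 198.60.22.240

! ACL 24: clients allowed to take time from this router. Bound with "serve",
! so they get time requests and control queries but the router never
! synchronises to them. Use "serve-only" instead of "serve" below if the
! clients should be limited to time requests (per the option definitions above).
access-list 24 remark NTP clients (ntp access-group serve)
access-list 24 permit 192.168.10.0 0.0.0.255

ntp server 63.192.96.2
ntp server 130.207.244.240
ntp server 199.165.76.11
ntp server 65.182.224.39
ntp server 18.26.4.105
ntp server 69.25.96.13
ntp server 132.163.4.103
ntp server 64.113.32.5
ntp server 198.60.22.240
ntp access-group peer 23
ntp access-group serve 24

! Only needed when the Internet-facing interface carries an inbound ACL:
! the servers' replies arrive as UDP from port 123 to port 123 and must be
! permitted before the rest of the inbound policy, or the peer associations
! never reach sync. Limiting the source to the nine hosts keeps the hole small.
ip access-list extended OUTSIDE-IN
 remark NTP replies from the configured time sources
 permit udp host 63.192.96.2 eq 123 any eq 123
 permit udp host 130.207.244.240 eq 123 any eq 123
 permit udp host 199.165.76.11 eq 123 any eq 123
 permit udp host 65.182.224.39 eq 123 any eq 123
 permit udp host 18.26.4.105 eq 123 any eq 123
 permit udp host 69.25.96.13 eq 123 any eq 123
 permit udp host 132.163.4.103 eq 123 any eq 123
 permit udp host 64.113.32.5 eq 123 any eq 123
 permit udp host 198.60.22.240 eq 123 any eq 123
 remark ... existing inbound rules continue here ...
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

To confirm the split is doing what is intended, run `show ntp associations` (the configured servers should appear with a `*` or `+` once the router has synchronised) and `show ntp status` (reports "Clock is synchronized" and the reference address). Because the ACL 23 and ACL 24 address sets do not overlap, a host in the client subnet can never be promoted to a time source, and the Internet servers never fall into the "serve" group.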