Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10362
Views
11
Helpful
3
Replies

NTP Access Lists

Go to solution
Craddockc
Level 3
Level 3

‎09-27-2017 08:05 AM - edited ‎03-01-2019 06:09 PM

Community,

 

Im a little confused about where the NTP ACL's need to be applied. Everything im reading is making it sound like the ACL's need to be applied to the Servers that the clients are syncing their time to, is this correct? I would like to apply ACL's to my client network devices that define only the servers theyre allowed to sync to but the options of "peer" "server" "serve-only" and "query-only" make it sound like these are only server side options. Would I have to use authentication instead on the clients to define which servers the client devices are allowed to sync their time to? Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
johnd2310
Level 8
Level 8
In response to Craddockc

‎10-04-2017 05:43 PM

HI, 

That is correct, but you have to remember that if your clients are routers or switches, they will act as servers themselves if a client points to them. If you would like to make your NTP infrastructure secure, you will need a deny  access list on  the routers and switches using the "peer" "server" "serve-only" and "query-only" keywords.

 

Hope this helps

 

Thanks

John

**Please rate posts you find helpful**

View solution in original post

3 Replies 3

Go to solution
johnd2310
Level 8
Level 8

‎09-27-2017 06:07 PM

Hi,

You can use the access list on the clients which protect the client from serving NTP or responding to queries. 

You specify the servers cleints are allowed to sync to using the "server" command. e.g.

ntp server 192.168.1.1

ntp server 192.168.1.2 

The above restricts the client to sync to servers 192.168.1.1 and 192.168.1.2 only.

 

thanks

John

**Please rate posts you find helpful**

Go to solution
Craddockc
Level 3
Level 3
In response to johnd2310

‎09-28-2017 09:19 AM

John,

 

Thanks for the reply! This makes sense. The client isnt going to sync to anything thats not explicitly configured so no need for a client side ACL defining the servers. However, the servers need ACL's to control which clients can sync to it because there is no way to specify that in the running config. Does this sound correct? Thanks.

0 Helpful

Go to solution
johnd2310
Level 8
Level 8
In response to Craddockc

‎10-04-2017 05:43 PM

HI, 

That is correct, but you have to remember that if your clients are routers or switches, they will act as servers themselves if a client points to them. If you would like to make your NTP infrastructure secure, you will need a deny  access list on  the routers and switches using the "peer" "server" "serve-only" and "query-only" keywords.

 

Hope this helps

 

Thanks

John

**Please rate posts you find helpful**
Customers Also Viewed These Support Documents