NTP Server /Client

TRACY HARTMANN
Level 1

I have a Cisco router with just a statement NTP Server X.X.X.X

This has been running fine for years, but now Security has run some tests and says that the router is acting as an NTP server and responding to clients. I do not have the server configured, but I have found some write-ups saying that using that command does allow clients to use it as an NTP server. The recommendation is to allow the IP address of the NTP server you define and drop all other traffic. I can't do that because we have other traffic coming in. Is there a way to use an ACL to drop the NTP protocol? Or is there a way to stop the broadcasting of the NTP?

3 Replies

Giuseppe Larosa
Hall of Fame

Hello TRACY,

One of the ntp commands should allow you to specify an ACL; in that ACL you specify the address of the server only:

ntp access-group peer 1

access-list 1 permit X.X.X.X

In this way, all other devices' NTP requests should be discarded.

Other options are possible with the ntp access-group command: serve, serve-only and query-only.

Another option is to introduce authentication in NTP, as described in the following thread:

https://community.cisco.com/t5/switching/ntp-server-x-x-x-x/m-p/3039880

But this requires a change on the NTP server X.X.X.X, which should be under your control, and also on all other devices using the same server.

Hope to help

Giuseppe


rasmus.elmholt
Level 7

When you activate the NTP Client feature on an IOS device, it will automatically enable the server feature as well.

If you don't want it to reply to NTP requests, then you can configure an access-group on the NTP process.

This example will only allow the device to ask for NTP as a client, but not to reply to others:

master(config)#
Jan  1 20:18:26.738: NTP message received from 10.1.2.2 on interface 'Loopback0' (8.8.8.8).
Jan  1 20:18:26.738: NTP message sent to 10.1.2.2, from interface 'Loopback0' (8.8.8.8).
master(config)#access-list 1 deny any
master(config)#ntp access-group qu
master(config)#ntp access-group query-only 1
master(config)#
Jan  1 20:20:41.742: NTP message received from 10.1.2.2 on interface 'Loopback0' (8.8.8.8).
master(config)#do show run | inc ntp|access-
access-list 1 deny   any
ntp access-group query-only 1
ntp master 2
master(config)#

I have configured this as a NTP master to show the functionality.

As you can see, it replies to NTP queries, and then I add an ACL and an access-group for NTP queries. Afterwards it receives an NTP query but does not reply to it.

This router is the NTP master with IP 8.8.8.8, and the NTP client is on another router with IP 10.1.2.2.
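As an added example (not code from any of the posters above), the following Python script audits an IOS running-config excerpt for the exposure discussed in the two replies: an ntp server statement with no ntp access-group, a peer/serve/serve-only/query-only group bound to an ACL that permits any source, or a peer ACL that does not include the configured servers. The config text is constructed for the example, and the parser assumes standard numbered ACLs with host entries and the access-group types named in the thread.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not from the thread): a client that
# syncs to two servers and only accepts NTP packets from those servers.
SAMPLE_CONFIG = """\
ntp server 192.0.2.10
ntp server 192.0.2.11
ntp access-group peer 10
access-list 10 permit host 192.0.2.10
access-list 10 permit 192.0.2.11
access-list 10 deny   any
"""

GROUP_TYPES = "peer|serve|serve-only|query-only"

@dataclass
class NtpPolicy:
    servers: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)    # group type -> ACL number
    permits: dict = field(default_factory=dict)   # ACL number -> permitted hosts
    permit_any: set = field(default_factory=set)  # ACLs containing "permit any"

def parse_config(text):
    """Collect ntp server, ntp access-group and standard ACL permit lines."""
    p = NtpPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ntp server (\S+)(?: .*)?", line):
            p.servers.append(m.group(1))
        elif m := re.fullmatch(rf"ntp access-group ({GROUP_TYPES}) (\S+)", line):
            p.groups[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"access-list (\d+) permit (?:host )?(\S+)(?: 0\.0\.0\.0)?", line):
            acl, src = m.groups()
            if src == "any":
                p.permit_any.add(acl)
            else:
                p.permits.setdefault(acl, set()).add(src)
    return p

def findings(p):
    """Return issue strings; an empty list means the client is not exposed."""
    issues = []
    if p.servers and not p.groups:
        issues.append("ntp server set but no ntp access-group: router answers any NTP client")
    if p.servers and p.groups and "peer" not in p.groups:
        issues.append("no peer access-group: no configured group type allows syncing to the servers")
    for kind, acl in p.groups.items():
        if acl in p.permit_any:
            issues.append(f"ntp access-group {kind} {acl} permits any source")
    acl = p.groups.get("peer")
    if acl and acl not in p.permit_any:
        missing = set(p.servers) - p.permits.get(acl, set())
        if missing:
            issues.append(f"servers not permitted by peer ACL {acl}: {sorted(missing)}")
    return issues
```

Run it against the output of show run | inc ntp|access-list to get the same report for a real device.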

Leo Laohoo
Hall of Fame

You could, potentially, build your own Stratum 1 NTP server using a Raspberry Pi.

Other than "affordable", the most important thing about this is the rPi is INSIDE your network.
