Showing results for 
Search instead for 
Did you mean: 

NTP Server /Client


I have a cisco router with just a statement NTP Server X.X.X.X


This has been running fine for years, but now Security has run some tests and say that the router is acting as a NTP server and responding to clients.   I do not have the server configured but I have found some write ups that using that command does allow clients to use it as a NTP Sever.   The recommendation is to allow the IP address of the NTP server you define and drop all other traffic.  I can't do that because we have other traffic coming in.  Is there a way to use a ACL and use a ACL to drop NTP protocol?  Or is there a way to stop the broadcasting of the NTP.


Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master

Hello TRACY ,

one of the ntp commands should allow to speciify an ACL in that ACL you specify the address of the server only

ntp access-group peer 1

access-list 1 permit X.X.X:X


in this way all other devices NTP requests should be discarded.


Other options are possible with the ntp access-group command serve, serve-only and query-only.


Another option is to introduce authentication in NTP as described in the following thread:


But this requires a change in the NTP server X.X.X:X that should be under your control and also on all other devices using the same server.

Hope to help



Rising star
Rising star

When you activate the NTP Client feature on an IOS device, it will automatically enable the server feature as well.

If you don't want it to reply to NTP requests then you can configure an access-group on the NTP proccess.

This example will only allow a client to ask for NTP but not reply to others:

Jan  1 20:18:26.738: NTP message received from on interface 'Loopback0' (
Jan  1 20:18:26.738: NTP message sent to, from interface 'Loopback0' (
master(config)#access-list 1 deny any
master(config)#ntp access-group qu
master(config)#ntp access-group query-only 1
Jan  1 20:20:41.742: NTP message received from on interface 'Loopback0' (
master(config)#do show run | inc ntp|access-
access-list 1 deny   any
ntp access-group query-only 1
ntp master 2

I have configured this as a NTP master to show the functionality.

As you can see it replies to NTP queries, and then I add an ACL and access-group to the NTP queries. Afterwards it received a NTP query but does not reply to it.

This router is the NTP master with ip and the NTP client is on another router with IP

Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend

You could, potentially, build your own Stratum 1 NTP server using a Raspberry Pi

Other than "affordable", the most important thing about this is the rPi is INSIDE your network.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: