
Restricting NTP Access on a Router

I have an internet-facing Cisco 891F router that I have been requested to make some NTP changes on. The current and only NTP configuration has the router looking to 3 different public time servers.

ntp server 1.1.1.1
ntp server 2.2.2.2
ntp server 3.3.3.3

When querying that router's IP address with an NTP tool, it responds as a server, which we do not want. I don't want to prevent this router from getting NTP from the public servers. I just want to prevent any client on the internet from querying this router for NTP. I don't have much experience with ACLs, and the terminology for query-only, serve, peer, and serve-only has been a bit confusing for me.

Am I headed in the right direction with this?

access-list 46 remark utility ACL to block everything
access-list 46 deny any
!
access-list 47 remark NTP peers/servers we sync to/with
access-list 47 permit 1.1.1.1
access-list 47 permit 2.2.2.2
access-list 47 permit 3.3.3.3
access-list 47 deny any
!
! NTP access control
ntp access-group query-only 46 ! deny all NTP control queries
ntp access-group serve 46 ! deny all NTP time and control by default
ntp access-group peer 47 ! permit sync to configured peer(s)/server(s)
ntp access-group serve-only 46 ! deny NTP time sync requests

6 REPLIES

Anyone? 


Hello

You just want your router to be able to accept NTP updates from those servers

access-list 10 permit 1.1.1.1
access-list 10 permit 2.2.2.2
access-list 10 permit 3.3.3.3
ntp server 1.1.1.1
ntp server 2.2.2.2
ntp server 3.3.3.3
ntp access-group peer 10



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
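
Added example, not part of the thread and not Cisco code: a Python sketch that models how IOS evaluates `ntp access-group` (levels checked in the order peer, serve, serve-only, query-only, first permitting ACL wins; with no access-group configured every source gets full access) and reports what a given source address would be granted. The function names and the client address 198.51.100.7 are constructed for illustration; only standard numbered ACLs are handled.

```python
import ipaddress
import re

LEVELS = ["peer", "serve", "serve-only", "query-only"]  # IOS check order
ORIGINAL = "ntp server 1.1.1.1\nntp server 2.2.2.2\nntp server 3.3.3.3\n"  # from the question
ACCEPTED = ORIGINAL + """access-list 10 permit 1.1.1.1
access-list 10 permit 2.2.2.2
access-list 10 permit 3.3.3.3
ntp access-group peer 10
"""  # from the reply above

def parse(config):
    # Collect standard ACL entries and the ACL bound to each NTP access level.
    acls, groups = {}, {}
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()  # drop IOS "!" comments
        m = re.match(r"access-list (\d+) (permit|deny) (?:host )?(\S+)(?: (\S+))?$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4) or "0.0.0.0"))
        m = re.match(r"ntp access-group (peer|serve|serve-only|query-only) (\d+)$", line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, groups

def acl_permits(entries, src):
    # First matching entry decides; a standard ACL ends with an implicit deny.
    ip = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in entries:
        if addr == "any":
            return action == "permit"
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard bits are "don't care"
        if ip & care == int(ipaddress.IPv4Address(addr)) & care:
            return action == "permit"
    return False

def ntp_access(config, src):
    # Returns the access level granted to src, "unrestricted", or None (dropped).
    acls, groups = parse(config)
    if not groups:
        return "unrestricted"  # no access-group at all: all access types for everyone
    for level in LEVELS:
        # Assumption of this sketch: an ACL that is referenced but not defined matches nothing.
        if level in groups and acl_permits(acls.get(groups[level], []), src):
            return level
    return None
```

Calling `ntp_access(ORIGINAL, "198.51.100.7")` and `ntp_access(ACCEPTED, "198.51.100.7")` shows the difference between the router's starting state and the state after the peer ACL is applied.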

Yes I do want that. But I also want to prevent any internet source from accessing this router as an NTP server. 


Hello


@jws1986 wrote:

Yes I do want that. But I also want to prevent any internet source from accessing this router as an NTP server. 


Well, try and test that config I posted - it should just allow communication between those NTP servers and your rtr



kind regards
Paul


Thank you Paul!!, it worked for me.


Hello

Glad to hear - can you please mark it as solved so as to assist others in the future.



kind regards
Paul
