Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7534
Views
10
Helpful
4
Replies

NTP and its access-list

Go to solution
interfacedy
Spotlight
Spotlight

‎03-10-2022 08:38 PM - edited ‎03-10-2022 09:17 PM

Hi, 

NTP server 10.1.1.2 / 10.1.2.2 The client switch has the below configuration. But after adding ntp access-group server-only NTP, the switch become unsynch. Any suggestion? Thanks

 

Ntp server 10.1.1.2

Ntp server 10.1.2.2 pref

ntp access-group serve-only NTP

 

ip access-list extended NTP

permit ip host 10.1.1.2 any

permit ip any host 10.1.1.2

permit ip host 10.1.2.2 any

permit ip any host 10.1.2.2

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
johnd2310
Level 8
Level 8

‎03-10-2022 10:30 PM

Hi,

The serve-only keyword means you want "these" clients to get time from your switch. This is not what you want. You want your switch to get time from 10.1.1.2 and 10.1.2.2. You need to user the peer keyword instead of serve-only. Also we normally use a standard access-list for NTP.

Your configuration should be as follows:

  • create standard access-list: access-list 1 permit host 10.1.1.2  access-list 1 permit host 10.1.2.2
  • create NTP access-group: ntp access-group peer 1
  • configure your NTP servers: ntp server 10.1.1.2  ntp server 10.1.2.2

Thanks

John

**Please rate posts you find helpful**

View solution in original post

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-10-2022 11:12 PM

not sure what is your goal mentioned in the config :

 

as i understand the NTP Server running on the Device, you like to restrict only device to allow to use NTP Server then below example should work for you :

 

ntp access-group peer NTP

 

or below make it simple :

 

ntp access-group peer 20
Access-list 20 permit x.x.x.x (these are client device IP)
access-list 20 permit x.x.x.x
access-list 20 deny any log

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

4 Replies 4

Go to solution
johnd2310
Level 8
Level 8

‎03-10-2022 10:30 PM

Hi,

The serve-only keyword means you want "these" clients to get time from your switch. This is not what you want. You want your switch to get time from 10.1.1.2 and 10.1.2.2. You need to user the peer keyword instead of serve-only. Also we normally use a standard access-list for NTP.

Your configuration should be as follows:

  • create standard access-list: access-list 1 permit host 10.1.1.2  access-list 1 permit host 10.1.2.2
  • create NTP access-group: ntp access-group peer 1
  • configure your NTP servers: ntp server 10.1.1.2  ntp server 10.1.2.2

Thanks

John

**Please rate posts you find helpful**

Go to solution
interfacedy
Spotlight
Spotlight
In response to johnd2310

‎03-13-2022 03:31 PM

Thank you. is there any difference between standard acl and extended in this case? 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-10-2022 11:12 PM

not sure what is your goal mentioned in the config :

 

as i understand the NTP Server running on the Device, you like to restrict only device to allow to use NTP Server then below example should work for you :

 

ntp access-group peer NTP

 

or below make it simple :

 

ntp access-group peer 20
Access-list 20 permit x.x.x.x (these are client device IP)
access-list 20 permit x.x.x.x
access-list 20 deny any log

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
interfacedy
Spotlight
Spotlight
In response to balaji.bandi

‎03-15-2022 06:46 PM

Hi we scan network security vulnerability. It shows some NTP related issue. so we need to block the potential issue. thanks

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card