
NTP access control


An important trick I found on the INE forum that should be remembered about NTP when you are using NTP access control.


One thing the INE post does not mention: by default an NTP master answers every station that polls it. NTP authentication does not change that, because it only decides which sources the local router is willing to synchronize to; it does not stop the router from serving time to unauthenticated clients. If you want to restrict which stations may poll the master (and which ones the client may synchronize to), that is what the access-group ACLs are for.


"If your router is configured as NTP master, and you set up any access-control group, you must allow the “peer” access type to a source with IP address “127.127.7.1”. This is because “127.127.7.1” is the internal server created by the ntp master command, which the local router synchronizes to. If you forget to enable peer access for it, your server will always be out of sync. Here are some examples. First one: configure R1 as NTP master and allow the server to be polled for NTP updates by just one client. The client should receive updates from just one source:"






Creating an Access Group and Assigning a Basic IP Access List to It


To control access to NTP services, you can create an NTP access group and apply a basic IP access list to it. To do so, use the following command in global configuration mode:

Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
Purpose: Creates an access group and applies a basic IP access list to it.


The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only—Allows only time requests from a system whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types will be granted.
For details on NTP control queries, see RFC 1305 (NTP version 3).
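As an added example (not part of the original post or of the INE article quoted above), here is a full configuration for the INE scenario using the access types listed above: R1 is the NTP master and may be polled by exactly one client, and the client R2 synchronizes to R1 and to nothing else. The addresses 192.168.2.1 (R1) and 192.168.2.2 (R2), the ACL numbers and the stratum value are assumptions made for this example.

```cisco
! ---- R1: NTP master, polled by exactly one client ----
! Addresses, ACL numbers and the stratum are assumptions for this example.
!
! ACL 1: the only station allowed to ask R1 for time
access-list 1 permit host 192.168.2.2
!
! ACL 2: the internal reference clock that "ntp master" creates.
! Without "peer" access for 127.127.7.1, R1 itself stays unsynced at stratum 16.
access-list 2 permit host 127.127.7.1
!
ntp master 5
! serve-only: time requests only; no NTP control queries and no
! possibility for R1 to synchronize itself to the client
ntp access-group serve-only 1
! peer: lets R1 synchronize to its own internal clock
ntp access-group peer 2
!
! ---- R2: client that takes time from R1 and from nothing else ----
! ACL 1: R1 is the only source R2 may synchronize to.
! "serve" would let R2 answer R1, but would not let R2 synchronize
! to it, so the access type here must be "peer".
access-list 1 permit host 192.168.2.1
ntp access-group peer 1
ntp server 192.168.2.1
```

To check the result, use show ntp status and show ntp associations detail on both routers. On R1 the 127.127.7.1 association should show up as our_master, sane and valid with reach 377; if the "ntp access-group peer 2" line is left out, that entry becomes insane/unsynced and R1 reports stratum 16. On R2 the association with 192.168.2.1 should become sys.peer, while any other station polling R1 gets no answer and sees reach 0 for it. Keep in mind that access groups filter on source address only, which is spoofable on the wire; if R2 must be sure the time really comes from R1, add NTP authentication (ntp authenticate, ntp authentication-key, ntp trusted-key and a key on the ntp server line) on top of the access group rather than instead of it.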






Output of show ntp associations detail on the master. The first association is a configured external server (192.168.2.24) that is unreachable and unsynchronized (reach 0, stratum 16); the second is the internal reference clock 127.127.7.1 created by ntp master, which is our_master, sane and valid (reach 377, stratum 4 in this output) and is what keeps the router in sync.

192.168.2.24 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 512, peer poll intvl 512
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 3774813.461
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
xmt time CEE8139F.D5044C0D (08:24:31.832 GMT Fri Jan 1 2010)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0


127.127.7.1 configured, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
rcv time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
xmt time CEE813A4.D3F38B82 (08:24:36.827 GMT Fri Jan 1 2010)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85
Reference clock status:  Running normally
Timecode: 
