
NTP access control


An important trick I found on the INE forum that is worth remembering when you use NTP access control.


One important point that the INE post does not mention is that, by default, the NTP master rejects nobody: a station that is not trying to authenticate is still served, which is why you restrict such stations with an ACL.


"If your router is configured as NTP master, and you set up any access-control group, you must allow “peer” access type to a source with IP address “127.127.7.1”. This is because “127.127.7.1” is the internal server created by the ntp master command, which the local router synchronizes to. If you forget to enable peer access for it, your server will always be out of sync. Here are some examples. First one: configure R1 as NTP master and allow the server to be polled for NTP updates by just one client. The client should receive updates from just one source:"






Creating an Access Group and Assigning a Basic IP Access List to It


To control access to NTP services, you can create an NTP access group and apply a basic IP access list to it. To do so, use the following command in global configuration mode:

Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
Purpose: Creates an access group and applies a basic IP access list to it.


The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer—Allows time requests and NTP control queries and allows the system to synchronize itself to a system whose address passes the access list criteria.
2. serve—Allows time requests and NTP control queries, but does not allow the system to synchronize itself to a system whose address passes the access list criteria.
3. serve-only—Allows only time requests from a system whose address passes the access list criteria.
4. query-only—Allows only NTP control queries from a system whose address passes the access list criteria.
If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types will be granted.
For details on NTP control queries, see RFC 1305 (NTP version 3).
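To make the precedence rules above and the 127.127.7.1 trick from the INE quote concrete, here is an added Python model; it is not Cisco code and not from the INE post. It parses a constructed IOS-style config (standard access-lists plus ntp access-group lines), evaluates the access types in the documented order (peer, serve, serve-only, query-only, first match wins, no groups means everything is allowed), and shows that a master whose access groups forget the internal clock at 127.127.7.1 can never synchronise. The addresses 192.0.2.10 and 192.0.2.99 and the two config snippets are constructed for the example; the operation names "time", "control" and "sync" are this model's own labels for the three things the page says an access type can permit.

```python
"""Model of how Cisco IOS evaluates `ntp access-group` restrictions.

Added illustration, not Cisco code: it encodes the behaviour the page
describes (peer, serve, serve-only, query-only scanned least to most
restrictive, first matching type wins, no groups means everything allowed)
and the page's point that `ntp master` synchronises to the internal clock
at 127.127.7.1, which therefore needs peer access.  Client addresses in
the sample configs are constructed from the 192.0.2.0/24 documentation range.
"""
import ipaddress
import re

# Scan order from the page: least restrictive first, first match wins.
ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")

# Operations each access type permits, per the page's list.
PERMITS = {
    "peer": {"time", "control", "sync"},
    "serve": {"time", "control"},
    "serve-only": {"time"},
    "query-only": {"control"},
}

# Constructed config: R1 as master, one client allowed to poll, but the
# internal clock 127.127.7.1 has been forgotten, so R1 can never sync.
BROKEN_CONFIG = """
ntp master 4
access-list 10 permit 192.0.2.10
ntp access-group serve-only 10
"""

# Constructed config with the fix from the page: peer access for 127.127.7.1.
FIXED_CONFIG = """
ntp master 4
access-list 10 permit 192.0.2.10
access-list 11 permit 127.127.7.1
ntp access-group serve-only 10
ntp access-group peer 11
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not modelled here")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_config(text):
    """Extract standard ACLs and ntp access-group bindings from IOS-style config text."""
    acls = {}    # ACL number -> ordered list of (action, network)
    groups = {}  # access type -> ACL number
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?", line)
        if m:
            num, action, addr, wildcard = m.groups()
            net = (ipaddress.ip_network("0.0.0.0/0") if addr == "any"
                   else wildcard_to_network(addr, wildcard or "0.0.0.0"))
            acls.setdefault(num, []).append((action, net))
            continue
        m = re.fullmatch(r"ntp access-group (peer|serve-only|serve|query-only) (\d+)", line)
        if m:
            groups[m.group(1)] = m.group(2)
    return acls, groups


def acl_permits(entries, ip):
    """Standard ACL semantics: first matching entry decides, implicit deny at the end."""
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


def ntp_access(acls, groups, source, operation):
    """Return (access type matched, allowed?) for `source` attempting `operation`.

    `operation` is "time" (time request), "control" (NTP control query) or
    "sync" (the local system synchronising itself to `source`).
    """
    ip = ipaddress.ip_address(source)
    if not groups:                      # no ntp access-group at all: everything allowed
        return ("unrestricted", True)
    for atype in ACCESS_TYPES:          # scanned least to most restrictive
        num = groups.get(atype)
        if num is not None and acl_permits(acls.get(num, []), ip):
            return (atype, operation in PERMITS[atype])  # first match wins, no fall-through
    return (None, False)                # matched no access group: refused


def master_can_sync(config_text):
    """Can the router running `ntp master` sync to its internal clock under this config?"""
    acls, groups = parse_config(config_text)
    return ntp_access(acls, groups, "127.127.7.1", "sync")[1]


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        acls, groups = parse_config(cfg)
        print(name, "master syncs to 127.127.7.1:", master_can_sync(cfg))
        print(name, "client 192.0.2.10 time request:", ntp_access(acls, groups, "192.0.2.10", "time"))
        print(name, "client 192.0.2.10 control query:", ntp_access(acls, groups, "192.0.2.10", "control"))
        print(name, "stranger 192.0.2.99 time request:", ntp_access(acls, groups, "192.0.2.99", "time"))
```

Running the script prints the broken config refusing the internal clock (matching the "insane, invalid, unsynced, stratum 16" state shown in the output further down) while the fixed config grants it peer access; the client still gets only time requests under serve-only, and a host in none of the lists gets nothing. Because the model scans access types in the fixed order rather than config line order, a source that appears in both a query-only and a peer list is granted peer, which is the precedence rule the documentation states.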






192.168.2.24 configured, insane, invalid, unsynced, stratum 16
ref ID 0.0.0.0, time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 512, peer poll intvl 512
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 3774813.461
delay 0.00 msec, offset 0.0000 msec, dispersion 16000.00
precision 2**5, version 3
org time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
rcv time 00000000.00000000 (02:00:00.000 GMT Mon Jan 1 1900)
xmt time CEE8139F.D5044C0D (08:24:31.832 GMT Fri Jan 1 2010)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =  16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0 16000.0


127.127.7.1 configured, our_master, sane, valid, stratum 4
ref ID 127.127.7.1, time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
rcv time CEE813A4.D3F3A778 (08:24:36.827 GMT Fri Jan 1 2010)
xmt time CEE813A4.D3F38B82 (08:24:36.827 GMT Fri Jan 1 2010)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94    3.92    4.90    5.87    6.85
Reference clock status:  Running normally
Timecode: 
