Restricting Peers

Restricting Peers

Problem

You want to restrict whom your router will provide NTP services to.

Solution

You can use the ntp access-group command to restrict which devices you want your router to allow NTP associations with:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 88 permit host 172.25.1.1
Router(config)#access-list 88 permit host 10.1.1.1
Router(config)#access-list 99 permit 172.25.0.0 0.0.255.255
Router(config)#access-list 99 permit 10.2.0.0 0.0.255.255
Router(config)#clock timezone EST -5
Router(config)#clock summer-time EDT recurring
Router(config)#ntp server 172.25.1.1 version 3
Router(config)#ntp server 10.1.1.1 version 3
Router(config)#ntp access-group peer 88
Router(config)#ntp access-group serve-only 99
Router(config)#end
Router#

Discussion

In this example, the router will allow the internal clock to be synchronized by the two NTP servers listed in access-list number 88, 172.25.1.1, and 10.1.1.1. The router also allows time requests only from the client devices permitted by access-list 99.

By default, NTP has no access controls, and it gives full access to all NTP devices. The ntp access-group command limits this access to various NTP services. In the example above, the peer keyword means that the router will only allow its internal clock to be changed by those remote servers and peers permitted by the access-list.

The serve-only keyword specifies the clients permitted to obtain time services from the router. In the above example, the serve-only access-list (99) permits two entire subnets, 172.2.0.0 255.255.0.0 and 10.2.0.0 255.255.0.0. This means that any NTP clients residing on either of these two subnets can obtain time services from the local router. Using the same method, you can limit the access-list to a single subnet, a group of hosts, or no one. Omitting the ntp access-group serve-only command completely prevents the router from providing time services.

NTP access-groups provide excellent granularity of access to time services on a global basis. Used in conjunction with the interface command ntp disable, NTP access-groups can form the basis of an effective access control strategy.

See Also