Restricting Peers

Problem

You want to restrict whom your router will provide NTP services to.

Solution

You can use the ntp access-group command to restrict the devices with which your router will form NTP associations:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 88 permit host 172.25.1.1
Router(config)#access-list 88 permit host 10.1.1.1
Router(config)#access-list 99 permit 172.25.0.0 0.0.255.255
Router(config)#access-list 99 permit 10.2.0.0 0.0.255.255
Router(config)#clock timezone EST -5
Router(config)#clock summer-time EDT recurring
Router(config)#ntp server 172.25.1.1 version 3
Router(config)#ntp server 10.1.1.1 version 3
Router(config)#ntp access-group peer 88
Router(config)#ntp access-group serve-only 99
Router(config)#end
Router#

Discussion

In this example, the router will allow its internal clock to be synchronized only by the two NTP servers permitted by access-list 88 (172.25.1.1 and 10.1.1.1). The router also answers time requests only from the client devices permitted by access-list 99.

By default, NTP has no access controls, and it gives full access to all NTP devices. The ntp access-group command limits this access to various NTP services. In the example above, the peer keyword means that the router will only allow its internal clock to be changed by those remote servers and peers permitted by the access-list.

The serve-only keyword specifies the clients permitted to obtain time services from the router. ...
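As an added example (not from the book, and not a Cisco tool), the following Python script audits which hosts the configuration above lets change the router's clock and which may only request time. It parses the standard access lists and the ntp access-group lines, applies IOS standard-ACL semantics (first match wins, implicit deny at the end, wildcard mask where a 1 bit means "don't care"), and reports, for a given source address, which NTP access types permit it. SAMPLE_CONFIG is constructed from the recipe; the parser additionally understands deny entries and the any keyword, which the recipe itself does not use. Each access group is evaluated independently here, which is a simplification of how IOS orders its checks.

```python
import ipaddress
import re

# Constructed sample: the recipe's configuration as it would appear in a running-config.
SAMPLE_CONFIG = """
access-list 88 permit host 172.25.1.1
access-list 88 permit host 10.1.1.1
access-list 99 permit 172.25.0.0 0.0.255.255
access-list 99 permit 10.2.0.0 0.0.255.255
ntp server 172.25.1.1 version 3
ntp server 10.1.1.1 version 3
ntp access-group peer 88
ntp access-group serve-only 99
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
NTP_AG_RE = re.compile(r"^ntp\s+access-group\s+(peer|serve|serve-only|query-only)\s+(\d+)$")
ALL_ACCESS_TYPES = {"peer", "serve", "serve-only", "query-only"}


def parse_acl_entry(rest):
    """Turn the address part of a standard ACL entry into (network, wildcard) as integers."""
    tokens = rest.split()
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    network = int(ipaddress.IPv4Address(tokens[0]))
    # A bare address with no wildcard is a single-host match, as on IOS.
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return network, wildcard


def parse_config(text):
    """Collect standard ACL entries by number and the NTP access-group bindings."""
    acls = {}    # ACL number -> list of (action, network, wildcard)
    groups = {}  # NTP access type -> ACL number
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            number, action, rest = m.groups()
            acls.setdefault(number, []).append((action,) + parse_acl_entry(rest))
            continue
        m = NTP_AG_RE.match(line)
        if m:
            access_type, number = m.groups()
            groups[access_type] = number
    return acls, groups


def acl_permits(entries, src_ip):
    """Standard ACL semantics: the first matching entry decides; nothing matching means deny.
    Only the bits where the wildcard is 0 are compared."""
    addr = int(ipaddress.IPv4Address(src_ip))
    for action, network, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if (addr & care) == (network & care):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def ntp_access(config_text, src_ip):
    """Return the set of NTP access types whose access-group ACL permits src_ip.
    With no ntp access-group configured at all, IOS grants every source full access.
    An access group that references an ACL with no entries is treated as deny-all in this model."""
    acls, groups = parse_config(config_text)
    if not groups:
        return set(ALL_ACCESS_TYPES)
    return {access_type for access_type, number in groups.items()
            if acl_permits(acls.get(number, []), src_ip)}


if __name__ == "__main__":
    for host in ("172.25.1.1", "10.1.1.1", "10.2.7.9", "192.168.1.5"):
        print(host, sorted(ntp_access(SAMPLE_CONFIG, host)))
```

Running the script shows that 172.25.1.1 is permitted as a peer and also falls inside the serve-only range, 10.1.1.1 is a peer only, 10.2.7.9 may request time but cannot influence the clock, and 192.168.1.5 gets no NTP service at all. The same checker is handy for confirming that a configuration change did not accidentally widen the peer access list.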
