This should help...
NTP allows you to configure ACLs to restrict access to the NTP services on the router. These ACLs can be configured to restrict access based on IP and the following four restrictions:
peer: Allows time synchronization requests and control queries and allows the router to synchronize itself to remote systems that pass the ACL
serve: Allows time synchronization requests and control queries, but does not allow the router to synchronize itself to remote systems that pass the ACL
serve-only: Allows only time synchronization requests from systems that pass the ACL
query-only: Allows only NTP control queries from systems that pass the ACL

On May 30, 2010, at 5:38 PM, Sadiq Yakasai wrote:
> Guys,
>
> So I configured an NTP server and with authentication with 2 clients - all
> working good and jolly.
>
> Now, I went on to configure the access-group to control who gets access to
> the service on the NTP server. I used the NTP "ntp access-group peer 1" with
> an ACL 1 permitting my clients.
>
> However, right after making this addition, my hosts de-sync (if this word
> exists :-)) from my NTP source/server. Checking the docCD, I have 4 options
> when controlling NTP service access and from my understanding on the
> documentation, it seems like the "peer" option is a kosher one (and also a
> superset of the serve option). But naahhhh, my clients just fall off after
> some time. I will now try out the "serve" keyword, to see what.
>
> Anyone got some good leads on this one please?
>
> Thanks as usual.
> Sadiq
>
>
> Excerpt from the docCD:
>
> The access group options are scanned in the following order, from least
> restrictive to most restrictive:
>
> 1. peer: Allows time requests and NTP control queries and allows the
> system to synchronize itself to a system whose address passes the access
> list criteria.
>
> 2. serve: Allows time requests and NTP control queries, but does not
> allow the system to synchronize itself to a system whose address passes the
> access list criteria.
>
> 3. serve-only: Allows only time requests from a system whose address
> passes the access list criteria.
>
> 4. query-only: Allows only NTP control queries from a system whose
> address passes the access list criteria.
>
> More here:
>
> http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1034942
> --
> CCIE #19963
>
>
> Blogs and organic groups at http://www.ccie.net
Received on Sun May 30 2010 - 17:48:40 ART
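
A model of the access-group evaluation described in the docCD excerpt above, added here as an example; it is not part of the original thread and not Cisco's code. The addresses and ACL contents are constructed, and the first-match scan and the "no matching group means no access" rule are assumptions of this model.

```python
import ipaddress

# Access types in the order the excerpt says they are scanned
# (least restrictive first), with the operations each one grants.
SCAN_ORDER = ["peer", "serve", "serve-only", "query-only"]
GRANTS = {
    "peer": {"time-request", "control-query", "sync-to"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}


def acl_permits(acl, source):
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    addr = ipaddress.ip_address(source)
    for action, network in acl:
        if addr in ipaddress.ip_network(network):
            return action == "permit"
    return False


def granted_ops(access_groups, acls, source):
    """Operations granted to `source` under the configured access groups.

    Assumption: with no access group configured everything is granted; once
    any is configured, a source matching none of them gets nothing.
    """
    if not access_groups:
        return set(GRANTS["peer"])
    for access_type in SCAN_ORDER:
        acl_id = access_groups.get(access_type)
        if acl_id is not None and acl_permits(acls[acl_id], source):
            return set(GRANTS[access_type])
    return set()


# Constructed sample: "ntp access-group peer 1", ACL 1 permits two clients.
ACLS = {1: [("permit", "10.0.0.2/32"), ("permit", "10.0.0.3/32")]}
GROUPS = {"peer": 1}

if __name__ == "__main__":
    # A permitted client, an unlisted host, and an unlisted upstream source.
    for src in ("10.0.0.2", "10.0.0.9", "192.0.2.1"):
        print(src, sorted(granted_ops(GROUPS, ACLS, src)))
```

In this model the unlisted source 192.0.2.1 is granted nothing, including "sync-to", so the router could not synchronize itself to that address unless ACL 1 permits it.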