Right, Petr has done an excellent job on this! Issue fixed and understood
now:
http://blog.ine.com/2008/07/28/ntp-access-control/
Sadiq
On Sun, May 30, 2010 at 11:12 PM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Thanks guys,
>
> So what's the difference between "time requests" and "ntp control queries"
> BTW? Any link on this would be helpful.
>
> Sadiq
>
>
> On Sun, May 30, 2010 at 10:45 PM, Tyson Scott <tscott_at_ipexpert.com> wrote:
>
>> For your situation you should be doing the query-only if you are wanting to
>> control who can get time from the server. You would use the serve option on
>> the clients if you want to control who can give them time. I would use the
>> peer option when you have the command "ntp server" configured and "ntp peer"
>> with another device.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Managing Partner / Sr. Instructor - IPexpert, Inc.
>> Mailto: tscott_at_ipexpert.com
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Sadiq Yakasai
>> Sent: Sunday, May 30, 2010 5:39 PM
>> To: Cisco certification; Cisco certification
>> Subject: ntp access-group <peer vs serve>
>>
>> Guys,
>>
>> So I configured an NTP server and with authentication with 2 clients - all
>> working good and jolly.
>>
>> Now, I went on to configure the access-group to control who gets access to
>> the service on the NTP server. I used the NTP "ntp access-group peer 1" with
>> an ACL 1 permitting my clients.
>>
>> However, right after making this addition, my hosts de-sync (if this word
>> exists :-)) from my NTP source/server. Checking the docCD, I have 4 options
>> when controlling NTP service access and from my understanding on the
>> documentation, it seems like the "peer" option is a kosher one (and also a
>> superset of the serve option). But naahhhh, my clients just fall off after
>> some time. I will now try out the "serve" keyword, to see what.
>>
>> Anyone got some good leads on this one please?
>>
>> Thanks as usual.
>> Sadiq
>>
>>
>> Excerpt from the docCD:
>>
>> The access group options are scanned in the following order, from least
>> restrictive to most restrictive:
>>
>> 1. *peer*: Allows time requests and NTP control queries and allows the
>>    system to synchronize itself to a system whose address passes the access
>>    list criteria.
>>
>> 2. *serve*: Allows time requests and NTP control queries, but does not
>>    allow the system to synchronize itself to a system whose address passes
>>    the access list criteria.
>>
>> 3. *serve-only*: Allows only time requests from a system whose address
>>    passes the access list criteria.
>>
>> 4. *query-only*: Allows only NTP control queries from a system whose
>>    address passes the access list criteria.
>>
>> More here:
>>
>> http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1034942
>> --
>> CCIE #19963
>
> --
> CCIE #19963
>
--
CCIE #19963
Blogs and organic groups at http://www.ccie.net

Received on Mon May 31 2010 - 00:21:04 ART
This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:54 ART
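
The scan order quoted from the docCD in the thread above, modelled in Python as an added example (not code from any poster, from Cisco, or from IOS itself). It assumes standard numbered ACLs with first-match wildcard-mask entries and an implicit deny, that a source denied by one type's ACL is still tested against the next type, and that a source permitted by no type gets no NTP access; the configuration, addresses and function names are constructed for illustration.

```python
import ipaddress

# Scan order from the quoted excerpt (least restrictive first):
# type -> (time requests, control queries, may synchronize to the source)
TYPES = {
    "peer":       (True,  True,  True),
    "serve":      (True,  True,  False),
    "serve-only": (True,  False, False),
    "query-only": (False, True,  False),
}
# Constructed sample configuration (documentation/private address ranges).
SAMPLE_CONFIG = """
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 deny   192.0.2.99
access-list 2 permit 192.0.2.0 0.0.0.255
ntp access-group peer 2
ntp access-group serve-only 1
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse(config):
    """Return ({acl: [(action, base, wildcard)]}, {type: acl}) from config text."""
    acls, groups = {}, {}
    for line in config.splitlines():
        f = line.split()
        if f[:1] == ["access-list"]:
            wild = f[4] if len(f) > 4 else "0.0.0.0"  # no mask means a single host
            acls.setdefault(f[1], []).append((f[2], to_int(f[3]), to_int(wild)))
        elif f[:2] == ["ntp", "access-group"]:
            groups[f[2]] = f[3]
    return acls, groups

def acl_permits(entries, addr):
    """First matching entry decides; no match is an implicit deny."""
    for action, base, wild in entries:
        if (addr ^ base) & ~wild & 0xFFFFFFFF == 0:  # compare only non-wildcard bits
            return action == "permit"
    return False

def ntp_rights(config, source):
    """(type, time_request, control_query, sync_to) for the first type permitting source."""
    acls, groups = parse(config)
    for name, rights in TYPES.items():  # dicts keep insertion order: peer first
        if name in groups and acl_permits(acls.get(groups[name], []), to_int(source)):
            return (name,) + rights
    return (None, False, False, False)  # assumption: no match means no NTP access
```

Running `ntp_rights(SAMPLE_CONFIG, address)` for each client and each upstream time source shows which of the three rights that address ends up with under a given set of `ntp access-group` lines.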