Configuring NTP Access Restrictions

You can control NTP access on two levels as described in these sections:

♦ Creating an Access Group and Assigning a Basic IP Access List, page 7-40

♦ Disabling NTP Services on a Specific Interface, page 7-41

Creating an Access Group and Assigning a Basic IP Access List

Beginning in privileged EXEC mode, follow these steps to control access to NTP services by using access lists:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: ntp access-group {query-only | serve-only | serve | peer} access-list-number
Purpose: Create an access group, and apply a basic IP access list. The keywords have these meanings:

♦ query-only—Allows only NTP control queries.

♦ serve-only—Allows only time requests.

♦ serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize to the remote device.

♦ peer—Allows time requests and NTP control queries and allows the switch to synchronize to the remote device.

For access-list-number, enter a standard IP access list number from 1 to 99.

Step 3
Command: access-list access-list-number permit source [source-wildcard]
Purpose: Create the access list.

♦ For access-list-number, enter the number specified in Step 2.

♦ Enter the permit keyword to permit access if the conditions are matched.

♦ For source, enter the IP address of the device that is permitted access to the switch.

♦ (Optional) For source-wildcard, enter the wildcard bits to be applied to the source.

Note When creating an access list, remember that, by default, the end of the access list contains an implicit deny statement for everything if it did not find a match before reaching the end.

Step 4
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show running-config
Purpose: Verify your entries.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

The access group keywords are scanned in this order, from least restrictive to most restrictive:

1. peer—Allows time requests and NTP control queries and allows the switch to synchronize itself to a device whose address passes the access list criteria.

2. serve—Allows time requests and NTP control queries, but does not allow the switch to synchronize itself to a device whose address passes the access list criteria.

3. serve-only—Allows only time requests from a device whose address passes the access list criteria.

4. query-only—Allows only NTP control queries from a device whose address passes the access list criteria.

If the source IP address matches the access lists for more than one access type, the first type is granted. If no access groups are specified, all access types are granted to all devices. If any access groups are specified, only the specified access types are granted.

To remove access control to the switch NTP services, use the no ntp access-group {query-only | serve-only | serve | peer} global configuration command.

This example shows how to configure the switch to allow itself to synchronize to a peer from access list 99, while restricting devices in access list 42 to time requests only (the last command is access-list, not access list):

Switch# configure terminal
Switch(config)# ntp access-group peer 99
Switch(config)# ntp access-group serve-only 42
Switch(config)# access-list 99 permit 172.20.130.5
Switch(config)# access-list 42 permit 172.20.130.6
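The following Python is an added worked example, not code from the Cisco guide. It models the decision the guide describes above: standard access-list matching with wildcard bits and the implicit deny, then the scan of access types from peer down to query-only, with the first type whose list permits the source address being granted. It is fed the example configuration just shown, plus a few constructed entries (a deny line and a wildcard line) so the ordering rules can be seen. Two assumptions are labelled in the code: access-list lines may also use the IOS host and any shorthands, and a list number with no entries is treated as matching nothing, so the implicit deny applies (the guide does not say how an undefined list number behaves).

```python
"""Model of how 'ntp access-group' and standard access lists combine.
Added example, not Cisco code. Assumptions (not stated in the guide):
  * access-list lines may use the IOS 'host' / 'any' shorthands as well
    as the 'source [source-wildcard]' form the guide shows;
  * a list number with no entries matches nothing (implicit deny).
"""
import ipaddress

# Scan order from the guide: least restrictive first; the first access type
# whose list permits the source address is the one granted.
ACCESS_TYPES = ("peer", "serve", "serve-only", "query-only")

# What a remote device may do under each access type, per the guide.
CAPABILITIES = {
    "peer":       {"time_request", "control_query", "switch_syncs_to_remote"},
    "serve":      {"time_request", "control_query"},
    "serve-only": {"time_request"},
    "query-only": {"control_query"},
}

# The guide's example, plus constructed entries (the deny line and the
# 10.0.0.0/24 wildcard line) that are not from the guide.
EXAMPLE_CONFIG = """
ntp access-group peer 99
ntp access-group serve-only 42
access-list 99 permit 172.20.130.5
access-list 42 permit 172.20.130.6
! constructed entries, not from the guide:
access-list 42 deny 10.0.0.13
access-list 42 permit 10.0.0.0 0.0.0.255
"""


def wildcard_match(addr, source, wildcard="0.0.0.0"):
    """Standard ACL matching: a wildcard bit of 1 means 'do not care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(source)) & care)


def parse_config(text):
    """Return (groups, acls): access type -> list number, and
    list number -> ordered [(action, source, wildcard)] entries."""
    groups, acls = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):   # blank or IOS comment
            continue
        if parts[:2] == ["ntp", "access-group"] and len(parts) == 4:
            if parts[2] not in ACCESS_TYPES:
                raise ValueError(f"unknown access type in {raw!r}")
            groups[parts[2]] = int(parts[3])
        elif parts[0] == "access-list" and len(parts) >= 4:
            number = int(parts[1])
            if not 1 <= number <= 99:   # ntp access-group takes a standard list
                raise ValueError(f"{raw!r}: list number must be 1 to 99")
            action = parts[2]           # permit or deny
            if parts[3] == "any":       # assumed shorthand (IOS syntax)
                source, wildcard = "0.0.0.0", "255.255.255.255"
            elif parts[3] == "host":    # assumed shorthand (IOS syntax)
                source, wildcard = parts[4], "0.0.0.0"
            else:
                source = parts[3]
                wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            acls.setdefault(number, []).append((action, source, wildcard))
    return groups, acls


def acl_permits(entries, addr):
    """First matching entry decides; no match means the implicit deny."""
    for action, source, wildcard in entries:
        if wildcard_match(addr, source, wildcard):
            return action == "permit"
    return False


def permitted_access(addr, groups, acls):
    """Access type granted to addr; 'unrestricted' when no access groups
    exist (all types granted to all devices); None when every list denies."""
    if not groups:
        return "unrestricted"
    for access_type in ACCESS_TYPES:
        number = groups.get(access_type)
        if number is not None and acl_permits(acls.get(number, []), addr):
            return access_type
    return None


def decide(addr, config_text=EXAMPLE_CONFIG):
    groups, acls = parse_config(config_text)
    return permitted_access(addr, groups, acls)


def capabilities_for(addr, config_text=EXAMPLE_CONFIG):
    """What a device at addr may do against this switch's NTP service."""
    granted = decide(addr, config_text)
    if granted == "unrestricted":
        return set().union(*CAPABILITIES.values())
    return set(CAPABILITIES.get(granted, set()))


if __name__ == "__main__":
    for ip in ("172.20.130.5", "172.20.130.6", "10.0.0.13", "10.0.0.77", "192.0.2.9"):
        print(f"{ip:>14} -> {decide(ip)} {sorted(capabilities_for(ip))}")
```

Run against a switch's own show running-config output, the model gives a quick audit of which remote addresses could make the switch synchronize to them (peer) versus merely query it, and it makes the two behaviours the guide warns about visible: a source that matches no list falls to the implicit deny and gets nothing, while a configuration with no access groups at all leaves every access type open to every device.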

Disabling NTP Services on a Specific Interface

NTP services are enabled on all interfaces by default.

Beginning in privileged EXEC mode, follow these steps to disable NTP packets from being received on an interface:

Step 1
Command: configure terminal
Purpose: Enter global configuration mode.

Step 2
Command: interface interface-id
Purpose: Enter interface configuration mode, and specify the interface to disable.

Step 3
Command: ntp disable
Purpose: Disable NTP packets from being received on the interface. By default, all interfaces receive NTP packets.

Step 4
Command: end
Purpose: Return to privileged EXEC mode.

Step 5
Command: show running-config
Purpose: Verify your entries.

Step 6
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To re-enable receipt of NTP packets on an interface, use the no ntp disable interface configuration command.
