NTP - Network Time Protocol
Packet types:
- Control messages: don't bother with this.
- NTP request/update messages: used for time synchronization.
You can define ACL to protect your infrastructure:
Cisco defines 4 access-control types:
- Peer:
The router responds to NTP Requests, and accepts NTP Updates and NTP Control Queries.
This is where you filter which sources you want to sync from!
- Serve:
The router responds to NTP Requests and accepts NTP Control Queries.
- Serve-only:
The router responds to NTP Requests Only.
Won't synchronize local system time.
- Query-only:
The router only accepts NTP control queries.
No responses to NTP requests are sent, and no local system time synchronization with a remote system is permitted.
So basically,
- If you want your router to only synchronize to NTP Servers :
- Peer ACL is configured with the IP Address of the NTP Servers.
- Serve, Serve-only and Query-only ACLs deny everything.
That is:
!
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 185.156.175.251
access-list 10 permit 80.67.184.4
access-list 10 permit 134.59.1.5
access-list 10 deny any
!
ntp access-group query-only 1 ! deny all NTP control queries
ntp access-group serve 1 ! deny all NTP time and control queries by default
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 1 ! deny NTP time sync requests from potential clients
!
- If you want your router to synchronize to NTP Servers and be an NTP Server:
- Peer ACL is configured with the IP Address of the NTP Servers.
- Serve-only ACL is configured with the IP Address of your clients.
- Serve and Query-only ACLs deny everything.
That is:
!
access-list 1 remark utility ACL to block everything
access-list 1 deny any
!
access-list 10 remark NTP peers/servers we sync to/with
access-list 10 permit 185.156.175.251
access-list 10 permit 80.67.184.4
access-list 10 permit 134.59.1.5
access-list 10 deny any
!
access-list 20 remark Hosts/Networks we allow to get time from us
access-list 20 permit 192.168.0.0 0.0.0.255
!
ntp access-group query-only 1 ! deny all NTP control queries
ntp access-group serve 1 ! deny all NTP time and control queries by default
ntp access-group peer 10 ! permit time sync to configured peer(s)/server(s) only
ntp access-group serve-only 20 ! permit NTP time sync requests from a select set of clients
!
ntp server ip ntp.deuza.net minpoll 10
ntp server ip ntp.midway.ovh minpoll 10
ntp server ip ntp.unice.fr minpoll 10 prefer source Vlan1
An IOS router may associate an access-list with any of the above access types, classifying NTP message sources by type. IOS observes two rules when an incoming NTP packet is matched against the configured access types:
1) All access-groups associated with access types are scanned in the order presented above (from 1 to 4) – that is, from most permissive to most restrictive. The first match is used to determine the message source access type.
2) If any of the access types has been defined with an ACL, all other access types are implicitly denied. Just by restricting some sources, you may effectively block all others as well.
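The two rules above can be modelled in a few lines to check which access type a given source ends up with. This is an added sketch, not Cisco's code or part of the original notes: it assumes a "match" means a permit from the ACL, and the function names and tuple layout are made up for the example.

```python
import ipaddress

# Scan order the notes give for IOS: most permissive to most restrictive.
ORDER = ("peer", "serve", "serve-only", "query-only")
ANY = ("0.0.0.0", "255.255.255.255")

# ACLs and access-groups copied from the second configuration above,
# as (action, address, wildcard) entries.
ACLS = {
    1: [("deny", *ANY)],
    10: [("permit", "185.156.175.251", "0.0.0.0"),
         ("permit", "80.67.184.4", "0.0.0.0"),
         ("permit", "134.59.1.5", "0.0.0.0"),
         ("deny", *ANY)],
    20: [("permit", "192.168.0.0", "0.0.0.255")],
}
GROUPS = {"peer": 10, "serve": 1, "serve-only": 20, "query-only": 1}
PEER_ONLY = {"peer": 10}  # hypothetical variant: only the peer group is set


def acl_permits(acl, src):
    """Standard ACL: first matching entry decides, implicit deny at the end."""
    ip = int(ipaddress.IPv4Address(src))
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if ip & care == int(ipaddress.IPv4Address(addr)) & care:
            return action == "permit"
    return False


def access_type(groups, acls, src):
    """Access type granted to src, or None when the packet is denied."""
    if not groups:
        return "peer"  # no access-group configured: nothing is restricted
    for kind in ORDER:  # rule 1: first access type whose ACL permits src
        if kind in groups and acl_permits(acls[groups[kind]], src):
            return kind
    return None  # rule 2: a source permitted nowhere is denied


if __name__ == "__main__":
    # Constructed sample sources: a configured server, a client, two outsiders.
    for src in ("80.67.184.4", "192.168.0.77", "192.168.1.77", "203.0.113.9"):
        print(f"{src:15} full config: {access_type(GROUPS, ACLS, src)!s:11}"
              f" peer ACL only: {access_type(PEER_ONLY, ACLS, src)}")
```

With only the peer group set, the 192.168.0.0/24 clients get nothing, which is rule 2 in action.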
Now here is a catch. If your router is configured as NTP master and you set up any access-control group, you must allow “peer” access type to a source with IP address “127.127.7.1”. This is because “127.127.7.1” is the internal server created by the ntp master command, which the local router synchronizes to. If you forget to grant it peer access, your server will always be out of sync.
Here are some examples. First one: configure R1 as NTP master and allow the server to be polled for NTP updates by just one client. The client should receive updates from just one source: