Cisco IOS
Example values used below:
Vlan10 = management VLAN interface, used as the NTP source
NTP Server = 192.168.10.100
1. Configure an ACL that denies every source. In step 3 it is bound to the serve, serve-only and query-only access groups, so no host can use this device as a time source or send it NTP control/monitoring queries (mode 6/7), the messages abused for amplification and reconnaissance. Note that ntp access-group only accepts a standard ACL (numbered 1-99 or 1300-1999, or a named standard ACL), so the numbered lists below use 10 and 20.
conf t
access-list 10 remark block NTP requests and queries
access-list 10 deny any
2. Configure an ACL that permits only the NTP server(s) this device peers or synchronises with. In step 3 it is bound to the peer access group; the explicit deny at the end is what the implicit deny would do anyway, kept for readability.
access-list 20 remark NTP servers to peer with
access-list 20 permit 192.168.10.100
access-list 20 deny any
3. Configure NTP. The source interface is the address the server sees, so it is the one the server must permit; ntp update-calendar keeps the hardware calendar in step on platforms that have one.
conf t
ntp source Vlan10
ntp access-group peer 20
ntp access-group serve 10
ntp access-group serve-only 10
ntp access-group query-only 10
ntp update-calendar
ntp server 192.168.10.100
Cisco IOS-XE
Loopback0 = source interface for NTP (the server sees the Loopback0 address, so that is the address it must permit)
NTP Server = 192.168.10.100
1. Configure an ACL that denies every source; it is bound to the serve, serve-only and query-only access groups in step 3, so nobody can use this device as a time server or query it.
ip access-list standard Deny-NTP-Servers
 deny any
2. Configure an ACL that permits only the NTP server(s) to peer or synchronise with; it is bound to the peer access group.
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100
3. Configure NTP
conf t
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100
Verify:
show ntp associations
show ntp status
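To turn the IOS and IOS-XE recipes above into a repeatable check, here is a small Python audit script. It is an added example written for this page, not code from the original post or from Cisco: it reads a saved running-config, resolves the ACLs bound with ntp access-group (numbered and named standard ACLs), and reports if the peer ACL permits anything other than the addresses configured with ntp server, if serve, serve-only or query-only point at an ACL that still permits something, or if no ntp source is set. The two embedded configs are constructed samples (hostnames edge-1 and edge-2 are assumptions); the second one is deliberately weak so the report has findings.

```python
"""Offline audit of the IOS / IOS-XE NTP hardening described above.

Added example, not part of the original post. It reads a saved running-config,
resolves the ACLs bound with 'ntp access-group' and checks:
  * the peer ACL permits only the addresses configured with 'ntp server',
  * serve, serve-only and query-only point at an ACL with no permit entry,
  * an 'ntp source' interface is set.
"""
import re

# Constructed samples (hostnames are assumptions): edge-1 follows the IOS-XE
# recipe above; edge-2 is deliberately weak so the audit has something to report.
HARDENED = """\
hostname edge-1
ip access-list standard Deny-NTP-Servers
 deny   any
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100
"""

WEAK = """\
hostname edge-2
access-list 20 remark NTP peers
access-list 20 permit 192.168.10.100
access-list 20 permit 10.0.0.0 0.255.255.255
ntp access-group peer 20
ntp access-group serve-only 20
ntp server 192.168.10.100
"""

GROUPS = ("peer", "serve", "serve-only", "query-only")


def parse_acls(config):
    """Return {acl: [(action, source), ...]} for numbered and named standard ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^access-list (\S+) (permit|deny) (.+)$", line)
        if m:                                   # numbered ACL, one entry per line
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
            continue
        m = re.match(r"^ip access-list standard (\S+)$", line)
        if m:                                   # named standard ACL: entries follow, indented
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current and line.startswith(" "):
            m = re.match(r"^\s*(?:\d+\s+)?(permit|deny)\s+(.+)$", line)
            if m:                               # remark lines do not match and are skipped
                acls[current].append((m.group(1), m.group(2).strip()))
            continue
        current = None                          # any other top-level line ends the block
    return acls


def host_of(source):
    """Map a standard-ACL source ('host A', 'A', 'A 0.0.0.0') to one host, else None."""
    parts = source.split()
    if parts[0] == "host" and len(parts) == 2:
        return parts[1]
    if len(parts) == 1 and parts[0] != "any":
        return parts[0]
    if len(parts) == 2 and parts[1] == "0.0.0.0":
        return parts[0]
    return None                                 # 'any' or a wildcard range


def audit_ntp(config):
    """Return a list of findings; an empty list means the hardening is in place."""
    findings = []
    acls = parse_acls(config)
    servers = set(re.findall(r"^ntp server (\S+)", config, re.M))
    bound = dict(re.findall(r"^ntp access-group (peer|serve|serve-only|query-only) (\S+)",
                            config, re.M))
    if not re.search(r"^ntp source \S+", config, re.M):
        findings.append("no 'ntp source' interface configured")
    for group in GROUPS:
        acl = bound.get(group)
        if acl is None:
            findings.append(f"no ntp access-group for '{group}'")
            continue
        entries = acls.get(acl)
        if entries is None:
            findings.append(f"'{group}' references ACL {acl}, which is not defined")
            continue
        permitted = {host_of(src) for action, src in entries if action == "permit"}
        if group != "peer":
            if permitted:
                findings.append(f"'{group}' ACL {acl} must deny everything but has permit entries")
            continue
        if None in permitted:
            findings.append(f"peer ACL {acl} permits 'any' or a network range")
        extra = (permitted - {None}) - servers
        if extra:
            findings.append(f"peer ACL {acl} permits non-server hosts: {sorted(extra)}")
        missing = servers - permitted
        if missing:
            findings.append(f"peer ACL {acl} does not permit configured servers: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("edge-1", HARDENED), ("edge-2", WEAK)):
        result = audit_ntp(cfg)
        print(f"{name}: {'OK' if not result else 'FAIL'}")
        for finding in result:
            print("  -", finding)
```

Feed it the output of show running-config saved to a file (replace the embedded strings with the file contents). It only understands standard ACL syntax because that is all ntp access-group accepts; an access group that references an ACL missing from the config is reported as a finding rather than silently treated as permitted.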
Cisco IOS-XR
Loopback0 = source interface for NTP (the server sees the Loopback0 address, so that is the address it must permit)
NTP Server = 192.168.10.100
1st option:
1. Configure an ACL that denies every source; it is bound to the serve, serve-only and query-only access groups in step 3.
ipv4 access-list Deny-NTP-Servers
 10 remark ACL to block NTP requests and queries
 20 deny ipv4 any any
2. Configure an ACL that permits only the NTP server(s) to peer or synchronise with; it is bound to the peer access group.
ipv4 access-list Allow-NTP-Servers
 10 remark NTP servers to peer and synch with
 20 permit ipv4 host 192.168.10.100 any
 30 deny ipv4 any any
3. Configure NTP (IOS-XR changes only take effect after commit)
configure
ntp server 192.168.10.100
ntp access-group ipv4 peer Allow-NTP-Servers
ntp access-group ipv4 serve Deny-NTP-Servers
ntp access-group ipv4 serve-only Deny-NTP-Servers
ntp access-group ipv4 query-only Deny-NTP-Servers
ntp source Loopback0
ntp update-calendar
commit
In the running configuration it appears like this:
ntp
 server 192.168.10.100
 access-group ipv4 peer Allow-NTP-Servers
 access-group ipv4 serve Deny-NTP-Servers
 access-group ipv4 serve-only Deny-NTP-Servers
 access-group ipv4 query-only Deny-NTP-Servers
 source Loopback0
 update-calendar
!
Cisco NX-OS (Nexus)
mgmt0 = source interface for NTP
NTP Server = 192.168.10.100
1. Configure an ACL that permits SSH from the admin host (192.168.10.50) and NTP from the NTP server, and denies everything else. On NX-OS this recipe filters NTP with an interface ACL on the management port rather than with NTP access groups, so every other protocol that must reach mgmt0 (SNMP polling, ICMP, ...) needs its own permit entry, or the final deny will drop it and log it.
ip access-list ACL-VTY
 10 permit tcp 192.168.10.50/32 any eq 22
 100 permit udp 192.168.10.100/32 any eq ntp
 110 deny ip any any log
2. Apply the ACL inbound on the management interface and on the VTY lines
interface mgmt0
 ip access-group ACL-VTY in
 vrf member management
line vty
 access-class ACL-VTY in
3. Configure NTP. ntp distribute and ntp commit push the change through CFS; on a standalone switch that does not use CFS distribution the ntp server and ntp source-interface lines alone are enough.
ntp distribute
ntp server 192.168.10.100 use-vrf management
ntp source-interface mgmt0
ntp commit
VERIFICATION:
show ntp status
show ntp associations

A healthy device reports the clock as synchronized with the configured server as reference, and in the associations table that server is the system peer (*), is configured (~) and has reach 377, meaning all of the last eight polls were answered. Any other address in the table, or a reach below 377 that does not recover, is worth investigating.

CiscoDevice#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.10.100
nominal freq is 250.0000 Hz, actual freq is 249.9955 Hz, precision is 2**20
ntp uptime is 645584404 (1/100 of seconds), resolution is 4016
reference time is E28AC896.7F0B30EE (10:48:54.496 SST Wed Jun 10 2020)
clock offset is 3.1247 msec, root delay is 0.55 msec
root dispersion is 36.20 msec, peer dispersion is 0.12 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000017836 s/s
system poll interval is 1024, last update was 2218 sec ago.

CiscoDevice#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100  .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
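The same verification as a script, so it can run from a monitoring job against many devices. This is an added example, not code from the original post: it parses the two show outputs above, checks that the device is synchronised to the expected server, that every association is an expected server, that each one is fully reached and that one of them is the sys.peer. STATUS and ASSOC are the outputs shown above; ASSOC_ROGUE is a constructed failing sample (an unconfigured 10.9.9.9 peer and a server with only four of the last eight polls answered); the offset and stratum thresholds are assumptions to tune per site.

```python
"""Parse 'show ntp status' / 'show ntp associations' and decide pass or fail.

Added example, not from the original post. STATUS and ASSOC are the outputs
shown above; ASSOC_ROGUE is a constructed failing sample.
"""
import re

STATUS = """\
Clock is synchronized, stratum 2, reference is 192.168.10.100
nominal freq is 250.0000 Hz, actual freq is 249.9955 Hz, precision is 2**20
ntp uptime is 645584404 (1/100 of seconds), resolution is 4016
reference time is E28AC896.7F0B30EE (10:48:54.496 SST Wed Jun 10 2020)
clock offset is 3.1247 msec, root delay is 0.55 msec
root dispersion is 36.20 msec, peer dispersion is 0.12 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000017836 s/s
system poll interval is 1024, last update was 2218 sec ago.
"""

ASSOC = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100  .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# Constructed: a rogue unconfigured peer, and the real server with only 4 of the
# last 8 polls answered (reach 017) and no sys.peer selected.
ASSOC_ROGUE = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
 ~10.9.9.9        .INIT.          16      -     64     0  0.000   0.000 16000.
+~192.168.10.100  .GPS.            1     87   1024    17  0.538   3.124  0.123
"""

# flag, configured-tilde, address, refclock, st, when, poll, reach, delay, offset, disp
ASSOC_RE = re.compile(
    r"^\s*([*#+x-]?)(~?)(\d[\d.]+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+([0-7]+)"
    r"\s+(-?[\d.]+)\s+(-?[\d.]+)\s+([\d.]+)\s*$")


def parse_status(text):
    """Extract sync state, stratum, reference and offset from 'show ntp status'."""
    m = re.search(r"Clock is (synchronized|unsynchronized), stratum (\d+)"
                  r"(?:, reference is (\S+))?", text)
    if not m:
        raise ValueError("unrecognised 'show ntp status' output")
    off = re.search(r"clock offset is (-?[\d.]+) msec", text)
    return {"synchronized": m.group(1) == "synchronized",
            "stratum": int(m.group(2)),
            "reference": m.group(3),
            "offset_ms": float(off.group(1)) if off else None}


def parse_associations(text):
    """One dict per association row; the header and legend lines do not match."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        reach = int(m.group(8), 8)        # octal shift register of the last 8 polls
        peers.append({"address": m.group(3),
                      "refclock": m.group(4),
                      "stratum": int(m.group(5)),
                      "poll": int(m.group(7)),
                      "polls_answered": bin(reach).count("1"),
                      "sys_peer": m.group(1) == "*",
                      "configured": m.group(2) == "~",
                      "offset_ms": float(m.group(10))})
    return peers


def check_ntp(status_text, assoc_text, expected_servers, max_offset_ms=50.0, max_stratum=4):
    """Return findings (empty means healthy). Thresholds are assumptions; tune per site."""
    findings = []
    st = parse_status(status_text)
    if not st["synchronized"]:
        findings.append("clock is not synchronized")
    elif st["stratum"] > max_stratum:
        findings.append(f"stratum {st['stratum']} exceeds {max_stratum}")
    if st["reference"] and st["reference"] not in expected_servers:
        findings.append(f"synchronized to unexpected reference {st['reference']}")
    peers = parse_associations(assoc_text)
    for p in peers:
        if p["address"] not in expected_servers:
            findings.append(f"association with unexpected peer {p['address']}")
        if p["polls_answered"] < 8:
            findings.append(f"{p['address']}: only {p['polls_answered']}/8 recent polls answered")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['address']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    if not any(p["sys_peer"] for p in peers):
        findings.append("no association selected as sys.peer")
    return findings


if __name__ == "__main__":
    for label, assoc in (("post output", ASSOC), ("constructed rogue", ASSOC_ROGUE)):
        result = check_ntp(STATUS, assoc, {"192.168.10.100"})
        print(f"{label}: {'OK' if not result else 'FAIL'}", *result, sep="\n  ")
```

The reach column is an octal shift register, so 377 is eight successful polls and 017 only four; counting the set bits gives a number you can alert on instead of string-matching 377. An association with an address that is not one of the expected servers is the thing the access groups above are meant to make impossible, so it is reported even when the device is otherwise in sync.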
[…] Related link –> Configuring Network Time Protocol (NTP) the Secured way in Cisco Routers and Switches (IOS, IOS-XE, … […]
Many Thanks,
20 permit ipv4 host 192.168.10.100 any _______ this is the command; "any" needs to be added for the destination hosts.
Thanks, I have updated it. Appreciate you dropping by and pointing it out.