[c-nsp] Problem encountered while securing NTP
Phil Mayers
p.mayers at imperial.ac.uk
Thu Oct 8 12:03:04 EDT 2009
Jeff Kell wrote:
> While we're on the subject, I came in this morning to find our core 6500
> out of NTP sync. Checking the associations, a local host was in the
> list as a "dynamic" association, with an invalid time.
Yeah, we've seen that. You need an ACL. This is dumb. To anyone from
cisco reading - this is dumb, fix it.
>
> I was under the (apparently incorrect) assumption that IOS would not
> accept unsolicited/unconfigured NTP control requests from anyone... as I
> haven't revisited my NTP configuration in years.
>
> The IOS in question (12.2(33)SXI2) does not have a "ntp broadcast
> client" option I can simply turn off, as the generic NTP configuration
> suggests.
>
> The access-group documentation is a bit confusing...
>
> I'd like to have control requests restricted to my configured 'ntp
> server' list, but allow queries from anyone, and certainly not accept
> NTP updates from unsolicited sources.
>
> Does anyone have a nice, canned NTP config to accomplish this goal they
> would care to share?
Ours does not do what you need; it restricts NTP querying to the NTP
servers & our management network (nagios checks the routers are in-sync
with an NTP query packet).
Given the caveat mentioned earlier in the thread (CSCsw79186) it's not
clear to me that you *can* do what you want.
Any reason you can't just run an NTP server?
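As an added illustration (not the configuration of either poster), this is the shape of an IOS `ntp access-group` setup of the kind Phil describes: the router will only synchronise to its configured servers, and only the management network may query it. The addresses and ACL numbers are placeholders, and whether this stops the unsolicited "dynamic" association Jeff saw is subject to the caveat referenced above.

```cisco
! Constructed example, not from the thread. Addresses are placeholders.
!
! ACL 10: the NTP servers this router is allowed to synchronise to.
access-list 10 remark NTP servers we sync to
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
!
! ACL 20: the management network that is allowed to ask us for time
! (e.g. a monitoring host checking that the router is in sync).
access-list 20 remark management network allowed to query
access-list 20 permit 198.51.100.0 0.0.0.255
!
! peer  : matching hosts may supply time to us AND query us
! serve : matching hosts may request time and control queries, but we
!         will never synchronise to them
! (serve-only would allow time requests only; query-only allows NTP
!  control queries only)
ntp access-group peer 10
ntp access-group serve 20
!
ntp server 192.0.2.10
ntp server 192.0.2.11
```

Verify with `show ntp associations`: only the hosts in ACL 10 should ever appear as sources the router is synchronising to.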