[c-nsp] Problem encountered while securing NTP

Jeff Kell jeff-kell at utc.edu
Thu Oct 8 10:33:09 EDT 2009


While we're on the subject, I came in this morning to find our core 6500
out of NTP sync.  Checking the associations, a local host was in the
list as a "dynamic" association, with an invalid time.

I was under the (apparently incorrect) assumption that IOS would not
accept unsolicited/unconfigured NTP control requests from anyone... as I
haven't revisited my NTP configuration in years.

The IOS in question (12.2(33)SXI2) does not have a "ntp broadcast
client" option I can simply turn off, as the generic NTP configuration
suggests.

The access-group documentation is a bit confusing...

I'd like to have control requests restricted to my configured 'ntp
server' list, but allow queries from anyone, and certainly not accept
NTP updates from unsolicited sources.

Does anyone have a nice, canned NTP config to accomplish this goal they
would care to share? 

Thanks,

Jeff

