[c-nsp] Problem encountered while securing NTP

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 8 12:03:04 EDT 2009

Jeff Kell wrote:
> While we're on the subject, I came in this morning to find our core 6500
> out of NTP sync.  Checking the associations, a local host was in the
> list as a "dynamic" association, with an invalid time.

Yeah, we've seen that. You need an ACL. This is dumb. To anyone from 
cisco reading - this is dumb, fix it.

> I was under the (apparently incorrect) assumption that IOS would not
> accept unsolicited/unconfigured NTP control requests from anyone... as I
> haven't revisited my NTP configuration in years.
> The IOS in question (12.2(33)SXI2) does not have a "ntp broadcast
> client" option I can simply turn off, as the generic NTP configuration
> suggests.
> The access-group documentation is a bit confusing...
> I'd like to have control requests restricted to my configured 'ntp
> server' list, but allow queries from anyone, and certainly not accept
> NTP updates from unsolicited sources.
> Does anyone have a nice, canned NTP config to accomplish this goal they
> would care to share? 

Ours does not do what you need; it restricts NTP querying to the NTP 
servers & our management network (nagios checks the routers are in-sync 
with an NTP query packet).

Given the caveat mentioned earlier in the thread (CSCsw79186) it's not 
clear to me that you *can* do what you want.

Any reason you can't just run an NTP server?
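For readers arriving from the archive, here is an added illustration of the ACL approach referred to above; it is not Phil's or Jeff's actual configuration, and the server addresses (192.0.2.x) and management subnet (198.51.100.0/24) are placeholders.

```cisco
! Configured upstream time sources (placeholder addresses)
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! ACL 10: only the configured servers
access-list 10 permit 192.0.2.10
access-list 10 permit 192.0.2.11
!
! ACL 20: the management network that monitors sync state
access-list 20 permit 198.51.100.0 0.0.0.255
!
! Weak state (what the thread describes): no "ntp access-group" at all,
! so nothing limits which sources the router will form an association with.
!
! Hardened state: classify sources by what they may do. IOS checks the
! access-group types in the order peer, serve, serve-only, query-only and
! applies the first one whose ACL matches; a source matching none is denied.
!
!  peer       - router may synchronise to these hosts and they may query it
!  query-only - these hosts may send NTP control queries (e.g. a monitoring
!               check of sync status) but cannot become a time source
ntp access-group peer 10
ntp access-group query-only 20
!
! If the monitoring host sends ordinary client time requests rather than
! control queries, use "ntp access-group serve-only 20" instead; serve-only
! still never lets the router synchronise to that host.
```

After applying it, `show ntp associations` should list only the configured servers, with no dynamic entries for other local hosts.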
