[c-nsp] Odd ntp problem...
Phil Mayers
p.mayers at imperial.ac.uk
Sat Aug 31 03:35:48 EDT 2013
On 08/30/2013 07:41 PM, Jeff Kell wrote:

> Have a 6500 core running 12.2(33)SXI that is set up to sync to an
> external NTP source, and in turn provide NTP for our networked devices.

Just my personal opinion here; but don't do that. Use an NTP server,
rather than a router. Then you can avoid all kinds of devices hitting
the control plane of your routers for time sync.

> I'm at a loss to explain why the 6500 would accept an unsolicited peer
> (assuming the Windows host was mistakenly trying to set up a peer rather
> than client/server relationship), let alone let it override the
> established external trust.

Ah, this old chestnut!

You need:

  ntp access-group peer <x>

See also:

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

In essence - yes, IOS will establish peer relationships with random
hosts unless you ACL it off. Yes that is crazy.
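
A check for the gap described in this message, as an added example that is not part of the original post or of any Cisco tooling: a small Python audit of a saved IOS configuration that flags NTP configured without `ntp access-group peer`, or a peer ACL that admits more than the configured sources. The sample configurations, addresses and ACL numbers are constructed, and the script assumes numbered standard ACLs and IPv4 sources.

```python
import re

# Constructed sample configs: documentation-range addresses, arbitrary ACL numbers.
OPEN_CONFIG = "ntp server 192.0.2.10\n"

HARDENED_CONFIG = """\
access-list 10 remark upstream source the router may synchronise to
access-list 10 permit 192.0.2.10
access-list 20 remark internal clients: time requests only
access-list 20 permit 10.0.0.0 0.255.255.255
ntp server 192.0.2.10
ntp access-group peer 10
ntp access-group serve-only 20
"""

def _grab(lines, pattern):
    """Return group(1) of every line that matches pattern from its start."""
    return [m.group(1) for m in (re.match(pattern, l) for l in lines) if m]

def audit_ntp(config):
    """Return findings about who may become an NTP peer of this router."""
    lines = [l.strip() for l in config.splitlines()]
    sources = set(_grab(lines, r"ntp (?:server|peer) (\d+\.\d+\.\d+\.\d+)"))
    if not sources:
        return []                       # NTP not configured, nothing to check
    peer_acls = _grab(lines, r"ntp access-group peer (\d+)$")
    if not peer_acls:
        return ["no 'ntp access-group peer': peering is not restricted by ACL"]
    findings, allowed = [], set()
    for acl in peer_acls:
        entries = _grab(lines, rf"access-list {acl} permit\s+(.+)$")
        if not entries:
            findings.append(f"peer ACL {acl} has no permit entries")
        for entry in entries:
            # Drop keywords so a single-host entry reduces to one address.
            fields = [f for f in entry.split() if f not in ("host", "log")]
            if fields[0] == "any" or len(fields) > 1:
                findings.append(f"peer ACL {acl} permits more than one host: {entry}")
            else:
                allowed.add(fields[0])
    for src in sorted(sources - allowed):
        findings.append(f"configured source {src} is not in a peer ACL")
    return findings

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ntp(cfg) or "ok")
```
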