[c-nsp] Odd ntp problem...

Phil Mayers p.mayers at imperial.ac.uk
Sat Aug 31 03:35:48 EDT 2013


On 08/30/2013 07:41 PM, Jeff Kell wrote:

> Have a 6500 core running 12.2(33)SXI that is set up to sync to an
> external NTP source, and in turn provide NTP for our networked devices.

Just my personal opinion here, but don't do that. Use an NTP server,
rather than a router. Then you can avoid all kinds of devices hitting 
the control plane of your routers for time sync.

> I'm at a loss to explain why the 6500 would accept an unsolicited peer
> (assuming the Windows host was mistakenly trying to set up a peer rather
> than client/server relationship), let alone let it override the
> established external trust.

Ah, this old chestnut!

You need:

ntp access-group peer <x>

See also:

http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

In essence - yes, IOS will establish peer relationships with random 
hosts unless you ACL it off. Yes that is crazy.
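
Added example, not part of the original post: a small Python audit for the missing `ntp access-group peer` line discussed above, run over constructed IOS-style configs. The function names, sample addresses and ACL numbers are assumptions, and only numbered standard ACLs with IPv4 addresses are handled.

```python
import ipaddress
import re

# Constructed sample configs using documentation addresses (not from the post).
WEAK = "ntp server 192.0.2.10\n"
HARDENED = """\
access-list 10 permit host 192.0.2.10
access-list 10 deny any
access-list 20 permit 198.51.100.0 0.0.0.255
ntp access-group peer 10
ntp access-group serve-only 20
ntp server 192.0.2.10
"""

def _matches(spec, addr):
    """Match an IPv4 address against an ACL source: any | host A | A [wildcard]."""
    parts = spec.split()
    if parts[0] == "any":
        return True
    if parts[0] == "host":
        parts = parts[1:]
    base = int(ipaddress.IPv4Address(parts[0]))
    has_wild = len(parts) > 1 and parts[1][0].isdigit()  # skips keywords like "log"
    wild = int(ipaddress.IPv4Address(parts[1])) if has_wild else 0
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def acl_permits(entries, addr):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, spec in entries:
        if _matches(spec, addr):
            return action == "permit"
    return False

def audit_ntp(config):
    """Return findings about the NTP peer ACL (hypothetical helper, not a Cisco tool)."""
    upstreams = re.findall(r"^ntp (?:server|peer) (\d+\.\d+\.\d+\.\d+)", config, re.M)
    peer = re.search(r"^ntp access-group peer (\S+)", config, re.M)
    if not peer:
        return ["no 'ntp access-group peer': peer associations are not restricted"] if upstreams else []
    acl = peer.group(1)
    entries = re.findall(rf"^access-list {re.escape(acl)} (permit|deny) (.+)$", config, re.M)
    if not entries:
        return [f"no numbered standard ACL entries found for peer ACL {acl}"]
    findings = [f"upstream {u} is not permitted by peer ACL {acl}"
                for u in upstreams if not acl_permits(entries, u)]
    if any(a == "permit" and s.split()[0] == "any" for a, s in entries):
        findings.append(f"peer ACL {acl} permits any source")
    return findings
```

The "upstream is not permitted" finding covers the opposite mistake: a peer ACL that leaves out the configured upstream server.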

