Cisco IOS
e.g.
Vlan10 = interface management vlan
NTP Server = 192.168.10.100
conf t
1. Configure an ACL that denies NTP requests and queries from everyone
(ntp access-group takes a standard ACL, numbered 1-99 or 1300-1999, or a named standard ACL; 100-199 are extended ACLs, which ntp access-group does not accept, so 10 and 20 are used here)
access-list 10 remark block NTP requests and queries
access-list 10 deny any
2. Configure an ACL that allows only the NTP server to peer or synch with
access-list 20 remark NTP server allowed to peer
access-list 20 permit 192.168.10.100
access-list 20 deny any
3. Configure NTP
ntp source Vlan10
ntp access-group peer 20
ntp access-group serve 10
ntp access-group serve-only 10
ntp access-group query-only 10
ntp update-calendar
ntp server 192.168.10.100
Cisco IOS-XE
Loopback0 = source interface for NTP
NTP Server = 192.168.10.100
1. Configure an ACL that denies NTP requests and queries from everyone
ip access-list standard Deny-NTP-Servers
deny any
2. Configure an ACL that allows only the NTP server to peer or synch with
ip access-list standard Allow-NTP-Servers
permit 192.168.10.100
3. Configure NTP
conf t
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100
Verify:
show ntp associations
show ntp status
Cisco IOS-XR
Loopback0 = source interface for NTP
NTP Server = 192.168.10.100
1st option:
1. Configure an ACL that denies NTP requests and queries from everyone
ipv4 access-list Deny-NTP-Servers
10 remark block NTP requests and queries from other hosts
20 deny ipv4 any any
2. Configure an ACL that allows only the NTP server to peer or synch with
ipv4 access-list Allow-NTP-Servers
10 remark NTP servers to peer and synch
20 permit ipv4 host 192.168.10.100
30 deny ipv4 any any
3. Configure NTP
configure
ntp server 192.168.10.100
ntp access-group ipv4 peer Allow-NTP-Servers
ntp access-group ipv4 serve Deny-NTP-Servers
ntp access-group ipv4 serve-only Deny-NTP-Servers
ntp access-group ipv4 query-only Deny-NTP-Servers
ntp source Loopback0
ntp update-calendar
The resulting running configuration looks like this:
ntp
server 192.168.10.100
access-group ipv4 peer Allow-NTP-Servers
access-group ipv4 serve Deny-NTP-Servers
access-group ipv4 serve-only Deny-NTP-Servers
access-group ipv4 query-only Deny-NTP-Servers
source Loopback0
update-calendar
Cisco NX-OS (Nexus)
mgmt0 = source interface for NTP
NTP Server = 192.168.10.100
1. Configure an ACL that permits SSH only from the management host and NTP only from the NTP server, and denies everything else
ip access-list ACL-VTY
10 permit tcp 192.168.10.50/32 any eq 22
100 permit udp 192.168.10.100/32 any eq ntp
110 deny ip any any log
2. Apply the ACL to the management interface and to the VTY lines
interface mgmt0
ip access-group ACL-VTY in
vrf member management
line vty
access-class ACL-VTY in
3. Configure NTP
ntp distribute
ntp server 192.168.10.100 use-vrf management
ntp source-interface mgmt0
ntp commit
VERIFICATION:
CiscoDevice#show ntp status
Clock is synchronized, stratum 2, reference is 192.168.10.100
nominal freq is 250.0000 Hz, actual freq is 249.9955 Hz, precision is 2**20
ntp uptime is 645584404 (1/100 of seconds), resolution is 4016
reference time is E28AC896.7F0B30EE (10:48:54.496 SST Wed Jun 10 2020)
clock offset is 3.1247 msec, root delay is 0.55 msec
root dispersion is 36.20 msec, peer dispersion is 0.12 msec
loopfilter state is 'CTRL' (Normal Controlled Loop), drift is 0.000017836 s/s
system poll interval is 1024, last update was 2218 sec ago.
CiscoDevice#show ntp associations
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100  .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
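As an added example (not part of the original notes), the following Python script audits the text of an IOS or IOS-XE running-config for the pattern used above: every configured ntp server must be permitted by the peer ACL, the serve, serve-only and query-only groups must point at deny-only ACLs, and an ntp source interface must be pinned. It also reads which address show ntp associations marks as the system peer. All config and output strings in it are constructed samples; the IOS-XR and NX-OS syntax shown above is not parsed by it.

```python
"""Audit an IOS / IOS-XE running-config for the NTP access-group hardening shown
above, and read which server 'show ntp associations' reports as the system peer.
Added example; every sample config and output string below is constructed."""
import re

# Constructed sample: IOS numbered standard ACLs (1-99 range), as in the notes above.
IOS_CONFIG = """
access-list 10 deny any
access-list 20 permit 192.168.10.100
access-list 20 deny any
ntp source Vlan10
ntp access-group peer 20
ntp access-group serve 10
ntp access-group serve-only 10
ntp access-group query-only 10
ntp server 192.168.10.100
"""
# Constructed sample: IOS-XE named standard ACLs, as in the notes above.
IOSXE_CONFIG = """
ip access-list standard Deny-NTP-Servers
 deny any
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100
ntp source Loopback0
ntp access-group peer Allow-NTP-Servers
ntp access-group serve Deny-NTP-Servers
ntp access-group serve-only Deny-NTP-Servers
ntp access-group query-only Deny-NTP-Servers
ntp server 192.168.10.100
"""
# Constructed weak variant: only 'peer' set, no pinned source, an unlisted second server.
WEAK_CONFIG = """
ip access-list standard Allow-NTP-Servers
 permit 192.168.10.100
ntp access-group peer Allow-NTP-Servers
ntp server 192.168.10.100
ntp server 10.9.9.9
"""
# Constructed 'show ntp associations' output in the format shown above.
ASSOC_OUTPUT = """\
  address         ref clock       st   when   poll reach  delay  offset   disp
*~192.168.10.100  .GPS.            1     87   1024   377  0.538   3.124  0.123
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""
GROUP_KINDS = ("peer", "serve", "serve-only", "query-only")

# Standard-ACL source normaliser: 'host 1.2.3.4' -> '1.2.3.4', otherwise the first token.
def _source(t): return t.split()[1] if t.startswith("host ") else t.split()[0]

def parse_standard_acls(config):
    """Map ACL number/name -> [(action, source)] for numbered 'access-list N' lines
    and named 'ip access-list standard' blocks; remark lines are skipped."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^ip access-list standard (\S+)\s*$", line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = re.match(r"^access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), _source(m.group(3))))
            continue
        m = re.match(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.+)$", line)
        if m and current is not None:
            acls[current].append((m.group(1), _source(m.group(2))))
            continue
        if line and not line[0].isspace():
            current = None  # any other top-level line ends the named ACL block
    return acls

def audit_ntp(config):
    """Return a list of findings; empty means the config matches the pattern above."""
    acls = parse_standard_acls(config)
    groups = dict(re.findall(
        r"^ntp access-group (peer|serve-only|serve|query-only) (\S+)", config, re.M))
    servers = re.findall(r"^ntp server (?:vrf \S+ )?(\S+)", config, re.M)
    findings = []
    for kind in GROUP_KINDS:
        if kind not in groups:
            findings.append(f"no 'ntp access-group {kind}' configured")
        elif groups[kind] not in acls:
            findings.append(f"{kind} references undefined ACL {groups[kind]}")
    if groups.get("peer") in acls:  # every configured server must be in the peer ACL
        permitted = {src for act, src in acls[groups["peer"]] if act == "permit"}
        if "any" in permitted:
            findings.append("peer ACL permits any source")
        findings += [f"ntp server {s} is not permitted by the peer ACL"
                     for s in servers if s not in permitted]
    for kind in ("serve", "serve-only", "query-only"):  # these groups should deny all
        name = groups.get(kind)
        if name in acls and any(act == "permit" for act, _ in acls[name]):
            findings.append(f"{kind} ACL {name} permits a source; expected deny-only")
    if not re.search(r"^ntp source \S+", config, re.M):
        findings.append("no 'ntp source' interface pinned")
    return findings

def sys_peer(assoc_output):
    """Address flagged '*' (sys.peer) in 'show ntp associations', or None if none selected."""
    hits = [m.group(1) for m in map(re.compile(r"^\*~?(\S+)").match, assoc_output.splitlines()) if m]
    return hits[0] if hits else None
```

Feed audit_ntp the saved text of show running-config; an empty list means the device matches the pattern in these notes, and each finding names the missing or overly permissive piece. Because NTP access-group checks stop at the first matching group, a server that is permitted in the peer ACL is never affected by the deny-only serve and query-only ACLs, which is why the audit only requires those three groups to contain no permit entries.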