[Jora_Cornev]

Решил подружить cisco c внешними NTP серверами.

Но столкнулся с проблемой если накатить ACL, синхронизация пропадает.

 

ПО сабжу, ACL:

 

ip access-list extended NTP

permit udp host 37.153.53.133 any

deny ip any any

 

 

И вот если добавляю это правило к

ntp access-groupe serve-only NTP

Связь пропадает...

Edited January 7, 2017 by Jora_Cornev

[snvoronkov]

Там стандартный акл нужен. Не расширенный. А вообще - гугл в помощь, если ещё и отдавать надо.

 

Вот, сходу:

 

http://xgu.ru/wiki/Cisco_NTP#ACL_.D0.B4.D0.BB.D1.8F_.D0.BF.D1.80.D0.B5.D0.B4.D0.BE.D1.82.D0.B2.D1.80.D0.B0.D1.89.D0.B5.D0.BD.D0.B8.D1.8F_.D0.BF.D0.BE.D0.BB.D1.83.D1.87.D0.B5.D0.BD.D0.B8.D1.8F_.D0.B8.D0.BD.D1.84.D0.BE.D1.80.D0.BC.D0.B0.D1.86.D0.B8.D0.B8_.D0.BE.D0.B1_.D1.83.D1.81.D1.82.D1.80.D0.BE.D0.B9.D1.81.D1.82.D0.B2.D0.B5_.D0.B8_IOS

[Jora_Cornev]

Чё то, я этот момент про стандартный ACl упустил.

СПС, сейчас попробую!

[Jora_Cornev]

Исправил ACL правило на

ip access-list 50 permit 37.153.53.133

ip access-list 50 deny any

 

 

ntp access-groupe serve-only 50

 

Применяю это правило и вроде бы всё ок, до первой перезагрузки.

Стоит перезагрузить и синхронизация пропадает:

#sh ntp ass

 address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           4      5     16   377  0.000   0.000  0.253
~37.153.53.133   .INIT.          16      -     64     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

[Jora_Cornev]

Да же как оказалось, синхронизация пропадает минут через 10, после навешанного ACL.

[zhenya`]

1) Peer – permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices.

2) Serve – permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.

3) Serve-only – permits router to respond to NTP requests only. Rejects attempt to synchronize local system time, and does not access control queries.

4) Query-only – only accepts NTP control queries. No response to NTP requests are sent, and no local system time synchronization with remote system is permitted.

 

serve в сторону нижестоящих девайсов работает.

Добавь свой ацл на peer.

IOS router may associate an access-list with any of the above access-types, classifying NTP message sources by their types. Two rules are observed by IOS when an incoming NTP packet is matched against configured types of access:

 

1) All access-groups associated with access types are scanned in the ordrer presented above (from 1 to 4) – that is, following from most permissive to most restrictive. The first match is used to determine the message source access type.

2) If any of the access types has been defined with an ACL, all other access types are implicitly denied. Just by restricting some sources, you may effectively block all others as well

 

Now here is a catch. If your router is configured as NTP master, and you set up any access-control group, you must allow “peer” access type to a source with IP address “127.127.7.1”. This is because “127.127.7.1” is the internal server created by ntp master command, which the local router synchronizes to. If you forget to enable it peer access, your server will always be out of sync.

[Jora_Cornev]

zhenya` благодарю за наводку.