Jump to content

Решил подружить cisco c внешними NTP серверами.

Но столкнулся с проблемой если накатить ACL, синхронизация пропадает.


ПО сабжу, ACL:


ip access-list extended NTP

permit udp host any

deny ip any any



И вот если добавляю это правило к

ntp access-groupe serve-only NTP

Связь пропадает...

Edited by Jora_Cornev

Share this post

Link to post
Share on other sites

Исправил ACL правило на

ip access-list 50 permit

ip access-list 50 deny any



ntp access-groupe serve-only 50


Применяю это правило и вроде бы всё ок, до первой перезагрузки.

Стоит перезагрузить и синхронизация пропадает:

#sh ntp ass

 address         ref clock       st   when   poll reach  delay  offset   disp
*~     .LOCL.           4      5     16   377  0.000   0.000  0.253
~   .INIT.          16      -     64     0  0.000   0.000 15937.
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Share this post

Link to post
Share on other sites

1) Peer – permits router to respond to NTP requests and accept NTP updates. NTP control queries are also accepted. This is the only class which allows a router to be synchronized by other devices.

2) Serve – permits router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.

3) Serve-only – permits router to respond to NTP requests only. Rejects attempt to synchronize local system time, and does not access control queries.

4) Query-only – only accepts NTP control queries. No response to NTP requests are sent, and no local system time synchronization with remote system is permitted.


serve в сторону нижестоящих девайсов работает.

Добавь свой ацл на peer.

IOS router may associate an access-list with any of the above access-types, classifying NTP message sources by their types. Two rules are observed by IOS when an incoming NTP packet is matched against configured types of access:


1) All access-groups associated with access types are scanned in the ordrer presented above (from 1 to 4) – that is, following from most permissive to most restrictive. The first match is used to determine the message source access type.

2) If any of the access types has been defined with an ACL, all other access types are implicitly denied. Just by restricting some sources, you may effectively block all others as well


Now here is a catch. If your router is configured as NTP master, and you set up any access-control group, you must allow “peer” access type to a source with IP address “”. This is because “” is the internal server created by ntp master command, which the local router synchronizes to. If you forget to enable it peer access, your server will always be out of sync.

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.