access-group (NTP)
To control access to Network Time Protocol (NTP) services for an IPv4 or IPv6 access list, use the access-group command in one of the NTP configuration modes. To remove the access-group command from the configuration file and restore the system to its default condition with respect to this command, use the no form of this command.
access-group [vrf vrf-name] [ipv4 | ipv6] {peer | query-only | serve | serve-only} access-list-name
no access-group [vrf vrf-name] [ipv4 | ipv6] {peer | query-only | serve | serve-only}
Syntax Description
Keyword or Argument | Description
---|---
vrf vrf-name | (Optional) Applies the access control configuration to a specified nondefault VRF. If not specified, the configuration is applied to the default VRF.
ipv4 | (Optional) Specifies an IPv4 access list (default).
ipv6 | (Optional) Specifies an IPv6 access list.
peer | Allows time requests and NTP control queries and allows a networking device to synchronize to the remote system.
query-only | Allows only NTP control queries. Cisco IOS XR software uses NTP Version 4, but the RFC for Version 3 (RFC 1305: Network Time Protocol (Version 3)—Specification, Implementation and Analysis) still applies.
serve | Allows time requests and NTP control queries, but does not allow the networking device to synchronize to the remote system.
serve-only | Allows only time requests.
access-list-name | Name of an IPv4 or IPv6 access list.
Command Default
No NTP access control is configured.
Command Modes
NTP configuration
VRF-specific NTP configuration
Command History
Release | Modification
---|---
Release 3.7.2 | This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The access group options are scanned in the following order, from least restrictive to most restrictive:
- peer—Allows time requests and NTP control queries and allows the router to synchronize itself to a system whose address passes the access list criteria.
- serve—Allows time requests and NTP control queries, but does not allow the router to synchronize itself to a system whose address passes the access list criteria.
- serve-only—Allows only time requests from a system whose address passes the access list criteria.
- query-only—Allows only NTP control queries from a system whose address passes the access list criteria.
Access is granted for the first match that is found, so a source address that passes more than one of the configured lists receives the least restrictive class it matches. If no access groups are specified, all access is granted to all sources: every source is treated as a peer. If any access groups are specified, only the specified access is granted, and a source that matches none of the configured lists receives no NTP service. Because this facility filters only on the source address of the packet, it provides minimal security for the time services of the system; NTP runs over UDP, so a sender that forges a permitted source address can circumvent it. If tighter security is desired, use the NTP authentication facility in addition to access groups.
If you use the access-group command in a VRF-specific NTP configuration mode, the command is applied to the specific VRF. If you are not in a VRF-specific NTP configuration mode, the command is applied to the default VRF unless you use the vrf vrf-name keyword and argument to specify a VRF.
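The following configuration is an added worked example, not part of the original command reference, that puts the scan order and the VRF behavior together. The access list names (NTP-PEERS, NTP-CLIENTS, NTP-MGMT), the VRF name MGMT, and all addresses are constructed for illustration and use documentation and private ranges.

```cisco
! Added example (not from the original page). Names, addresses and the
! VRF name MGMT are constructed for illustration.
!
! Weak baseline: with no access-group lines under "ntp", every source is
! treated as a peer, so any host can send time requests and control
! queries, and any system can be used as a synchronization source.
!
! Hardened configuration: one IPv4 access list per access class, each
! ending in an explicit deny so the intent is visible in the config.
ipv4 access-list NTP-PEERS
 10 permit ipv4 host 192.0.2.10 any
 20 permit ipv4 host 192.0.2.11 any
 30 deny ipv4 any any
!
ipv4 access-list NTP-CLIENTS
 10 permit ipv4 10.0.0.0/8 any
 20 deny ipv4 any any
!
ipv4 access-list NTP-MGMT
 10 permit ipv4 192.0.2.0/24 any
 20 deny ipv4 any any
!
ntp
 server 192.0.2.10
 server 192.0.2.11
 ! Default VRF: scanned peer -> serve -> serve-only -> query-only,
 ! first match wins.
 access-group peer NTP-PEERS
 access-group serve-only NTP-CLIENTS
 access-group query-only NTP-MGMT
 ! Nondefault VRF: the same client list, applied only to VRF MGMT.
 access-group vrf MGMT ipv4 serve-only NTP-CLIENTS
!
```

With this configuration in the default VRF, 192.0.2.10 passes NTP-PEERS, which is scanned first, so it is granted peer access and the router may synchronize to it; its later match in NTP-MGMT is never evaluated. 192.0.2.50 fails NTP-PEERS and NTP-CLIENTS but passes NTP-MGMT, so it may send control queries only. 10.1.1.1 passes only NTP-CLIENTS and may send time requests only. 203.0.113.5 matches no list and receives no NTP service. In VRF MGMT only the serve-only list applies, so nothing reaching the router through that VRF can be used as a synchronization source or send control queries. Note that the peer decision rests on the source address alone: a UDP packet forged to come from 192.0.2.10 passes NTP-PEERS, which is why the peer relationships in NTP-PEERS should also be protected with NTP authentication.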
Task ID
Task ID | Operations
---|---
ip-services | read, write
Examples
The following example shows how to configure the router to allow itself to be synchronized by a peer from an IPv4 access list named access1 and to restrict access to allow only time requests from an IPv4 access list named access2:
RP/0/RSP0/CPU0:router(config-ntp)# access-group peer access1
RP/0/RSP0/CPU0:router(config-ntp)# access-group serve-only access2
The following example shows how to configure the router to allow itself to be synchronized by peers from the IPv6 access list named access20 that route through the vrf10 VRF:
RP/0/RSP0/CPU0:router(config-ntp)# access-group vrf vrf10 ipv6 peer access20