You want to control NTP services on a per-interface basis.
Depending on the level of access control required, you can use the ntp disable command to prevent the router from providing NTP services on a particular interface:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#interface Serial0/1 Router(config-if)#ntp disable Router(config-if)#end Router#
You can also prevent the router from providing NTP services on an individual interface with access control lists:
Router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 107 deny udp any eq 123 any eq 123 Router(config)#access-list 107 permit ip any any Router(config)#interface Serial0/1 Router(config-if)#ip access-group 107 in Router(config-if)#end Router#
Both examples above effectively disable the router from providing NTP services through the interface Serial0/1, although the inbound access-list provides more flexibility.
By default, when you enable NTP services on a Cisco router, it automatically becomes an NTP server and provides time services on all interfaces. However, you may want to disable NTP services on one or more of the router's interfaces. For instance, you may want to prevent your router from providing NTP services to devices outside of your organization. You could accomplish this by disabling NTP on router interfaces that connect to these external networks. Further, some organizations insist that end devices should get their NTP services from a dedicated NTP server. In this case, you might want to prohibit routers from providing time services, although they would still take part in NTP for synchronizing their own clocks.
The ntp disable command in the example above prevents any NTP associations from using the Serial0/1 interface. This affects both inbound and outbound associations. However, it will not prevent the router from routing NTP traffic through this interface on its way to another NTP device. In contrast, the access-list example above prevents the router from passing any NTP packets received by this interface, regardless of the destination. And it will also prevent the router itself from using this interface for forming any NTP associations through this interface.