Enabling and Disabling NTP Per Interface

Problem

You want to control NTP services on a per-interface basis.

Solution

Depending on the level of access control required, you can use the ntp disable command to prevent the router from providing NTP services on a particular interface:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#interface Serial0/1
Router(config-if)#ntp disable
Router(config-if)#end
Router#

You can also prevent the router from providing NTP services on an individual interface with access control lists:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 107 deny udp any eq 123 any eq 123
Router(config)#access-list 107 permit ip any any 
Router(config)#interface Serial0/1
Router(config-if)#ip access-group 107 in
Router(config-if)#end
Router#

Both examples above effectively disable the router from providing NTP services through the interface Serial0/1, although the inbound access-list provides more flexibility.

Discussion

By default, when you enable NTP services on a Cisco router, it automatically becomes an NTP server and provides time services on all interfaces. However, you may want to disable NTP services on one or more of the router's interfaces. For instance, you may want to prevent your router from providing NTP services to devices outside of your organization. You could accomplish this by disabling NTP on router interfaces that connect to these external networks. Further, some organizations insist that end devices should get their NTP services from a dedicated NTP server. In this case, you might want to prohibit routers from providing time services, although they would still take part in NTP for synchronizing their own clocks.

The ntp disable command in the example above prevents any NTP associations from using the Serial0/1 interface. This affects both inbound and outbound associations. However, it will not prevent the router from routing NTP traffic through this interface on its way to another NTP device. In contrast, the access-list example above prevents the router from passing any NTP packets received by this interface, regardless of the destination. And it will also prevent the router itself from using this interface for forming any NTP associations through this interface.

See Also

Recipe 14.14





Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
Simiral book on Amazon

Flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net