NTP Access Control

The goal of NTP security is to prevent unauthorized time sources from affecting time synchronization within a set of network devices. Cisco IOS offers two methods of securing the NTP infrastructure:
1) NTP Access Control. Limits the types of NTP access and the NTP sources that may associate with our router.
2) NTP Authentication. Validates the identity of NTP sources.
Let’s see how access control works. It is convenient to classify NTP messages into two types:
1) Control messages. Documented in RFC 1305 Appendix B, these serve a purpose usually fulfilled by SNMP. Without digging into the details, the control messages are for reading and writing internal NTP variables and obtaining NTP status information; they take no part in time synchronization itself.
2) NTP request/update messages. These are used for actual time synchronization. A request packet asks for synchronization information; an update packet (a server’s reply, or a packet from a peer) carries synchronization information and may change the local clock.
An IOS router defines the following four types of access for NTP:
1) Peer – permits the router to respond to NTP requests and to accept NTP updates. NTP control queries are also accepted. This is the only class that allows the router to be synchronized by other devices.
2) Serve – permits the router to reply to NTP requests, but rejects NTP updates (e.g. replies from a server or update packets from a peer). Control queries are also permitted.
3) Serve-only – permits the router to respond to NTP requests only. Attempts to synchronize the local system time are rejected, and control queries are not accepted.
4) Query-only – only accepts NTP control queries. No responses to NTP requests are sent, and no synchronization of the local system time with a remote system is permitted.
An IOS router may associate an access-list with any of the above access types, classifying NTP message sources by their type. IOS observes two rules when an incoming NTP packet is matched against the configured access types:
1) All access-groups associated with access types are scanned in the order presented above (from 1 to 4), that is, from most permissive to most restrictive. The first ACL that permits the source determines the access type granted to that message source.
2) If any of the access types has been defined with an ACL, every source not permitted by one of the configured ACLs is implicitly denied. Just by restricting some sources, you effectively block all others as well.
Now here is a catch. If your router is configured as NTP master and you set up any access-group, you must grant “peer” access to the source IP address 127.127.7.1. This address is the internal reference clock created by the ntp master command, which the local router synchronizes to (it is what show ntp associations lists as our_master on the IOS release used here; verify the address on your own release rather than assuming it). If you forget to grant it peer access, rule 2 above silently drops its updates and your server will always be out of sync. Here are some examples. First one: configure R1 as NTP master and allow the server to be polled for NTP updates by just one client. The client should accept updates from just one source:
R1:
access-list 1 permit 127.127.7.1
access-list 2 permit 150.1.2.2
ntp master
ntp access-group peer 1
ntp access-group serve-only 2

R2:
access-list 1 permit 150.1.1.1
ntp source Loopback0
ntp access-group peer 1
ntp server 150.1.1.1
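The two matching rules and the ntp master catch can be checked offline before touching a router. The following Python model is an added example written for this page, not Cisco code: it implements the scan order and the implicit deny exactly as stated above and runs them against the R1 and R2 configuration of this first example, plus a constructed R1 variant that omits the 127.127.7.1 entry. The message kinds (request/update/control), the 127.127.7.1 address and the treatment of an explicit ACL deny (the scan simply continues to the next, less permissive group) are assumptions of the model; the same functions can be pointed at the three-router configuration that follows.

```python
"""Model of how Cisco IOS matches an incoming NTP packet against the
'ntp access-group' ACLs.  Added illustration for this page (not Cisco code):
rule 1 = scan peer -> serve -> serve-only -> query-only, first ACL that
permits the source wins; rule 2 = once any access-group exists, a source no
ACL permits is denied.  Exercised with the R1/R2 config of the first example."""

import ipaddress
import re

ORDER = ["peer", "serve", "serve-only", "query-only"]       # rule 1 scan order
PERMITS = {                                                # what each type allows
    "peer":       {"request", "update", "control"},
    "serve":      {"request", "control"},
    "serve-only": {"request"},
    "query-only": {"control"},
}
# Internal reference clock created by 'ntp master' on the IOS release used on
# this page; assumption here, verify with 'show ntp associations' elsewhere.
NTP_MASTER_REFCLOCK = "127.127.7.1"

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$")
GROUP_RE = re.compile(r"ntp access-group (peer|serve-only|serve|query-only) (\d+)$")


def parse_config(text):
    """Return (acls, groups, is_master) from standard-ACL and NTP lines.
    ACL entries are (action, host, wildcard) ints: a wildcard bit set to 1
    means 'don't care', exactly as in an IOS standard ACL."""
    acls, groups, is_master = {}, {}, False
    for line in (l.strip() for l in text.splitlines()):
        m = ACL_RE.match(line)
        if m:
            num, action, host, wild = m.groups()
            if host == "host":               # 'permit host A.B.C.D' form
                host, wild = wild, None
            if host == "any":
                entry = (action, 0, 0xFFFFFFFF)
            else:
                entry = (action, int(ipaddress.ip_address(host)),
                         int(ipaddress.ip_address(wild or "0.0.0.0")))
            acls.setdefault(num, []).append(entry)
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
        elif line == "ntp master" or line.startswith("ntp master "):
            is_master = True
    return acls, groups, is_master


def acl_permits(entries, src):
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    s = int(ipaddress.ip_address(src))
    for action, host, wild in entries:
        if (s ^ host) & (~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def access_type(groups, acls, src):
    """Rule 1 then rule 2.  Modelling assumption: an explicit 'deny' in one
    ACL just moves the scan on to the next (less permissive) group."""
    if not groups:
        return "unrestricted"                # no 'ntp access-group' configured
    for t in ORDER:
        num = groups.get(t)
        if num is not None and acl_permits(acls.get(num, []), src):
            return t
    return "denied"


def allowed(config, src, kind):
    """Would this router act on a `kind` packet (request/update/control)
    from `src`, given the running-config fragment `config`?"""
    acls, groups, _ = parse_config(config)
    t = access_type(groups, acls, src)
    return True if t == "unrestricted" else kind in PERMITS.get(t, set())


def check_master(config):
    """The catch from the text: a master with access-groups must grant its
    own reference clock 'peer' access, or it never synchronizes."""
    _, groups, is_master = parse_config(config)
    if is_master and groups and not allowed(config, NTP_MASTER_REFCLOCK, "update"):
        return ["ntp master will stay unsynchronized: %s is not permitted by the "
                "'peer' access-group" % NTP_MASTER_REFCLOCK]
    return []


# R1 (master) and R2 (client) from the first example on this page.
R1_CONFIG = """
access-list 1 permit 127.127.7.1
access-list 2 permit 150.1.2.2
ntp master
ntp access-group peer 1
ntp access-group serve-only 2
"""
R2_CONFIG = """
access-list 1 permit 150.1.1.1
ntp source Loopback0
ntp access-group peer 1
ntp server 150.1.1.1
"""
# Constructed variant of R1 with the 'peer' group for 127.127.7.1 left out.
R1_BROKEN = """
access-list 2 permit 150.1.2.2
ntp master
ntp access-group serve-only 2
"""

if __name__ == "__main__":
    for src, kind in [("150.1.2.2", "request"), ("150.1.2.2", "control"),
                      ("150.1.3.3", "request"), ("127.127.7.1", "update")]:
        print("R1 %-11s %-7s -> %s" % (src, kind, allowed(R1_CONFIG, src, kind)))
    print("R2 takes updates from 150.1.3.3:", allowed(R2_CONFIG, "150.1.3.3", "update"))
    print(check_master(R1_BROKEN))
```

Running it shows why the client-only ACL on R1 is not enough on its own: R2 gets time (serve-only), a control query from R2 and any packet from an unlisted address are dropped (rule 2), and the constructed R1_BROKEN variant rejects its own reference clock, which is the out-of-sync master described in the text.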
A more complicated example. R1 and R3 are both NTP masters and peer with each other via NTP. R2 is a client of both of them. Configure R1 and R3 so that they only allow R2 to poll them for time updates and only synchronize with each other. Correspondingly, R2 should only accept NTP updates from R1 or R3.
R1:
access-list 2 permit 150.1.2.2
access-list 3 permit 150.1.3.3
access-list 3 permit 127.127.7.1
ntp master
ntp access-group serve-only 2
ntp access-group peer 3
!
! The following is needed to poll our peer from
! a consistent source IP address
!
ntp source Loopback0
ntp peer 150.1.3.3

R3:
access-list 2 permit 150.1.2.2
access-list 1 permit 150.1.1.1
access-list 1 permit 127.127.7.1
ntp master
ntp access-group serve-only 2
ntp access-group peer 1
ntp source Loopback0
ntp peer 150.1.1.1

R2:
access-list 13 permit 150.1.1.1
access-list 13 permit 150.1.3.3
ntp source Loopback0
ntp access-group peer 13
ntp server 150.1.1.1
ntp server 150.1.3.3
Some show command output for the last example (note the flags on the first line of each association: our_master is the peer the router is actually synchronized to, selected is a surviving candidate; reach is an octal bitmask of the last eight polls, so 377 means all of them were answered):
Rack1R1#show ntp associations detail
150.1.3.3 configured, selected, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA2222.362546B9 (00:06:58.211 UTC Sun Jan 1 2012)
our mode active, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.05, reach 377, sync dist 12.466
delay 24.70 msec, offset 0.0294 msec, dispersion 0.05
precision 2**18, version 3
org time D2AA2222.363128BC (00:06:58.211 UTC Sun Jan 1 2012)
rcv time D2AA2222.395A8A9D (00:06:58.224 UTC Sun Jan 1 2012)
xmt time D2AA221C.BA22B989 (00:06:52.727 UTC Sun Jan 1 2012)
filtdelay =    24.77   24.70   24.69   24.69   24.81   24.78   25.16   24.60
filtoffset =    0.01    0.03    0.01    0.01    0.07    0.02    0.30    0.04
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12

127.127.7.1 configured, our_master, sane, valid, stratum 7
ref ID 127.127.7.1, time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 17, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
rcv time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
xmt time D2AA224F.BA09890A (00:07:43.726 UTC Sun Jan 1 2012)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.97    2.94 15995.3 15995.3 15995.3 15995.3
Reference clock status:  Running normally
Timecode:

Rack1R3#show ntp associations detail
150.1.1.1 configured, selected, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
our mode active, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 376, sync dist 13.474
delay 24.70 msec, offset 0.0428 msec, dispersion 0.84
precision 2**16, version 3
org time D2AA2252.BA44EC9D (00:07:46.727 UTC Sun Jan 1 2012)
rcv time D2AA2252.BD81F301 (00:07:46.740 UTC Sun Jan 1 2012)
xmt time D2AA2262.362614E6 (00:08:02.211 UTC Sun Jan 1 2012)
filtdelay =    24.99   24.70   24.69   25.02   24.70   24.67   24.67   24.66
filtoffset =   -0.15    0.04   -0.06    0.16   -0.04   -0.04    0.03   -0.02
filterror =     0.75    0.76    0.78    0.79    0.81    0.82    0.84    0.85

127.127.7.1 configured, our_master, sane, valid, stratum 7
ref ID 127.127.7.1, time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
precision 2**18, version 3
org time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
rcv time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
xmt time D2AA2263.36244305 (00:08:03.211 UTC Sun Jan 1 2012)
filtdelay =     0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filtoffset =    0.00    0.00    0.00    0.00    0.00    0.00    0.00    0.00
filterror =     0.02    0.99    1.01    1.02    1.04    1.05    1.07    1.08
Reference clock status:  Running normally
Timecode: 

Rack1R2#show ntp associations detail
150.1.1.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 17, sync dist 2924.316
delay 92.15 msec, offset -814906.4035 msec, dispersion 2877.85
precision 2**16, version 3
org time D2AA225B.921F769B (00:07:55.570 UTC Sun Jan 1 2012)
rcv time D2AA258A.85F5230D (00:21:30.523 UTC Sun Jan 1 2012)
xmt time D2AA258A.6E599935 (00:21:30.431 UTC Sun Jan 1 2012)
filtdelay =    92.15   90.97   90.84  136.81    0.00    0.00    0.00   91.34
filtoffset = -814906 -814908 -814909 -814886    0.00    0.00    0.00    2.22
filterror =     0.02    0.99    1.97    2.94 16000.0 16000.0 16000.0    7.83

150.1.3.3 configured, selected, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.05, reach 377, sync dist 13.916
delay 24.57 msec, offset -814905.7885 msec, dispersion 1.59
precision 2**18, version 3
org time D2AA2273.89780E2F (00:08:19.536 UTC Sun Jan 1 2012)
rcv time D2AA25A2.747F40E8 (00:21:54.455 UTC Sun Jan 1 2012)
xmt time D2AA25A2.6E3030A3 (00:21:54.430 UTC Sun Jan 1 2012)
filtdelay =    24.57   24.73   24.70   24.84   24.64   24.75   24.55   24.67
filtoffset = -814905 -814907 -814907 -814907 -814907 -814907 -814907 -814907
filterror =     0.02    0.99    1.01    1.02    1.04    1.05    1.07    1.08
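The three captures above are worth reading with a checklist rather than by eye: which association is our_master, whether reach is 377, and whether the offset is small enough that the clock is actually disciplined rather than about to be stepped. The following Python is an added example written for this page, not Cisco tooling, that parses show ntp associations detail into records and applies exactly those checks. The sample text is copied from the R2 and R3 output above; the two thresholds are assumptions: reach must be 377 (octal, all of the last eight polls answered) and |offset| must stay under the 128 ms step threshold of RFC 5905.

```python
"""Parser and sanity check for Cisco IOS 'show ntp associations detail'.
Added illustration for this page, not Cisco tooling.  Sample text is copied
from the R2 and R3 output shown on the page; thresholds are assumptions."""

import re

STEP_THRESHOLD_MS = 128.0   # assumed: RFC 5905 steps the clock above this offset
FULL_REACH = 0o377          # IOS prints the 8-poll reachability register in octal

HEADER = re.compile(r"^(\d+\.\d+\.\d+\.\d+) (.*), stratum (\d+)$")


def parse_associations(text):
    """One dict per association: address, flags, stratum, ref_id, our_mode,
    peer_mode, reach (int bitmask) and offset_ms."""
    assocs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = {"address": m.group(1), "flags": set(m.group(2).split(", ")),
                   "stratum": int(m.group(3))}
            assocs.append(cur)
        elif cur is None:
            continue                                   # preamble before any peer
        elif (m := re.match(r"ref ID (\S+),", line)):
            cur["ref_id"] = m.group(1)
        elif (m := re.match(r"our mode (\w+), peer mode (\w+)", line)):
            cur["our_mode"], cur["peer_mode"] = m.groups()
        elif (m := re.search(r"\breach (\d+),", line)):
            cur["reach"] = int(m.group(1), 8)          # octal, e.g. 377 -> 0xFF
        elif (m := re.search(r"offset (-?\d+\.\d+) msec", line)):
            cur["offset_ms"] = float(m.group(1))       # negative = local clock ahead
    return assocs


def assess(assocs, step_ms=STEP_THRESHOLD_MS):
    """(address, finding) pairs worth acting on: no system peer at all,
    an association that missed polls, or an offset large enough to step."""
    findings = []
    if not any("our_master" in a["flags"] for a in assocs):
        findings.append(("*", "no_sys_peer"))
    for a in assocs:
        if a.get("reach", 0) != FULL_REACH:
            findings.append((a["address"], "incomplete_reach"))
        if abs(a.get("offset_ms", 0.0)) > step_ms:
            findings.append((a["address"], "large_offset"))
    return findings


# First lines of each association from the R2 capture above.
R2_SAMPLE = """\
150.1.1.1 configured, our_master, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 17, sync dist 2924.316
delay 92.15 msec, offset -814906.4035 msec, dispersion 2877.85

150.1.3.3 configured, selected, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.05, reach 377, sync dist 13.916
delay 24.57 msec, offset -814905.7885 msec, dispersion 1.59
"""
# Same for the R3 capture above (a master peering with R1).
R3_SAMPLE = """\
150.1.1.1 configured, selected, sane, valid, stratum 8
ref ID 127.127.7.1, time D2AA224F.BA0A656E (00:07:43.726 UTC Sun Jan 1 2012)
our mode active, peer mode active, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.03, reach 376, sync dist 13.474
delay 24.70 msec, offset 0.0428 msec, dispersion 0.84

127.127.7.1 configured, our_master, sane, valid, stratum 7
ref ID 127.127.7.1, time D2AA2263.362511B6 (00:08:03.211 UTC Sun Jan 1 2012)
our mode active, peer mode passive, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 0.00, reach 377, sync dist 0.015
delay 0.00 msec, offset 0.0000 msec, dispersion 0.02
"""

if __name__ == "__main__":
    for name, sample in (("R2", R2_SAMPLE), ("R3", R3_SAMPLE)):
        for a in parse_associations(sample):
            print(name, a["address"], sorted(a["flags"]), "reach=%o" % a["reach"],
                  "offset=%.1f ms" % a["offset_ms"])
        print(name, "findings:", assess(parse_associations(sample)))
```

On the R2 capture the check flags both servers for a large offset and the system peer for incomplete reach: R2's offset of about -814906 ms means its clock is roughly 13.6 minutes ahead of both masters (compare R2's xmt times of 00:21 with the servers' 00:07 and 00:08), so the access-groups are doing their job, the time is being received, but R2 has not yet been stepped. R3 is healthy apart from one missed poll to R1 (reach 376).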
