WTF is up with the ntp defaults on Cisco?

Thursday, 27th February 2014

So, it turns out that configuring an ntp peer on a Cisco router enables an ntp server that is open on every interface that that router has.

The only valid excuse I can come up with for this is that the defaults were chosen so long ago that the internet was a much nicer place.

So how do we fix this up?

There isn't a nice knob that says 'Don't serve client requests to anyone' ( which is screaming out to be the default ). So excluding ACL's applied directly to interfaces, we have to fake it with what there is.

There is the ability to appy ACL's on the ntp service for three classes of ntp packets; peers, querys and servers. This isn't as useful as it sounds, when you apply an ACL to a query class it triggers a default drop in all of the other classes, so if you apply a default deny to the query class, then you have to put in an ACL to permit the NTP servers that you have configured to talk to you.

Depending on what version of IOS you have, you may only be able to configure numbered access lists on your ntp service. The configuration that should work on anything running an old version of IOS as long as you are only doing IPv4 is the following:

ip access-list standard 99
permit 202.21.137.10
permit 202.21.136.66
permit 202.21.136.67

ntp access-group peer 99

If you have IOS 15.3 or newer and IPv6 configured you want something like the following:

ip access-list standard v4-ntp-servers
permit 202.21.137.10
permit 202.21.136.66
permit 202.21.136.67

ipv6 access-list v6-ntp-servers
permit 2001:4428:0:13::10
permit 2001:4428:0:6::66
permit 2001:4428:0:6::67

ntp access-group ipv4 peer v4-ntp-servers
ntp access-group ipv6 peer v6-ntp-servers