Configuring NTP Access Control Authority

Context

NTP access control is a simple but effective security measure. When access requests reach the local end, matching is attempted sequentially with the access authority from highest to lowest. The first successful match with an access authority takes effect. The matching order from highest to lowest and function of each access authority is as follows:

Peer

The remote end can send time requests and control queries to the local NTP service. The local clock can also be synchronized with the clock of the remote server.
Server

The remote end can send time requests and control queries to the local end. The local clock cannot be synchronized with the clock of the remote server.
Synchronization

The remote end can send time requests to the local end.
Query

The remote end can send control queries to the local end.
Limited

When NTP packet rates exceed the upper limit, incoming NTP packets are discarded.

As described in Table 1, the access control authority is configured in different NTP operating modes for different devices.

**Table 1** Configuration of the NTP access control authority
NTP Operating Mode	Restricted NTP Request Type	Configured Device
Unicast NTP client/server mode	The client cannot synchronize with the server.	Client
Unicast NTP client/server mode	The server cannot process clock synchronization requests sent by the client.	Server
NTP symmetric peer mode	Symmetric passive and symmetric active peers cannot synchronize with each other.	Symmetric active peer
NTP symmetric peer mode	The symmetric passive peer cannot process clock synchronization requests sent by the symmetric active peer.	Symmetric passive peer
NTP multicast mode	The client cannot synchronize with the server.	NTP multicast client
NTP broadcast mode	The client cannot synchronize with the server.	NTP broadcast client
NTP manycast client mode	The client cannot synchronize with the server.	NTP manycast client
NTP manycast server mode	The server cannot process clock synchronization requests sent by the client.	NTP manycast server

Procedure

Run system-view
The system view is displayed.
Configure the basic ACL.
Before configuring the access control authority, create a basic ACL. For details and procedures, see ACL Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security.
Run ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } ^*
The access control authority of the NTP service is configured.

By default, no access control authority is set.

Verify that the ACL rule has been configured before beginning configuration of the NTP access control authority in the ACL. If the ACL rule is permit, the peer device with the source IP address specified in this rule can access the NTP service on the local device. The access rights of the peer device are configured using the ntp-service access command. When the ACL rule is deny, the peer device with the source IP address specified in this rule cannot access the NTP service on the local device.
Run ntp-service discard { min-interval min-interval-val | avg-interval avg-interval-val }^*
The minimum inter-packet interval and the average inter-packet interval of NTP are configured.

By default, the minimum inter-packet interval of NTP is set to the first power of 2 in seconds, namely, 2 seconds, and the average inter-packet interval of NTP is set to the fifth power of 2 in seconds, namely, 32 seconds.