The ntp-service access command sets the access control authority of the local NTP service.
The undo ntp-service access command cancels the configured access control authority.
By default, no access control authority is set.
ntp-service access { peer | query | server | synchronization | limited } { acl-number | ipv6 acl6-number } *
undo ntp-service access { peer | query | server | synchronization | limited } [ ipv6 | all ]
undo ntp-service access { peer | query | server | synchronization | limited } [ acl-number | ipv6 acl6-number ] *
Parameter | Description | Value |
---|---|---|
peer | Indicates maximum access authority. Both time request and control query can be performed on the local NTP service, and the local clock can be synchronized to the remote server. | - |
query | Indicates minimum access. Only control query can be performed on the local NTP service. | - |
server | Indicates that server access and query are permitted. Both time request and control query can be performed on the local NTP service, but the local clock cannot be synchronized to the remote server. | - |
synchronization | Indicates that only server access is permitted. Only time request can be performed on the local NTP service. | - |
limited | When the rate of NTP packets exceeds the upper limit, the incoming NTP packets are discarded. | - |
acl-number | Indicates the number of a basic ACL with IPv4 address specified. | The value is an integer that ranges from 2000 to 2999. |
ipv6 acl6-number | Indicates the number of an ACL with IPv6 address specified. | The value is an integer that ranges from 2000 to 2999. |
all | Indicates all access control authority. | - |
Compared with NTP authentication, ntp-service access is a simpler way to secure the network. When an access request reaches the local end, it is matched against the configured access authorities in order from the highest to the lowest, and the first access authority that matches takes effect. The matching order is: peer, server, synchronization, query, and limited.
The device on which you run the command depends on the access authority to be limited. For details, see the following table.
NTP Operating Mode | Usage Scenario | Device Configured |
---|---|---|
Unicast NTP server/client mode | The client is restricted from being synchronized to a server, so that the client will not be synchronized to an unreliable unicast NTP server on the network. | Client |
Unicast NTP server/client mode | The server is restricted from processing the synchronization time request of the client, so that the synchronization range of the server is controlled. | Server |
NTP symmetric peer mode | The two ends are restricted from being synchronized with each other to prevent an unreliable symmetric passive peer on the network from synchronizing the client. | Symmetric active peer |
NTP symmetric peer mode | The symmetric passive peer is restricted from processing the time request, so that the synchronization range of the symmetric passive peer is controlled. | Symmetric passive peer |
NTP multicast mode | The client is restricted from synchronizing to the server to prevent an unreliable multicast NTP server from synchronizing the client. | NTP multicast client |
NTP broadcast mode | The client is restricted from being synchronized to a server, so that the client will not be synchronized to an unreliable broadcast NTP server on the network. | NTP broadcast client |
NTP manycast client mode | The client is restricted from being synchronized to a server. | NTP manycast client |
NTP manycast server mode | The server is restricted from processing the clock synchronization request sent by the client. | NTP manycast server |
The ntp-service access command provides only a minimal level of security. A safer method is to perform identity authentication. See the ntp-service authentication enable command for the relevant configuration.
# Enable the peer matching ACL 2000 to perform time request, query control and time synchronization on the local device.
<HUAWEI> system-view
[HUAWEI] ntp-service access peer 2000
# Enable the server matching ACL 2002 to perform time request and query control on the local device.
<HUAWEI> system-view
[HUAWEI] ntp-service access server 2002
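The matching order described above (peer, server, synchronization, query, limited) means that a source permitted by both ACLs in the two examples receives peer authority, not server. The following Python model is an added illustration, not Huawei code: the ACL contents, addresses and function names are assumptions, deny rules are not modelled, and an unmatched source returns None because this page does not state what happens in that case.

```python
# Added example: simplified model of the first-match evaluation on this page.
# ACL contents below are constructed; they are not taken from the page.
from ipaddress import ip_address, ip_network

# Matching order stated on the page, highest authority first.
MATCH_ORDER = ["peer", "server", "synchronization", "query", "limited"]

# Operations each level permits, taken from the parameter table.
# "limited" is rate-based; the page lists no operations for it, so it is
# represented only by its position in MATCH_ORDER.
ALLOWED = {
    "peer": {"time_request", "control_query", "sync_local_clock"},
    "server": {"time_request", "control_query"},
    "synchronization": {"time_request"},
    "query": {"control_query"},
}


def effective_level(src, access_config, acls):
    """Return the first level in MATCH_ORDER whose ACL permits src, else None."""
    addr = ip_address(src)
    for level in MATCH_ORDER:
        acl_number = access_config.get(level)
        if acl_number is None:
            continue  # no "ntp-service access <level>" configured
        if any(addr in ip_network(net) for net in acls[acl_number]):
            return level  # first match takes effect; lower levels are ignored
    return None


def is_allowed(src, operation, access_config, acls):
    """True if the level that src matches permits the given operation."""
    level = effective_level(src, access_config, acls)
    return operation in ALLOWED.get(level, set())


# Constructed ACL contents (permit rules only) for ACL 2000 and ACL 2002.
ACLS = {2000: ["10.1.0.0/16"], 2002: ["10.1.1.0/24", "192.0.2.0/24"]}
# Mirrors the two examples: "access peer 2000" and "access server 2002".
CONFIG = {"peer": 2000, "server": 2002}

if __name__ == "__main__":
    for src in ("10.1.1.5", "192.0.2.7", "203.0.113.9"):
        print(src, "->", effective_level(src, CONFIG, ACLS))
```

In this model 10.1.1.5 is permitted by both ACLs and ends up with peer authority, so a broad peer ACL overrides any narrower restriction intended at a lower level.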