ntp-service access

Format

ntp-service access { peer | query | server | synchronization | limited } { { acl-number | acl-name aclname } [ ipv6 { acl6-number | acl6-name acl6name } ] | ipv6 { acl6-number | acl6-name acl6name } [ { acl-number | acl-name aclname } ] }

undo ntp-service access { { peer | query | server | synchronization | limited } | { peer | query | server | synchronization | limited } { { acl-number | acl-name aclname } [ ipv6 { acl6-number | acl6-name acl6name } ] | ipv6 [ { acl6-number | acl6-name acl6name } | { acl6-number | acl6-name acl6name } { acl-number | acl-name aclname } ] | all } }

Parameters

Parameter	Description	Value
peer	Indicates to maximum access. Both time request and control query can be performed on the local NTP service, and the local clock can be synchronized to the remote server. If the matching result is configured as permit for the source IP address configured in the ACL: The local clock can be synchronized with the peer clock. The peer clock can be synchronized with the local clock.	-
query	Indicates to minimum access. Only control query can be performed on the local NTP service.	-
server	Permits server access and query. Both time requests and control query can be performed on the local NTP service, but the local clock cannot be synchronized to the remote server. If the matching result is configured as permit for the source IP address configured in the ACL: The local clock cannot be synchronized with the peer clock. The peer clock can be synchronized with the local clock.	-
synchronization	Permits server access only. Only time request can be performed on the local NTP service. If the matching result is configured as permit for the source IP address configured in the ACL: The local clock cannot be synchronized with the peer clock. The peer clock can be synchronized with the local clock.	-
limited	Controls the incoming packet rate and kiss code is sent when KoD is enabled.	-
acl-number	Specifies a basic ACL number for IPv4 addresses.	The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).
acl-name aclname	Specifies the name of a named basic ACL.	The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).
ipv6 acl6-number	Specifies an IPv6 address access list number.	The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).
acl6-name acl6name	Specifies the name of a named basic ACL6.	The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive).
all	Indicates the IP address can be of both IPv6 and IPv4 types.	-

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name	Operations
ntp	write

Usage Guidelines

Usage Scenario

Compared with NTP authentication, the ntp-service access command is simpler to implement network security. When receiving an access query, an NTP server matches it with peer, query, server, and synchronization in descending order of access restriction strictness.

Precautions

Use this command based on the access limitation.

Unicast NTP server or client mode: In client, the restricted NTP query is synchronizing the client with the server.
Unicast NTP server or client mode: In server, the restricted NTP query is clock synchronization request from the client.
NTP peer mode: In symmetric active end, the restricted NTP query is clock synchronization with each other.
NTP peer mode: In symmetric passive end, the restricted NTP query is clock synchronization request from the active end.
NTP multicast mode: In NTP multicast client, the restricted NTP query is synchronizing the client with the server.
NTP broadcast mode: In NTP broadcast client, the restricted NTP query is synchronizing the client with the server.
NTP manycast mode: In NTP manycast client, the restricted NTP query is synchronizing the client with the server.
NTP manycast mode: In NTP manycast Server, the restricted NTP query is clock synchronization request from the client.

If this command is the first NTP configuration command, the system automatically adds the ntp-service server disable/ntp-service ipv6 server disable command in the configuration file to disable the NTP service. If this command is the last NTP configuration command to be deleted, the system automatically deletes the ntp server disable/ntp ipv6 server disable command from the configuration file.

Before configuring access control rights in an ACL, check the ACL rule configuration.

If the ACL rule of a source IP address is set to permit, packets from the source IP address are permitted.
If the ACL rule of a source IP address is set to deny, packets from the source IP address are denied.
If a source IP address is not in an ACL rule, packets from the source IP address are denied.
If no rule exists in the ACL or the referenced ACL does not exist, packets from all source IP addresses are denied.

Example

# Enable a peer in IPv4 ACL 2000 to perform time request, query control, and time synchronization on a local device.

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ntp-service access peer 2000

# Only the peer matching ACL 2002 can access the local NTP device.

<HUAWEI> system-view
[~HUAWEI] acl 2002
[*HUAWEI-acl4-basic-2002] quit
[*HUAWEI] ntp-service access synchronization 2002

# Only the peer matching ACL6 2000 can perform time request, query control, and time synchronization of the local NTP device.

<HUAWEI> system-view
[~HUAWEI] acl ipv6 2000
[*HUAWEI-acl6-basic-2000] quit
[*HUAWEI] ntp-service access peer ipv6 2000

# Enable the rate limit of incoming NTP packets and sending of RATE kiss code when Kiss-O'-Death is enabled. Set the ACL number to

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ntp-service access limited 2000