The ntp-service access command sets the access control authority of a local NTP service.
The undo ntp-service access command deletes the access control authority.
By default, no access authority is set.
ntp-service access { peer | query | server | synchronization | limited } { { acl-number | acl-name aclname } [ ipv6 { acl6-number | acl6-name acl6name } ] | ipv6 { acl6-number | acl6-name acl6name } [ { acl-number | acl-name aclname } ] }
undo ntp-service access { { peer | query | server | synchronization | limited } | { peer | query | server | synchronization | limited } { { acl-number | acl-name aclname } [ ipv6 { acl6-number | acl6-name acl6name } ] | ipv6 [ { acl6-number | acl6-name acl6name } | { acl6-number | acl6-name acl6name } { acl-number | acl-name aclname } ] | all } }
Parameter | Description | Value |
---|---|---|
peer | Indicates maximum access. Both time requests and control queries can be performed on the local NTP service, and the local clock can be synchronized to the remote server. If the matching result is configured as permit for the source IP address configured in the ACL: | - |
query | Indicates minimum access. Only control queries can be performed on the local NTP service. | - |
server | Permits server access and query. Both time requests and control queries can be performed on the local NTP service, but the local clock cannot be synchronized to the remote server. If the matching result is configured as permit for the source IP address configured in the ACL: | - |
synchronization | Permits server access only. Only time requests can be performed on the local NTP service. If the matching result is configured as permit for the source IP address configured in the ACL: | - |
limited | Controls the incoming packet rate. A kiss code is sent when KoD is enabled. | - |
acl-number | Specifies a basic ACL number for IPv4 addresses. | The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
acl-name aclname | Specifies the name of a named basic ACL. | The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
ipv6 acl6-number | Specifies an IPv6 address access list number. | The value is a string of 1 to 32 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
acl6-name acl6name | Specifies the name of a named basic ACL6. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter (a to z or A to Z, case sensitive). |
all | Indicates the IP address can be of both IPv6 and IPv4 types. | - |
Usage Scenario
Compared with NTP authentication, the ntp-service access command is a simpler way to implement network security. When it receives an access query, an NTP server matches the query against peer, query, server, and synchronization in descending order of access restriction strictness.
Precautions
Use this command based on the access limitation.
If this command is the first NTP configuration command, the system automatically adds the ntp-service server disable/ntp-service ipv6 server disable command in the configuration file to disable the NTP service. If this command is the last NTP configuration command to be deleted, the system automatically deletes the ntp server disable/ntp ipv6 server disable command from the configuration file.
Before configuring access control rights in an ACL, check the ACL rule configuration.
<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ntp-service access peer 2000

<HUAWEI> system-view
[~HUAWEI] acl 2002
[*HUAWEI-acl4-basic-2002] quit
[*HUAWEI] ntp-service access synchronization 2002

<HUAWEI> system-view
[~HUAWEI] acl ipv6 2000
[*HUAWEI-acl6-basic-2000] quit
[*HUAWEI] ntp-service access peer ipv6 2000

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ntp-service access limited 2000
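
The precaution above says to check the ACL rule configuration before binding an ACL to an NTP access level. The following Python check is an added example, not part of the original documentation or any vendor tooling: it reads an exported configuration and reports ntp-service access lines whose ACL is undefined or contains no rules. The saved-configuration layout it expects (acl [ipv6] [number|name] <id> headers followed by indented rule lines) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed saved-config layout: "acl [ipv6] [number|name] <id>", then indented rule lines.
ACL_HEAD = re.compile(r"^acl\s+(ipv6\s+)?(?:number\s+|name\s+)?(\S+)")
ACCESS = re.compile(r"^\s*ntp-service access (peer|query|server|synchronization|limited)\s+(.+)$")
ACL_REF = re.compile(r"(ipv6\s+)?(?:acl6?-name\s+)?(\S+)")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
acl number 2000
 rule 5 permit source 192.0.2.0 0.0.0.255
acl number 2002
acl ipv6 number 2000
 rule 5 permit source 2001:db8::/64
ntp-service access peer 2000 ipv6 2000
ntp-service access synchronization 2002
ntp-service access query acl-name ntp-mgmt
"""

def parse_acls(config):
    """Map (family, acl id) to the number of rule lines in that ACL block."""
    acls, current = {}, None
    for line in config.splitlines():
        head = ACL_HEAD.match(line)
        if head:
            current = ("ipv6" if head.group(1) else "ipv4", head.group(2))
            acls.setdefault(current, 0)
        elif current and line.strip().startswith("rule "):
            acls[current] += 1
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the ACL block
    return acls

def audit(config):
    """List (level, acl, problem) for access lines whose ACL is undefined or empty."""
    acls, findings = parse_acls(config), []
    for line in config.splitlines():
        access = ACCESS.match(line)
        if not access:
            continue  # also skips "undo ntp-service access ..." lines
        for v6, acl_id in ACL_REF.findall(access.group(2)):
            ref = ("ipv6" if v6 else "ipv4", acl_id)
            if ref not in acls:
                findings.append((access.group(1), ref, "undefined"))
            elif acls[ref] == 0:
                findings.append((access.group(1), ref, "no rules"))
    return findings
```

Calling audit(SAMPLE) flags ACL 2002, which is created without rules in the same way as the ACLs in the command examples above, and the named ACL ntp-mgmt, which is never defined.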