Configuring NTP Access Control Authority
Context
peer: The remote end can send time requests and control queries to the local NTP service. The local clock can also be synchronized with the clock of the remote server.
server: The remote end can send time requests and control queries to the local end. The local clock, however, cannot be synchronized with the clock of the remote server.
synchronization: The remote end can send only time requests to the local end.
query: The remote end can send only control queries to the local end.
The access control authority is configured on different devices in different NTP operating modes, as described in Table 3-1.
| NTP Operating Mode | Restricted NTP Request Type | Configured Device |
|---|---|---|
| Unicast NTP client/server mode | The client is restricted from synchronizing to the server. | Client |
| Unicast NTP client/server mode | The server is restricted from processing the clock synchronization request sent by the client. | Server |
| NTP symmetric peer mode | A symmetric passive peer and a symmetric active peer are restricted from synchronizing with each other. | Symmetric active peer |
| NTP symmetric peer mode | The symmetric passive peer is restricted from processing the clock request sent by the symmetric active peer. | Symmetric passive peer |
| NTP multicast mode | The client is restricted from synchronizing to the server. | NTP multicast client |
| NTP broadcast mode | The client is restricted from synchronizing to the server. | NTP broadcast client |
Procedure
- Run:
system-view
The system view is displayed.
- Configure the basic ACL.
Before configuring the access control rights, you must create a basic ACL. For the creation procedure, see "ACL Configuration" in the S2700 and S3700 Series Ethernet Switches Configuration Guide-Security.
- Run:
ntp-service access { peer | query | server | synchronization } acl-number
The access control authority of the NTP service is configured.
By default, no access control authority is set.
Check the rules in the ACL before referencing the ACL in the ntp-service access command. When the ACL rule is permit, the peer device whose source IP address is specified in the rule can access the NTP service on the local device, with the access right configured by the ntp-service access command. When the ACL rule is deny, the peer device whose source IP address is specified in the rule cannot access the NTP service on the local device.
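The ACL check described above can be run offline against a saved configuration. The following Python script is an added example, not part of the configuration guide. It assumes the saved text uses `acl number N` blocks with indented `rule` lines; the function names, ACL numbers and addresses are constructed for illustration.

```python
import re

# Constructed sample of saved configuration text (addresses and ACL numbers are made up).
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.1.1.1 0
 rule 10 deny
acl number 2002
 rule 5 permit
#
ntp-service access peer 2001
ntp-service access synchronization 2002
ntp-service access query 2003
"""

def parse_acls(text):
    """Return {acl_number: [(action, source or None), ...]} from 'acl number N' blocks."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"acl number (\d+)", line)
        if m:
            current = acls.setdefault(int(m.group(1)), [])
            continue
        m = re.match(r"\s+rule(?: \d+)? (permit|deny)(?: source (\S+(?: \S+)?))?\s*$", line)
        if m and current is not None:
            current.append((m.group(1), m.group(2)))
        elif not line.startswith(" "):
            current = None  # an unindented line ends the ACL block
    return acls

def audit_ntp_access(text):
    """Return (right, acl_number, finding) for each 'ntp-service access' line."""
    acls, findings = parse_acls(text), []
    pat = r"^ntp-service access (peer|query|server|synchronization) (\d+)\s*$"
    for right, num in re.findall(pat, text, flags=re.M):
        rules = acls.get(int(num))
        if rules is None:
            findings.append((right, int(num), "ACL not defined in this configuration"))
        elif any(action == "permit" and src in (None, "any") for action, src in rules):
            findings.append((right, int(num), "permit rule matches every source address"))
        else:
            allowed = [src for action, src in rules if action == "permit"]
            findings.append((right, int(num), "permitted sources: " + ", ".join(allowed)))
    return findings

if __name__ == "__main__":
    for finding in audit_ntp_access(SAMPLE_CONFIG):
        print(finding)
```

Each finding pairs an access right with the ACL it references, so a permit rule without a source restriction or a reference to a missing ACL is visible before the ntp-service access command is applied.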