NTP Restrictions

NTP restrictions control how NTP treats traffic from peers. The NTP Service Example at the start of this section contains a good set of restrictions to use as a starting point.

These restrictions are configured using the restrict command from within config-ntp mode.

restrict <default|source|host|prefix>

This command enters config-ntp-restrict mode.

The restriction is placed upon an address specified as:

default

The default restriction for any host.

source

Default restrictions for associated hosts.

host

An address specified as an FQDN to be resolved using DNS.

prefix

An IPv4 or IPv6 network specification.

In config-ntp-restrict mode, the following settings control what hosts matching this restriction can do:

kod

Sends a Kiss-of-Death (KoD) packet to misbehaving clients. This has an effect only when paired with the limited option.

limited

Enforce rate limits on clients. This does not apply to queries from ntpq/ntpdc or the show ntp <x> commands.

nomodify

Allows clients to query read-only server state information, but does not allow them to make changes.

nopeer

Deny unauthorized associations. When using a server entry in pool mode, this should be present in the default restriction but not in the source restriction.

noquery

Deny ntpq/ntpdc/show ntp <x> queries for NTP daemon information. Does not affect NTP acting as a time server.

noserve

Disables time service. Still allows ntpq/ntpdc/show ntp <x> queries.

notrap

Decline mode 6 trap service to clients.
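As an added example (not part of the original documentation), the following Python script lints a set of restrictions against the rules stated above: kod has no effect without limited, and in pool mode nopeer belongs in the default restriction but not in the source restriction. The Restriction class, the lint function and the sample configuration are constructed for this example; only the target names and setting keywords come from the restrict command described on this page.

```python
"""Lint NTP restrict settings against the rules described on this page."""
from __future__ import annotations

from dataclasses import dataclass, field

# Settings available in config-ntp-restrict mode (from the page).
FLAGS = {"kod", "limited", "nomodify", "nopeer", "noquery", "noserve", "notrap"}


@dataclass
class Restriction:
    """One restrict entry: target is default, source, or a host/prefix string."""
    target: str
    flags: set[str] = field(default_factory=set)


def lint(restrictions: list[Restriction], pool_mode: bool = False) -> list[str]:
    """Return findings; an empty list means no rule on this page is violated."""
    findings: list[str] = []
    by_target = {r.target: r for r in restrictions}
    for r in restrictions:
        unknown = r.flags - FLAGS
        if unknown:
            findings.append(f"{r.target}: unknown setting(s) {sorted(unknown)}")
        # kod only takes effect when the client is also rate limited
        if "kod" in r.flags and "limited" not in r.flags:
            findings.append(f"{r.target}: kod has no effect without limited")
        # noserve alone still allows queries, noquery alone still serves time;
        # together they refuse the host everything
        if {"noserve", "noquery"} <= r.flags:
            findings.append(f"{r.target}: noserve plus noquery refuses both time service and queries")
    default = by_target.get("default")
    if default is None:
        findings.append("no default restriction: unmatched hosts are unrestricted")
    elif "nomodify" not in default.flags:
        findings.append("default: without nomodify unmatched hosts may change server state")
    if pool_mode:
        # Pool mode: nopeer in default, but not in source, or pool associations fail
        if default is not None and "nopeer" not in default.flags:
            findings.append("default: pool mode needs nopeer in the default restriction")
        source = by_target.get("source")
        if source is not None and "nopeer" in source.flags:
            findings.append("source: nopeer in the source restriction blocks pool associations")
    return findings


# Constructed sample: a pool-mode server with a hardened default restriction.
SAMPLE = [
    Restriction("default", {"kod", "limited", "nomodify", "nopeer", "noquery", "notrap"}),
    Restriction("source", {"kod", "limited", "nomodify", "noquery", "notrap"}),
    Restriction("192.0.2.0/24", {"nomodify", "notrap"}),  # local prefix may still query
]

if __name__ == "__main__":
    print(lint(SAMPLE, pool_mode=True) or "no findings")
```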