NTP restrictions control how NTP treats traffic from peers. The NTP Service Example at the start of this section contains a good set of restrictions to use as a starting point.
These restrictions are configured using the restrict command from within
- restrict <default|source|host|prefix>
This command enters
The restriction is placed upon an address specified as one of the following:
default: The default restriction for any host.
source: Default restrictions for associated hosts.
host: An address specified as an FQDN to be resolved using DNS.
prefix: An IPv4 or IPv6 network specification.
In config-ntp-restrict mode, the following settings control what hosts matching this restriction can do:
Sends a Kiss of Death packet to misbehaving clients. Only works when paired with the
Enforce rate limits on clients. This does not apply to queries from
show ntp <x> commands.
Allows clients to query read only server state information, but does not allow them to make changes.
Deny unauthorized associations. When using a server entry in pool mode, this should be present in the default restriction but not in the
show ntp <x> queries for NTP daemon information. Does not affect NTP acting as a time server.
Disables time service. Still allows
show ntp <x> queries
Decline mode 6 trap service to clients.
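
The settings above include two pairing rules: Kiss of Death only works alongside a second setting, and with pool servers the deny-unauthorized-associations setting belongs in the default restriction but not in the one for associated hosts. The Python linter below is an added example, not code from this documentation or its vendor. It assumes the reference ntpd ntp.conf syntax and flag names (kod, limited, nopeer and so on), which do not appear on this page, and it runs on a constructed sample configuration.

```python
# Added example, not from the original page. Assumption: ntpd ntp.conf syntax
# and its flag names (kod, limited, nopeer, ...), which this page does not show.
FLAGS = {"kod", "limited", "nomodify", "nopeer", "noquery", "noserve", "notrap"}

def parse(conf):
    """Return ([(line_no, target, flags)], uses_pool) for restrict/pool lines."""
    entries, uses_pool = [], False
    for n, raw in enumerate(conf.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] == "pool":
            uses_pool = True
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args:  # first argument is the target, known flags follow
                entries.append((n, args[0], FLAGS.intersection(args[1:])))
    return entries, uses_pool

def audit(conf):
    """Return [(line_no, message)] for violations of the two pairing rules."""
    entries, uses_pool = parse(conf)
    findings = []
    for n, target, flags in entries:
        if "kod" in flags and "limited" not in flags:
            findings.append((n, f"{target}: kod is inert without limited"))
        if uses_pool and target == "default" and "nopeer" not in flags:
            findings.append((n, "default: nopeer missing while a pool is used"))
        if uses_pool and target == "source" and "nopeer" in flags:
            findings.append((n, "source: nopeer rejects pool associations"))
    has_source = any(t == "source" for _, t, _ in entries)
    default_nopeer = any(t == "default" and "nopeer" in f for _, t, f in entries)
    if uses_pool and default_nopeer and not has_source:
        findings.append((None, "no source restriction: default nopeer hits pool servers"))
    return findings

# Constructed sample configuration; the pool hostname is a placeholder.
SAMPLE = """\
pool pool.example.net iburst
restrict default kod nomodify nopeer noquery notrap
restrict -6 default kod limited nomodify noquery notrap
restrict source kod limited nomodify nopeer noquery notrap
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```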