When does NTP access-control need an ACL entry for 127.127.7.1?

The very simple answer is when the local NTP master is syncing to the IP address 127.127.7.1 instead of 127.127.1.1. OK, I think I need to clarify a few things. In a number of CCIE workbooks, you’ll get a task to configure NTP access-control on the master NTP router so that it only peers with R1. After trying for a long time, you look up the solution guide and realize that you were missing an ACL entry for the local address 127.127.7.1. Or you finish the task, everything works, you check the solution guide and ask yourself “why did they have an ACL entry for the IP address 127.127.7.1? I did it without it and it worked.”

This is something that I found very frustrating, and there was no information about it on the web. After doing some research of my own, it appears Cisco made a few changes that are not very clearly documented.

To give you an example, R4 is the NTP master and R6 (150.1.6.6) is the NTP peer.

R4#sh run | i ntp | access-list
ntp master 4
ntp access-group peer 1
access-list 1 permit 150.1.6.6

Checking the associations, you’ll notice that R4 is not able to sync with the local clock.

R4#sh ntp associations

address         ref clock     st  when  poll reach  delay  offset    disp
~127.127.7.1      127.127.7.1       3   972    64    0     0.0    0.00  16000.
~150.1.6.6       127.127.1.1      5     22     64   377  0.000  -4.211  5.791

* master (synced), # master (unsynced), + selected, - candidate, ~ configured

You might have the same requirement on a different router and find that it just works. For example, I had R5 with the same configuration (see below) and it was able to sync with the local clock.

R5#sh run | i ntp | access-list
ntp master 4
ntp access-group peer 1
access-list 1 permit 150.1.6.6

R5#sh ntp associations

address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           4      7     16   377  0.000   0.000  0.241
~150.1.6.6       127.127.1.1      5     22     64   377  0.000  -4.211  5.791

* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

What is going on? There are a few differences between R4 and R5 in my example. The IOS version on R4 is 12.4(15)T while R5 runs 12.4(24)T2, which indicates that something must have changed between them.

The other thing that stands out is the address and ref clock columns in the output of show ntp associations: R4 shows 127.127.7.1 for its local clock while R5 shows 127.127.1.1. Some time between version 12.4(15) and 12.4(24), Cisco eliminated the requirement to provide an ACL entry for the local ref clock address when configuring NTP access-control. The good part is that you can easily identify which behaviour you are dealing with by looking at the address of the local ref clock in show ntp associations. If the IP address is 127.127.7.1, you’ll need to explicitly permit it in the NTP access-group ACL. If the IP address of the ref clock is 127.127.1.1, you won’t need to worry about it.
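As an added example (not from the original post, and not Cisco code), here is a small Python script that applies the rule above to captured show ntp associations and show run output: it picks out the local reference-clock association, reads the ACL number from the ntp access-group line, and reports when that ACL does not permit 127.127.7.1. The sample outputs are transcribed from the R4 and R5 sessions above; the standard-ACL matching (any, host, wildcard mask) is my own simplified implementation, not IOS's lookup logic.

```python
import ipaddress
import re

# Constructed sample input: the R4 and R5 'show ntp associations' output from the post.
R4_ASSOCIATIONS = """\
address         ref clock     st  when  poll reach  delay  offset    disp
~127.127.7.1      127.127.7.1       3   972    64    0     0.0    0.00  16000.
~150.1.6.6       127.127.1.1      5     22     64   377  0.000  -4.211  5.791
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""

R5_ASSOCIATIONS = """\
address         ref clock       st   when   poll reach  delay  offset   disp
*~127.127.1.1     .LOCL.           4      7     16   377  0.000   0.000  0.241
~150.1.6.6       127.127.1.1      5     22     64   377  0.000  -4.211  5.791
* sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

# The NTP-related configuration both routers carried in the post.
BASE_CONFIG = """\
ntp master 4
ntp access-group peer 1
access-list 1 permit 150.1.6.6
"""

# R4's configuration with the extra entry the solution guides add.
FIXED_CONFIG = BASE_CONFIG + "access-list 1 permit 127.127.7.1\n"

# One association row: optional status flags, peer address, ref clock, stratum.
ASSOC_LINE = re.compile(r"^\s*([*#+x~-]*)(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s")


def parse_associations(output):
    """Return the association rows as dicts; header and legend lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ASSOC_LINE.match(line)
        if m:
            rows.append({"flags": m.group(1), "address": m.group(2),
                         "refclock": m.group(3), "stratum": int(m.group(4))})
    return rows


def local_clock_address(output):
    """Address IOS uses for its own local reference clock (127.127.x.x), or None."""
    for row in parse_associations(output):
        if row["address"].startswith("127.127."):
            return row["address"]
    return None


def access_group_acls(config):
    """Map each 'ntp access-group <type> <acl>' line to {type: acl}."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^ntp access-group (\S+) (\d+)", config, re.M)}


def acl_permits(config, acl, ip):
    """True if standard ACL `acl` has a permit entry matching `ip`.

    Handles 'any', 'host A.B.C.D', a bare host address, and 'A.B.C.D wildcard'
    (wildcard bits set to 1 are don't-care). Simplified model, not IOS's own code.
    """
    target = int(ipaddress.IPv4Address(ip))
    for m in re.finditer(rf"^access-list {acl} permit (.+)$", config, re.M):
        parts = m.group(1).split()
        if parts[0] == "any":
            return True
        if parts[0] == "host":
            addr, wild = parts[1], "0.0.0.0"
        else:
            addr = parts[0]
            wild = parts[1] if len(parts) > 1 else "0.0.0.0"
        base = int(ipaddress.IPv4Address(addr))
        mask = int(ipaddress.IPv4Address(wild))
        if ((base ^ target) & ~mask) == 0:
            return True
    return False


def audit(assoc_output, config):
    """Findings for the 127.127.7.1 rule: empty list means nothing to fix."""
    findings = []
    local = local_clock_address(assoc_output)
    if local != "127.127.7.1":
        return findings  # 127.127.1.1 (newer IOS): no local-clock ACL entry needed
    for kind, acl in access_group_acls(config).items():
        if not acl_permits(config, acl, local):
            findings.append(
                f"ntp access-group {kind} {acl} lacks 'access-list {acl} permit {local}'")
    return findings


if __name__ == "__main__":
    print("R4, original ACL:", audit(R4_ASSOCIATIONS, BASE_CONFIG))
    print("R4, with 127.127.7.1:", audit(R4_ASSOCIATIONS, FIXED_CONFIG))
    print("R5, original ACL:", audit(R5_ASSOCIATIONS, BASE_CONFIG))
```

Run against the R4 output it reports the missing entry for ACL 1; with the extra permit line, or against R5's 127.127.1.1 output, it reports nothing, which is exactly the distinction the post describes.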

The CCIE lab uses version 12.4(15)T on its routers, so there you will always need to add the local ref clock to the NTP access-control ACL; but if you are using a lab with a higher version of IOS and can’t make any sense of what is going on, hopefully this post will bring back some sanity :)

For more info on NTP access-control check out: http://blog.ine.com/2008/07/28/ntp-access-control/