I have a few questions and I am going to use the below topology as the reference.
My core routers are getting the time from a NTP server located in the internet and have the below configuration:
ntp server 220.127.116.11 prefer
ntp master 8
All the other Devices located in the LAN has the below configuration:
ntp server 192.168.1.1 prefer
ntp server 192.168.1.2
As far as my understanding goes, SW1 and SW2 will have stratum 9 since the core routers are hard coded to stratum 8. But in this case all of my LAN devices have stratum 3. I am not sure why. Would you please explain it to me?
show ntp status
Clock is synchronized, stratum 3, reference is 192.168.1.1
show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.1.1 18.104.22.168 2
+~192.168.1.2 22.214.171.124 2
Now for security I am planning to configure them as below:
On the Core Routers
access-list 1 permit 126.96.36.199
ntp access-group peer 1
access-list 2 permit 172.16.0.1
access-list 2 permit 172.16.0.2
ntp access-group serve-only 2
On the LAN devices
access-list 50 permit 192.168.1.1
access-list 50 permit 192.168.1.2
ntp access-group peer 50
Here, My goal is to restrict the core routers to allow to get updates only from 188.8.131.52 and allow only specific clients to get update from the core routers. Similarly, all the client devices located in the LAN will be allowed to get update only from those two core routers. Now, at this point of time, if any attacker sends a client request to one of my clients(for example SW1). Would SW1 respond to it? If it does, then I need to put a deny ACL in the client devices like below.
access-list 80 deny any
ntp access-group serve-only 80
Please let me know if all the syntax is correct or if I need to modify anything.
Thank you so much.