Symptom
The NTP access-group query-only setting does not restrict access. Irrespective of the entries in the access group, even if the IP access list denyntpquery is configured to deny all incoming traffic, NTP still synchronizes.
The customer's version is 6.0(2)U6(5a); 7.0(3)I4(5) shows the same behavior.
Conditions
ntp server 10.137.20.2 use-vrf default
ntp server 10.137.20.6 use-vrf default
ntp source-interface Vlan2
ntp access-group query-only denyntpquery
ASW-A4-22-B03.AU57# show ntp peer-s
Total peers : 2
* - selected for sync, + - peer mode(active),
- - peer mode(passive), = - polled in client mode
  remote         local           st  poll  reach  delay    vrf
-------------------------------------------------------------------------------
=10.137.20.2     11.185.78.1     3   64    377    0.26360  default
*10.137.20.6     11.185.78.1     3   64    377    0.26378  default
ASW-A4-22-B03.AU57# show ip access-lists denyntpquery
IPV4 ACL denyntpquery
10 deny ip any any
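
A check for this symptom over collected device output, added here as an example and not taken from the vendor or the original report: it flags NTP peers that are still being reached while the ACL bound to an ntp access-group contains no permit entry. The function names and the pasted-text input format are assumptions; the reach column is read as the standard NTP octal reachability register.

```python
import re

# Constructed sample: the configuration and show output quoted on this page.
SAMPLE = """\
ntp server 10.137.20.2 use-vrf default
ntp server 10.137.20.6 use-vrf default
ntp source-interface Vlan2
ntp access-group query-only denyntpquery
IPV4 ACL denyntpquery
10 deny ip any any
=10.137.20.2 11.185.78.1 3 64 377 0.26360 default
*10.137.20.6 11.185.78.1 3 64 377 0.26378 default
"""

GROUP_RE = re.compile(r"^ntp access-group (\S+) (\S+)$")
ACL_RE = re.compile(r"^(?:IPV4 ACL|ip access-list) (\S+)$")
ACE_RE = re.compile(r"^\d+ (permit|deny) (.+)$")
PEER_RE = re.compile(r"^([*+=-])(\d+(?:\.\d+){3})\s+\S+\s+\d+\s+\d+\s+([0-7]+)\s+\S+\s+\S+$")

def parse(text):
    """Split pasted config/show output into access groups, ACL entries and peers."""
    groups, acls, peers, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m[1]] = m[2]                      # access type -> ACL name
        elif m := ACL_RE.match(line):
            current = acls.setdefault(m[1], [])      # entries that follow belong here
        elif (m := ACE_RE.match(line)) and current is not None:
            current.append((m[1], m[2]))
        elif m := PEER_RE.match(line):
            peers.append({"mark": m[1], "remote": m[2], "reach": int(m[3], 8)})
    return groups, acls, peers

def find_symptom(text):
    """Return (access type, ACL, peer, selected_for_sync) for each reachable peer
    seen while the bound ACL denies everything."""
    groups, acls, peers = parse(text)
    findings = []
    for kind, acl in groups.items():
        entries = acls.get(acl, [])
        # Skip ACLs that were not captured or that permit at least some traffic.
        if not entries or any(action == "permit" for action, _ in entries):
            continue
        findings += [(kind, acl, p["remote"], p["mark"] == "*") for p in peers if p["reach"]]
    return findings
```

An empty result means either the ACL permits some traffic or no peer has answered a recent poll; a non-empty result matches the behavior described under Symptom.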