cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6987
Views
0
Helpful
12
Replies

Block NTP ACL

CobbyJ
Level 1
Level 1

Hello,

 

I am having some real issues blocking NTP on public IP's which are on a VLAN

 

i have tried "disable ntp" on the vlan but doesnt seem to be working.

 

Also tried this ACL

 

access-list 105 deny udp any host xxx.xxx.xxx.xxx eq ntp

 

Its just a single IP in want to block NTP on.

 

Any ideas on this?

 

12 Replies 12

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Just to clarify you want to prevent users on a subnet from peering with a NTP time source?

If so, then ACL you have created will work providing it is applied inbound on the gateway interface of the subnet where your users reside.

 

cheers,

Seb.

Its a public IP on a vlan

 

a NTP server is running by default on that IP so i want to block everyone outside of our network to access that port on that IP to secure NTP from the outside world.

In which case apply the ACL on the internet edge of your network in the inbound direction.

what am i doing wrong?

 

What would the command be?

 

What do you have at the internet edge? Is it a firewall? Router with stateful firewall?

These are 3750's edge routers which connect direct to BGP.

Then you need you configure ip access-group <acl_name> in on the Layer3 interface (either SVI or routed switchport) which connects to your ISP.

I would be surprised if there isn't already an ACL present.

Can you share the running config for that interface?

I cant send you our config as it has sensitive informations and ip's and blocks and so on in it and would be a further security risk

 

We do use "ip prefix-list" to block actual IP's and blackhole them.

But we want to block an actual IP's Port not the entire IP as it would cause big issues.

 

I dont understand why "disable ntp" doesnt not work on the vlan and still keeps the port open. and why there is no global command to disable NTP on the switches.

 

The ntp disable command issued at the interface level stops ntp queries from being served on that particular Layer3 interface, ie it prevents and outside NTP peer from querying your NTP router. It does not stop NTP quires which are traversing the router. ie a NTP packet can still arrive on an ntp disable interface and be routed further into your network.

 

If you want to stop peering traffic on an interface and/or stop NTP transit traffic then you need to use an ACL.

Hi,

Do you have the solution? I tried on the provider router it doesn't match any.

 

ip access-list extended block_ntp
 deny   udp any any eq ntp
 permit ip any any
!
interface Vlan2045
description Link WAN to CusA
ip address 10.170.112.68 255.255.255.248 secondary
ip address x.170.112.157 255.255.255.252
 ip access-group block_ntp in
ip access-group block_ntp out
standby 20 ip 10.170.112.70
standby 20 priority 105
!
ip route x.246.247.64 255.255.255.240 10.170.112.65 name CusA track 40

#sho access-lists block_ntp
Extended IP access list block_ntp
10 deny udp any x.246.247.64 0.0.0.15 eq ntp
100 permit ip any any

Thank you very much.


We do not know anything about this environment or the context for the application of this acl and that makes it difficult to give good advice. My comment at this point is that there is a mismatch between what you post as the configuration of the acl

 deny   udp any any eq ntp

and what you post as the operation of the acl

10 deny udp any x.246.247.64 0.0.0.15 eq ntp

 

HTH

Rick

I'm a novice, but if I had to take a guess, it's the same reason you can't block incoming SSH from hitting a router interface, the access-group ACL is getting processed AFTER the SSH (or NTP) request is processed by the router (same reason that object-groups are garbage and don't work for things processed on the local router, but work on things passing through the router). 
The only way you can block SSH or NTP from a specific interface is likely with a control-plane policy.  CPPs are hard to get right the first time, I highly advise you "write memory" and set a reload timer (reload in 60) in case you lock yourself out before starting, that way WHEN you lock yourself out because of something you forgot it will reboot on the original config after an hour.

Also you could just block the NTP via a global ACL with:

ip access-list standard ACL_NTP_PEER
 permit 132.163.97.5  ! NIST time server
 deny any
!
ip access-list standard ACL_NTP_SERVE
 permit 192.168.0.0 0.0.255.255  ! local network
 deny any
!
ntp access-group peer ACL_NTP_PEER
ntp access-group serve ACL_NTP_SERVE
!
ntp server 132.163.97.5

 

but know that all incoming NTP hits peer first, then serve, so if you want to get time from somewhere add a permit to peer, if you only want to give time to a user/device add it to serve, but EVERYTHING will try to peer first, so if you don't want them to set your clock but still want them to get timing, deny them in peer first and permit in serve.

There are other commands for NTP ACLs besides peer and serve (serve-only, query-only) but those will likely screw up the NTP handshake on the distant end and confuse it.

Review Cisco Networking for a $25 gift card