Effect of using "ntp allow mode control 0"?

I am attempting to mitigate the issues surrounding bug report CSCum44673.  According to the software release notes found here, I need to ensure that all of my routers are on IOS version 15.2(2) or newer.  I also believe I need to include the statement "ntp allow mode control 3" on each of them.

So far I've verified that all of my routers are on newer software versions than that.  What I am confused about is that many of them include the statement "ntp allow mode control 0".  I was under the impression that the only allowed values were from 3 to 15.  I was also under the impression that a value of 3 was the default value.

What is the effect of using a 0 for the value?

Does this effectively mean that rate limiting of NTP queries is turned off and that the router is still vulnerable to the potential DoS attack described in that bug report?

Is this command only useful if the router is set up as an NTP master ("ntp master 3", for example, in the config)?

If it is only configured to synchronize with an NTP server located elsewhere ("ntp server x.x.x.x" in the config), does this command have any use?

Thanks for any clarification.

Accepted Solution

eperezor
Cisco Employee

It might be too late, I know, but for others to search on this:

Run "ntp allow mode control 0" to disable the feature. By using this, the device will respond to the mode 6 packets without any delay, and this would help in DoS attacks.

Or configure the parameter with a 3-second rate control, for example "ntp allow mode control 3". You can use this one, and due to the rate limit added in the newer versions the device still responds but is not affected the same way, so it's considered not vulnerable.

There is actually no default value configured for "ntp allow mode control". If you want to enable this feature, you need to set the value manually.

To disable this feature: "no ntp allow mode control". This would drop any mode 6 packets received.

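An added example, not from this thread and not Cisco code: a Python script that (1) classifies a saved IOS running-config by the rule eperezor gives above (command absent: mode 6 dropped; value 0: answered with no delay, rate limiting off; value N > 0: answered, rate-limited at N seconds) and reports whether the device is an NTP master or client, and (2) sends one NTP mode 6 READVAR query, the same packet "ntpq -c rv" sends, to see whether a device answers. The sample configs, hostnames and the 192.0.2.10 address are constructed; the regex for the config line is an assumption about how the line appears in a "show running-config" dump, and the probe only tells you whether an answer came back, not why it did not.

```python
"""Audit IOS configs for "ntp allow mode control" and probe NTP mode 6.

Added example for this thread (not Cisco code). Classification rules are
taken from the accepted answer:
  - command absent : device drops mode 6 (control) packets
  - value 0        : device answers mode 6 with no delay (rate limit off)
  - value N > 0    : device answers mode 6, rate-limited at N seconds
"""
import re
import socket
import struct
import time

# Assumption: the command appears on its own line exactly as in the thread.
_MODE_CONTROL_RE = re.compile(r"^\s*ntp allow mode control\s+(\d+)\s*$", re.M)
_NTP_ROLE_RE = re.compile(r"^\s*ntp (master|server|peer)\b", re.M)


def classify_ntp_mode_control(config_text: str) -> dict:
    """Return how a device treats mode 6 queries, based on its config."""
    m = _MODE_CONTROL_RE.search(config_text)
    roles = sorted(set(_NTP_ROLE_RE.findall(config_text)))
    if m is None:
        value = None
        status = "drops mode 6 packets (command absent)"
    else:
        value = int(m.group(1))
        if value == 0:
            status = "answers mode 6 without delay (rate limiting disabled)"
        else:
            status = f"answers mode 6, rate-limited at {value} s"
    return {"value": value, "status": status, "ntp_roles": roles,
            "rate_limited": value is not None and value > 0}


def build_mode6_readvar(sequence: int = 1) -> bytes:
    """Build an NTP control message (mode 6) READVAR request.

    Header layout per RFC 1305 Appendix B: LI/VN/mode byte, R/E/M/opcode
    byte, then 16-bit sequence, status, association id, offset, count.
    Version 2 and opcode 2 (READVAR) are what ntpq -c rv sends.
    """
    li_vn_mode = (0 << 6) | (2 << 3) | 6   # LI=0, VN=2, mode 6 -> 0x16
    rem_opcode = 0x02                       # R=0, E=0, M=0, opcode READVAR
    return struct.pack("!BBHHHHH", li_vn_mode, rem_opcode, sequence, 0, 0, 0, 0)


def is_mode6_response(packet: bytes, sequence: int = 1) -> bool:
    """True if packet is a mode 6 reply (R bit set) to our sequence number."""
    if len(packet) < 12:
        return False
    li_vn_mode, rem_opcode, seq = struct.unpack("!BBH", packet[:4])
    return (li_vn_mode & 0x07) == 6 and bool(rem_opcode & 0x80) and seq == sequence


def probe_mode6(host: str, timeout: float = 2.0, port: int = 123):
    """Send one READVAR query; return (answered, seconds_elapsed).

    No answer within the timeout is consistent with the command being absent
    (packets dropped) or with a filter in the path; the probe cannot tell
    those apart. Only run this against devices you are authorised to test.
    """
    seq = 1
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        start = time.monotonic()
        s.sendto(build_mode6_readvar(seq), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return False, time.monotonic() - start
    return is_mode6_response(data, seq), time.monotonic() - start


# Constructed sample configs (not taken from any real device).
SAMPLE_CONFIGS = {
    "rtr-weak": "hostname rtr-weak\nntp master 3\nntp allow mode control 0\n",
    "rtr-ok":   "hostname rtr-ok\nntp server 192.0.2.10\nntp allow mode control 3\n",
    "rtr-none": "hostname rtr-none\nntp server 192.0.2.10\n",
}


def audit(configs: dict) -> dict:
    """Classify every config in the mapping; keyed by device name."""
    return {name: classify_ntp_mode_control(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLE_CONFIGS).items():
        print(f"{name:9} roles={result['ntp_roles']} -> {result['status']}")
```

Point audit() at a directory of config backups to find every device still carrying "ntp allow mode control 0", then use probe_mode6() against a lab device before and after changing the value to see the difference in behaviour for yourself.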

Thanks @eperezor - can you raise a bug to get the IOS command reference updated to reflect this information.  There's literally no documentation on "ntp allow mode control" other than brief mentions in bugs, release notes (listing the bugs) and here!

I also found Solved: ntp allow mode control - Cisco Community useful for anyone else finding this.
