04-25-2018 09:24 PM - edited 02-21-2020 07:40 AM
Hi all,
From the vulnerability scan, we got the below issue for NTP on a Cisco 3850 switch. Could somebody please advise how to fix it?
An NTP control (mode 6) message with the UNSETTRAP (31) opcode with an unknown association identifier will cause NTP to respond with two packets -- one error response packet indicating that the association identifier was invalid followed by another non-error.
Apply a restrict option to all hosts that are not authorized to perform NTP queries. For example, to deny query requests from all clients, put the following in the NTP configuration file, typically /etc/ntp.conf, and restart the NTP service.
The only config the switch has for NTP is
ntp source loopback
ntp server x.x.x.x
Regards
Kris
04-25-2018 10:35 PM - edited 04-25-2018 10:35 PM
Hi,
If your switch is just going to be an NTP client, then you will need to restrict query and server requests using access lists,
e.g.
access-list 40 permit host 192.168.1.1
access-list 50 deny any
ntp access-group peer 40
ntp access-group serve-only 50
ntp access-group query-only 50
ntp server 192.168.1.1
The example above allows the switch to get time from NTP server 192.168.1.1. Access-list 49 only allows time from 192.168.1.1. Access-list 50 prevents the switch from providing time to anyone and prevents queries from anyone.
The following doc provides more details:
Thanks
John
04-26-2018 08:18 PM
Hi John,
Thanks a lot for the reply. So just to confirm, in this case access list 50 prevents the NTP client from responding to NTP queries, and it doesn't accept control queries.
Regards
Kris
04-29-2018 04:05 PM
Hi,
Yes, access-list 50 is to prevent the switch from being an ntp server and to prevent the switch responding to control queries.
Thanks
John
01-18-2024 05:42 AM - edited 01-18-2024 06:31 AM
I know this is an old message, but I was wondering what options there are for a switch that is the NTP master for all your other switches. I found this: https://community.cisco.com/t5/network-management/ntp-allow-mode-control/td-p/4596164
So I went with the ntp allow mode control 3 option and our Nessus scan no longer shows this switch having the NTP Mode 6 vulnerability.
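The thread gives two remediations for the mode 6 finding: John's access-group configuration for a client-only switch, and `ntp allow mode control 3` for a switch that is the NTP master. The following Python script is an added example, not code from the thread or from Cisco, that audits a saved `show running-config` text for either remediation and reports what is missing. It assumes standard numbered ACLs written as `access-list N permit|deny ...` and treats an ACL with no permit entries as blocking everything; the sample configs embedded in it are constructed for the demonstration and use documentation/private addresses rather than any host from the thread.

```python
import re

# Constructed sample configs (not from the thread's devices) covering the three
# states discussed in the thread: an unrestricted client, a client hardened with
# access-groups, and an NTP master relying on "ntp allow mode control".
UNRESTRICTED_CLIENT = """\
ntp source Loopback0
ntp server 192.0.2.10
"""

HARDENED_CLIENT = """\
access-list 40 permit host 192.168.1.1
access-list 50 deny any
ntp access-group peer 40
ntp access-group serve-only 50
ntp access-group query-only 50
ntp server 192.168.1.1
"""

NTP_MASTER = """\
ntp allow mode control 3
ntp master 3
"""


def parse_acls(config):
    """Return {acl_id: [(action, match), ...]} for 'access-list N permit|deny ...' lines."""
    acls = {}
    for m in re.finditer(r'^access-list (\S+) (permit|deny) (.+)$', config, re.M):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
    return acls


def acl_blocks_all(entries):
    """True when the ACL is defined and contains no permit entry, so no source can match it."""
    return bool(entries) and all(action == 'deny' for action, _ in entries)


def audit_ntp(config):
    """Return a list of finding strings for the NTP hardening state; [] means nothing to report."""
    acls = parse_acls(config)
    groups = dict(re.findall(
        r'^ntp access-group (peer|serve-only|serve|query-only) (\S+)', config, re.M))
    has_server = re.search(r'^ntp server ', config, re.M) is not None
    is_master = re.search(r'^ntp master', config, re.M) is not None
    allow_mode_control = re.search(r'^ntp allow mode control', config, re.M) is not None

    findings = []
    if not (has_server or is_master):
        return findings  # NTP is not configured at all; nothing to harden

    # Every access-group must point at an ACL that actually exists in the config.
    undefined = {kind: acl for kind, acl in groups.items() if acl not in acls}
    for kind, acl in undefined.items():
        findings.append(f'ntp access-group {kind} references undefined ACL {acl}')

    # Mode 6 (control) queries: either query-only must deny every source, or the
    # switch must use "ntp allow mode control" as in the thread's NTP master case.
    query_acl = groups.get('query-only')
    if query_acl is None and not allow_mode_control:
        findings.append('mode-6 control queries unrestricted: no "ntp access-group '
                        'query-only" and no "ntp allow mode control"')
    elif query_acl is not None and 'query-only' not in undefined \
            and not acl_blocks_all(acls[query_acl]):
        findings.append(f'ACL {query_acl} still permits some hosts to send NTP control queries')

    # A client-only switch (ntp server but no ntp master) should not serve time to anyone.
    if has_server and not is_master:
        serve_acl = groups.get('serve-only')
        if serve_acl is None:
            findings.append('client-only switch has no "ntp access-group serve-only" restriction')
        elif 'serve-only' not in undefined and not acl_blocks_all(acls[serve_acl]):
            findings.append(f'ACL {serve_acl} still permits some hosts to request time')

    return findings


if __name__ == '__main__':
    for name, cfg in [('unrestricted client', UNRESTRICTED_CLIENT),
                      ('hardened client', HARDENED_CLIENT),
                      ('ntp master', NTP_MASTER)]:
        print(f'{name}: {audit_ntp(cfg) or "no findings"}')
```

Run it against the output of `show running-config | include ntp|access-list` saved to a file; the script only checks that the thread's commands are present and consistent, it does not model every IOS access-group precedence rule, so a clean result still warrants a re-scan as the last post describes.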
06-18-2024 06:43 AM
thanks @kkana
So many articles and posts on various forms to sift through, just to get this answer.
Much appreciated