How to set C9500-40X to NTP client only

Damon2021
Level 1

Hi,

We have a C9500-40X that connects to the internet. We have a tool that is showing that a lot of L3 VLANs' IPs on this switch have NTP and SNMP ports exposed from outside.

The switch is configured with:

ntp server x.x.x.1

ntp server x.x.x.x2

What is best way to fix this? I read on other threads that to set the NTP on that switch to client mode using "ntp broadcast client" but that syntax is not available. The router is running 16.12.

Thank You

9 Replies

I don't get your Q
the SW is NTP client
but I don't get the multi VLAN IP !!

Damon2021
Level 1

So the switch has a bunch of L3 VLAN interfaces. These IP addresses are showing up in the report exposing the NTP port. The tool does the port scan from the outside.


Thanks

balaji.bandi
Hall of Fame

you can use the source interface or apply some ACL

Another note: 16.12 code is quite old, upgrade to the latest 17.6.4?

BB


Leo Laohoo
Hall of Fame

Enable DHCP Option 42.

Hello,


Not sure I quite understand the question but maybe can offer some insight.

NTP is a polling protocol, so when you configure ntp server x.x.x.1 on your device it automatically says "I need to poll this IP for my time". The NTP server responds with the information. By default NTP uses the closest port IP address as its source with UDP port 123.

You could do a couple things together to help mitigate some unwanted results:

ntp source lo0 <- makes the source packet IP that of your loopback 0 so it won't use the SVI interfaces to poll the ntp server (if you don't have a loopback 0 then any IP on the device will work as long as it's reachable)

ntp authentication-key 65535 md5 test <- configure authentication (other side must also be configured and support authentication)
ntp trusted-key 65535

Router(config-int)# ntp disable <- disables ntp per interface (if command is supported)

Configure an IP access-list to limit the peers you are allowed to sync with 

Router(config)#ip access-list standard 5
Router(config-acl)#permit x.x.x.1 0.0.0.0
Router(config-acl)#permit x.x.x.2 0.0.0.0
Router(config)#ntp server x.x.x.1
Router(config)#ntp access-group peer 5


I don't think the ntp broadcast client would alleviate your issue as it just opens the port to listen for ntp requests coming from a broadcast source. On the flip side, if your interface is NOT configured for ntp broadcast client but your server is configured to broadcast the ntp messages, it won't get it. (I believe this alleviates having to configure an actual server and just listens for ntp broadcast messages)

Hope that helps

-David
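
As an added example (not code from this thread or from Cisco), here is a Python check that reads an IOS running-config and reports whether the client-only posture David describes is in place: `ntp source` pinned to one interface, `ntp access-group peer` referencing an ACL that permits exactly the configured `ntp server` hosts and nothing broader, and `ntp disable` on every SVI. The config it parses is constructed, with RFC 5737 documentation addresses standing in for the post's x.x.x.x placeholders.

```python
import re
# Constructed sample IOS running-config (not from the thread); RFC 5737 addresses replace the post's x.x.x.x.
SAMPLE_CONFIG = """\
interface Vlan10
 ntp disable
!
interface Vlan20
!
ip access-list standard 5
 permit 203.0.113.1 0.0.0.0
 permit 203.0.113.2 0.0.0.0
!
ntp source Loopback0
ntp server 203.0.113.1
ntp server 203.0.113.2
ntp access-group peer 5
"""
def sections(config):
    """Split an IOS config into its '!'-delimited blocks, each a list of stripped lines."""
    parts = re.split(r"^!$", config, flags=re.M)
    return [[ln.strip() for ln in p.strip().splitlines()] for p in parts if p.strip()]

def acl_hosts(config, name):
    """Sources permitted by standard ACL `name`; only 'x 0.0.0.0' / 'host x' entries count as hosts."""
    hosts = set()
    for sec in sections(config):
        if sec[0] != f"ip access-list standard {name}":
            continue
        for entry in sec[1:]:
            if not entry.startswith("permit"):
                continue  # deny lines and remarks grant nothing
            m = re.match(r"permit (?:host )?(\d+(?:\.\d+){3})(?: 0\.0\.0\.0)?$", entry)
            hosts.add(m.group(1) if m else entry)  # subnet/'any' permits kept verbatim so they never equal a server
    return hosts

def audit_ntp(config):
    """Report the client-only NTP posture: pinned source, peer ACL limited to the servers, ntp disable on SVIs."""
    servers = set(re.findall(r"^ntp server (\S+)", config, re.M))
    source = re.search(r"^ntp source (\S+)", config, re.M)
    group = re.search(r"^ntp access-group peer (\S+)", config, re.M)
    permitted = acl_hosts(config, group.group(1)) if group else set()
    svis_open = [sec[0].split()[1] for sec in sections(config)
                 if sec[0].startswith("interface Vlan") and "ntp disable" not in sec]
    return {
        "source_pinned": source is not None,
        "access_group_set": group is not None,
        "acl_matches_servers": bool(servers) and permitted == servers,
        "svis_without_ntp_disable": svis_open,
    }
```

On the sample above it flags Vlan20 as still lacking `ntp disable`; a subnet or `any` entry in ACL 5 would make `acl_matches_servers` false.
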

Damon2021
Level 1

Thanks for the replies. 

Let me explain the issue more since more are saying they don't fully understand the issue.

We have a switch that connects to the internet/outside. The switch is a C9500-40X that is getting NTP from a server inside the network. The switch has a lot of L3 VLANs and those VLAN IPs are showing on the report saying these have port 123 exposed from outside. So, when we add an NTP server on the switch (ntp server x.x.x.x), I believe it enables it as server/client for NTP. We do not want outside seeing these IPs and NTP port. Same goes for SNMP.

I cannot do "no ntp x.x.x.x" as that will disable NTP completely. I like @David Ruess's ACL solution. I was hoping to just turn off the server side of NTP on the switch but it seems like that might not be possible. Will David's solution still help with the issue now that I have tried to explain it a bit better?

You can try another suggestion I offered and disable ntp on each SVI interface with the command referenced above (may be different depending on SW make/model and version).

All in all we won't know what fixed your solution until you tell us something you implemented worked and fixed your solution.

What some organizations do is they find they have a problem with a scan. Then they make one change. Scan again to see if that fixed the issue. If not, then they make another change, and continue until a solution is found by the scans coming up clean.

I will offer one more bit of advice. Based on your description the SVI interfaces are also polling the time servers when you configure the servers. As I mentioned, NTP uses the closest interface to the destination as its source IP. That could change at any time in the ntp process or even over time. To mitigate this I would configure ntp source <interface> - that way the ntp packets will only use the IP or interface IP you choose and I believe the other SVIs won't show up.

Also keep in mind NTP needs at least 1 IP so the server can reply back to it...so one IP will need to be exposed most likely...the one talking to the ntp server.

If you want to provide more info you can debug ntp packets and attach the output here for us to check out. Sometimes it takes NTP a while to sync and update itself so the packets may be spread out for a bit. Make sure you capture enough information to get a good pool of logs to comb over.


-David

I did a lab and only the SVI that is nearest to the NTP server will send the request?
Why do you think there are many SVIs in the same SW sending NTP??
Are you sure it is the same SW, or does another SW use the same VLAN (different SVI IP)???

A humble Raspberry Pi can be built to be a stratum 1 NTP server and point the NTP settings to this rPi.