Howdy, I'm looking for a way to bidirectionally pass all traffic to/from our inside VLAN1 (the 10.10.10.x lan) and VLAN 2 (which has public IP addresses from an advertised /26) to our upstream provider on VLAN21, but get rid of traffic which is saturating our cpu, probably on port 123.
Until a few days ago everything was working well, then our old 1335 died (power supply has totally failed, no lights, no fan, after 4 continuous years powered up.) Our upstream IP service is 50Mbit, shared by a bunch of users in our building, each of which has a static IP assigned by me personally. One inside computer (on port 0/2) is manually assigned x.x.x.67, which I use to access the Netvanta when needed.
Fortunately we have a spare Netvanta 1335, which came up fine. We upgraded the firmware to R11.10.6.E.
Symptom is that after several hours of normal use, the Netvanta CPU use goes to 100% and it becomes impossible to even telnet locally, and of course service to/from the big world goes almost totally dead (although once in a while a packet gets through.)
When this occurs, the command
#show processes cpu
indicates that ntpd is using 70%+ of the cpu. If I unplug the CAT6 cable to our fiber interface, that drops to 0 and I can at least access the Netvanta locally.
This seems to indicate that we are under some sort of DDoS attack.
If I disable the sntp server (#no ip sntp server) then the problem seems to go away, although, of course we haven't got a way to sync the Netvanta clock to time.nist.gov. 'show processes cpu' then does not even show an entry for ntpd, which is what I would expect.
Strangely, I did this yesterday, but after about 8 hours, the problem recurred and 'show processes cpu' again showed that ntpd was running and getting hammered, which I really don't understand.
What I want is to have the Netvanta sync its time but NOT act as a time server at all, and to drop all ntp traffic coming from the outside, but pass all other traffic. I do not know how to do this.
You will note that in the config file I have pasted below there is no firewall active and I have an entry for VLAN100 which is unused and could go away.
Your help is much appreciated. (feel free to trash my amateur config efforts, btw..)
/Mr. Duck
(config below, passwords, IP addresses are XXed out)
------------------
!
!
! ADTRAN, Inc. OS version R11.10.6.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335, part number 1700515E2
! Serial number L...........AC810
!
!
hostname "something"
enable password somecrappypassword
!
!
clock timezone -5-Eastern-Time
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
!
name-server 4.2.2.2 4.2.2.1
!
no ip route-cache express
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
no service password-encryption
!
username "admin" password "someotherpassword"
!
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
vlan 1
name "Default"
!
vlan 2
name "Internal x.x.x.x/26"
!
vlan 21
name "Outside trunk stuff"
!
vlan 100
name "VLAN0100"
!
!
interface switchport 0/1
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/2
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/3
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/4
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/5
no shutdown
!
interface switchport 0/6
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/7
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/8
no shutdown
!
interface switchport 0/9
no shutdown
!
interface switchport 0/10
no shutdown
!
interface switchport 0/11
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/12
no shutdown
!
interface switchport 0/13
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/14
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/15
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/16
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/17
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/18
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/19
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/20
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/21
no shutdown
!
interface switchport 0/22
no shutdown
!
interface switchport 0/23
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
interface switchport 0/24
spanning-tree edgeport
no shutdown
switchport access vlan 2
!
!
interface gigabit-switchport 0/1
no shutdown
!
interface gigabit-switchport 0/2
description WAN
speed 100
spanning-tree bpdufilter enable
spanning-tree edgeport
no shutdown
switchport mode trunk
switchport access vlan 21
no lldp send-and-receive
!
!
interface vlan 1
ip address 10.10.10.1 255.255.255.0
ip access-policy Private
! IPv4 access-policy will not be used until IPv4 firewall is enabled
ip route-cache express
no shutdown
!
interface vlan 2
description internal
ip address x.x.x.65 255.255.255.192
no ip route-cache express
no shutdown
!
interface vlan 21
ip address out.side.fiber.ip 255.255.255.252
ip access-policy Public
! IPv4 access-policy will not be used until IPv4 firewall is enabled
no awcp
no ip route-cache express
no shutdown
!
interface vlan 100
ip address x.x.x.100 255.255.255.254
no ip route-cache express
no shutdown
!
!
ip access-list standard admin-access
permit host x.x.x.67
permit host 10.10.10.2
permit host x.x.x.68
!
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended admin
!
ip access-list extended "external stuff on .67"
permit ip any host x.x.x.67 log
!
ip access-list extended self
remark Traffic to Netvanta
permit ip any any log
!
ip access-list extended web-acl-6
remark Allow
permit ip any host x.x.x.67
!
ip access-list extended wizard-pfwd-1
remark Port Forward 1
permit tcp any host out.side.fiber.ip log
!
!
ip policy-class Allow
allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Allow-x.x.x.67
allow list web-acl-6 policy "Allow x.x.x.67" stateless
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface vlan 21 overload
!
ip policy-class Public
nat destination list wizard-pfwd-1 address 10.10.10.2
!
!
ip route 0.0.0.0 0.0.0.0 out.side.fiber.ip-1
!
no tftp server
no tftp server overwrite
http server
no http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
http ip access-class admin-access in
http ip secure-access-class admin-access in
!
sip udp 5060
sip tcp 5060
!
line con 0
login
!
line telnet 0 4
login
password root2001
no shutdown
ip access-class admin-access in
line ssh 0 4
login local-userlist
shutdown
ip access-class admin-access in
!
end
---------
(config ends above the dashes)
The command "ip sntp server" by itself configures your device to provide time service to others, potentially the world. There are DDoS exploits of ntpd that spoof source addresses to open NTP servers and in this case you are likely being used as a reflector.
What you want, in order to set the clock on your device from an external NTP server, is "sntp server <hostname>" or "sntp server <ip.add.re.ss>", without the <>.
Leave the "no ip sntp server" configuration in place.
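Once "no ip sntp server" is in place, the thing worth checking from a host outside your /26 is that the router's public address no longer answers NTP at all, since a reflector only works if the server mode replies. The script below is an added example, not from this thread or from ADTRAN: it builds a plain SNTP v3 client query (the same packet ntpdate -q sends), decodes the reply header, and reports whether the target answered as a server (mode 4). The host name and the sample reply bytes are constructed for illustration.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PORT = 123


def build_request() -> bytes:
    """48-byte SNTP v3 client request: LI=0, VN=3, Mode=3 packed into the first byte (0x1b)."""
    packet = bytearray(48)
    packet[0] = 0x1B
    secs = (int(time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    struct.pack_into("!II", packet, 40, secs, 0)  # transmit timestamp, fraction left at 0
    return bytes(packet)


def parse_reply(data: bytes) -> dict:
    """Decode the header fields that show whether the host is serving time."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode = data[0]
    secs, frac = struct.unpack("!II", data[40:48])  # server transmit timestamp
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": data[1],
        "is_server_reply": (li_vn_mode & 0x7) == 4,  # mode 4 = server answered
        "unix_time": secs - NTP_EPOCH_OFFSET + frac / 2**32,
    }


def probe(host: str, timeout: float = 2.0):
    """Send one client query; return the parsed reply, or None if the host stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, NTP_PORT))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None  # silence is the result you want on the WAN address
    return parse_reply(data)


# Constructed sample reply (not captured from a real device): mode 4, stratum 2,
# transmit timestamp 3900000000.5 NTP seconds = 1691011200.5 Unix time.
SAMPLE_REPLY = bytes([0x1C, 0x02, 0x06, 0xEC]) + bytes(36) + struct.pack("!II", 3900000000, 0x80000000)

if __name__ == "__main__":
    print(probe("router.example.invalid"))  # placeholder host; use your own WAN address
```

Run it against your own public address from a machine that is not behind the router; a None result means the change took effect, while a mode-4 reply means the device is still answering as a server.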