
Applying ACL to vty in IOS-XR

Hi.

I am trying to apply ACLs to the vty on an ASR9k router.

I am doing the following, and this works...

! IOS-XR
!-------
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny   ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny   ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL
!

The SSH TCP port is still open from any host though. I am not able to log in from other hosts than the ones specified in the ACLs, but it is possible to port-scan TCP 22 from any host.

Any suggestions? When applying ACL directly on mgmt interface the port gets blocked.

Regards

Andreas

Cisco Employee

Re: Applying ACL to vty in IOS-XR

Andreas,

This is not the preferred way to do this for the exact reasons you describe.  The better way to do this is via MPP, management plane protection.  This allows us to program the hardware via LPTS to drop unwanted requests in hardware instead of having to have software deal with it.

http://www.cisco.com/en/US/docs/routers/asr9000/software/security/configuration/guide/scasr9kmpp.html

Thanks,

Bryan

Applying ACL to vty in IOS-XR

Yes, I already figured it out.

Thanks,

Andreas

New Member

hi

Can we apply an ACL for vty and SSH on an ASR5k?

If yes, how?

Cisco Employee

You can Joseph, but it there are better options.

This is how to apply the access-class, à la IOS:

line default
 access-class ingress MYACL

The line template default needs to be associated with your VTY pool or SSH pool, like this:

vty-pool default 0 4 line-template default

And of course the telnet daemon needs to run:

telnet vrf default ipv4 server max-servers 4

The reason why this is not preferred is because all the traffic received for us (telnet) is processed by the hardware on the LC and sent to the RP. It then goes through the whole forwarding chain until telnet verifies it against the ACL and says ok or deny.

Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not forwarded any further, which saves system resources and provides better protection.

Google "asr9000 local packet transport services" to find a good write-up on LPTS and more details about management plane protection (MPP).

cheers!

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR
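For comparison, here is the OP's vty ACL beside an equivalent MPP policy, as an added example that is not from the thread or from Cisco's documentation; the choice of inband management on all interfaces, SSH as the only allowed protocol, and the reuse of the OP's 10.0.0.0/24 and 2001:DB8::/32 peers are assumptions.

```text
! --- OP's approach: vty access-class (checked in software on the RP) ---
ipv4 access-list VTY-ACL
 10 permit ipv4 10.0.0.0 0.0.0.255 any
 20 deny   ipv4 any any log
!
line default
 access-class ingress VTY-ACL
!
! --- MPP equivalent: same peers, enforced by LPTS in LC hardware ---
! Assumptions: inband management on all interfaces, SSH only;
! the peer prefixes reuse the ones from the OP's ACLs.
control-plane
 management-plane
  inband
   interface all
    allow ssh peer
     address ipv4 10.0.0.0/24
     address ipv6 2001:DB8::/32
    !
   !
  !
 !
!
! Verify which interfaces, protocols and peers MPP currently admits
show mgmt-plane inband interface all
```

Once an interface carries an MPP allow list, management protocols not listed on it are dropped there, so include every protocol (telnet, SNMP, and so on) that is actually relied on.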
New Member

Thank you Xander for your reply.

I wanted to know if we can do the same on the ASR5000 and not the ASR9000.

Please can you advise on this point?

Thanks

Joseph

Cisco Employee

I don't know the ASR5000 well enough to comment on that, Joseph...

I have forwarded this discussion to their support group to see if they can comment and add their expertise.

cheers

xander

Xander Thuijs CCIE #6775 Principal Engineer ASR9000, CRS, NCS6000 & IOS-XR