11-12-2013 02:01 AM
Hi,
I am really struggling with MPP on an ASR 9001.
I am sure this was working previously, but anyway I have an issue where I believe I had MPP configured and working to block SSH connections. I have since brought up BGP with a transit provider and can now see that I can open an SSH session from anywhere to the public IP addresses, from any source.
I have added an ACL to line default and specified vty-pool default 0 99 in the config as a short-term workaround, but, as I am sure people are aware, using this method of blocking networks from SSH access still allows a user (on a blocked subnet) to open a session and get a username prompt.
The config guides briefly mention two things that could be related. One was something about virtual interfaces; I don't know if bundles are included in this.
The other thing worth noting is that Bundle-Ether10.999 is in an IPVPN and not in the global VRF. I don't think this is related, as I have tried removing this and leaving just the OOB config, and I can still SSH from anywhere on the internet!
My config is below:
line console
!
line default
 exec-timeout 0 0
 access-class ingress MGMT-NETWORKS
!
vty-pool default 0 99
control-plane
 management-plane
  inband
   interface Bundle-Ether10.999
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
  !
  out-of-band
   vrf Mgmt
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
   interface MgmtEth1/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
  !
 !
!
ipv4 access-list MGMT-NETWORKS
 10 permit ipv4 10.1.0.0 0.0.255.255 any
 20 permit ipv4 10.2.0.0 0.0.255.255 any
 30 permit ipv4 10.3.0.0 0.0.255.255 any
!
ssh server v2
ssh server vrf IPVPN-XXX    <----- this is the VRF that interface Bundle-Ether10.999 is in
11-26-2013 05:04 AM
You enable the telnet or SSH server on a per-VRF basis.
Since your interface in MPP is tied to the VRF, basically the SSH server in global opens it up everywhere.
This is a bit misleading, I agree.
You could have done an "interface all" underneath it and potentially blocked it there, but then you might as well remove the global server, which you did as the solution.
regards
xander
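The behaviour xander describes, as an added example that is not part of the thread or of Cisco's own tooling: a small Python checker that parses an IOS XR running-config, works out which VRF each SSH server listens in, and flags any VRF that has an SSH server but no MPP inband interface belonging to that VRF (in such a VRF, MPP constrains nothing, so SSH answers on every interface in it). The config it runs on is constructed from the configuration posted above plus assumed `vrf` stanzas for the interfaces, which the post does not show. Treating a bare `ssh server v2` as starting the server in the default VRF is an assumption taken from the behaviour reported in this thread, not from documentation.

```python
"""Added example: audit IOS XR SSH-server VRFs against MPP inband coverage."""
import re
from typing import Dict, List, Set

# Constructed sample, built from the config posted in the thread plus ASSUMED
# interface/vrf stanzas (the post says the bundle is in IPVPN-XXX but does not
# show the interface configuration). One space per nesting level, as in IOS XR.
SAMPLE_CONFIG = """\
interface Bundle-Ether10.999
 vrf IPVPN-XXX
!
interface MgmtEth0/RSP0/CPU0/0
 vrf Mgmt
!
control-plane
 management-plane
  inband
   interface Bundle-Ether10.999
    allow SSH peer
     address ipv4 10.1.0.0/16
    !
   !
  !
  out-of-band
   vrf Mgmt
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.0.0/16
    !
   !
  !
 !
!
ssh server v2
ssh server vrf IPVPN-XXX
"""

# The fix the OP applied: drop the global "ssh server v2" line.
FIXED_CONFIG = SAMPLE_CONFIG.replace("ssh server v2\n", "")

MPP_INBAND = ["control-plane", "management-plane", "inband"]


def parse_paths(config: str) -> List[List[str]]:
    """Turn indentation-structured config into one full path per line.
    '!' terminators are skipped; nesting comes from leading spaces."""
    paths: List[List[str]] = []
    stack: List[str] = []   # headers of the enclosing stanzas
    depths: List[int] = []  # indentation of each enclosing header
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while depths and depths[-1] >= depth:
            stack.pop()
            depths.pop()
        paths.append(stack + [line])
        stack.append(line)
        depths.append(depth)
    return paths


def interface_vrfs(paths: List[List[str]]) -> Dict[str, str]:
    """Map each top-level interface to its VRF ('default' when none is set)."""
    vrfs: Dict[str, str] = {}
    for p in paths:
        if p[0].startswith("interface "):
            name = p[0].split(None, 1)[1]
            if len(p) == 1:
                vrfs.setdefault(name, "default")
            elif len(p) == 2 and p[1].startswith("vrf "):
                vrfs[name] = p[1].split(None, 1)[1]
    return vrfs


def mpp_inband_ssh_interfaces(paths: List[List[str]]) -> Set[str]:
    """Interfaces under MPP inband that 'allow SSH' or 'allow all'."""
    found: Set[str] = set()
    for p in paths:
        if len(p) >= 5 and p[:3] == MPP_INBAND and p[3].startswith("interface "):
            toks = p[4].split()
            if len(toks) >= 2 and toks[0] == "allow" and toks[1].lower() in ("ssh", "all"):
                found.add(p[3].split(None, 1)[1])
    return found


def ssh_server_vrfs(paths: List[List[str]]) -> Set[str]:
    """VRFs in which an SSH server is started. ASSUMPTION (from the thread's
    observed behaviour): bare 'ssh server' / 'ssh server v2' = default VRF."""
    vrfs: Set[str] = set()
    for p in paths:
        if len(p) != 1:
            continue
        m = re.fullmatch(r"ssh server vrf (\S+)", p[0])
        if m:
            vrfs.add(m.group(1))
        elif p[0] in ("ssh server", "ssh server v2"):
            vrfs.add("default")
    return vrfs


def exposed_vrfs(config: str) -> List[str]:
    """VRFs with an SSH server but no MPP inband interface in that VRF."""
    paths = parse_paths(config)
    mpp = mpp_inband_ssh_interfaces(paths)
    if "all" in mpp:  # 'interface all' under inband covers every interface
        return []
    vrf_of = interface_vrfs(paths)
    covered = {vrf_of.get(i, "default") for i in mpp}
    return sorted(v for v in ssh_server_vrfs(paths) if v not in covered)


if __name__ == "__main__":
    print("as posted:", exposed_vrfs(SAMPLE_CONFIG))  # ['default']
    print("after fix:", exposed_vrfs(FIXED_CONFIG))   # []
```

Run against the posted configuration the checker reports the default VRF as exposed, because the only MPP inband interface sits in IPVPN-XXX while `ssh server v2` starts a server in the global table; with that line removed, as in the accepted fix, nothing is reported. The same logic would flag `ssh server vrf Mgmt` if it were added without a matching out-of-band or inband interface in that VRF.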
11-12-2013 08:37 AM
OK, I have been troubleshooting this. I removed all the control-plane config and was still able to SSH to ALL interfaces except the mgmt interfaces, so the OOB config is working as expected.
I added the config back in.
I then removed the line "ssh server v2" and MPP worked properly again: it blocked all connections that weren't going to interface Bundle-Ether10.999 for inband, and allowed just the mgmt interfaces for OOB.
I added the "ssh server v2" command again and it allowed SSH from anywhere to any (inband) interface again.
Can someone explain this?
Is it a bug?