Blocking Admin Access IOS XR

Hi,

I am really struggling with MPP on an ASR 9001.

I am sure this was working previously, but anyway I have an issue: I believe I had MPP configured and working to block SSH connections. I have since brought up BGP with a transit provider and can now see that I can open an SSH session to the public IP addresses from anywhere, from any source.

I have added an ACL to line default and specified vty-pool default 0 99 in the config as a short-term workaround, but as I am sure people are aware, using this method of blocking networks from SSH access still allows a user (on a blocked subnet) to open a session and get a username prompt.

The config guides do briefly mention two things that could be related. One was something about virtual interfaces; I don't know if Bundles are included in this.

The other thing worth noting is that Bundle-Ether10.999 is in an IPVPN and not in the global VRF. I don't think this is related, as I have tried removing this and just leaving the OOB config, and I can still SSH from anywhere on the internet!!!

My config is below:

line console
!
line default
 exec-timeout 0 0
 access-class ingress MGMT-NETWORKS
!
vty-pool default 0 99
control-plane
 management-plane
  inband
   interface Bundle-Ether10.999
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
  !
  out-of-band
   vrf Mgmt
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
   interface MgmtEth1/RSP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
  !
 !
!
ipv4 access-list MGMT-NETWORKS
 10 permit ipv4 10.1.0.0 0.0.255.255 any
 20 permit ipv4 10.2.0.0 0.0.255.255 any
 30 permit ipv4 10.3.0.0 0.0.255.255 any
!
ssh server v2
ssh server vrf IPVPN-XXX      <----- this is the VRF that int Bundle-Ether10.999 is in


OK, I have been troubleshooting this. I removed all the control-plane config and I was still able to SSH to ALL interfaces except the mgmt interfaces, so the OOB config is working as expected.

I added the config back in.

I then removed the line 'ssh server v2' and MPP worked properly again: it blocked all connections that weren't going to int Bundle-Ether10.999 for inband, and allowed just the mgmt interfaces for OOB.

Added the 'ssh server v2' command again and it allowed SSH from anywhere to any interface (inband) again.

Can someone explain this???

Is it a bug???

Accepted Solution

You enable the telnet or SSH server on a per-VRF basis.

Since your interface in MPP is tied to the VRF, basically the SSH server in global opens it up everywhere.

This is a bit misleading, I agree.

You could have done an 'interface all' underneath it and potentially blocked it there, but then you might as well remove the global server, which you did as the solution.

regards

xander
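The fix the thread arrives at, laid out as an added before/after example. This is not configuration from the original post or from Cisco documentation; the interface, VRF and address values are taken from the post above, the explanation in the comments is xander's, and the two 'show' commands assume a current IOS XR release.

```cisco
! Added example, not from the original post or Cisco docs. Names and addresses follow the post.
!
! --- As posted (weak): the only inband MPP interface is Bundle-Ether10.999, which lives in
! --- VRF IPVPN-XXX, yet 'ssh server v2' also starts an SSH server in the global (default) VRF.
! --- Per xander, the MPP entry is tied to the VRF of that interface, so the global-VRF server
! --- answers on every global-VRF address. The access-class on 'line default' does not help
! --- here: as the OP observed, a blocked source still gets as far as the username prompt.
control-plane
 management-plane
  inband
   interface Bundle-Ether10.999
    allow SSH peer
     address ipv4 10.1.0.0/16
     address ipv4 10.2.0.0/16
     address ipv4 10.3.0.0/16
    !
   !
  !
 !
!
ssh server v2
ssh server vrf IPVPN-XXX
!
! --- Corrected (what the OP confirmed works): run the SSH server only in the VRF that the
! --- MPP-listed interface belongs to, and start no SSH server in the global VRF at all.
no ssh server v2
ssh server vrf IPVPN-XXX
!
! --- Checks after commit: MPP as the router applies it, then the active SSH sessions.
! show mgmt-plane
! show ssh
```

Keep the access-class on line default as well; MPP drops the packet at the interface, while the line ACL only acts once the TCP session is up, so the two layers fail independently. xander's alternative, an 'interface all' entry under inband, would extend the inband policy to interfaces in every VRF, but the thread did not test it. The practical test is the one the OP ran: from a host outside the 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16 ranges, an SSH attempt to any global-VRF address should no longer connect at all, not merely stop at a username prompt.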