Hiya, I'm confused. I have this new and shiny ASR9001 with IOS XR on it, with supposedly totally superior local services access control, and stuff.
So, I configure:

    control-plane
     management-plane
      inband
       interface all
        allow all peer
         address ipv4 1.1.1.0/24
         address ipv6 2001:1:1::/48
        !
       !
      !
     !

(nothing else under control-plane/management-plane, addresses obviously faked)

I can see that this works perfectly to restrict access to telnet and ssh to sources in 1.1.1.0/24 or 2001:1:1::/48 -- but at the same time, the box happily answers NTP packets, both "time query" as well as "status query", from all over the world.

If I configure an explicit NTP ACL ("ntp access-group ipv* serve $ACL"), it stops answering the packet, but "debug ntp packet" tells me the packet is still arriving at the CPU level:

    RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
    RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
    ...

so, what am I missing here? How do I stop NTP packets not coming from configured NTP servers (those are all inside "1.1.1.0/24") from arriving at the CPU level?

(Yes, interface ACLs would work, of course, and when the box is in its final location, incoming ACLs on all transit links will prevent packets to the box, but I still think its control plane policing should catch NTP packets just as well as SSH or SNMP)

IOS XR 4.3.4, ASR 9001

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
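As an added illustration (not from the original post, nor Cisco code), a small Python check that parses "debug ntp packet" Rx lines in the format quoted above and reports which source addresses reached ntpd from outside the configured peer prefixes. The two 213.95.27.20 lines are the ones from the post; the 1.1.1.5 line, the IPv6 lines and the "some other message" line are constructed samples.

```python
import ipaddress
import re

# Prefixes from the "allow all peer" stanza in the post's management-plane config.
ALLOWED_PEERS = [ipaddress.ip_network(p) for p in ("1.1.1.0/24", "2001:1:1::/48")]

# Matches a "debug ntp packet" Rx line: "ntpd[258]: Rx <src>-><dst> on if <ifh>[...] (<n> bytes)"
RX_LINE = re.compile(
    r"ntpd\[\d+\]: Rx (?P<src>[0-9a-fA-F.:]+)->(?P<dst>[0-9a-fA-F.:]+)"
    r" on if (?P<ifh>0x[0-9a-fA-F]+)\[[^\]]*\] \((?P<size>\d+) bytes\)"
)

def parse_rx(line):
    """Return (src, dst, size) for a debug Rx line, or None if the line is not one."""
    m = RX_LINE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["size"]))

def is_allowed_peer(addr):
    """True if the source address falls inside one of the configured peer prefixes."""
    addr = ipaddress.ip_address(str(addr))
    return any(addr.version == net.version and addr in net for net in ALLOWED_PEERS)

def unexpected_ntp_sources(lines):
    """Count NTP packets that reached ntpd from sources outside the allowed prefixes."""
    counts = {}
    for line in lines:
        parsed = parse_rx(line)
        if parsed is None:
            continue
        src = parsed[0]
        if not is_allowed_peer(src):
            counts[str(src)] = counts.get(str(src), 0) + 1
    return counts

# Sample input: the two Rx lines from the post, plus constructed lines for an allowed
# IPv4 peer, an allowed IPv6 peer, an outside IPv6 source and an unrelated ntpd message.
SAMPLE_LOG = [
    "RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:53.100 : ntpd[258]: Rx 1.1.1.5->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:53.500 : ntpd[258]: Rx 2001:1:1::10->2001:db8::3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:54.200 : ntpd[258]: Rx 2001:db8:ffff::1->2001:db8::3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)",
    "RP/0/RSP0/CPU0:Aug 2 17:18:54.300 : ntpd[258]: some other message",
]

if __name__ == "__main__":
    for src, n in unexpected_ntp_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} NTP packet(s) reached ntpd despite the management-plane filter")
```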