Hiya,

I'm confused.  I have this new and shiny ASR9001 with IOS XR on it, with
supposedly totally superior local services access control, and stuff.

So, I configure:

control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 1.1.1.0/24
     address ipv6 2001:1:1::/48
    !
   !
  ! 
 !

(nothing else under control-plane/management-plane, addresses 
obviously faked)

I can see that this works perfectly to restrict access to telnet and ssh
to sources in 1.1.1.0/24 or 2001:1:1::/48 -- but at the same time, the
box happily answers NTP packets, both "time query" as well as "status 
query", from all over the world.

If I configure an explicit NTP ACL ("ntp access-group ipv* serve $ACL"),
it stops answering the packet, but "debug ntp packet" tells me the
packet is still arriving at the CPU level:

RP/0/RSP0/CPU0:Aug  2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
RP/0/RSP0/CPU0:Aug  2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)

... so, what am I missing here?  How do I stop NTP packets not coming from
configured NTP servers (those are all inside "1.1.1.0/24") from arriving
at the CPU level?  (Yes, interface ACLs would work, of course, and when
the box is in its final location, incoming ACLs on all transit links will
prevent packets to the box, but I still think its control plane policing
should catch NTP packets just as well as SSH or SNMP)

IOS XR 4.3.4, ASR 9001

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de


_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
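Added example, not part of Gert's post or of any Cisco tooling: a small probe
that builds the two packet kinds the post says the box answers from anywhere,
an NTP "time query" (mode 3 client request) and a "status query" (mode 6
control message, READVAR opcode, which is what ntpq -c rv sends), and parses
the mode 4 reply so you can check from an address outside the permitted
1.1.1.0/24 / 2001:1:1::/48 whether the router still responds after the MPP,
ntp access-group or interface ACL change. The sample replies used for the
offline checks are constructed here and are not captured from an ASR9001.

```python
"""NTP probe helpers (added example; constructed data, no real router output)."""
import socket
import struct
import sys
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch


def _encode_ts(t):
    """Unix float seconds -> (seconds, fraction) in NTP 64-bit timestamp form."""
    secs = int(t) + NTP_EPOCH_OFFSET
    frac = int((t - int(t)) * (1 << 32))
    return secs & 0xFFFFFFFF, frac & 0xFFFFFFFF


def _decode_ts(data, off):
    """NTP 64-bit timestamp at offset -> Unix float seconds."""
    secs, frac = struct.unpack_from("!II", data, off)
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_time_query(version=4, transmit=None):
    """Mode 3 client request, 48 bytes: LI=0, VN=version, mode=3, transmit
    timestamp filled in so the reply's origin timestamp can be matched."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | 3
    struct.pack_into("!II", pkt, 40, *_encode_ts(time.time() if transmit is None else transmit))
    return bytes(pkt)


def build_status_query(sequence=1):
    """Mode 6 control message, opcode 2 (READVAR) with no data: asks for the
    server's system variables. Header is 12 bytes: LI/VN/mode, R|E|M|opcode,
    sequence, status, association id, offset, count."""
    li_vn_mode = (0 << 6) | (2 << 3) | 6  # control messages carry version 2
    return struct.pack("!BBHHHHH", li_vn_mode, 0x02, sequence, 0, 0, 0, 0)


def parse_time_reply(data, t1, t4):
    """Parse a mode 4 server reply and compute the RFC 5905 clock offset
    ((t2 - t1) + (t3 - t4)) / 2 from the client's send (t1) and receive (t4) times."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    li_vn_mode, stratum, poll, precision = struct.unpack_from("!BBbb", data, 0)
    t2 = _decode_ts(data, 32)  # server receive timestamp
    t3 = _decode_ts(data, 40)  # server transmit timestamp
    return {
        "mode": li_vn_mode & 7,
        "version": (li_vn_mode >> 3) & 7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "refid": data[12:16],
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
    }


def parse_status_reply(data):
    """Parse a mode 6 reply: response bit, error bit, opcode and the text payload."""
    if len(data) < 12:
        raise ValueError("short control packet: %d bytes" % len(data))
    li_vn_mode, r_e_m_op, seq, status, assoc, offset, count = struct.unpack_from("!BBHHHHH", data, 0)
    return {
        "mode": li_vn_mode & 7,
        "response": bool(r_e_m_op & 0x80),
        "error": bool(r_e_m_op & 0x40),
        "opcode": r_e_m_op & 0x1F,
        "sequence": seq,
        "payload": data[12:12 + count],
    }


def make_sample_reply(stratum, refid, t2, t3, version=4):
    """Constructed mode 4 reply (sample data for offline checks, not a capture)."""
    pkt = bytearray(48)
    pkt[0] = (0 << 6) | (version << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = refid[:4].ljust(4, b"\x00")
    struct.pack_into("!II", pkt, 32, *_encode_ts(t2))
    struct.pack_into("!II", pkt, 40, *_encode_ts(t3))
    return bytes(pkt)


def make_sample_status_reply(payload, sequence=1):
    """Constructed mode 6 READVAR response (sample data, not a capture)."""
    return struct.pack("!BBHHHHH", (2 << 3) | 6, 0x82, sequence, 0, 0, 0, len(payload)) + payload


def probe(host, port=123, timeout=2.0):
    """Send both queries to host; a value of None means no answer within timeout.
    Run from a source address that the MPP/ACL is supposed to reject."""
    results = {}
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    for name, pkt in (("time", build_time_query()), ("status", build_status_query())):
        sock = socket.socket(family, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            t1 = time.time()
            sock.sendto(pkt, (host, port))
            data, _ = sock.recvfrom(512)
            t4 = time.time()
            results[name] = parse_time_reply(data, t1, t4) if name == "time" else parse_status_reply(data)
        except socket.timeout:
            results[name] = None
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: ntp_probe.py <router-address>")
```

If either key in the result is not None after the filter is in place, the
packet class is still being answered, which is exactly the symptom the post
describes; a None for "time" but an answer for "status" (or the reverse) tells
you the filter distinguishes the two modes.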
