Hello, this should help:

  lpts pifib hardware police flow ntp default rate 0

Configured NTP servers use "flow ntp known". There are many other HW rate limiters.

With regards,
Daniel

On 2.8.2014 17:27, Gert Doering wrote:
> Hiya,
>
> I'm confused. I have this new and shiny ASR9001 with IOS XR on it,
> with supposedly totally superior local services access control, and
> stuff.
>
> So, I configure:
>
> control-plane
>  management-plane
>   inband
>    interface all
>     allow all peer
>      address ipv4 1.1.1.0/24
>      address ipv6 2001:1:1::/48
>     !
>    !
>   !
>  !
>
> (nothing else under control-plane/management-plane, addresses
> obviously faked)
>
> I can see that this works perfectly to restrict access to telnet
> and ssh to sources in 1.1.1.0/24 or 2001:1:1::/48 -- but at the
> same time, the box happily answers NTP packets, both "time query"
> as well as "status query", from all over the world.
>
> If I configure an explicit NTP ACL ("ntp access-group ipv* serve
> $ACL"), it stops answering the packet, but "debug ntp packet" tells
> me the packet is still arriving at the CPU level:
>
> RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
> RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
>
> ... so, what am I missing here? How do I stop NTP packets not
> coming from configured NTP servers (those are all inside
> "1.1.1.0/24") from arriving at the CPU level?
>
> (Yes, interface ACLs would work, of course, and when the box is in its
> final location, incoming ACLs on all transit links will prevent packets
> to the box, but I still think its control plane policing should catch
> NTP packets just as well as SSH or SNMP)
>
> IOS XR 4.3.4, ASR 9001
>
> gert
>
> _______________________________________________
> cisco-nsp mailing list
> cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
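The LPTS flow model from Daniel's reply (a source that is a configured NTP server lands in "flow ntp known", any other source lands in "flow ntp default", and a rate-0 hardware policer on the default flow means those packets never reach ntpd), run over the kind of "debug ntp packet" lines Gert quoted, as an added example that is not part of this thread and not Cisco's code. The NTP server addresses, the third log line, the regex and the dictionary that stands in for the LPTS policer table are assumptions; the first two log lines and the management-plane prefixes are taken from the post.

```python
"""
Audit IOS XR "debug ntp packet" output against the LPTS NTP flow model
described in the thread (hypothetical example, not from the cisco-nsp post).
"""
import ipaddress
import re

# Matches the Rx lines quoted in the thread: "... ntpd[258]: Rx SRC->DST on if ..."
RX_RE = re.compile(r"ntpd\[\d+\]: Rx (?P<src>[0-9a-fA-F.:]+)->(?P<dst>[0-9a-fA-F.:]+) on if")

# Constructed sample log: the first two lines are the ones from the post, the
# third is an added line whose source sits inside the poster's (faked) server range.
SAMPLE_LOG = """\
RP/0/RSP0/CPU0:Aug 2 17:18:51.686 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
RP/0/RSP0/CPU0:Aug 2 17:18:52.687 : ntpd[258]: Rx 213.95.27.20->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
RP/0/RSP0/CPU0:Aug 2 17:18:53.001 : ntpd[258]: Rx 1.1.1.10->193.149.45.3 on if 0x4000180[unnamed, flags:0x0/0x11] (48 bytes)
"""

# Assumed configured NTP servers, chosen inside the 1.1.1.0/24 range from the post.
NTP_SERVERS = {"1.1.1.10", "1.1.1.11"}

# Management-plane inband allow-list from the post. As the thread shows, it
# gates telnet/ssh but not NTP, so it is reported separately from LPTS below.
MPP_PREFIXES = [ipaddress.ip_network("1.1.1.0/24"), ipaddress.ip_network("2001:1:1::/48")]

# Stand-in for the hardware policer table after the reply's
# "lpts pifib hardware police flow ntp default rate 0". Flows absent from the
# dict keep the platform default rate, which the thread does not state.
LPTS_POLICE = {"ntp default": 0}


def parse_rx(text):
    """Return (src, dst) for every ntpd Rx line in the debug output."""
    return [(m["src"], m["dst"]) for m in (RX_RE.search(line) for line in text.splitlines()) if m]


def lpts_flow(src, servers=NTP_SERVERS):
    """LPTS flow an inbound NTP packet from src is classified into."""
    return "ntp known" if src in servers else "ntp default"


def punted_to_cpu(src, police=LPTS_POLICE, servers=NTP_SERVERS):
    """True if the policer for the packet's flow still lets packets through to ntpd."""
    rate = police.get(lpts_flow(src, servers))
    return rate is None or rate > 0


def in_mpp_allowlist(src, prefixes=MPP_PREFIXES):
    """True if src falls inside the management-plane allow-list prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in prefixes)


def audit(text, police=LPTS_POLICE, servers=NTP_SERVERS):
    """Summarise which observed sources reach ntpd under the given policer table."""
    report = {"punted": [], "dropped_by_lpts": [], "outside_mpp": []}
    for src, _dst in parse_rx(text):
        key = "punted" if punted_to_cpu(src, police, servers) else "dropped_by_lpts"
        if src not in report[key]:
            report[key].append(src)
        if not in_mpp_allowlist(src) and src not in report["outside_mpp"]:
            report["outside_mpp"].append(src)
    return report


if __name__ == "__main__":
    # Without an NTP policer every source is punted, which is what Gert observed;
    # with "flow ntp default rate 0" only the configured server still reaches ntpd.
    print("without policer:", audit(SAMPLE_LOG, police={}))
    print("with policer:   ", audit(SAMPLE_LOG))
```

The "outside_mpp" list is there to make the thread's point visible in the output: 213.95.27.20 is outside the management-plane allow-list and still reaches ntpd until the LPTS policer, not the management-plane configuration, stops it.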