Best Way To Restrict SSH/Telnet On Cisco IOS XR

For security reasons, it is recommended to restrict remote access to your network over SSH or Telnet to a whitelist of IP addresses in order to prevent brute-force attacks. If you run Cisco IOS XR, you have come to the right place. Here we describe the recommended way to secure remote access on Cisco IOS XR. There are two ways to accomplish this.

1. Using ACL (Not Preferred Method)

This is how to apply an access-class, IOS-style:

line default
 access-class ingress MYACL

The line template default needs to be associated with your VTY pool or SSH pool, like this:

vty-pool default 0 4 line-template default

And of course, the Telnet daemon needs to be running:

telnet vrf default ipv4 server max-servers 4

Example Configuration:

ipv4 access-list VTY-ACL
 10 permit ipv4 any
 20 deny ipv4 any any log
!
ipv6 access-list VTY-ACL
 10 permit ipv6 2001:DB8::/32 any
 20 deny ipv6 any any log
!
vty-pool default 0 10
line default
 access-class ingress VTY-ACL

The reason this is not preferred is that every Telnet packet is first processed by the line card (LC) hardware and punted to the RP, then passes through the whole forwarding chain before the Telnet process finally checks it against the ACL and denies it. The unwanted traffic therefore still consumes RP resources before being dropped.

2. Using MPP (Recommended Method)

MPP (Management Plane Protection) is enforced in hardware, so packets from sources that are not on the allow list are dropped immediately on the line card and never forwarded. This saves system resources and provides better protection.

Example Configuration:

In the case below, only SSH is enabled for remote access; Telnet, which is considered an insecure protocol, is disabled.

line default
 transport input ssh
!
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4
     address ipv4
     address ipv6 1234:abcd::/32
!

Also, if multiple VRFs are configured on your system, use the commands below to enable the SSH server in specific VRFs.

ssh server vrf TRANSIT
ssh server vrf MANAGEMENT
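To check that a device actually ends up in the state described above, the following added script (not part of the original post or of any Cisco tool) audits an IOS XR configuration snippet for the three points this post makes: the Telnet server should not be running, the VTY line template should only accept SSH, and the MPP inband policy should allow SSH only from an explicit peer list. The sample configs and their peer addresses are constructed; the documentation-range prefixes stand in for whatever the post elided.

```python
import re

# Constructed sample configs (not from the post). Peer prefixes are
# documentation ranges used as placeholders.
WEAK_CONFIG = """\
telnet vrf default ipv4 server max-servers 4
line default
 transport input ssh telnet
!
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH
!
"""

HARDENED_CONFIG = """\
line default
 transport input ssh
!
control-plane
 management-plane
  inband
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
     address ipv6 2001:db8::/32
!
"""


def audit(config: str) -> list:
    """Return the list of issues found; an empty list means all checks pass."""
    issues = []
    lines = config.splitlines()
    if not re.search(r"^\s*management-plane\b", config, re.M):
        issues.append("no MPP management-plane configured")
    for i, raw in enumerate(lines):
        line = raw.strip()
        if re.match(r"telnet\s+vrf\s+\S+\s+ipv[46]\s+server", line):
            issues.append(f"telnet server enabled: {line}")
        if line.startswith("transport input") and "telnet" in line.split():
            issues.append(f"telnet allowed on VTY: {line}")
        if re.fullmatch(r"allow\s+ssh(\s+peer)?", line, re.I):
            # Collect the 'address ...' children, i.e. lines indented deeper
            # than the 'allow' statement; no children means any peer is allowed.
            indent = raw[: len(raw) - len(raw.lstrip())]
            peers = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(indent + " "):
                    break  # left the allow block
                m = re.match(r"\s*address\s+(ipv[46])\s+(\S+)", nxt)
                if m:
                    peers.append(f"{m.group(1)} {m.group(2)}")
            if not peers:
                issues.append(f"MPP allows SSH from any peer: {line}")
    return issues
```

Feed it the output of "show running-config" and review any non-empty result before trusting the device to be locked down.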

And that's it! Your Cisco IOS XR device is now protected against brute-force login attempts using the recommended method.
