For security reason, you are recommended to restrict remote access to your network via SSH or Telnet by allowing a certain whitelist IP addresses in order to prevent brute-force attack. If you own a Cisco IOS XR, you are coming to the right place. Here, we provide you the best and recommended way to secure your Cisco IOS XR. There are two ways that we can do to accomplish this.
1. Using ACL (Not Preferred Method)
This is how to apply the access-class a-la IOS:
line default access-class ingress MYACL
The line template default needs to be associated with your VTY pool or SSH pool right like this:
vty-pool default 0 4 line-template default
And of course, Telnet daemon needs to run:
telnet vrf default ipv4 server max-servers 4
Example Configuration: ipv4 access-list VTY-ACL 10 permit ipv4 10.0.0.0 0.0.0.255 any 20 deny ipv4 any any log ! ipv6 access-list VTY-ACL 10 permit ipv6 2001:DB8::/32 any 20 deny ipv6 any any log ! vty-pool default 0 10 line default access-class ingress VTY-ACL
The reason why this is not preferred is because all the traffic received for telnet is processed by the hardware on the LC and sent to the RP. Then goes through all the forwarding chain until Telnet verifies it against the ACL and says OK deny.
2. Using MPP (Recommended Method)
Using MPP, which is hardware based, we can drop packets immediately in the hardware so they are not further forwarded and saves system resources and provides better protection.
In below case, we enable only SSH for remote access and disabled Telnet which is consider as insecure protocol.
line default transport input ssh ! control-plane management-plane inband interface TenGigE0/0/0/0 allow SSH peer address ipv4 220.127.116.11/24 address ipv4 192.168.100.254/32 address ipv6 1234:abcd::/32 !
Also, if you are having multiple VRFs configured on your system, using below command to enable SSH for specific VRF.
ssh server vrf TRANSIT ssh server vrf MANAGEMENT
And that’s it!! Now you secure your Cisco XR from brute-force attack with the recommended way.