Cisco IOSXR 6.4.2 SSH on a vrf Interface

Abid Ghufran
Level 1

Hello,

I am trying to enable ssh on a vrf interface, on an ASR9K running 6.4.2 code.

Following is the configuration I am testing with:

A)
  control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <INTERFACE-NAME>
      allow SSH peer
       address ipv4 0.0.0.0/0

B)

   ssh server vrf <VRF-NAME>

Testing without the control-plane configuration (A) and enabling ssh on the VRF (B) , it works fine.

But when I enable control-plane configuration (A), it stops working. It behaves as if there is something explicitly blocking ssh incoming connection.

Following is the show command output:

!---------------------------------------------------------!

RP/0/RSP0/CPU0:lab_device#sh mgmt-plane out-of-band vrf

Management Plane Protection -
out-of-band VRF - <VRF-NAME>

!---------------------------------------------------------!

RP/0/RSP0/CPU0:lab_device#sh mgmt-plane interface <INTERFACE-NAME>

Management Plane Protection - outband interface

interface - <INTERFACE-NAME>
ssh configured -
peer v4 allowed - 0.0.0.0/0

!---------------------------------------------------------!

Please advise what could be the issue here and how it can be resolved.

Also what would be the command if I want to debug ssh traffic.

Thanks and regards.


Hi MHM. The link you have shared is quite generic and does not seem to have the specific issue I am experiencing. Rgds.

Sure, I will check and update you.

A VRF is not accepted as inband if that VRF is already set as an out-of-band VRF. SSH v1 continues to bind only to the default VRF.

https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r4-1/security/configuration/guide/syssec_cg41asr9k_chapter6.html

smilstea
Cisco Employee

What interface is the ssh traffic coming in and going out on?

Out of band means a mgmt port; in band means a data port like TenGigE x.

Thanks,

Sam

Hi Sam,

Please see the following document regarding in-band and out-of-band classification:

https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r6-1/security/configuration/guide/b-syssec-cg-crs-61x/b-syssec-cg-crs-61x_chapter_0110.html

Regards,

Abid Ghufran

Right, that is as I said and as the document says:

Inband Management Interface

An inband management interface is a Cisco IOS XR software physical or logical interface that processes management packets, as well as data-forwarding packets. An inband management interface is also called a shared management interface.

Out-of-Band Management Interface

Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage is that forwarding (or customer) traffic cannot interfere with the management of the router, which significantly reduces the possibility of denial-of-service attacks.

Out-of-band interfaces forward traffic only between out-of-band interfaces or terminate management packets that are destined to the router. In addition, the out-of-band interfaces can participate in dynamic routing protocols. The service provider connects to the router’s out-of-band interfaces and builds an independent overlay management network, with all the routing and policy tools that the router can provide.

MPP will let you configure an inband or out-of-band interface under either the out-of-band or the in-band configuration, but that doesn't mean it will work correctly.

When configuring a device for MPP for an inband interface, the "interface all" configuration does not apply a specific VRF filter and allows traffic for all source and destination interfaces.

I still have not seen it defined here: are you using a mgmt (out-of-band) port or a data (inband) port?

Sam

Hi,

I am taking it as:

In-band : physical or logical interface that processes management packets, as well as data-forwarding packets.

Out-of-band: an interface that allows only management protocol traffic to be forwarded or processed. Out-of-band interfaces forward traffic only between out-of-band interfaces or terminate management packets that are destined to the router. The service provider connects to the router’s out-of-band interfaces and builds an independent overlay management network, with all the routing and policy tools that the router can provide.

So, it can be any physical interface (GigEth) or a virtual interface (loopback) that can be defined under the control/management-plane as an out-of-band interface. Plus, it can be more than one interface, as the above explanation keeps referring to interfaces.

I am using a virtual loopback interface. It works fine without the "allow" statement but not with the "allow" statement (see below for the config codes I used for testing). So to confirm, I am not using the mgmt interface but a loopback virtual interface.

As explained below, I have tried a wildcard as well as a host specific address, under the "allow" statement, but it does not work. 

I will keep testing to investigate further.

Thanks,

Abid Ghufran

The physical port the packet arrives on matters as well. If you are using an LC port and a loopback, then you need to allow SSH on both. If you don't know which port the packet will arrive on, then use "interface all". As soon as you define a single interface, it will block traffic on all the others.

Sam
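As an added example (not configuration from the thread or from Cisco's documentation), this is the layout Sam describes: the SSHv2 listener bound to a management VRF, with both the loopback that is the SSH destination and the line-card port the packets actually arrive on listed under MPP out-of-band, each with the same restricted peer prefix instead of 0.0.0.0/0. The VRF, interface names and addresses are placeholders.

```text
! Placeholders (not from the thread): MGMT-VRF, Loopback100, TenGigE0/0/0/0,
! 10.255.0.1/32 as the loopback address, 192.0.2.0/24 as the management stations.
vrf MGMT-VRF
 address-family ipv4 unicast
!
interface Loopback100
 vrf MGMT-VRF
 ipv4 address 10.255.0.1 255.255.255.255
!
interface TenGigE0/0/0/0
 vrf MGMT-VRF
 ipv4 address 10.255.1.1 255.255.255.0
!
! Bind the SSHv2 listener to the management VRF (SSHv1 stays in the default VRF).
ssh server v2
ssh server vrf MGMT-VRF
!
! MPP: list both the loopback (the SSH destination) and the LC port the packets
! enter on; per Sam's note, an interface that is not listed is blocked once any
! single interface is defined. Both carry the same narrow peer prefix.
control-plane
 management-plane
  out-of-band
   vrf MGMT-VRF
   interface Loopback100
    allow SSH peer
     address ipv4 192.0.2.0/24
   interface TenGigE0/0/0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
!
! Check what MPP installed for each interface (same show commands the thread uses):
!   show mgmt-plane out-of-band vrf
!   show mgmt-plane interface Loopback100
!   show mgmt-plane interface TenGigE0/0/0/0
```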

I have noticed that, it works with just specifying the loopback interface (not the physical), both with and without the vrf, specified as well:

- Without VRF:

control-plane
   management-plane
    out-of-band
     interface <LOOPBACK-INTERFACE-NAME>

- With VRF:

control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <LOOPBACK-INTERFACE-NAME>

Now I am more confused, as I have not specified either "interface all" or the physical interface on which the traffic actually arrives. Probably I am looking at it the wrong way, as otherwise the Cisco documentation on this and what I see in the lab do not make sense.

Any idea(s)?

Abid Ghufran
Level 1

Hi All,

Thank you for your help.

I have been testing further in the lab and it seems that the MPP "allow" command is blocking the incoming connection:

control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <INTERFACE-NAME>
      allow SSH peer <<<<<<<<<<
       address ipv4 0.0.0.0/0 <<<<<<<<<<

It works fine if I remove the "allow" statement and just configure the following:

control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <INTERFACE-NAME>

This is with the following ssh statement:

ssh server vrf <VRF-NAME>

I have also tried giving the specific source IP address and without specifying anything:

!----------------------------------------------------------------------!

control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <INTERFACE-NAME>
      allow SSH peer
       address ipv4 a.b.c.d <<<<<<<<<< Source IP originating the SSH connection

!----------------------------------------------------------------------!

control-plane
   management-plane
    out-of-band
     vrf <VRF-NAME>
     interface <INTERFACE-NAME>
      allow SSH

!----------------------------------------------------------------------!

but none of the above work.

I will share further test information.

Regards.

Abid Ghufran

A VRF is not accepted as inband if that VRF is already set as an out-of-band VRF. SSH v1 continues to bind only to the default VRF.

Hi MHM,

I cannot see the option of configuring a vrf under inband:

RP/0/RSP0/CPU0:<device-name>(config)#control-plane
RP/0/RSP0/CPU0:<device-name>(config-ctrl)#management-plane
RP/0/RSP0/CPU0:<device-name>(config-mpp)#inband ?
interface Configure an inband interface
<cr>
RP/0/RSP0/CPU0:<device-name>(config-mpp)#inband

It only gives the option of a vrf under out-of-band:

RP/0/RSP0/CPU0:<device-name>(config-mpp)#out-of-band
RP/0/RSP0/CPU0:<device-name>(config-mpp-outband)#?
  apply-group         Apply configuration from a group
  apply-group-append  Append apply-group configuration from a group
  apply-group-remove  Remove a group from apply-group configuration
  clear               Clear the uncommitted configuration
  commit              Commit the configuration changes to running
  describe            Describe a command without taking real actions
  do                  Run an exec command
  end                 Exit from configure mode
  exclude-group       Exclude apply-group configuration from a group
  exclude-item        Negate a command or set its defaults
  exit                Exit from this submode
  interface           Configure an outband interface
  no                  Negate a command or set its defaults
  pwd                 Commands used to reach current submode
  root                Exit to the global configuration mode
  show                Show contents of configuration
  vrf                 configure mpp outband vrf
RP/0/RSP0/CPU0:<device-name>(config-mpp-outband)#abort

Unless I am missing the point and there is some other configuration option that I need to give to get a vrf option under inband mode.

The above is after I had removed the previous vrf configuration under the out-of-band setup.

Regards,

Abid Ghufran

Thanks MHM.

I am using ssh2 and tried with vrf under in-band, after removing it from out-of-band.

Regards.