We need a way to remotely access this device, and by default neither SSH nor Telnet is enabled.
First up, the easy one – telnet.
RP/0/RSP0/CPU0:R1(config)#telnet ipv4 server max-servers 10
And like that, we can telnet.
Ok, onto SSH – but before setting up SSH, we need to generate an RSA key. This is a bit different, as you do it from exec mode rather than config mode.
First up, add your domain-name if you do not have one:
RP/0/RSP0/CPU0:R1(config)#domain name fryguy.net
RP/0/RSP0/CPU0:R1(config)#commit
RP/0/RSP0/CPU0:R1#crypto key generate rsa
Sat Apr 21 00:36:07.790 UTC
The name for the keys will be: the_default
Choose the size of the key modulus in the range of 512 to 2048 for your General Purpose Keypair. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [1024]: 2048
Generating RSA keys …
Done w/ crypto generate keypair
[OK]
RP/0/RSP0/CPU0:R1#
Once we have generated the RSA key, we can now enable the SSH service:
RP/0/RSP0/CPU0:R1#conf t
Sat Apr 21 00:40:33.845 UTC
RP/0/RSP0/CPU0:R1(config)#ssh server v2
RP/0/RSP0/CPU0:R1(config)#commit
Sat Apr 21 00:40:39.939 UTC
And like that, SSH services are now enabled.
Ok, but what if we wanted to limit who has access to the box by IP address? That is where control-plane security (management-plane protection) comes in.
RP/0/RSP0/CPU0:R1(config)#control-plane
RP/0/RSP0/CPU0:R1(config-ctrl)#management-plane
RP/0/RSP0/CPU0:R1(config-mpp-inband)#int g0/1/0/18
RP/0/RSP0/CPU0:R1(config-mpp-inband-if)#allow SSH peer
RP/0/RSP0/CPU0:R1(config-ssh-peer)# address ipv4 192.168.0.0/24
RP/0/RSP0/CPU0:R1(config-ssh-peer)# allow Telnet peer
RP/0/RSP0/CPU0:R1(config-telnet-peer)#address ipv4 192.168.0.0/24
RP/0/RSP0/CPU0:R1(config-telnet-peer)#exit
RP/0/RSP0/CPU0:R1(config-mpp-inband)#comm
Sat Apr 21 01:09:45.163 UTC
And now to test, from a device on 192.168.0.0/24 network:
nX: ssh admin@150.1.1.1
admin@150.1.1.1’s password:
RP/0/RSP0/CPU0:R1#
There you go: SSH access on that interface only from the 192.168.0.0/24 subnet.
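The peer restriction above is only as good as the config that actually lands on the box, so a defender wants a quick way to check a running-config for the things this post turns on: is Telnet still listening, is SSH v2 enabled, and does every inband management-plane rule carry a peer address inside a trusted range? The following audit script is an added example, not the post author's or Cisco's code. The two config excerpts it parses are constructed here (the first mirrors the configuration built up in the post, the second is a deliberately open box), the indentation-based parsing assumes the nesting that IOS XR's `show running-config` prints, and the finding strings are this example's own wording.

```python
"""Audit an IOS XR running-config excerpt for remote-access exposure.

Checks which remote-access servers are enabled, whether the inband
management-plane protection (MPP) rules restrict SSH/Telnet to specific peers,
and whether any allowed peer address falls outside a trusted range.
"""
import ipaddress
import re

# Constructed sample mirroring the post: telnet + ssh v2, MPP on Gi0/1/0/18
# limited to 192.168.0.0/24 for both protocols.
HARDENED_CONFIG = """\
hostname R1
domain name fryguy.net
telnet ipv4 server max-servers 10
ssh server v2
control-plane
 management-plane
  inband
   interface GigabitEthernet0/1/0/18
    allow SSH peer
     address ipv4 192.168.0.0/24
    !
    allow Telnet peer
     address ipv4 192.168.0.0/24
    !
   !
  !
 !
!
"""

# Constructed sample of a box with MPP present but no peer restriction at all.
OPEN_CONFIG = """\
hostname R2
telnet ipv4 server max-servers 10
ssh server v2
control-plane
 management-plane
  inband
   interface all
    allow all
   !
  !
 !
!
"""


def iter_with_path(config_text):
    """Yield (enclosing_lines, line) for each config line, recovering the
    block nesting from the leading-space depth of the printed config."""
    stack = []  # (indent, text) of the blocks enclosing the current line
    for raw in config_text.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue  # blank lines and '!' block terminators carry no content
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        yield [t for _, t in stack], text
        stack.append((indent, text))


def audit(config_text, trusted_nets):
    """Return a list of finding strings; an empty list means nothing to flag."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    telnet_on = ssh_v2 = False
    rules = {}  # (interface, protocol) -> {"peer": bool, "addrs": [networks]}

    for path, text in iter_with_path(config_text):
        if not path:  # top-level statements
            if re.match(r"telnet ipv[46] server", text):
                telnet_on = True
            elif text.startswith("ssh server v2"):
                ssh_v2 = True
            continue
        if path[:3] != ["control-plane", "management-plane", "inband"]:
            continue
        if len(path) >= 4 and path[3].startswith("interface "):
            iface = path[3].split(None, 1)[1]
            if text.startswith("allow "):
                parts = text.split()
                rules[(iface, parts[1].lower())] = {"peer": "peer" in parts, "addrs": []}
            elif text.startswith("address ipv4 ") and len(path) >= 5 and path[4].startswith("allow "):
                key = (iface, path[4].split()[1].lower())
                rules.setdefault(key, {"peer": True, "addrs": []})
                rules[key]["addrs"].append(ipaddress.ip_network(text.split()[2], strict=False))

    if telnet_on:
        findings.append("telnet server enabled: credentials and session traverse the network in cleartext")
    if not ssh_v2:
        findings.append("ssh server v2 not enabled")
    if not rules:
        findings.append("no inband management-plane protection rules: every interface accepts management traffic from any source")
    for (iface, proto), rule in rules.items():
        if proto == "all":
            findings.append(f"{iface}: 'allow all' permits every management protocol")
        if not rule["peer"] or not rule["addrs"]:
            findings.append(f"{iface}: {proto} allowed without a peer address restriction")
        for net in rule["addrs"]:
            if not any(net.subnet_of(t) for t in trusted):
                findings.append(f"{iface}: {proto} peer {net} is outside the trusted ranges")
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("open", OPEN_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg, ["192.168.0.0/24"]):
            print(" -", finding)
```

Run against the post's configuration, the only finding is that Telnet is still enabled; the open sample trips the `allow all` and missing-peer checks as well. Feeding in a trusted range the peers do not belong to flags each peer address, which is the check to run after someone "temporarily" widens the subnet.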
And when the idle timeout is close to expiring, you will get a message:
RP/0/RSP0/CPU0:R1#
*
* The idle timeout is soon to expire on this line
*
Received disconnect from 150.1.1.1: 11:
IOS XR – Remote Access Services – Telnet and SSH
12 Wednesday Sep 2012
Rob said:
Great job, I’ve been looking for limiting the access and could not find it anywhere ! Thanks a million !