Lab - MPP
Load isis.ipv6.init.cfg
#IOS-XE
config replace flash:isis.ipv6.init.cfg
#IOS-XR
configure
load bootflash:isis.ipv6.init.cfg
commit replace
y

Configure MPP on R2 as follows:
Only allow management traffic inbound on Gi2.12, and only allow Telnet.
Configure MPP on XR1 as follows:
Only allow management traffic inbound on Gi0/0/0/0.519, and only allow Telnet from 4.4.4.4/32 and 2001:db8::4/128.
Configure IPv6 for ISIS using multi-topology.
Answer
Add IPv6-MT to ISIS
#R1-R6
router isis
 metric-style wide
 address-family ipv6
  multi-topology
#R1
interface Gi2.12
 ipv6 router isis
#R2
interface Gi2.12
 ipv6 router isis
interface Gi2.23
 ipv6 router isis
interface Gi2.24
 ipv6 router isis
#R3
interface Gi2.23
 ipv6 router isis
interface Gi2.34
 ipv6 router isis
interface Gi2.36
 ipv6 router isis
#R4
interface Gi2.24
 ipv6 router isis
interface Gi2.34
 ipv6 router isis
interface Gi2.46
 ipv6 router isis
interface Gi2.45
 ipv6 router isis
#R5
interface Gi2.56
 ipv6 router isis
interface Gi2.519
 ipv6 router isis
interface Gi2.45
 ipv6 router isis
#R6
interface Gi2.46
 ipv6 router isis
interface Gi2.619
 ipv6 router isis
interface Gi2.56
 ipv6 router isis
interface Gi2.36
 ipv6 router isis
#XR1
router isis 1
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
 !
 interface Loopback0
  address-family ipv6 unicast
 !
 interface GigabitEthernet0/0/0/0.519
  address-family ipv6 unicast
 !
 interface GigabitEthernet0/0/0/0.619
  address-family ipv6 unicast
 !
 interface GigabitEthernet0/0/0/0.1920
  address-family ipv6 unicast
 !
!
#XR2
router isis 1
 address-family ipv4 unicast
  metric-style wide
 !
 address-family ipv6 unicast
 !
 interface Loopback0
  address-family ipv6 unicast
 !
 interface GigabitEthernet0/0/0/0.1920
  address-family ipv6 unicast
 !
!
Configure MPP
#R2
control-plane host
 management-interface Gi2.12 allow telnet
!
line vty 0 15
 transport input telnet
#XR1
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0.519
    allow Telnet peer
     address ipv4 4.4.4.4
     address ipv6 2001:db8::4
!
telnet ipv4 server max-servers 10
telnet ipv6 server max-servers 10
Explanation
IOS-XE
MPP on IOS-XE is quite straightforward. You must be careful, though, because every management plane protocol that is not explicitly specified will be denied. In this lab the only management plane protocol allowed is Telnet arriving on Gi2.12; all other protocols (SNMP, SSH, HTTP, FTP, etc.) are dropped on every interface.
We can see that only R1 is able to telnet to R2:


Additionally, we can telnet to 2.2.2.2 only from R1, because R1's Telnet packets arrive via Gi2.12. Telnet from any other router arrives on Gi2.23 or Gi2.24 and is denied.


This is also the case for IPv6 telnet traffic.


IOS-XR
MPP on IOS-XR gives us a few more options. First we can specify an interface as either inband or out-of-band. I cannot get out-of-band interfaces to work though on XRv or XRv9K. The idea is that an out-of-band interface can no longer be used as a dataplane interface.
Next, we have the ability to filter based on incoming source address in addition to incoming interface.
Just like IOS-XE, any interfaces that are not specified will not allow any management plane traffic once you enable this feature.
On XR1 we set Gi0/0/0/0.519 as the only acceptable incoming interface for management traffic, and only allow Telnet from 4.4.4.4 and 2001:db8::4.
#XR1
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0.519
    allow Telnet peer
     address ipv4 4.4.4.4
     address ipv6 2001:db8::4
Let’s bring down Gi0/0/0/0.619 to get rid of the ECMP in the network.
#XR1
interface Gi0/0/0/0.619
 shutdown
We can verify that only R4 is able to telnet to XR1, and only from its Lo0 source address.



Remember that, just like IOS-XE, all non-specified protocols are denied. Currently all other protocols, such as SSH, SNMP and HTTP, are dropped by XR1. Every management protocol must be explicitly permitted when using MPP.
We can also see how MPP works on IOS-XR by inspecting the LPTS bindings that are created. Currently XR1 allows port 23 traffic inbound Gi0/0/0/0.519 from our specific source addresses, and inbound from the CPU itself. Also, port 22 has no bindings at all.

If we remove MPP, we can see that by default the router will accept port 22 and port 23 traffic incoming on any interface from any source.
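To check the reasoning above without a lab, here is an added Python model (my own example, not Cisco code and not from the original page) of the MPP decision on both platforms: the per-interface protocol allow-list, IOS-XR's peer filtering, default deny for unlisted interfaces and protocols, and the permit-anything default once MPP is removed. Source addresses other than 4.4.4.4 and 2001:db8::4 are constructed placeholders, and the binding table is a simplification of the LPTS output.

```python
"""Offline model of the MPP decisions described above (added example, not Cisco code)."""
from ipaddress import ip_address, ip_network

# Well-known ports of the management protocols the text mentions.
PORTS = {"telnet": 23, "ssh": 22, "http": 80, "snmp": 161}

# A policy maps each management interface to {protocol: set of allowed peer networks}.
# An empty peer set means "any source", which is all IOS-XE can express.
# R2: "management-interface Gi2.12 allow telnet"
R2_POLICY = {"Gi2.12": {"telnet": set()}}
# XR1: inband Gi0/0/0/0.519, "allow Telnet peer" 4.4.4.4 and 2001:db8::4
XR1_POLICY = {"Gi0/0/0/0.519": {"telnet": {ip_network("4.4.4.4/32"),
                                           ip_network("2001:db8::4/128")}}}

def mpp_permits(policy, ingress, src, dst_port):
    """True if a management packet reaches the host, False if MPP drops it.
    policy=None models the default before MPP is enabled: any port, any interface, any source."""
    if policy is None:
        return dst_port in PORTS.values()
    # Interfaces absent from the management-plane config receive no management traffic at all.
    if ingress not in policy:
        return False
    for proto, peers in policy[ingress].items():
        if PORTS[proto] == dst_port:
            # Mixed-version comparisons are False, so an IPv4 source never matches a v6 peer.
            return not peers or any(ip_address(src) in net for net in peers)
    return False  # protocol not explicitly allowed on this interface

def lpts_bindings(policy):
    """Derive the (port, interface, peer) bindings MPP would install, in the spirit of the
    LPTS table the text inspects (simplified: the router's own 'local' binding is omitted)."""
    if policy is None:
        return sorted((p, "any", "any") for p in PORTS.values())
    rows = []
    for ingress, protos in policy.items():
        for proto, peers in protos.items():
            for peer in (sorted(map(str, peers)) or ["any"]):
                rows.append((PORTS[proto], ingress, peer))
    return sorted(rows)

if __name__ == "__main__":
    # Source addresses other than the peers named in the lab are constructed placeholders.
    print("R1 -> R2 telnet via Gi2.12:", mpp_permits(R2_POLICY, "Gi2.12", "192.0.2.1", 23))
    print("R3 -> R2 telnet via Gi2.23:", mpp_permits(R2_POLICY, "Gi2.23", "192.0.2.3", 23))
    print("R4 (Lo0) -> XR1 telnet:", mpp_permits(XR1_POLICY, "Gi0/0/0/0.519", "4.4.4.4", 23))
    print("R4 (other src) -> XR1 telnet:", mpp_permits(XR1_POLICY, "Gi0/0/0/0.519", "192.0.2.4", 23))
    print("XR1 bindings with MPP:", lpts_bindings(XR1_POLICY))
    print("XR1 bindings without MPP:", lpts_bindings(None))
```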
