Notes - MPP (IOS-XE)
MPP (management plane protection) on IOS-XE is quite basic. You simply define the inband interface you would like to use as a management interface, and define which protocols are allowed.
Be aware that once you define the mgmt interface, no other mgmt traffic will be allowed on any other ports! This can be quite dangerous, as you could lock yourself out of the device. For example, the following config will only allow SNMP on BDI254. SSH, Telnet, etc. will be dropped on all interfaces, locking you out of the router.
control-plane host
management-interface BDI254 allow snmp
To reiterate: once the above configuration is set, the only management traffic allowed is SNMP incoming on BDI254. All other mgmt protocols will be denied on all interfaces.
You can define multiple mgmt interfaces as follows:
control-plane host
management-interface BDI254 allow snmp
management-interface Gi2 allow telnet
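Because the first management-interface line silently drops management traffic everywhere else, it is worth checking a candidate config for lock-out before committing it. The following Python script is an added example (not from these notes or from Cisco): it parses the control-plane host stanza out of a running-config text and reports whether the interface and protocol of your current session would survive. The sample config is constructed to mirror the two-interface example above; the interface name you pass as session_iface is assumed to be known to you (for example from the session you are logged in on).

```python
"""Lock-out check for an IOS-XE MPP stanza (added example, not from the notes)."""
import re
from typing import Dict, List, Set

# Constructed sample running-config mirroring the notes' two-interface example.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
control-plane host
 management-interface BDI254 allow snmp
 management-interface Gi2 allow telnet
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# One 'management-interface <ifname> allow <proto> [<proto> ...]' line.
MI_RE = re.compile(r"^\s*management-interface\s+(\S+)\s+allow\s+(.+?)\s*$")


def parse_mpp(config: str) -> Dict[str, Set[str]]:
    """Return {interface: {allowed protocols}} from the 'control-plane host' stanza."""
    allowed: Dict[str, Set[str]] = {}
    in_stanza = False
    for line in config.splitlines():
        if line.startswith("control-plane host"):
            in_stanza = True
            continue
        # The stanza ends at the next unindented line ('!' or another top-level command).
        if in_stanza and not line.startswith(" "):
            in_stanza = False
        if not in_stanza:
            continue
        m = MI_RE.match(line)
        if m:
            iface, protos = m.group(1), set(m.group(2).split())
            allowed.setdefault(iface, set()).update(protos)
    return allowed


def lockout_risks(config: str, session_iface: str, session_proto: str = "ssh") -> List[str]:
    """List the reasons the given management session would be cut off by this config.

    session_iface is the interface the current session enters the router on
    (assumed known to the operator); session_proto is the protocol it uses.
    """
    allowed = parse_mpp(config)
    risks: List[str] = []
    if not allowed:
        return risks  # no management-interface defined: MPP restricts nothing
    # Once any management-interface exists, every other interface drops all mgmt protocols.
    if session_iface not in allowed:
        risks.append(f"{session_iface} is not a management-interface; "
                     f"all mgmt traffic on it will be dropped")
    elif session_proto not in allowed[session_iface]:
        risks.append(f"{session_proto} is not allowed on {session_iface}")
    if not any(session_proto in protos for protos in allowed.values()):
        risks.append(f"{session_proto} is not allowed on any interface")
    return risks


if __name__ == "__main__":
    for risk in lockout_risks(SAMPLE_CONFIG, "GigabitEthernet1", "ssh"):
        print("RISK:", risk)
```

Run against the sample, an SSH session arriving on GigabitEthernet1 is reported as lost twice over: the interface is not a management-interface at all, and SSH is not permitted anywhere. The same check with Gi2 and telnet returns no risks, which is the one session the sample would keep alive.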
You can confirm the configuration and packet counts using the following show command:

You can also filter the output on a per-protocol basis:

Comparisons to MPP on IOS-XR
IOS-XE does not allow you to specify filters in MPP. You can only control which protocols are accepted per incoming interface, and that is all. With IOS-XR, you can additionally filter the acceptable source IP addresses.
With IOS-XR, you specify interfaces as either inband or out-of-band. Theoretically, if you specify a physical data interface as OoB, it should not process data plane traffic any longer. However, I was not able to verify this on XRv9K. With IOS-XE, the interface is always inband. It will still process data plane packets after you configure it as a mgmt interface. In fact, with IOS-XE, you are limited to only using in-band interfaces. You cannot specify the external Mgmt interface under MPP.
Further Reading
https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html