Notes - MPP (IOS-XR)
On IOS-XR, MPP controls which interfaces can be used for management traffic, and also allows you to perform filtering of management traffic.
An inband management interface is a physical or logical interface on the router that processes management traffic as well as data-plane traffic. This is sometimes called a “shared management interface.”
An out-of-band management interface is an interface that only allows management protocol traffic, and no data-plane traffic. An interface that is configured as an out-of-band management interface can only forward traffic out another out-of-band interface. Additionally, the out-of-band interface can still participate in dynamic routing protocols.
Once you configure management interfaces under control-plane management-plane, only those specific interfaces will accept mgmt traffic. You can further restrict the source address of the management traffic using allow … peer.
MPP can be configured for:
TFTP
Telnet
SNMP
SSH
XML
HTTP
Netconf
Examples
The following config only allows Telnet traffic on inband port Gi0/0/0/0.3012. This port still functions as a data-plane port since it is specified as “inband.”
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0.3012
    allow Telnet
Theoretically, the following configuration should cause the interface to become an OoB interface. It should only accept Telnet traffic and not data plane traffic. However, on the XRv9000 I cannot get this to work. Telnet is not accepted on the interface, and data plane traffic still works. This seems to be a limitation of the XRv9000 data plane?
control-plane
 management-plane
  out-of-band
   vrf MGMT_PLANE
   interface GigabitEthernet0/0/0/0.3012
    allow Telnet
To filter the allowed sources, we can use the peer keyword.
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0.3012
    allow Telnet peer
     address ipv4 10.0.0.2
     address ipv4 20.0.0.0/24
The LPTS bindings show that port 23 traffic is only accepted inbound on Gi0/0/0/0.3012 from 10.0.0.2 and 20.0.0.0/24:
RP/0/RP0/CPU0:XR1(config)#do sho lpts bindings brief | in 23
Wed Feb 7 22:55:02.554 UTC
0/RP0/CPU0 TCP LR IPV4 TCP default Gi0/0/0/0.3012 any,23 10.0.0.2
0/RP0/CPU0 TCP LR IPV4 TCP default Gi0/0/0/0.3012 any,23 20.0.0.0/24
A shortcut to filter the allowed sources without restricting which interfaces can be used for the management plane is to use interface all. This is basically just an alternative to applying an ACL to the management protocol (Telnet in this case).
control-plane
 management-plane
  inband
   interface all
    allow Telnet peer
     address ipv4 10.0.0.3
     address ipv4 20.0.0.0/24
! or use "telnet ipv4 server max-servers # access-list NAME" to achieve this with an ACL
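As an added example (not from the notes above), a small Python audit that parses an MPP stanza of the shape shown in these examples and reports any allow that has no peer filter, i.e. a management protocol accepted from any source on that interface. The config text inside it is constructed for the example; the MgmtEth interface name and the 192.0.2.0/24 range are assumed values.

```python
"""Audit an IOS-XR MPP stanza (added example, not from the notes).

parse_mpp() maps {(mode, interface): {protocol: [peer addresses]}}; an
empty peer list means the protocol is accepted from any source there.
"""

# Constructed sample config. The inband 'interface all' entry allows SSH
# with no peer filter, which is the case the audit is meant to surface.
SAMPLE_MPP_CONFIG = """\
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0.3012
    allow Telnet peer
     address ipv4 10.0.0.2
     address ipv4 20.0.0.0/24
   interface all
    allow SSH
  out-of-band
   vrf MGMT_PLANE
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 192.0.2.0/24
"""


def parse_mpp(config_text):
    """Return {(mode, interface): {protocol: [peers]}} for the stanza."""
    policy = {}
    mode = iface = proto = None
    for raw in config_text.splitlines():
        s = raw.strip()
        if s in ("inband", "out-of-band"):
            mode, iface, proto = s, None, None
        elif s.startswith("interface ") and mode is not None:
            iface, proto = s.split(None, 1)[1], None
            policy.setdefault((mode, iface), {})
        elif s.startswith("allow ") and iface is not None:
            proto = s.split()[1]
            policy[(mode, iface)][proto] = []   # [] == any source allowed
        elif s.startswith("address ") and proto is not None:
            policy[(mode, iface)][proto].append(s.split()[-1])
    return policy


def unrestricted_allows(policy):
    """(mode, interface, protocol) triples that accept traffic from any peer."""
    return sorted((m, i, p) for (m, i), protos in policy.items()
                  for p, peers in protos.items() if not peers)


if __name__ == "__main__":
    print(unrestricted_allows(parse_mpp(SAMPLE_MPP_CONFIG)))
```

Feed it the output of show running-config control-plane from a real box to get the same report for that device.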