
Saturday, February 15, 2014

What are the steps in configuring MPP On IOS XR To Control Network Management Traffic?


What are the features of MPP and how can we configure MPP on IOS XR to Control Network Management Traffic?

The management plane refers to the router's architectural components that process traffic destined for the management of the routing platform. Management Plane Protection (MPP) is a feature introduced in Release 3.5.0 that controls the interfaces on which network management traffic can enter the router. This enhances router-level security and gives the network administrator finer granularity in controlling management access to the router.

In the context of MPP, an in-band management interface is an interface that receives and processes management packets and also forwards Internet traffic. This interface is also referred to as a shared management interface.

An out-of-band interface allows only management protocol traffic to be forwarded or processed. This type of interface does not receive or process any customer or Internet traffic and therefore has lower potential for becoming a victim of a DoS attack. Out-of-band interfaces are usually also the last-hop interfaces in the life of a packet; those packets are then processed by higher-layer protocols on the router.

Following are the features of MPP:


  • Enhances the manageability and security aspects of IOS XR.
  • Helps alleviate the need to configure additional access lists to control router access.
  • Management ports on the RP and DRP are not configurable under MPP because they are out of band by default.
  • Controls incoming traffic for management protocols such as TFTP, Telnet, Simple Network Management Protocol (SNMP), SSH, and HTTP.
  • Allows control for both in-band and out-of-band interfaces.
  • Can specify a peer IPv4 or IPv6 address or subnet from which traffic is allowed, providing finer control.
  • Prevents packet floods on switching and routing interfaces from reaching the CPU.

Configuration Example:


By default, all interfaces accept management traffic; once MPP is configured for a service, only the interfaces (and peers) you define for that service accept it.

RP/0/0/CPU0:Router2#conf t
Wed May 15 22:09:17.316 UTC
RP/0/0/CPU0:Router2(config)#control-plane
RP/0/0/CPU0:Router2(config-ctrl)#management-plane
RP/0/0/CPU0:Router2(config-mpp)#inband
RP/0/0/CPU0:Router2(config-mpp-inband)#int gig0/0/0/1
RP/0/0/CPU0:Router2(config-mpp-inband-if)#allow telnet
RP/0/0/CPU0:Router2(config-mpp-inband-if)#exit
RP/0/0/CPU0:Router2(config-mpp-inband)#exit
RP/0/0/CPU0:Router2(config-mpp)#out-of-band
RP/0/0/CPU0:Router2(config-mpp-outband)#vrf MGMT
RP/0/0/CPU0:Router2(config-mpp-outband)#interface Gig 0/0/0/3
RP/0/0/CPU0:Router2(config-mpp-outband-if)#allow ssh peer
RP/0/0/CPU0:Router2(config-ssh-peer)#address ipv4 1.1.1.1
RP/0/0/CPU0:Router2(config-ssh-peer)#address ipv4 192.168.1.0/24
RP/0/0/CPU0:Router2(config-ssh-peer)#exit
RP/0/0/CPU0:Router2(config-mpp-outband-if)#allow SNMP peer address ipv4 192.168.1.1
RP/0/0/CPU0:Router2(config-mpp-outband-if)#commit
Wed May 15 22:11:38.607 UTC
RP/0/0/CPU0:Router2(config-mpp-outband-if)#end
RP/0/0/CPU0:Router2#

The above MPP configuration allows Telnet on only one in-band interface, gig0/0/0/1 (from any peer), while the out-of-band management interface gig0/0/0/3 under VRF MGMT allows SSH only from 1.1.1.1 and 192.168.1.0/24, and SNMP only from 192.168.1.1.

Verification:


RP/0/0/CPU0:Router2#sh mgmt-plane
Wed May 15 22:16:02.529 UTC


Management Plane Protection

inband interfaces
----------------------

interface - GigabitEthernet0/0/0/1
       telnet configured -
               All peers allowed

outband interfaces
----------------------
interface - GigabitEthernet0_0_0_3/
       ssh configured -
               peer v4 allowed - 1.1.1.1
               peer v4 allowed - 192.168.1.0/24
       snmp configured -
               peer v4 allowed - 192.168.1.1
RP/0/0/CPU0:Router2#
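As an added example that is not part of the original post, the following Python script parses the `show mgmt-plane` output shown above into a structure and flags entries a reviewer would question: cleartext Telnet anywhere, and any in-band protocol left open to all peers. The parser and the audit rules are hypothetical helpers written for this page, and the embedded sample is a constructed copy of the session output above.

```python
# Added example (not from the post): parse `show mgmt-plane` output and flag
# risky entries. SAMPLE is a constructed copy of the session in the post.
SAMPLE = """\
Management Plane Protection
inband interfaces
interface - GigabitEthernet0/0/0/1
       telnet configured -
               All peers allowed
outband interfaces
interface - GigabitEthernet0_0_0_3/
       ssh configured -
               peer v4 allowed - 1.1.1.1
               peer v4 allowed - 192.168.1.0/24
       snmp configured -
               peer v4 allowed - 192.168.1.1
"""

def parse_mgmt_plane(text):
    """Return {'inband'|'outband': {iface: {proto: [peers]}}}; 'any' = all peers."""
    result = {"inband": {}, "outband": {}}
    section = iface = proto = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" interfaces"):            # "inband interfaces"
            section = line.split()[0]
        elif line.startswith("interface - "):
            # drop the stray trailing "/" the CLI printed for the outband port
            iface = line.split(" - ", 1)[1].rstrip("/")
            result[section][iface] = {}
        elif line.endswith(" configured -"):        # "ssh configured -"
            proto = line.split()[0]
            result[section][iface][proto] = []
        elif line == "All peers allowed":
            result[section][iface][proto].append("any")
        elif line.startswith("peer v"):             # "peer v4 allowed - <addr>"
            result[section][iface][proto].append(line.split(" - ", 1)[1])
    return result

def audit(parsed):
    """Flag cleartext telnet anywhere and in-band protocols open to all peers."""
    findings = []
    for section, ifaces in parsed.items():
        for iface, protos in ifaces.items():
            for proto, peers in protos.items():
                if proto == "telnet":
                    findings.append(f"{iface}: telnet is cleartext, prefer ssh")
                if section == "inband" and "any" in peers:
                    findings.append(f"{iface}: {proto} in-band with no peer filter")
    return findings
```

Run `audit(parse_mgmt_plane(SAMPLE))` against the sample, or feed it the output of `show mgmt-plane` captured from a live router; on the post's configuration it flags only the in-band Telnet entry.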

MPP show commands:

1) RP/0/0/CPU0:Router2#sh mgmt-plane interface
2) RP/0/0/CPU0:Router2#sh mgmt-plane inband
3) RP/0/0/CPU0:Router2#sh mgmt-plane out-of-band

MPP debug Commands:

  • debug management-plane detail
  • debug management-plane errors
  • debug management-plane events
  • debug management-plane detail job
  • debug management-plane errors job
  • debug management-plane events job

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.

1 comment:

  1. It's easier to do this by using total network inventory and similar network managers that help to configure MPP.
