-
Cisco IOS XR System Security Command Reference, Release 3.5
-
Preface
-
Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software
-
Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software
-
IPSec Network Security Commands on Cisco IOS XR Software
-
Public Key Infrastructure Commands on Cisco IOS XR Software
-
Secure Shell Commands on Cisco IOS XR Software
-
Secure Socket Layer Protocol Commands on Cisco IOS XR Software
-
Software Authentication Manager Commands on Cisco IOS XR Software
-
Key Chain Management Commands on Cisco IOS XR Software
-
Management Plane Protection Commands on Cisco IOS XR Software
-
Virtual Firewall Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Management Plane Protection Commands on Cisco IOS XR Software
Management Plane Protection Commands on Cisco IOS XR Software
This module describes the Cisco IOS XR software commands used to configure management plane protection (MPP).
For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Management Plane Protection on Cisco IOS XR Software configuration module.
allow
To configure an interface as an inband interface for a specified protocol or all protocols, use the allow command in management plane protection inband interface configuration mode. To disallow a protocol on an interface, use the no form of this command.
allow {protocol | all}
no allow {protocol | all}
Syntax Description
Defaults
By default, no management protocol is allowed on any interface except the management interfaces.
Command Modes
Management plane protection inband interface configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
If you permit or allow a specific protocol to an interface, traffic is allowed only for that protocol, and all other management traffic is dropped.
After you configure the interface as inband, the specified (or all) protocol's traffic is allowed on the interface. All other interfaces, which are not configured as inband interfaces, would drop the protocol traffic.
Task ID
Examples
The following example shows how to configure all management protocols for all inband interfaces:
RR/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# control-planeRP/0/RP0/CPU0:router(config-ctrl)# management-planeRP/0/RP0/CPU0:router(config-mpp)# inbandRP/0/RP0/CPU0:router(config-mpp-inband)# interface allRP/0/RP0/CPU0:router(config-mpp-inband-all)# allow allRelated Commands
control-plane
To enter the control plane configuration mode, use the control-plane command in global configuration mode. To disable all the configurations under control plane mode, use the no form of this command.
control-plane
no control-plane
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the control-plane command to enter control plane configuration mode.
Task ID
Examples
The following example shows how to enter control plane configuration mode using the control-plane command:
RR/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# control-planeRP/0/RP0/CPU0:router(config-ctrl)#Related Commands
inband
To configure an inband interface and to enter management plane protection inband configuration mode, use the inband command in management plane protection configuration mode. To disable all configurations under inband configuration mode, use the no form of this command.
inband
no inband
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Management plane protection inband configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the inband command to enter management plane protection inband configuration mode.
Task ID
Examples
The following example shows how to enter management plane protection inband configuration mode using the inband command:
RR/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# control-planeRP/0/RP0/CPU0:router(config-ctrl)# management-planeRP/0/RP0/CPU0:router(config-mpp)# inbandRP/0/RP0/CPU0:router(config-mpp-inband)#Related Commands
interface (MPP)
To configure a specific interface or all interfaces as an inband interface, use the interface command in management plane protection inband configuration mode. To disable all the configurations under interface mode, use the no form of this command.
interface {type instance | all}
no interface {type instance | all}
Syntax Description
Defaults
No default behavior or values
Command Modes
Management plane protection inband configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the interface command to enter management plane protection inband interface configuration mode.
For the instance argument, you cannot configure MgmtEth interfaces as inband interfaces.
Task ID
Examples
The following example shows how to configure all interfaces for MPP:
RR/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# control-planeRP/0/RP0/CPU0:router(config-ctrl)# management-planeRP/0/RP0/CPU0:router(config-mpp)# inbandRP/0/RP0/CPU0:router(config-mpp-inband)# interface allRP/0/RP0/CPU0:router(config-mpp-inband-all)#Related Commands
management-plane
To configure management plane protection to allow and disallow protocols, use the management-plane command in control plane configuration mode. To disable all configurations under management-plane mode, use the no form of this command.
management-plane
no management-plane
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Control plane configuration
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Use the management-plane command to enter the management plane protection configuration mode.
Task ID
Examples
The following example shows how to enter management plane protection configuration mode using the management-plane command:
RR/0/RP0/CPU0:router# configureRP/0/RP0/CPU0:router(config)# control-planeRP/0/RP0/CPU0:router(config-ctrl)# management-planeRP/0/RP0/CPU0:router(config-mpp)#Related Commands
show mgmt-plane
To display information about the management plane such as type of interface and protocols enabled on the interface, use the show mgmt-plane command in EXEC mode.
show mgmt-plane [interface {type instance}]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Task ID
Examples
The following sample output displays all the interfaces that are configured as inband interfaces under MPP:
RR/0/RP0/CPU0:router# show mgmt-planeManagement Plane Protection - inband interfacesInterface - POS0/5/0/0SSH AllowedInterface - POS0/5/0/1TELNET AllowedALL Protocols AllowedRelated Commands
HTTP(S)