Support

Table Of Contents

Management Plane Protection Commands on Cisco IOS XR Software

address ipv4 (MPP)

address ipv6 (MPP)

allow

control-plane

inband

interface (MPP)

management-plane

out-of-band

show mgmt-plane

vrf (MPP)

Management Plane Protection Commands on Cisco IOS XR Software

---

This module describes the Cisco IOS XR software commands used to configure management plane protection (MPP).

For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Management Plane Protection on Cisco IOS XR Software configuration module.

address ipv4 (MPP)

To configure the peer IPv4 address in which management traffic is allowed on the interface, use the address ipv4 command in interface peer configuration mode. To remove the IP address that was previously configured on this interface, use the no form of this command.

address ipv4 {peer-ip-address | peer ip-address/length}

no address ipv4 {peer-ip-address | peer ip-address/length}

Syntax Description

peer-ip-address	Peer IPv4 address in which management traffic is allowed on the interface. This address can effectively be the source address of the management traffic that is coming in on the configured interface.
peer ip-address/length	Prefix of the peer IPv4 address.

Defaults

If no specific peer is configured, all peers are allowed.

Command Modes

Interface peer configuration

Command History

Release	Modification
Release 3.6.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to configure the peer IPv4 address 10.1.0.0 with a prefix of 16 for management traffic:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# inband

RP/0/RP0/CPU0:router(config-mpp-inband)# interface POS 0/6/0/0

RP/0/RP0/CPU0:router(config-mpp-inband-POS0_6_0_0)# allow Telnet peer

RP/0/RP0/CPU0:router(config-telnet-peer)# address ipv4 10.1.0.0/16

Related Commands

Command	Description
address ipv6 (MPP)	Configures the peer IPv6 address in which management traffic is allowed on the interface.
allow	Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

address ipv6 (MPP)

To configure the peer IPv6 address in which management traffic is allowed on the interface, use the address ipv6 command in interface peer configuration mode. To remove the IP address that was previously configured on this interface, use the no form of this command.

address ipv6 {peer-ip-address | peer ip-address/length}

no address ipv6 {peer-ip-address | peer ip-address/length}

Syntax Description

peer-ip-address	Peer IPv6 address in which management traffic is allowed on the interface. This address can effectively be the source address of the management traffic that is coming in on the configured interface.
peer ip-address/length	Prefix of the peer IPv6 address.

Defaults

If no specific peer is configured, all peers are allowed.

Command Modes

Interface peer configuration

Command History

Release	Modification
Release 3.6.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to configure the peer IPv6 address 33::33 for management traffic:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# out-of-band

RP/0/RP0/CPU0:router(config-mpp-outband)# interface POS 0/6/0/2

RP/0/RP0/CPU0:router(config-mpp-outband-POS0_6_0_2)# allow TFTP peer

RP/0/RP0/CPU0:router(config-tftp-peer)#address ipv6 33::33

Related Commands

Command	Description
address ipv4 (MPP)	Configures the peer IPv4 address in which management traffic is allowed on the interface.
allow	Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

allow

To configure an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols, use the allow command in management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration. To disallow a protocol on an interface, use the no form of this command.

allow {protocol | all} [peer]

no allow {protocol | all} [peer]

Syntax Description

protocol	Interface configured to allow peer-filtering for the following specified protocol's traffic: •HTTP(S) •SNMP (also versions) •Secure Shell (v1 and v2) •TFTP •Telnet
all	Configures the interface to allow peer-filtering for all the management traffic that is specified in the list of protocols.
peer	(Optional) Configures the peer address on the interface. Peer refers to the neighboring router interface in which traffic might arrive to the main router.

Defaults

By default, no management protocol is allowed on any interface except the management interfaces.

Command Modes

Management plane protection inband interface configuration

Management plane protection out-of-band interface configuration

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	The following modifications were added: •The peer keyword was added to support peer-filtering. •Management plane protection out-of-band interface configuration mode was added.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

If you permit or allow a specific protocol to an interface, traffic is allowed only for that protocol, and all other management traffic is dropped.

After you configure the interface as inband or out-of-band, the specified protocol's traffic, or all protocol traffic, is allowed on the interface. Interfaces that are not configured as inband or out-of-band interfaces, drop the protocol traffic.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to configure all management protocols for all inband interfaces:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# inband

RP/0/RP0/CPU0:router(config-mpp-inband)# interface all

RP/0/RP0/CPU0:router(config-mpp-inband-all)# allow all

The following example shows how to configure peer-filtering for the TFTP protocol for out-of-band interfaces:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# out-of-band

RP/0/RP0/CPU0:router(config-mpp-outband)# interface POS 0/6/0/2

RP/0/RP0/CPU0:router(config-mpp-outband-POS0_6_0_2)# allow TFTP peer

RP/0/RP0/CPU0:router(config-tftp-peer)#

Related Commands

Command	Description
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

control-plane

To enter the control plane configuration mode, use the control-plane command in global configuration mode. To disable all the configurations under control plane mode, use the no form of this command.

control-plane

no control-plane

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	No modification.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the control-plane command to enter control plane configuration mode.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to enter control plane configuration mode using the control-plane command:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# 

Related Commands

Command	Description
management-plane	Configures management plane protection to allow and disallow protocols.

inband

To configure an inband interface and to enter management plane protection inband configuration mode, use the inband command in management plane protection configuration mode. To disable all configurations under inband configuration mode, use the no form of this command.

inband

no inband

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Management plane protection inband configuration

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	No modification.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the inband command to enter management plane protection inband configuration mode.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to enter management plane protection inband configuration mode using the inband command:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# inband

RP/0/RP0/CPU0:router(config-mpp-inband)# 

Related Commands

Command	Description
control-plane	Configures the control plane.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

interface (MPP)

To configure a specific interface or all interfaces as an inband or out-of-band interface, use the interface command in management plane protection inband configuration mode or management plane protection out-of-band configuration mode. To disable all the configurations under an interface mode, use the no form of this command.

interface {type instance | all}

no interface {type instance | all}

Syntax Description

type	Interface type. For more information, use the question mark (?) online help function.
instance	Either a physical interface instance or a virtual interface instance as follows: •Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation. –rack: Chassis number of the rack. –slot: Physical slot number of the modular services card or line card. –module: Module number. A physical layer interface module (PLIM) is always 0. –port: Physical port number of the interface. Note In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0. Example: interface MgmtEth0/RP1/CPU0/0. •Virtual interface instance. Number range varies depending on interface type. For more information about the syntax for the router, use the question mark (?) online help function.
all	Configures all interfaces to allow for management traffic.

Defaults

No default behavior or values

Command Modes

Management plane protection inband configuration

Management plane protection out-of-band configuration

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	The management plane protection out-of-band configuration mode was added.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the interface command to enter management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration mode.

For the instance argument, you cannot configure Management Ethernet interfaces as inband interfaces.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to configure all inband interfaces for MPP:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# inband

RP/0/RP0/CPU0:router(config-mpp-inband)# interface all

RP/0/RP0/CPU0:router(config-mpp-inband-all)#

The following example shows how to configure all out-of-band interfaces for MPP:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# out-of-band

RP/0/RP0/CPU0:router(config-mpp-outband)# interface all

RP/0/RP0/CPU0:router(config-mpp-outband-all)#

Related Commands

Command	Description
allow	Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

management-plane

To configure management plane protection to allow and disallow protocols, use the management-plane command in control plane configuration mode. To disable all configurations under management-plane mode, use the no form of this command.

management-plane

no management-plane

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Control plane configuration

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	No modification.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the management-plane command to enter the management plane protection configuration mode.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to enter management plane protection configuration mode using the management-plane command:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# 

Related Commands

Command	Description
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.

out-of-band

To configure out-of-band interfaces or protocols and to enter management plane protection out-of-band configuration mode, use the out-of-band command in management plane protection configuration mode. To disable all configurations under management plane protection out-of-band configuration mode, use the no form of this command.

out-of-band

no out-of-band

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Management plane protection configuration

Command History

Release	Modification
Release 3.6.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the out-of-band command to enter management plane protection out-of-band configuration mode.

Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage is that forwarding (or customer) traffic cannot interfere with the management of the router.

Task ID

Task ID	Operations
system	read, write

Examples

The following example shows how to enter management plane protection out-of-band configuration mode using the out-of-band command:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# out-of-band

RP/0/RP0/CPU0:router(config-mpp-outband)#

Related Commands

Command	Description
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
show mgmt-plane	Displays the management plane.
vrf (MPP)	Configures a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface.

show mgmt-plane

To display information about the management plane such as type of interface and protocols enabled on the interface, use the show mgmt-plane command in EXEC mode.

show mgmt-plane [inband | out-of-band] [interface {type instance} | vrf]

Syntax Description

inband	(Optional) Displays the inband management interface configurations that are the interfaces that process management packets as well as data-forwarding packets. An inband management interface is also called a shared management interface.
out-of-band	(Optional) Displays the out-of-band interface configurations. Out-of-band interfaces are defined by the network operator to specifically receive network management traffic.
interface	(Optional) Displays all the protocols that are allowed in the specified interface.
type	Interface type. For more information, use the question mark (?) online help function.
instance	Either a physical interface instance or a virtual interface instance as follows: •Physical interface instance. Naming notation is rack/slot/module/port and a slash between values is required as part of the notation. –rack: Chassis number of the rack. –slot: Physical slot number of the modular services card or line card. –module: Module number. A physical layer interface module (PLIM) is always 0. –port: Physical port number of the interface. Note In references to a Management Ethernet interface located on a route processor card, the physical slot number is alphanumeric (RP0 or RP1) and the module is CPU0. Example: interface MgmtEth0/RP1/CPU0/0. •Virtual interface instance. Number range varies depending on interface type. For more information about the syntax for the router, use the question mark (?) online help function.
vrf	(Optional) Displays the Virtual Private Network (VPN) routing and forwarding reference of an out-of-band interface.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release	Modification
Release 3.5.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.6.0	The following modifications were added: •Both inband and out-of-band keywords were added. •The vrf keyword was added only for out-of-band VRF configurations. •Sample output was updated to display inband and out-of-band interface configurations.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The vrf keyword is valid only for out-of-band VRF configurations.

Task IDI

Task ID	Operations
system	read

Examples

The following sample output displays all the interfaces that are configured as inband or out-of-band interfaces under MPP:

RR/0/RP0/CPU0:router# show mgmt-plane

Management Plane Protection

inband interfaces

----------------------

interface - POS0_6_0_0 

        ssh configured - 

                All peers allowed

        telnet configured - 

                peer v4 allowed - 10.1.0.0/16

        all configured - 

                All peers allowed

interface - POS0_6_0_1 

        telnet configured - 

                peer v4 allowed - 10.1.0.0/16

interface - all 

        all configured - 

                All peers allowed

outband interfaces

----------------------

interface - POS0_6_0_2 

        tftp configured - 

                peer v6 allowed - 33::33

The following sample output displays the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface:

RR/0/RP0/CPU0:router# show mgmt-plane out-of-band vrf

Management Plane Protection - 

        out-of-band VRF - my_out_of_band

Related Commands

Command	Description
management-plane	Configures management plane protection to allow and disallow protocols.

vrf (MPP)

To configure a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface, use the vrf command in management plane protection out-of-band configuration mode. To remove the VRF definition before the VRF name is used, use the no form of this command.

vrf vrf-name

no vrf vrf-name

Syntax Description

vrf-name

Name assigned to a VRF.

Defaults

The VRF concept must be used to configure interfaces as out-of-band. If no VRF is configured during an out-of-band configuration, the interface goes into a default VRF.

Command Modes

Management plane protection out-of-band configuration

Command History

Release	Modification
Release 3.6.0	This command was introduced on the Cisco CRS-1 and Cisco XR 12000 Series Router.
Release 3.7.0	No modification.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

If the VRF reference is not configured, the default name MPP_OUTBAND_VRF is used.

If there is an out-of-band configuration that is referring to a VRF and the VRF is deleted, all the MPP bindings are removed.

Task ID

Task ID	Operations
system	read

Examples

The following example shows how to configure the VRF:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# vrf my_out_of_band

RP/0/RP0/CPU0:router(config-vrf)# address-family ipv4 unicast

RP/0/RP0/CPU0:router(config-vrf-af)# exit

RP/0/RP0/CPU0:router(config-vrf)# address-family ipv6 unicast

RP/0/RP0/CPU0:router(config-vrf-af)# commit

RP/0/RP0/CPU0:router(config-vrf-af)# end

RR/0/RP0/CPU0:router#

The following example shows how to configure the VRF definition for MPP:

RR/0/RP0/CPU0:router# configure

RP/0/RP0/CPU0:router(config)# control-plane

RP/0/RP0/CPU0:router(config-ctrl)# management-plane

RP/0/RP0/CPU0:router(config-mpp)# out-of-band

RP/0/RP0/CPU0:router(config-mpp-outband)# vrf my_out_of_band

Related Commands

Command	Description
control-plane	Configures the control plane.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.