This module describes the commands used to configure management plane protection (MPP).
For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Management Plane Protection on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
To configure the peer IPv4 or IPv6 address from which management traffic is allowed on the interface, use the address command in interface peer configuration mode. To remove the peer address that was previously configured on this interface, use the no form of this command.
address { ipv4 | ipv6 } { peer-ip-address | peer-ip-address/length }
no address { ipv4 | ipv6 } { peer-ip-address | peer-ip-address/length }

Argument | Description
---|---
peer-ip-address | (Required) Peer IPv4 or IPv6 address from which management traffic is allowed on the interface. This address is effectively the source address of the management traffic arriving on the configured interface.
peer-ip-address/length | (Required) Prefix of the peer IP address with its length, in IPv4 or IPv6 format.
Command Default: If no specific peer is configured, all peers are allowed.
Command Modes: Interface peer configuration
Release | Modification
---|---
Release 3.6.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID | Operations
---|---
system | read, write
The following example shows how to configure the peer IPv6 address 33::33 for management traffic:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# interface GigabitEthernet 0/1/1/1
RP/0/RP0/CPU0:router(config-mpp-outband-GigabitEthernet0_1_1_1)# allow TFTP peer
RP/0/RP0/CPU0:router(config-tftp-peer)# address ipv6 33::33
Command | Description
---|---
allow | Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane | Configures the control plane.
inband | Configures an inband interface or protocol.
interface | Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane | Configures management plane protection to allow and disallow protocols.
out-of-band | Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane | Displays the management plane.
To configure an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols, use the allow command in management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration. To disallow a protocol on an interface, use the no form of this command.
allow { protocol | all } [peer]
no allow { protocol | all } [peer]
Command Default: By default, no management protocol is allowed on any interface except the management interfaces.
Command Modes: Management plane protection inband interface configuration
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
Release 3.6.0 | The following modifications were added:
Release 4.0.0 | The XML keyword was added.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If you allow a specific protocol on an interface, traffic is allowed only for that protocol, and all other management traffic is dropped.
After you configure the interface as inband or out-of-band, the specified protocol's traffic, or all protocol traffic, is allowed on the interface. Interfaces that are not configured as inband or out-of-band interfaces drop the protocol traffic.
The IOS XR XML API provides a programmatic interface to the router for use by external management applications. It is a mechanism for configuring and monitoring the router using XML-formatted request and response streams. As one of the management services, XML must be subject to MPP; to secure XML management traffic under MPP, the xml keyword was added to this command.
Task ID | Operations
---|---
system | read, write
The following example shows how to configure all management protocols for all inband interfaces:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
RP/0/RP0/CPU0:router(config-mpp-inband-all)# allow all
The following example shows how to configure peer interface for the TFTP protocol for out-of-band interfaces:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# interface GigabitEthernet 0/1/1/2
RP/0/RP0/CPU0:router(config-mpp-outband-GigabitEthernet0_1_1_2)# allow TFTP peer
RP/0/RP0/CPU0:router(config-tftp-peer)#
The following example shows how to configure MPP support on an XML peer in-band interface:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-ctrl-mpp)# inband interface all allow xml peer address ipv4 172.10.10.1
Command | Description
---|---
control-plane | Configures the control plane.
inband | Configures an inband interface or protocol.
interface | Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane | Configures management plane protection to allow and disallow protocols.
out-of-band | Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane | Displays the management plane.
To enter the control plane configuration mode, use the control-plane command. To disable all the configurations under control plane mode, use the no form of this command.
control-plane
no control-plane
This command has no keywords or arguments.
Command Default: None
Command Modes: Global configuration mode
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the control-plane command to enter control plane configuration mode.
Task ID | Operations
---|---
system | read, write
The following example shows how to enter control plane configuration mode using the control-plane command:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)#
Command | Description
---|---
management-plane | Configures management plane protection to allow and disallow protocols.
To configure an inband interface and to enter management plane protection inband configuration mode, use the inband command in management plane protection configuration mode. To disable all configurations under inband configuration mode, use the no form of this command.
inband
no inband
This command has no keywords or arguments.
Command Default: None
Command Modes: Management plane protection inband configuration
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the inband command to enter management plane protection inband configuration mode.
Task ID | Operations
---|---
system | read, write
The following example shows how to enter management plane protection inband configuration mode using the inband command:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)#
Command | Description
---|---
control-plane | Configures the control plane.
interface | Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane | Configures management plane protection to allow and disallow protocols.
out-of-band | Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane | Displays the management plane.
To configure a specific interface or all interfaces as an inband or out-of-band interface, use the interface command in management plane protection inband configuration mode or management plane protection out-of-band configuration mode. To disable all the configurations under an interface mode, use the no form of this command.
interface { type interface-path-id | all }
no interface { type interface-path-id | all }
Keyword or Argument | Description
---|---
type | Interface type. For more information, use the question mark (?) online help function.
interface-path-id | Virtual interface instance. Number range varies depending on interface type. For more information about the syntax for the router, use the question mark (?) online help function.
all | Configures all interfaces to allow for management traffic.
Command Default: None
Command Modes: Management plane protection inband configuration; management plane protection out-of-band configuration
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
Release 3.6.0 | The management plane protection out-of-band configuration mode was added.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the interface command to enter management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration mode.
For the interface-path-id argument, you cannot configure Management Ethernet interfaces as inband interfaces.
Task ID | Operations
---|---
system | read, write
The following example shows how to configure all inband interfaces for MPP:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
RP/0/RP0/CPU0:router(config-mpp-inband-all)#
The following example shows how to configure all out-of-band interfaces for MPP:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# interface all
RP/0/RP0/CPU0:router(config-mpp-outband-all)#
Command | Description
---|---
allow | Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane | Configures the control plane.
inband | Configures an inband interface or protocol.
management-plane | Configures management plane protection to allow and disallow protocols.
out-of-band | Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane | Displays the management plane.
To configure management plane protection to allow and disallow protocols, use the management-plane command in control plane configuration mode. To disable all configurations under management-plane mode, use the no form of this command.
management-plane
no management-plane
This command has no keywords or arguments.
Command Default: None
Command Modes: Control plane configuration
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the management-plane command to enter the management plane protection configuration mode.
Task ID | Operations
---|---
system | read, write
The following example shows how to enter management plane protection configuration mode using the management-plane command:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)#
To configure out-of-band interfaces or protocols and to enter management plane protection out-of-band configuration mode, use the out-of-band command in management plane protection configuration mode. To disable all configurations under management plane protection out-of-band configuration mode, use the no form of this command.
out-of-band
no out-of-band
This command has no keywords or arguments.
Command Default: None
Command Modes: Management plane protection configuration
Release | Modification
---|---
Release 3.6.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the out-of-band command to enter management plane protection out-of-band configuration mode.
Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage is that forwarding (or customer) traffic cannot interfere with the management of the router.
Task ID | Operations
---|---
system | read, write
The following example shows how to enter management plane protection out-of-band configuration mode using the out-of-band command:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)#
Command | Description
---|---
control-plane | Configures the control plane.
inband | Configures an inband interface or protocol.
interface | Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane | Configures management plane protection to allow and disallow protocols.
show mgmt-plane | Displays the management plane.
vrf | Configures a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface.
To display information about the management plane such as type of interface and protocols enabled on the interface, use the show mgmt-plane command.
show mgmt-plane [ inband | out-of-band ] [ interface type interface-path-id | vrf ]
Keyword or Argument | Description
---|---
inband | (Optional) Displays the inband management interface configurations, that is, the interfaces that process management packets as well as data-forwarding packets. An inband management interface is also called a shared management interface.
out-of-band | (Optional) Displays the out-of-band interface configurations. Out-of-band interfaces are defined by the network operator to specifically receive network management traffic.
interface | (Optional) Displays all the protocols that are allowed on the specified interface.
type | Interface type. For more information, use the question mark (?) online help function.
interface-path-id | Interface instance. Number range varies depending on interface type. For more information about the syntax for the router, use the question mark (?) online help function.
vrf | (Optional) Displays the Virtual Private Network (VPN) routing and forwarding reference of an out-of-band interface.
Command Default: None
Command Modes: EXEC
Release | Modification
---|---
Release 3.5.0 | This command was introduced.
Release 3.6.0 | The following modifications were added:
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The vrf keyword is valid only for out-of-band VRF configurations.
Task ID | Operations
---|---
system | read
The following sample output displays all the interfaces that are configured as inband or out-of-band interfaces under MPP:
RP/0/RP0/CPU0:router# show mgmt-plane

Management Plane Protection
inband interfaces
----------------------
interface - GigabitEthernet0_1_1_0
        ssh configured -
                All peers allowed
        telnet configured -
                peer v4 allowed - 10.1.0.0/16
        all configured -
                All peers allowed
interface - GigabitEthernet0_1_1_0
        telnet configured -
                peer v4 allowed - 10.1.0.0/16
interface - all
        all configured -
                All peers allowed
outband interfaces
----------------------
interface - GigabitEthernet0_1_1_0
        tftp configured -
                peer v6 allowed - 33::33
The following sample output displays the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface:
RP/0/RP0/CPU0:router# show mgmt-plane out-of-band vrf
Management Plane Protection -
out-of-band VRF - my_out_of_band
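The rules stated under the allow command (a protocol passes only if it, or all, is allowed on the interface; interfaces not configured under MPP drop management traffic) and under the address command (no specific peer means every peer is allowed) can be checked against show mgmt-plane output. The following Python is an added example, not Cisco's code: it parses output in the shape shown above, evaluates whether a given source would be allowed on an interface, and flags entries that accept every protocol from every peer. The sample output, the interface names, and the precedence of an explicit interface entry over the interface all entry are assumptions.

```python
import ipaddress

SAMPLE = """\
inband interfaces
----------------------
interface - GigabitEthernet0_1_1_0
        ssh configured -
                All peers allowed
        telnet configured -
                peer v4 allowed - 10.1.0.0/16
interface - all
        all configured -
                All peers allowed
outband interfaces
interface - GigabitEthernet0_1_1_2
        tftp configured -
                peer v6 allowed - 33::33
"""  # constructed sample in the shape of this reference's `show mgmt-plane` output

def parse_mgmt_plane(text):
    """Return {section: {interface: {protocol: "any" | [ip_network, ...]}}}."""
    policy, section, iface, proto = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" interfaces"):            # "inband interfaces"
            section = line.split()[0]
            policy[section] = {}
        elif line.startswith("interface - "):       # "interface - GigabitEthernet0_1_1_0"
            iface = line.split(" - ", 1)[1]
            policy[section][iface] = {}
        elif line.endswith(" configured -"):        # "telnet configured -"
            proto = line.split()[0]
            policy[section][iface][proto] = []      # peer prefixes, if any, follow
        elif line == "All peers allowed":
            policy[section][iface][proto] = "any"
        elif line.startswith("peer v"):             # "peer v4 allowed - 10.1.0.0/16"
            net = ipaddress.ip_network(line.split(" - ", 1)[1], strict=False)
            policy[section][iface][proto].append(net)
    return policy

def is_allowed(policy, section, iface, proto, src):
    """Apply the rules this reference states: an unconfigured interface drops
    management traffic; a protocol passes only if it, or `all`, is allowed on
    the interface; no specific peer means every peer.  Assumption not stated on
    the page: an explicit interface entry takes precedence over `interface all`."""
    ifaces = policy.get(section, {})
    rules = ifaces.get(iface, ifaces.get("all"))
    if rules is None:
        return False
    peers = rules.get(proto, rules.get("all"))
    if peers is None:
        return False
    if peers == "any" or not peers:
        return True
    return any(ipaddress.ip_address(src) in net for net in peers)

def overly_permissive(policy):
    """Entries that accept every protocol from every peer: the weakest MPP setting."""
    return [(s, i) for s, ifs in policy.items()
            for i, rules in ifs.items() if rules.get("all") == "any"]
```

Feeding real show mgmt-plane output to parse_mgmt_plane and reviewing overly_permissive is a quick audit of whether an inband interface has been left open to every protocol from every peer.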
Command | Description
---|---
management-plane | Configures management plane protection to allow and disallow protocols.
To configure a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface, use the vrf command in management plane protection out-of-band configuration mode. To remove the VRF definition before the VRF name is used, use the no form of this command.
vrf vrf-name
no vrf vrf-name
Argument | Description
---|---
vrf-name | Name assigned to a VRF.
Command Default: The VRF concept must be used to configure interfaces as out-of-band. If no VRF is configured during an out-of-band configuration, the interface goes into a default VRF.
Command Modes: Management plane protection out-of-band configuration
Release | Modification
---|---
Release 3.6.0 | This command was introduced.
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If the VRF reference is not configured, the default name MPP_OUTBAND_VRF is used.
If there is an out-of-band configuration that is referring to a VRF and the VRF is deleted, all the MPP bindings are removed.
Task ID | Operations
---|---
system | read
The following example shows how to configure the VRF:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# vrf my_out_of_band
RP/0/RP0/CPU0:router(config-vrf)# address-family ipv4 unicast
RP/0/RP0/CPU0:router(config-vrf-af)# exit
RP/0/RP0/CPU0:router(config-vrf)# address-family ipv6 unicast
RP/0/RP0/CPU0:router(config-vrf-af)# commit
RP/0/RP0/CPU0:router(config-vrf-af)# end
RP/0/RP0/CPU0:router#
The following example shows how to configure the VRF definition for MPP:
RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# vrf my_out_of_band
Command | Description
---|---
control-plane | Configures the control plane.
interface | Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane | Configures management plane protection to allow and disallow protocols.
out-of-band | Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane | Displays the management plane.