Implementing Management Plane Protection

The Management Plane Protection (MPP) feature provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.

The MPP protection feature, as well as all the management protocols under MPP, are disabled by default. When you configure an interface as inband, it automatically enables MPP. Consequently, this enablement extends to all the protocols under MPP. If MPP is disabled and a protocol is activated, all interfaces can pass traffic.

When MPP is enabled with an activated protocol, the only default management interfaces allowing management traffic is the route processor (RP). You must manually configure any other interface for which you want to enable MPP as a management interface.

Afterwards, only the default management interfaces and those you have previously configured as MPP interfaces accept network management packets destined for the device. All other interfaces drop such packets. Logical interfaces (or any other interfaces not present on the data plane) filter packets based on the ingress physical interface.

Implementing Management Plane Protection

The Management Plane Protection (MPP) feature provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.

The MPP protection feature, as well as all the management protocols under MPP, are disabled by default. When you configure an interface as inband, it automatically enables MPP. Consequently, this enablement extends to all the protocols under MPP. If MPP is disabled and a protocol is activated, all interfaces can pass traffic.

When MPP is enabled with an activated protocol, the only default management interfaces allowing management traffic is the route processor (RP). You must manually configure any other interface for which you want to enable MPP as a management interface.

Afterwards, only the default management interfaces and those you have previously configured as MPP interfaces accept network management packets destined for the device. All other interfaces drop such packets. Logical interfaces (or any other interfaces not present on the data plane) filter packets based on the ingress physical interface.

Benefits of Management Plane Protection

Implementing the MPP feature provides the following benefits:

  • Greater access control for managing a device than allowing management protocols on all interfaces.

  • Improved performance for data packets on non-management interfaces.

  • Support for network scalability.

  • Simplifies the task of using per-interface access control lists (ACLs) to restrict management access to the device.

  • Fewer ACLs are needed to restrict access to the device.

  • Prevention of packet floods on switching and routing interfaces from reaching the CPU.

Restrictions for Implementing Management Plane Protection

The following restrictions are listed for implementing Management Plane Protection (MPP):

  • Currently, MPP does not keep track of the denied or dropped protocol requests.

  • MPP configuration does not enable the protocol services. MPP is responsible only for making the services available on different interfaces. The protocols are enabled explicitly.

  • Management requests that are received on inband interfaces are not necessarily acknowledged there.

  • The changes made for the MPP configuration do not affect the active sessions that are established before the changes.

  • Currently, MPP controls only the incoming management requests for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), Secure Shell (SSH), XML and Netconf.

  • MPP does not support MIB.

Configure Device for Management Plane Protection for Inband Interface

An inband management interface is a physical or logical interface that processes management packets, as well as data-forwarding packets. An inband management interface is also called a shared management interface. Perform this task to configure a device that you have just added to your network or a device already operating in your network. This task shows how to configure MPP as an inband interface in which Telnet is allowed to access the router only through a specific interface.

Perform the following additional tasks to configure an inband MPP interface in non-default VRF.

  • Configure the interface under the non-default inband VRF.

  • Configure the global inband VRF.

  • In the case of Telnet, configure the Telnet VRF server for the inband VRF.

SUMMARY STEPS

  1. configure
  2. control-plane
  3. management-plane
  4. inband
  5. interface {type instance | all}
  6. allow {protocol | all} [peer]
  7. address ipv4 {peer-ip-address | peer ip-address/length}
  8. Use the commit or end command.
  9. show mgmt-plane [inband | ] [interface {type instance}]

DETAILED STEPS

Step 1

configure

Example:


RP/0/RP0/CPU0:router# configure

Enters mode.

Step 2

control-plane

Example:



RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)#

Enters control plane configuration mode.

Step 3

management-plane

Example:



RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)#

Configures management plane protection to allow and disallow protocols and enters management plane protection configuration mode.

Step 4

inband

Example:



RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)#

Configures an inband interface and enters management plane protection inband configuration mode.

Step 5

interface {type instance | all}

Example:



RP/0/RP0/CPU0:router(config-mpp-inband)# interface HundredGigE 0/6/0/1
RP/0/RP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)#

Configures a specific inband interface, or all inband interfaces. Use the interface command to enter management plane protection inband interface configuration mode.

  • Use the all keyword to configure all interfaces.

Step 6

allow {protocol | all} [peer]

Example:



RP/0/RP0/CPU0:router(config-mpp-inband-Gi0_6_0_1)# allow Telnet peer
RP/0/RP0/CPU0:router(config-telnet-peer)#

Configures an interface as an inband interface for a specified protocol or all protocols.

  • Use the protocol argument to allow management protocols on the designated management interface.

    • SNMP (also versions)

    • Secure Shell (v1 and v2)

    • TFTP

    • Telnet

    • Netconf

    • XML

  • Use the all keyword to configure the interface to allow all the management traffic that is specified in the list of protocols.

  • (Optional) Use the peer keyword to configure the peer address on the interface.

Step 7

address ipv4 {peer-ip-address | peer ip-address/length}

Example:



RP/0/RP0/CPU0:router(config-telnet-peer)# address ipv4 10.1.0.0/16

Configures the peer IPv4 address in which management traffic is allowed on the interface.

  • Use the peer-ip-address argument to configure the peer IPv4 address in which management traffic is allowed on the interface.

  • Use the peer ip-address/length argument to configure the prefix of the peer IPv4 address.

Step 8

Use the commit or end command.

commit —Saves the configuration changes and remains within the configuration session.

end —Prompts user to take one of these actions:

  • Yes — Saves configuration changes and exits the configuration session.

  • No —Exits the configuration session without committing the configuration changes.

  • Cancel —Remains in the configuration session, without committing the configuration changes.

Step 9

show mgmt-plane [inband | ] [interface {type instance}]

Example:


RP/0/RP0/CPU0:router# show mgmt-plane inband interface HundredGigE 0/6/0/1

Displays information about the management plane, such as type of interface and protocols enabled on the interface.

  • (Optional) Use the inband keyword to display the inband management interface configurations that are the interfaces that process management packets as well as data-forwarding packets.

  • (Optional) Use the interface keyword to display the details for a specific interface.

Information About Implementing Management Plane Protection

Before you enable the Management Plane Protection feature, you should understand the following concepts:

Peer-Filtering on Interfaces

The peer-filtering option allows management traffic from specific peers, or a range of peers, to be configured.

Control Plane Protection

A control plane is a collection of processes that run at the process level on a route processor and collectively provide high-level control for most Cisco software functions. All traffic directly or indirectly destined to a router is handled by the control plane. Management Plane Protection operates within the Control Plane Infrastructure.

Management Plane

The management plane is the logical path of all traffic that is related to the management of a routing platform. One of three planes in a communication architecture that is structured in layers and planes, the management plane performs management functions for a network and coordinates functions among all the planes (management, control, and data). In addition, the management plane is used to manage a device through its connection to the network.

Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, SSH, XML and Netconf. These management protocols are used for monitoring and for command-line interface (CLI) access. Restricting access to devices to internal sources (trusted networks) is critical.