Contents

• Management Plane Protection Commands
• address ipv4 (MPP)
• allow
• control-plane
• inband
• interface (MPP)
• management-plane
• out-of-band
• show mgmt-plane
• vrf (MPP)

Management Plane Protection Commands

---

This module describes the commands used to configure management plane protection (MPP).

For detailed information about keychain management concepts, configuration tasks, and examples, see the Implementing Management Plane Protection on module in the System Security Configuration Guide for Cisco NCS 6000 Series Routers .

• address ipv4 (MPP)
• allow
• control-plane
• inband
• interface (MPP)
• management-plane
• out-of-band
• show mgmt-plane
• vrf (MPP)

address ipv4 (MPP)

To configure the peer IPv4 address in which management traffic is allowed on the interface, use the address ipv4command in interface peer configuration mode. To remove the IP address that was previously configured on this interface, use the no form of this command.

Syntax Description

peer-ip-address	Peer IPv4 address in which management traffic is allowed on the interface. This address can effectively be the source address of the management traffic that is coming in on the configured interface.
peer ip-address/length	Prefix of the peer IPv4 IPv4—A.B.C.D./length IPv6—X.X:X.X

Command Default

If no specific peer is configured, all peers are allowed.

Command Modes

Interface peer configuration

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Task ID

Task ID	Operations
system	read, write

The following example shows how to configure the peer address for management traffic:

allow

To configure an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols, use the allow command in management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration. To disallow a protocol on an interface, use the no form of this command.

allow { protocol | all } [peer]

no allow { protocol | all } [peer]

Syntax Description

protocol	Interface configured to allow peer-filtering for the following specified protocol’s traffic: HTTP(S) SNMP (also versions) Secure Shell (v1 and v2) TFTP Telnet XML
all	Configures the interface to allow peer-filtering for all the management traffic that is specified in the list of protocols.
peer	(Optional) Configures the peer address on the interface. Peer refers to the neighboring router interface in which traffic might arrive to the main router.

Command Default

By default, no management protocol is allowed on any interface except the management interfaces.

Command Modes

Management plane protection inband interface configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

If you permit or allow a specific protocol to an interface, traffic is allowed only for that protocol, and all other management traffic is dropped.

After you configure the interface as inband or out-of-band, the specified protocol's traffic, or all protocol traffic, is allowed on the interface. Interfaces that are not configured as inband or out-of-band interfaces, drop the protocol traffic.

The IOS-XR XML API provides a programmatic interface to the router for use by external management applications. This interface provides a mechanism for router configuration and monitoring utilizing XML formatted request and response streams. As one of the management services, XML should be capable of applying MPP. To secure XML MPP data, XML keyword has been added to the command.

Task ID

Task ID	Operations
system	read, write

The following example shows how to configure all management protocols for all inband interfaces:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
RP/0/RP0/CPU0:router(config-mpp-inband-all)# allow all

The following example shows how to configure peer-filtering for the TFTP protocol for out-of-band interfaces:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# interface GigabitEthernet 0/1/1/2
RP/0/RP0/CPU0:router(config-mpp-outband-GigabitEthernet0_1_1_2)# allow TFTP peer
RP/0/RP0/CPU0:router(config-tftp-peer)#

The following example shows how to configure MPP support on an XML peer in-band interface:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-ctrl-mpp)# inband interface all allow xml peer address ipv4 172.10.10.1

Related Commands

Command	Description
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

control-plane

To enter the control plane configuration mode, use the control-plane command. To disable all the configurations under control plane mode, use the no form of this command.

control-plane

no control-plane

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

XR Config

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the control-plane command to enter control plane configuration mode.

Task ID

Task ID	Operations
system	read, write

The following example shows how to enter control plane configuration mode using the control-plane command:

RP/0/RP0/CPU0:router# configure 
RP/0/RP0/CPU0:router(config)# control-plane 
RP/0/RP0/CPU0:router(config-ctrl)# 

Related Commands

Command	Description
management-plane	Configures management plane protection to allow and disallow protocols.

inband

To configure an inband interface and to enter management plane protection inband configuration mode, use the inband command in management plane protection configuration mode. To disable all configurations under inband configuration mode, use the no form of this command.

inband

no inband

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Management plane protection configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the inband command to enter management plane protection inband configuration mode.

Task ID

Task ID	Operations
system	read, write

The following example shows how to enter management plane protection inband configuration mode using the inband command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)# 

Related Commands

Command	Description
control-plane	Configures the control plane.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

interface (MPP)

To configure a specific interface or all interfaces as an inband or out-of-band interface, use the interface command in management plane protection inband configuration mode or management plane protection out-of-band configuration mode. To disable all the configurations under an interface mode, use the no form of this command.

interface { type interface-path-id | all }

no interface { type interface-path-id | all }

Syntax Description

type	Interface type. For more information, use the question mark (?) online help function.
interface-path-id	Virtual interface instance. Number range varies depending on interface type. Note    Use the show interfaces command in EXEC mode to see a list of all interfaces currently configured on the router. For more information about the syntax for the router, use the question mark (?) online help function.
all	Configures all interfaces to allow for management traffic.

Command Default

None

Command Modes

Management plane protection out-of-band configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the interface command to enter management plane protection inband interface configuration mode or management plane protection out-of-band interface configuration mode.

For the instance argument, you cannot configure Management Ethernet interfaces as inband interfaces.

Task ID

Task ID	Operations
system	read, write

The following example shows how to configure all inband interfaces for MPP:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# inband
RP/0/RP0/CPU0:router(config-mpp-inband)# interface all
RP/0/RP0/CPU0:router(config-mpp-inband-all)#

The following example shows how to configure all out-of-band interfaces for MPP:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# interface all
RP/0/RP0/CPU0:router(config-mpp-outband-all)#

Related Commands

Command	Description
allow	Configures an interface as an inband or out-of-band interface to allow all peer addresses for a specified protocol or all protocols.
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.

management-plane

To configure management plane protection to allow and disallow protocols, use the management-plane command in control plane configuration mode. To disable all configurations under management-plane mode, use the no form of this command.

management-plane

no management-plane

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Control plane configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the management-plane command to enter the management plane protection configuration mode.

Task ID

Task ID	Operations
system	read, write

The following example shows how to enter management plane protection configuration mode using the management-plane command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# 

out-of-band

To configure out-of-band interfaces or protocols and to enter management plane protection out-of-band configuration mode, use the out-of-band command in management plane protection configuration mode. To disable all configurations under management plane protection out-of-band configuration mode, use the no form of this command.

out-of-band

no out-of-band

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

Management plane protection out-of-band configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

Use the out-of-band command to enter management plane protection out-of-band configuration mode.

Out-of-band refers to an interface that allows only management protocol traffic to be forwarded or processed. An out-of-band management interface is defined by the network operator to specifically receive network management traffic. The advantage is that forwarding (or customer) traffic cannot interfere with the management of the router.

Task ID

Task ID	Operations
system	read, write

The following example shows how to enter management plane protection out-of-band configuration mode using the out-of-band command:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)#

Related Commands

Command	Description
control-plane	Configures the control plane.
inband	Configures an inband interface or protocol.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
show mgmt-plane	Displays the management plane.
vrf (MPP)	Configures a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface.

show mgmt-plane

To display information about the management plane such as type of interface and protocols enabled on the interface, use the show mgmt-plane command.

show mgmt-plane [ inband | out-of-band ] [ interface type interface-path-id | vrf ]

Syntax Description

inband	(Optional) Displays the inband management interface configurations that are the interfaces that process management packets as well as data-forwarding packets. An inband management interface is also called a shared management interface.
out-of-band	(Optional) Displays the out-of-band interface configurations. Out-of-band interfaces are defined by the network operator to specifically receive network management traffic.
interface	(Optional) Displays all the protocols that are allowed in the specified interface.
type	Interface type. For more information, use the question mark (?) online help function.
interface-path-id	Virtual interface instance. Number range varies depending on interface type. Note    Use the show interfaces command in EXEC mode to see a list of all interfaces currently configured on the router. For more information about the syntax for the router, use the question mark (?) online help function.
vrf	(Optional) Displays the Virtual Private Network (VPN) routing and forwarding reference of an out-of-band interface.

Command Default

None

Command Modes

XR EXEC

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

The vrf keyword is valid only for out-of-band VRF configurations.

Task ID

Task ID	Operations
system	read

The following sample output displays all the interfaces that are configured as inband or out-of-band interfaces under MPP:

RP/0/RP0/CPU0:router# show mgmt-plane

Management Plane Protection

inband interfaces
----------------------

interface - GigabitEthernet0_1_1_0 
        ssh configured - 
                All peers allowed
        telnet configured - 
                peer v4 allowed - 10.1.0.0/16
        all configured - 
                All peers allowed
interface - GigabitEthernet0_1_1_0 
        telnet configured - 
                peer v4 allowed - 10.1.0.0/16

interface - all 
        all configured - 
                All peers allowed

outband interfaces
----------------------
interface - GigabitEthernet0_1_1_0 
        tftp configured - 
                peer v6 allowed - 33::33

The following sample output displays the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface:

RP/0/RP0/CPU0:router# show mgmt-plane out-of-band vrf

Management Plane Protection - 
        out-of-band VRF - my_out_of_band

Related Commands

Command	Description
management-plane	Configures management plane protection to allow and disallow protocols.

vrf (MPP)

To configure a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface, use the vrf command in management plane protection out-of-band configuration mode. To remove the VRF definition before the VRF name is used, use the no form of this command.

vrf vrf-name

no vrf vrf-name

Syntax Description

vrf-name

Name assigned to a VRF.

Command Default

The VRF concept must be used to configure interfaces as out-of-band. If no VRF is configured during an out-of-band configuration, the interface goes into a default VRF.

Command Modes

Management plane protection out-of-band configuration

Command History

Release	Modification
Release 5.0.0	This command was introduced.

Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.

If the VRF reference is not configured, the default name MPP_OUTBAND_VRF is used.

If there is an out-of-band configuration that is referring to a VRF and the VRF is deleted, all the MPP bindings are removed.

Task ID

Task ID	Operations
system	read

The following example shows how to configure the VRF:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# vrf my_out_of_band
RP/0/RP0/CPU0:router(config-vrf)# address-family ipv4 unicast
RP/0/RP0/CPU0:router(config-vrf-af)# exit
RP/0/RP0/CPU0:router(config-vrf)# address-family ipv6 unicast
RP/0/RP0/CPU0:router(config-vrf-af)# commit
RP/0/RP0/CPU0:router(config-vrf-af)# end
RP/0/RP0/CPU0:router#

The following example shows how to configure the VRF definition for MPP:

RP/0/RP0/CPU0:router# configure
RP/0/RP0/CPU0:router(config)# control-plane
RP/0/RP0/CPU0:router(config-ctrl)# management-plane
RP/0/RP0/CPU0:router(config-mpp)# out-of-band
RP/0/RP0/CPU0:router(config-mpp-outband)# vrf my_out_of_band

Related Commands

Command	Description
control-plane	Configures the control plane.
interface (MPP)	Configures a specific inband or out-of-band interface or all inband or out-of-band interfaces.
management-plane	Configures management plane protection to allow and disallow protocols.
out-of-band	Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode.
show mgmt-plane	Displays the management plane.