Restrictions for Implementing Management Plane Protection(IOS XR)
The following restrictions are listed for implementing Management Plane Protection (MPP):
-
Currently, MPP does not keep track of the denied or dropped protocol requests.
-
MPP configuration does not enable the protocol services. MPP is responsible only for making the services available on different interfaces. The protocols are enabled explicitly.
-
Management requests that are received on inband interfaces are not necessarily acknowledged there.
-
Both Route Processor (RP) and distributed route processor (DRP) Ethernet interfaces are by default out-of-band interfaces and can be configured under MPP.
-
The changes made for the MPP configuration do not affect the active sessions that are established before the changes.
-
Currently, MPP controls only the incoming management requests for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and HTTP.
-
MPP does not support MIB.
-
In a MPLS L3VPN, when MPP has VRF interface attached, it applies the VRF filter on an incoming interface through LPTS. When an incoming packet from the core interface has a different VRF, then MPP does not allow it.
Note
When configuring a device for MPP for an inband interface the Interface all configuration does not apply specific VRF filter and allows traffic for all source and destination interfaces.
Following are the management protocols that the MPP feature supports. These management protocols are also the only protocols affected when MPP is enabled.
-
SSH, v1 and v2
-
SNMP, all versions
-
Telnet
-
TFTP
-
HTTP
-
HTTPS
RP/0/0/CPU0:XR32(config-mpp-inband-all)#allow ? HTTP HTTP(S) NETCONF NETCONF version 1.1 protocol SNMP SNMP (all versions) SSH Secure Shell (v1 & v2) TFTP Enable TFTP Telnet Telnet XML XML all All Protocols