Restrictions for Implementing Management Plane Protection (IOS XR)

The following restrictions apply when implementing Management Plane Protection (MPP):

  • Currently, MPP does not keep track of the denied or dropped protocol requests.

  • MPP configuration does not enable the protocol services. MPP is responsible only for making the services available on different interfaces. The protocols are enabled explicitly.

  • Management requests that are received on inband interfaces are not necessarily acknowledged there.

  • Both Route Processor (RP) and distributed route processor (DRP) Ethernet interfaces are by default out-of-band interfaces and can be configured under MPP.

  • The changes made for the MPP configuration do not affect the active sessions that are established before the changes.

  • Currently, MPP controls only the incoming management requests for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and HTTP.

  • MPP does not support MIB.

  • In an MPLS L3VPN, when MPP has a VRF interface attached, it applies the VRF filter on an incoming interface through LPTS. When an incoming packet from the core interface has a different VRF, MPP does not allow it.

    Note

    When a device is configured for MPP on an inband interface, the interface all configuration does not apply a specific VRF filter and allows traffic for all source and destination interfaces.

Following are the management protocols that the MPP feature supports. These management protocols are also the only protocols affected when MPP is enabled.

  • SSH, v1 and v2

  • SNMP, all versions

  • Telnet

  • TFTP

  • HTTP

  • HTTPS

RP/0/0/CPU0:XR32(config-mpp-inband-all)#allow ?
  HTTP     HTTP(S)
  NETCONF  NETCONF version 1.1 protocol
  SNMP     SNMP (all versions)
  SSH      Secure Shell (v1 & v2)
  TFTP     Enable TFTP
  Telnet   Telnet
  XML      XML
  all      All Protocols
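
Because MPP keeps no record of denied requests, the allow rules themselves are what can be reviewed. The following is an added example, not code from the original page or from Cisco: a small Python audit that parses an MPP stanza and flags rules that are wider than needed, including the inband interface all case from the note above. The sample configuration is constructed, its layout is assumed to follow the IOS XR running-config shape (with "!" separators omitted), and the names parse_mpp and audit are hypothetical.

```python
# Constructed sample; layout assumed to match an IOS XR running-config MPP stanza.
SAMPLE_CONFIG = """\
control-plane
 management-plane
  inband
   interface all
    allow Telnet
    allow SSH peer
     address ipv4 192.0.2.0/24
   interface GigabitEthernet0/0/0/1
    allow all
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 198.51.100.10
"""

CLEARTEXT = {"telnet", "tftp"}  # allow keywords that never encrypt the session

def parse_mpp(config):
    """Return one dict per 'allow' rule: band, interface, protocol, peers."""
    rules, band, iface, rule = [], None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line in ("inband", "out-of-band"):
            band, iface, rule = line, None, None
        elif band and line.startswith("interface "):
            iface, rule = line.split(None, 1)[1], None
        elif iface and line.startswith("allow "):
            rule = {"band": band, "interface": iface,
                    "protocol": line.split()[1], "peers": []}
            rules.append(rule)
        elif rule is not None and line.startswith("address "):
            rule["peers"].append(line.split()[-1])  # peer prefix or host
    return rules

def audit(rules):
    """Return (rule, reason) pairs for rules wider than management needs."""
    findings = []
    for r in rules:
        checks = [
            (r["protocol"].lower() == "all", "all protocols permitted"),
            (r["protocol"].lower() in CLEARTEXT, "cleartext protocol"),
            (not r["peers"], "no peer address restriction"),
            (r["band"] == "inband" and r["interface"] == "all", "no VRF filter"),
        ]
        where = f'{r["band"]} {r["interface"]} allow {r["protocol"]}'
        findings += [(where, reason) for hit, reason in checks if hit]
    return findings
```

Calling audit(parse_mpp(SAMPLE_CONFIG)) returns six findings for the constructed stanza, none of them on the out-of-band SSH rule that is limited to a single peer.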

 

posted @ 2023-04-26 10:19  剪刀石头布Cheers