Implementing Management Plane Protection on Cisco IOS XR Software
Examples of protocols processed in the management plane are Simple Network Management Protocol
(SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for
monitoring and for command-line interface (CLI) access. Restricting access to devices to internal
sources (trusted networks) is critical.
Management Plane Protection Feature
The protocol that is used for the MPP feature is disabled by default. When a protocol is enabled, the
only default management interfaces are the route processor (RP) and standby route processor (SRP)
Ethernet interfaces, which are out-of-band interfaces that allow only management traffic. You must use
the MPP CLI to configure any other interface as a management interface. Using a single
CLI command, you can configure, modify, or delete a management interface. When you configure a
management interface, no interfaces except that management interface accept network management
packets destined to the device.
Following are the management protocols that the MPP feature supports. These management protocols
are also the only protocols affected when MPP is enabled.
• SSH, v1 and v2
• SNMP, all versions
• Telnet
• TFTP
• HTTP
• HTTPS
Benefits of the Management Plane Protection Feature
Implementing the MPP feature provides the following benefits:
• Greater access control for managing a device than allowing management protocols on all interfaces.
• Improved performance for data packets on nonmanagement interfaces.
• Support for network scalability.
• Simplifies the task of using per-interface ACLs to restrict management access to the device.
• Fewer access control lists (ACLs) are needed to restrict access to the device.
• Prevention of packet floods on switching and routing interfaces from reaching the CPU.
How to Configure a Device for Management Plane Protection
This section contains the following task:
• Configuring a Device for Management Plane Protection, page SC-230
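The following audit sketch is an added example, not part of the Cisco guide. It checks a saved MPP configuration block for rules that fail to restrict management access to specific interfaces and trusted sources. The configuration keywords in the sample (control-plane, management-plane, inband, interface, allow, address ipv4) are assumed from the IOS XR MPP CLI and do not appear on this page; the sample block and the function names parse_mpp and audit are constructed for illustration.

```python
import re

# Constructed sample of an MPP block; the syntax is an assumption, not from this page.
SAMPLE_CONFIG = """\
control-plane
 management-plane
  inband
   interface all
    allow SSH
   !
   interface GigabitEthernet0/6/0/1
    allow SNMP
    allow Telnet peer
     address ipv4 10.1.0.0/16
    !
   !
  !
 !
!
"""

def parse_mpp(config):
    """Parse an MPP block (and only that block) into per-protocol allow rules."""
    rules, iface, rule = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            iface, rule = m.group(1), None
        elif (m := re.fullmatch(r"allow (\S+)( peer)?", line)) and iface:
            rule = {"interface": iface, "protocol": m.group(1), "peers": []}
            rules.append(rule)
        elif (m := re.fullmatch(r"address ipv4 (\S+)", line)) and rule is not None:
            rule["peers"].append(m.group(1))
    return rules

def audit(rules):
    """Flag rules that do not limit management access to named interfaces and sources."""
    findings = []
    for r in rules:
        where = f"interface {r['interface']}, allow {r['protocol']}"
        if r["interface"].lower() == "all":
            findings.append(f"{where}: accepted on every interface")
        if r["protocol"].lower() == "all":
            findings.append(f"{where}: every management protocol accepted")
        if not r["peers"]:
            findings.append(f"{where}: no peer address restriction")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_mpp(SAMPLE_CONFIG)):
        print(finding)
```

The parser expects only the control-plane block as input; interface stanzas from elsewhere in a full running configuration would be misread as MPP interfaces.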
Cisco IOS XR System Security Configuration Guide