01-12-2019 08:26 PM - edited 01-12-2019 08:27 PM
Using the Management Plane Protection (MPP) feature, you can restrict which interfaces allow management plane packets. By doing this, you can prevent those packets from ever reaching the CPU on interfaces that are not allowed to pass that traffic. I tested using MPP, but it seems the packets are still being processed, at least as far as I can tell.
I've got an NCS 5500 running IOS XR 6.5.1. When I enable MPP and attempt to SSH to the router via an interface that isn't allowed, I receive the following message:
The remote system refused the connection.
To me, the above message indicates that the traffic is still being processed by the CPU. This is exactly what you would see on an IOS/IOS XE device when you assign an ACL to a VTY interface and attempt to SSH to the device via an IP that isn't allowed within the ACL. Am I missing something? Thanks.
01-13-2019 03:47 AM
At this stage we are not sure how these devices are connected to the network and what is configured. If you could post the configuration, we could have a look and suggest.
Or another example document for reference:
01-13-2019 04:42 PM
Thanks for your response. I've seen the link you provided, and it is what I was referencing in my post. If you look at page 4 under Benefits of the Management Plane Protection Feature, you'll see "Prevention of packet floods on switching and routing interfaces from reaching the CPU." When I have this configured and attempt to SSH to the router via a port that doesn't allow SSH for MPP, I receive a "The remote system refused the connection" error message. To me, this means that the packets are still being processed by the CPU.
Below is a simple topology and some configuration to demonstrate this.
hostname xr1
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.1 255.255.255.0
!
end

hostname xr2
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow SSH
   !
  !
 !
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 2.2.2.2 255.255.255.0
!
ssh server vrf default
end

hostname xr3
!
interface GigabitEthernet0/0/0/0
 ipv4 address 2.2.2.3 255.255.255.0
!
end
When I attempt to SSH to xr2 from xr3, I get the following:
RP/0/0/CPU0:xr3#ssh 2.2.2.2
%Error in connect v4 - Connection refused
To me, the above error indicates that the CPU is still processing the packet. This is the same error you would see on an IOS/IOS XE device that had an ACL applied to the VTY. If the IP you were attempting to SSH from was not allowed in the ACL, you would get a connection refused error. So I'm not understanding how MPP prevents those packets from reaching the CPU.
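As an added illustration (my own script, not part of the thread and not Cisco code), here is a small Python model of the xr2 policy above: it parses the "control-plane management-plane inband" block out of the running-config and reports, per interface, which management protocols MPP is configured to pass, so the xr3 path over GigabitEthernet0/0/0/1 shows as denied while xr1 over GigabitEthernet0/0/0/0 is allowed. It models only the configured policy, not how the platform implements the drop, which is the question raised in the post; the only config format it understands is the indented running-config layout shown above.

```python
# Constructed copy of the xr2 configuration posted in the thread above.
XR2_CONFIG = """\
hostname xr2
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow SSH
   !
  !
 !
!
interface GigabitEthernet0/0/0/0
 ipv4 address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet0/0/0/1
 ipv4 address 2.2.2.2 255.255.255.0
!
ssh server vrf default
end
"""

def parse_config(text):
    """Return (inband policy {interface: protocols}, data interfaces) from a running-config."""
    policy, interfaces, section, cur = {}, [], None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if indent == 0:                   # a column-0 line ends any block
            section = "control-plane" if line == "control-plane" else None
            if line.startswith("interface "):
                interfaces.append(line.split()[1])
            continue
        if section and indent == 2:       # inband / out-of-band sub-blocks
            section = "inband" if line == "inband" else "control-plane"
        elif section == "inband" and line.startswith("interface "):
            cur = line.split()[1]
            policy.setdefault(cur, set())
        elif section == "inband" and line.startswith("allow ") and cur:
            policy[cur].add(line.split()[1].lower())
    return policy, interfaces

def mpp_permits(policy, interface, protocol):
    """MPP decision for `protocol` arriving on `interface`: with no inband policy
    every interface passes management traffic; otherwise only listed ones do."""
    allowed = policy.get(interface, set()) | policy.get("all", set())
    return not policy or "all" in allowed or protocol.lower() in allowed

def management_exposure(config_text, protocols=("ssh", "telnet", "snmp")):
    policy, interfaces = parse_config(config_text)  # protocols MPP lets reach the RP, per interface
    return {i: [p for p in protocols if mpp_permits(policy, i, p)] for i in interfaces}
```

Running management_exposure(XR2_CONFIG) gives GigabitEthernet0/0/0/0 -> ['ssh'] and GigabitEthernet0/0/0/1 -> [], i.e. the policy itself says nothing from xr3 should be accepted; whether the packet is dropped before or after the CPU sees it is what the "Connection refused" reply leaves open.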