Can Management Plane Protection explicitly deny traffic?

I've been tinkering with MPP on an XR lab.

I can understand the basics of how I would allow, say, SSH access to my out-of-band management interfaces for 10.1.1.1:

control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.1.1
    !
   !
  !
 !

But is there a way I can explicitly deny something? Like just deny Telnet and accept everything else.

I can't seem to apply a deny anywhere:

RP/0/RP0/CPU0:R1(config-mpp-outband-if)#?
  allow               Allow a protocol on this interface  <<<<<<< ONLY ALLOW
  apply-group         Apply configuration from a group
  apply-group-append  Append apply-group configuration from a group
  apply-group-remove  Remove a group from apply-group configuration
  clear               Clear the uncommitted configuration
  commit              Commit the configuration changes via pseudo-atomic operation
  describe            Describe a command without taking real actions
  do                  Run an exec command
  end                 Exit from configure mode
  exclude-group       Exclude apply-group configuration from a group
  exclude-item        Negate a command or set its defaults
  exit                Exit from this submode
  no                  Negate a command or set its defaults
  pwd                 Commands used to reach current submode
  root                Exit to the global configuration mode
  show                Show contents of configuration
RP/0/RP0/CPU0:R1(config-mpp-outband-if)#


3 Replies

balaji.bandi
Hall of Fame

You already mentioned SSH; that means everything is denied.


BB

Yes, but that is an implicit denial, not an explicit one.

AshSe
VIP

Hello @steven.crutchley 

In Cisco IOS XR, the Management Plane Protection (MPP) feature is designed to explicitly allow specific protocols and IP addresses to access the management interfaces. By default, all other protocols and IP addresses are denied. This means that MPP operates on a "deny by default" principle, and you only need to explicitly allow the protocols and IP addresses you want to permit.

Key Points:

  1. Default Deny Behavior: If you do not explicitly allow a protocol (e.g., Telnet, SSH, SNMP) on a management interface, it is automatically denied. There is no need to explicitly configure a "deny" statement because the system inherently denies anything not explicitly allowed.

  2. Allow-Only Configuration: The allow command is used to specify which protocols and IP addresses are permitted. Anything not allowed is implicitly denied.

  3. Telnet Denial Example: If you want to deny Telnet and allow everything else (e.g., SSH), you simply do not configure an allow statement for Telnet. For example:


control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.1.1
    !
   !
  !
 !

In this configuration:

  • SSH is explicitly allowed for the IP address 10.1.1.1.
  • Telnet (and any other protocol not explicitly allowed) is implicitly denied.

  4. No Explicit Deny Command: As you observed, there is no explicit deny command in the MPP configuration. This is because the system's default behavior is to deny all traffic unless explicitly allowed.

Verifying the Configuration:

To verify that Telnet is denied and SSH is allowed, you can use the following command:

show running-config control-plane

This will display the current MPP configuration. You can also test access by attempting to connect via Telnet and SSH to confirm the behavior.

Example Output:

If Telnet is not allowed, you should see a connection failure when attempting to use Telnet. For SSH, the connection should succeed if it matches the allowed IP address and protocol.

Summary:

  • MPP is inherently "deny by default."
  • You only need to configure allow statements for the protocols and IP addresses you want to permit.
  • There is no need for an explicit deny command because anything not allowed is automatically denied.


Hope This Helps!!!

AshSe

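An added example, not from this thread and not Cisco's code, that models the allow-only decision described in the answer above in Python: it parses a control-plane block written in the style of the configuration shown in the thread and answers whether a given protocol and source address would be accepted on an interface. Nothing in it is a deny statement; a request is refused only because no allow entry matches it. The configuration text is constructed for the example. Three things are assumptions rather than facts stated in the thread: the prefix form `address ipv4 10.1.2.0/24`, the unrestricted `allow <protocol>` form with no peer list, and treating an interface that has no MPP entry at all as denied.

```python
"""Toy model of IOS XR Management Plane Protection 'allow-only' semantics.

Added example (not from the thread). It exists to make one point concrete:
there is no deny keyword; a request is dropped when no allow line matches.
"""
import ipaddress
from collections import defaultdict

# Constructed sample config, modelled on the answer's example. The second
# allow block (SNMP with a /24 prefix) is an assumption about the syntax.
SAMPLE_CONFIG = """\
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow SSH peer
     address ipv4 10.1.1.1
    !
    allow SNMP peer
     address ipv4 10.1.2.0/24
    !
   !
  !
 !
"""


def parse_mpp(text):
    """Return {interface: {protocol: [allowed networks]}}.

    An empty network list records an unrestricted 'allow <protocol>' line
    (assumption: that form means 'any peer').
    """
    rules = defaultdict(dict)
    interface = protocol = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line.split(None, 1)[1]
            protocol = None
        elif line.startswith("allow ") and interface is not None:
            protocol = line.split()[1].lower()
            rules[interface].setdefault(protocol, [])
        elif line.startswith("address ipv4 ") and protocol is not None:
            # strict=False lets a bare host address become a /32.
            net = ipaddress.ip_network(line.split()[2], strict=False)
            rules[interface][protocol].append(net)
        elif line == "!":
            protocol = None  # end of the current allow block
    return dict(rules)


def is_allowed(rules, interface, protocol, source_ip):
    """Decide as the allow-only model does: match an allow entry or deny."""
    allowed_peers = rules.get(interface, {}).get(protocol.lower())
    if allowed_peers is None:
        # No allow line for this protocol on this interface: implicit deny.
        # (An interface with no MPP entry lands here too; treating that as
        # deny is an assumption of this model, not a statement from the thread.)
        return False
    if not allowed_peers:
        return True  # 'allow <protocol>' with no peer list: any source
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in allowed_peers)


def decide_all(rules, checks):
    """Evaluate a list of (interface, protocol, source) tuples."""
    return [(iface, proto, src, is_allowed(rules, iface, proto, src))
            for iface, proto, src in checks]


if __name__ == "__main__":
    mpp = parse_mpp(SAMPLE_CONFIG)
    checks = [
        ("MgmtEth0/RP0/CPU0/0", "ssh", "10.1.1.1"),     # allowed: exact peer
        ("MgmtEth0/RP0/CPU0/0", "ssh", "10.1.1.2"),     # denied: peer not listed
        ("MgmtEth0/RP0/CPU0/0", "telnet", "10.1.1.1"),  # denied: no allow for telnet
        ("MgmtEth0/RP0/CPU0/0", "snmp", "10.1.2.77"),   # allowed: inside /24
    ]
    for iface, proto, src, ok in decide_all(mpp, checks):
        print(f"{iface} {proto:6s} from {src:12s} -> {'ALLOW' if ok else 'DENY'}")
```

The Telnet line is the one the thread asks about: it is refused without any deny statement in the parsed config, purely because the lookup for `telnet` finds no allow entry. Running `show running-config control-plane` on the real device is the equivalent check; the absence of an `allow telnet` line is the whole of the policy.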