IOS-XR Filtering - control-plane vs traditional ACL on "Line"

TisTos
Level 1

Hey Guys,

What (and especially why) should I prefer as a method for implementing control-plane filtering for SSH/SNMP...: a classical ACL, or the control-plane/management-plane method?

  • line default
    access-class ingress ACL_SSH <-- here I can add a "remark" in the ACL, which I can't do directly with control-plane filtering
  • control-plane
    management-plane
    out-of-band
    interface MgmtEth0/RSP0/CPU0/0
    allow SSH <--- without specifying any peer here

### Versus ###

  • control-plane
    management-plane
    out-of-band
    interface MgmtEth0/RSP0/CPU0/0
    allow SSH peer address ipv4 X.X.X.X/X
    allow SSH peer address ipv4 X.X.X.X/X
    allow SSH peer address ipv4 X.X.X.X/X
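As an added example, not code from the thread or from Cisco: a small Python audit that parses the `management-plane` stanza of an IOS-XR configuration and flags every `allow <protocol>` that has no `peer address`, which is the gap marked in the first variant above. The configuration it reads is constructed, with placeholder interface names and documentation prefixes.

```python
from typing import Dict, List, Tuple

# Constructed IOS-XR config (placeholder interfaces, documentation prefixes):
# MgmtEth allows SSH from anywhere, SNMP from one prefix; in-band SSH from one host.
SAMPLE_CONFIG = """\
control-plane
 management-plane
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow SSH
    allow SNMP peer
     address ipv4 192.0.2.0/24
  inband
   interface GigabitEthernet0/0/0/1
    allow SSH peer
     address ipv4 198.51.100.10/32
 !
!
"""

def parse_mpp(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Map {interface: {protocol: [peer prefixes]}} for each 'allow' under
    'management-plane'; an empty list means any source may reach it."""
    result: Dict[str, Dict[str, List[str]]] = {}
    mpp_indent = None                 # indent of the management-plane line
    iface = proto = None
    for line in config.splitlines():
        indent = len(line) - len(line.lstrip())
        text = line.strip()
        if text == "management-plane":
            mpp_indent = indent
        elif mpp_indent is None or indent <= mpp_indent:
            mpp_indent = None         # not inside the management-plane block
        elif text.startswith("interface "):
            iface = text.split(None, 1)[1]
            result.setdefault(iface, {})
            proto = None
        elif text.startswith("allow ") and iface:
            parts = text.split()      # e.g. ['allow', 'SSH', 'peer']
            result[iface][parts[1]] = []
            proto = parts[1] if "peer" in parts else None
        elif text.startswith("address ") and iface and proto:
            result[iface][proto].append(text.split()[-1])
    return result

def unrestricted(config: str) -> List[Tuple[str, str]]:
    """(interface, protocol) pairs that are allowed with no peer address."""
    return [(i, p) for i, protos in parse_mpp(config).items()
            for p, peers in protos.items() if not peers]
```

Run against the sample it reports `MgmtEth0/RSP0/CPU0/0: SSH`, the entry with no peer restriction; feed it `show running-config control-plane` output to audit a real device.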

1 Accepted Solution


TisTos
Level 1

I think the answer is on the Cisco website: https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k-r7-4/system-security/configuration/guide/b-system-security-cg-asr9000-74x/implementing-management-plane-protection.html

Implementing the MPP feature provides the following benefits:

  • Greater access control for managing a device than allowing management protocols on all interfaces.
  • Improved performance for data packets on non-management interfaces.
  • Support for network scalability.
  • Simplifies the task of using per-interface access control lists (ACLs) to restrict management access to the device.
  • Fewer ACLs are needed to restrict access to the device.
  • Prevention of packet floods on switching and routing interfaces from reaching the CPU.

Restrictions for Implementing Management Plane Protection

The following restrictions are listed for implementing Management Plane Protection (MPP):

  • Currently, MPP does not keep track of the denied or dropped protocol requests.
  • MPP configuration does not enable the protocol services. MPP is responsible only for making the services available on different interfaces. The protocols are enabled explicitly.
  • Management requests that are received on inband interfaces are not necessarily acknowledged there.
  • Both route processor (RP) and distributed route processor (DRP) Ethernet interfaces are by default out-of-band interfaces and can be configured under MPP.
  • The changes made for the MPP configuration do not affect the active sessions that are established before the changes.
  • Currently, MPP controls only the incoming management requests for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), Secure Shell (SSH), and HTTP.
  • MIB support is not provided.


8 Replies

philclemens1835
Level 1

My opinion: control-plane filtering is a better option, especially if there's any public-facing aspect.

The ACL will apply only to the interface you configure it under, BUT this ACL will filter traffic passing through the interface, not traffic passing into the interface.

So the ACL will not prevent access.

The control-plane filter can do that; it filters traffic to the interface.

Thank you, but I'm applying the ACL on "line default", not on a line interface, so it can't be 'pass through interface', right?

tkarnani
Cisco Employee

The control-plane feature is better as it's hardware-assisted using LPTS.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/LTRARC-2002.pdf
https://community.cisco.com/t5/service-providers-knowledge-base/asr9000-xr-local-packet-transport-services-lpts-copp/ta-p/3123792

Features such as SSH that allow an ACL will work; however, it's CPU/process driven.

ssh server [vrf vrf-name [ipv4 access-list IPv4 access-list name] [ipv6 access-list IPv6 access-list name]]

That is the main difference.


Thank you

Many thanks,

BTW, aren't ACLs on IOS-XR ASR9K handled in the ASIC, so basically in HW? (except for log ACLs...)

Yes, if you apply an ACL to a physical interface/bundle it is applied in hardware.

For the SSH example it is not in hardware.

ssh server [vrf vrf-name [ipv4 access-list IPv4 access-list name] [ipv6 access-list IPv6 access-list name]]

So the packet will be processed by the NPU and punted to the CPU, where it will be processed or dropped.

I see, so if I apply the ACL on "line default", would it be processed in HW or by the CPU? If in HW, why would I prefer control-plane?

Thanks a lot
