Solved: Re: Management-Plane Apply-Group not working - NCS5508

ODJ · ‎03-31-2021

Hej

NCS5508 version 7.2.2

I have been trying to apply MPP to our new devices, and was intending to use "apply-group" to shorten the configuration.

I want to enable access only from Bundle-Ether interfaces and using the below wild card. (I have also used 'Bundle-Ether *'), but it does not work.

However, if I apply a Bundle-Ether directly under management-plane inband then it works.

Could use some help.

Regards

group INBAND-MGMT
 control-plane
  management-plane
   inband
    interface 'Bundle-Ether*'
     allow SSH peer
      address ipv4 1.2.3.4
!
!
control-plane
 management-plane
  inband
   apply-group INBAND-MGMT

tkarnani · ‎03-31-2021

Hi,

the apply group will help you with the additional configuration, not the interfaces themselves, you will still need to list them under control-plane.

example

group APPLYGROUP
control-plane
  management-plane
   inband
    interface 'TenGigE.*'
     allow SNMP peer
      address ipv4 1.2.3.0/24

Under control-plane management configure the interfaces:

control-plane
management-plane
  inband
   interface TenGigE0/0/0/0
   !
   interface TenGigE0/0/0/1


Once you have configured the interfaces you may then apply the flex-CLi group:

control-plane
management-plane
  inband
   apply-group APPLYGROUP

Now this Flex-CLI will match the criteria apply the configuration.


RP/0/RP0/CPU0:NCS5501-C#show mgmt-plane
Management Plane Protection

inband interfaces
----------------------
interface - TenGigE0_0_0_0/
        snmp configured -
                peer v4 allowed - 1.2.3.0/24
interface - TenGigE0_0_0_1/
        snmp configured -
                peer v4 allowed - 1.2.3.0/24

View solution in original post

tkarnani · ‎03-31-2021

Hi,

the apply group will help you with the additional configuration, not the interfaces themselves, you will still need to list them under control-plane.

example

group APPLYGROUP
control-plane
  management-plane
   inband
    interface 'TenGigE.*'
     allow SNMP peer
      address ipv4 1.2.3.0/24

Under control-plane management configure the interfaces:

control-plane
management-plane
  inband
   interface TenGigE0/0/0/0
   !
   interface TenGigE0/0/0/1


Once you have configured the interfaces you may then apply the flex-CLi group:

control-plane
management-plane
  inband
   apply-group APPLYGROUP

Now this Flex-CLI will match the criteria apply the configuration.


RP/0/RP0/CPU0:NCS5501-C#show mgmt-plane
Management Plane Protection

inband interfaces
----------------------
interface - TenGigE0_0_0_0/
        snmp configured -
                peer v4 allowed - 1.2.3.0/24
interface - TenGigE0_0_0_1/
        snmp configured -
                peer v4 allowed - 1.2.3.0/24

ODJ · ‎04-06-2021

Thanks for the help I found the problem I had. I needed "." in the wildcard

So instead of 'Bundle-Ether*' I needed to do 'Bundle-Ether.*' . A small thing but made it work.

RP/0/RP0/CPU0:test4p1dk(config-mpp-inband)#do show mgmt-plane
Tue Apr 6 10:29:57.741 CEST

Management Plane Protection

inband interfaces
----------------------
interface - Bundle-Ether666/
ssh configured -
peer v4 allowed - 1.2.3.4

ODJ · ‎03-31-2021

I followed what you did step by step but it does not seem to work.
1) Created Group
2) Configure interface under MGMT plane
3) Apply Group

control-plane
 management-plane
  inband
   apply-group INBAND-MGMT
   interface Bundle-Ether666
   !
  !

I only see the Outband MGMT interface still.

RP/0/RP0/CPU0:test4p1dk(config)#do show mgmt-plane                                      
Wed Mar 31 15:34:53.022 CEST


Management Plane Protection

outband interfaces
----------------------
interface - MgmtEth0_RP0_CPU0_0/ 
        ssh configured - 
                peer v4 allowed - 4.3.2.1
interface - MgmtEth0_RP1_CPU0_0/ 
        ssh configured - 
                peer v4 allowed - 4.3.2.1
RP/0/RP0/CPU0:test4p1dk(config)#