Management Plane Protection Best Practice

Phil Clemens
Level 1

When attempting to upgrade a 9000v from an ASR9010 host (5.3.3), I discovered that some of our ASR9Ks have MPP configured on some interfaces, while others have none at all. Working with my test unit, I saw that I could configure MPP for all protocols on all interfaces, and could then use the peer list for security. This would be the most expedient.

Is there a stated best practice for MPP?

Sample:

control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24

Accepted Solution

mivens
Level 1

It depends on your use case.

There may be reasons why you do not want MPP to accept management traffic on some interfaces. For example, you may have untrusted interfaces connected to a third party from which you know the router will never be managed, so rather than use "interface all", you only add the trusted interfaces that you receive management traffic from to your MPP config.

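As an added example (not from this thread, and not Cisco code), a small Python audit that parses an IOS XR management-plane block and flags the broad "interface all" form from the question against the interface-specific form the accepted answer recommends. It assumes the text passed in is only the control-plane / management-plane block; the MgmtEth interface name and the 10.10.10.5/32 peer in the tightened sample are made up for the example.

```python
import re
from dataclasses import dataclass, field
@dataclass
class MppEntry:
    interface: str                             # "all" or a named interface
    protocol: str                              # "all", "ssh", "snmp", "tftp", ...
    peers: list = field(default_factory=list)  # empty = any source address
def parse_mpp(config: str) -> list:
    """Parse interface / allow / address lines of an IOS XR management-plane block."""
    entries, interface, current = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            interface, current = m.group(1), None
        elif (m := re.fullmatch(r"allow (\S+)( peer)?", line)) and interface:
            current = MppEntry(interface, m.group(1))
            entries.append(current)
        elif (m := re.fullmatch(r"address (ipv4|ipv6) (\S+)", line)) and current:
            current.peers.append(m.group(2))
    return entries
def audit(entries: list) -> list:
    """Return review findings; an empty list means nothing to flag."""
    if not entries:
        return ["no MPP block: management protocols are not limited to chosen interfaces"]
    findings = []
    for e in entries:
        if e.interface == "all":
            findings.append(f"{e.protocol}: 'interface all' admits untrusted interfaces too; list trusted ones")
        if not e.peers:
            findings.append(f"{e.interface}/{e.protocol}: no peer list, any source address is accepted")
    return findings

# Constructed inputs: the question's sample, then a tightened version (MgmtEth name and /32 peer made up).
BROAD = """control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24
"""
TIGHT = """control-plane
 management-plane
  inband
   interface MgmtEth0/RSP0/CPU0/0
    allow ssh peer
     address ipv4 10.10.10.0/24
    allow snmp peer
     address ipv4 10.10.10.5/32
"""
```

Run `audit(parse_mpp(cfg))` over the management-plane block of each ASR9K to spot the mixed state described in the question (MPP on some interfaces, none on others) before standardising.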

2 Replies

Phil Clemens
Level 1

As a follow-up, it appears that I could configure ssh for all interfaces, but get more granular on specific interfaces. How does the logic work in that case?

For instance, if I configure ssh for all interfaces, and then want to also allow tftp for an individual interface, do I need to specify both on the individual interface, or simply add tftp?
