07-06-2017 01:24 PM
When attempting to upgrade a 9000v from an ASR9010 host (5.3.3), I discovered that some of our ASR9K's have MPP configured on some interfaces, while others have none at all. Working with my test unit, I saw that I could configure MPP for all protocols on all interfaces, and could then use the peer list for security. This would be the most expedient.
Is there a stated best practice for MPP?
Sample:
control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24
07-07-2017 01:50 AM
It depends on your use-case.
There may be reasons why you do not want MPP to accept management traffic on some interfaces. For example you may have untrusted interfaces connected to a third-party from which you know the router will never be managed, so rather than use "interface all", you only add your trusted interfaces that you receive management traffic from to your MPP config.
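An added example, not part of the original thread: a small audit that reads an MPP stanza and reports the points raised above (use of "interface all", all protocols allowed, and protocols with no peer list). The names `parse_mpp`, `audit` and `SAMPLE` are hypothetical, the sample configuration is constructed, and the parser assumes the indented layout that `show running-config` produces.

```python
import re

# Constructed sample: the thread's "interface all" stanza plus one scoped interface.
SAMPLE = """\
control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24
   interface GigabitEthernet0/0/0/1
    allow SSH peer
     address ipv4 10.10.10.0/24
    allow TFTP
"""

def parse_mpp(config):
    """Return {interface: {protocol: [peer prefixes]}} for the management-plane stanza."""
    rules, iface, proto, inside = {}, None, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "management-plane":
            inside = True
        elif inside and raw and not raw[0].isspace():
            inside = False  # a new top-level line ends the stanza
        elif inside and (m := re.match(r"interface (\S+)$", line)):
            iface, proto = m.group(1), None
            rules.setdefault(iface, {})
        elif inside and iface and (m := re.match(r"allow (\S+)( peer)?$", line)):
            proto = m.group(1)
            rules[iface].setdefault(proto, [])
        elif inside and proto and (m := re.match(r"address ipv[46] (\S+)$", line)):
            rules[iface][proto].append(m.group(1))
    return rules

def audit(config):
    """List the points a reviewer would question in an MPP stanza."""
    rules = parse_mpp(config)
    findings = [] if rules else ["no MPP interfaces configured"]
    for iface, protos in rules.items():
        if iface == "all":
            findings.append("interface all: MPP accepts management traffic on every interface")
        for proto, peers in protos.items():
            if proto.lower() == "all":
                findings.append(f"{iface}: all protocols allowed")
            if not peers:
                findings.append(f"{iface}: {proto} allowed from any source address")
    return findings
```

Calling `audit(SAMPLE)` returns three findings; a stanza that lists only trusted interfaces, each with a peer list, returns none.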
07-06-2017 02:19 PM
As a follow-up, it appears that I could configure ssh for all interfaces, but get more granular on specific interfaces. How does the logic work in that case?
For instance, if I configure ssh for all interfaces, and then want to also allow tftp for an individual interface, do I need to specify both on the individual interface, or simply add tftp?