Management Plane Protection Best Practice

When attempting to upgrade a 9000v from an ASR9010 host (5.3.3), I discovered that some of our ASR9Ks have MPP configured on some interfaces, while others have none at all. Working with my test unit, I saw that I could configure MPP for all protocols on all interfaces, and could then use the peer list for security. This would be the most expedient.

Is there a stated best practice for MPP?

Sample:

control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24

1 ACCEPTED SOLUTION

It depends on your use-case.

There may be reasons why you do not want MPP to accept management traffic on some interfaces. For example, you may have untrusted interfaces connected to a third party from which you know the router will never be managed, so rather than use "interface all", you only add your trusted interfaces that you receive management traffic from to your MPP config.

2 REPLIES

As a follow-up, it appears that I could configure ssh for all interfaces, but get more granular on specific interfaces.  How does the logic work in that case?

For instance, if I configure ssh for all interfaces, and then want to also allow tftp for an individual interface, do I need to specify both on the individual interface, or simply add tftp?
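
An audit sketch for the situation in this thread (some routers with MPP on a few interfaces, others with none, and the accepted answer's caution about "interface all"), added here as an example and not part of any post. It parses the management-plane block of an indented IOS XR running-config and flags rules on "interface all", rules with no peer address, and configs with no MPP rules; the sample config, interface name and function names are constructed for illustration.

```python
# Added example; assumes indented IOS XR running-config text. SAMPLE is constructed.
SAMPLE = """\
control-plane
 management-plane
  inband
   interface all
    allow all peer
     address ipv4 10.10.10.0/24
    !
   !
   interface GigabitEthernet0/0/0/1
    allow SSH
   !
  !
 !
"""

def parse_mpp(config):  # returns one dict per MPP 'allow' rule
    rules, band, iface, rule, mpp_depth = [], None, None, None, None
    for raw in config.splitlines():
        line, depth = raw.strip(), len(raw) - len(raw.lstrip())
        if mpp_depth is not None and line and depth <= mpp_depth:
            mpp_depth = None                    # indentation dropped: block ended
        if line == "management-plane":
            mpp_depth, band, iface, rule = depth, None, None, None
        elif mpp_depth is None or line in ("", "!"):
            continue
        elif line in ("inband", "out-of-band"):
            band, iface, rule = line, None, None
        elif line.startswith("interface "):
            iface, rule = line.split(None, 1)[1], None
        elif line.startswith("allow ") and iface:
            rule = {"band": band, "interface": iface, "protocol": line.split()[1], "peers": []}
            rules.append(rule)
        elif line.startswith("address ") and rule is not None:
            rule["peers"].append(line.split()[-1])
    return rules

def audit(rules):  # flags rules that accept management traffic more widely than intended
    if not rules:
        return [("management-plane", "no MPP rules configured")]
    findings = []
    for r in rules:
        where = f"{r['band']} interface {r['interface']} allow {r['protocol']}"
        if r["interface"] == "all":
            findings.append((where, "applies to every interface, trusted or not"))
        if not r["peers"]:
            findings.append((where, "no peer address filter"))
    return findings
```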
