Management Plane

Aruba_Net
Level 1

Hey Guys,

I can't figure out if what I am seeing is expected or if it is a bug.

So I have a 9001 running on 6.4.2. The router has a few external connection links. I would like to have one loopback interface as inband management interface so I have configured the following lines:

control-plane
 management-plane
  inband
   interface Lo1
    allow SSH peer
     address ipv4 X.X.X.X/Y
   !
  !
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow all
   !
   interface MgmtEth0/RSP0/CPU0/1
    allow all

No luck... I cannot ssh to the Lo0 IP.

I have squeezed my mind a little bit and I have found that if I allow the external interface from where the SSH request arrives (let's say Te0/0/0/0) I can open a shell session to the 9001 Lo0 IP address (even if Lo0 is not part of the inband management plane anymore).

So if the config looks like the following I can ssh to the Lo0 address:

control-plane
 management-plane
  inband
   interface Te0/0/0/0
    allow SSH peer
     address ipv4 X.X.X.X/Y
   !
  !
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow all
   !
   interface MgmtEth0/RSP0/CPU0/1
    allow all

Is this the way it should be? It doesn't look like it from the docs.

Thanks,

ADP


4 Replies

xr-escalation
Level 1

This is expected behaviour.

best,
/Aleksandar

Thank you,

That is weird. So if I would like to make sure that ssh is only allowed on the loopback interface my best option would be to remove the inband block of the management-plane and apply an ACL to the ssh server?

Thanks,

ADP

Apologies for a very brief previous reply. It wasn't my intention to sound rude, but reading it back it really seemed so. :)

Inband MPP configuration is applied in hardware. The purpose is to check whether a particular management protocol is allowed to be received on the given physical interface. HW doesn't know anything about loopback interfaces. On asr9k you can check the "show uidb index location <location>" to see which interfaces are known to HW. You will see the physical, bundle, BVI and tunnel interfaces. With loopback as destination, you never know on which LC/NPU the packet is going to be received. Hence the equivalent of allowing Loopback as destination for ssh is to configure

control-plane
 management-plane
  inband
   interface all
    allow SSH

and couple that with an ACL that will limit the allowed sources of ssh connection:

ssh server vrf default ipv4 access-list my_ssh_acl

Hope this helps.

/Aleksandar

Hope this clarifies.
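A complete worked configuration of the approach described in the reply above, added here as an example and not part of the original thread. The management-station range (192.0.2.0/24), the loopback address (203.0.113.1/32), the loopback number (Loopback0) and the ACL name (MGMT-SSH) are placeholders to substitute. Because the SSH server ACL is an ordinary IPv4 ACL, it can constrain the destination address as well as the source, which is how "SSH only to the loopback address" is enforced once MPP has to be opened to `interface all`:

```ios
!
! Added example (not from the thread). Assumed values: management stations
! in 192.0.2.0/24, Loopback0 = 203.0.113.1/32, ACL name MGMT-SSH.
!
interface Loopback0
 ipv4 address 203.0.113.1 255.255.255.255
!
! 1. Source *and* destination filter for the SSH server. Restricting the
!    destination to the loopback address is what MPP alone cannot express
!    for a loopback; the explicit deny gives a hit counter for rejects.
ipv4 access-list MGMT-SSH
 10 permit tcp 192.0.2.0/24 host 203.0.113.1 eq 22
 20 deny tcp any any eq 22
!
! 2. MPP: SSH may reach the control plane via any hardware interface
!    (a loopback is not known to the forwarding hardware, so it cannot be
!    named here). Without the ACL above this would accept SSH to any
!    router-owned address from anywhere, so the two parts belong together.
control-plane
 management-plane
  inband
   interface all
    allow SSH
   !
  !
  out-of-band
   interface MgmtEth0/RSP0/CPU0/0
    allow all
   !
   interface MgmtEth0/RSP0/CPU0/1
    allow all
   !
  !
 !
!
! 3. Bind the ACL to the SSH server. "vrf default" as in the thread; if the
!    loopback lives in a management VRF, name that VRF instead.
ssh server vrf default ipv4 access-list MGMT-SSH
!
```

To verify, `show mgmt-plane` lists the inband and out-of-band interfaces with the protocols allowed on each, `show access-lists ipv4 MGMT-SSH` shows per-ACE hit counts (an attempt from outside 192.0.2.0/24, or to a non-loopback address, should increment sequence 20), and `show ssh` lists the sessions that were actually established.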

Hello Aleksandar,

Many thanks for the explanation, it makes sense now. And no worries for the first post ;-)

Regards,

ADP