
MPP on IOS XRv

mmelbourne
Level 5

Hi,

 

I have the following configuration on IOS XRv (5.3.0):

 

control-plane
 management-plane
  out-of-band
   vrf MGMT
   interface MgmtEth0/0/CPU0/0
    allow SSH
    allow Telnet
   !
  !
 !
!
interface MgmtEth0/0/CPU0/0
 cdp
 vrf MGMT
 ipv4 address 10.6.6.202 255.255.255.0
!
interface GigabitEthernet0/0/0/0
 ipv4 address 10.6.6.203 255.255.255.0

 

With this configuration, I thought that MPP would only allow management (SSH/telnet) connections on MgmtEth0/0/CPU0/0. However, I can still ssh to the virtual XR instance on the 10.6.6.203 IP address in the global VRF. Is this by design or is it a feature?

RP/0/0/CPU0:gw-xr1#sh lpts pifib brief | i (any,22)
Sun Mar 15 19:42:40.477 GMT
 IPv4       default  TCP    any          0/0/CPU0     any,22 any
 IPv4       *        TCP    Mg0/0/CPU0/0 0/0/CPU0     any,22 any
 IPv6       default  TCP    any          0/0/CPU0     any,22 any
 IPv6       *        TCP    Mg0/0/CPU0/0 0/0/CPU0     any,22 any

 

Cheers,

Matt

 

 

 

1 Reply

xthuijs
Cisco Employee

Hi Matt,

MPP eventually gets programmed in the hardware forwarding as an ACL.

Since XRv doesn't have that hardware layer as such, I don't think this feature will work "as expected" on real hardware.

You could check Cisco Live session ID 2904 from San Francisco 2014 and Orlando 2013; that may have some good detail for you on the MPP operation and verification under the hood.

I am afraid this is a limitation of XRv.

Also, there is a default TCP allow all for 22, which results in the fact that every interface is effectively capable of accessing the SSH control plane.

You may want to put the inband interface all and not allow anything specifically. Bit surprised on the default TCP 22 there in your output, but this may be that restriction of XRv possibly.

cheers

xander
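
A check for the condition discussed in this thread, as an added example that is not part of either post: it parses `show lpts pifib brief` rows and reports management ports that are accepted on ingress interface `any`. The column meanings (address family, VRF, L4 protocol, interface, deliver, local address and port, remote address) are assumed from the four rows shown in the question, and the function names are hypothetical.

```python
# Constructed sample: the timestamp line and four rows quoted in the question.
SAMPLE = """\
Sun Mar 15 19:42:40.477 GMT
 IPv4       default  TCP    any          0/0/CPU0     any,22 any
 IPv4       *        TCP    Mg0/0/CPU0/0 0/0/CPU0     any,22 any
 IPv6       default  TCP    any          0/0/CPU0     any,22 any
 IPv6       *        TCP    Mg0/0/CPU0/0 0/0/CPU0     any,22 any
"""

# The two protocols allowed under management-plane in the question's config.
MGMT_PORTS = {22: "SSH", 23: "Telnet"}


def parse_pifib(text):
    """Yield one dict per line that looks like a pifib brief entry."""
    for line in text.splitlines():
        f = line.split()
        # Assumed layout: 7 whitespace-separated columns starting with IPv4/IPv6.
        if len(f) != 7 or f[0] not in ("IPv4", "IPv6"):
            continue  # timestamp, header, or unrelated line
        local_addr, _, port = f[5].partition(",")
        yield {"af": f[0], "vrf": f[1], "l4": f[2], "interface": f[3],
               "deliver": f[4], "local_addr": local_addr, "port": port,
               "remote": f[6]}


def unrestricted_mgmt_entries(text, ports=MGMT_PORTS):
    """Return (af, vrf, service, port) for management ports open on interface 'any'."""
    findings = []
    for e in parse_pifib(text):
        # Skip non-TCP rows and rows whose port field is symbolic or empty.
        if e["l4"] != "TCP" or not e["port"].isdigit():
            continue
        port = int(e["port"])
        if port in ports and e["interface"] == "any":
            findings.append((e["af"], e["vrf"], ports[port], port))
    return findings


if __name__ == "__main__":
    for af, vrf, name, port in unrestricted_mgmt_entries(SAMPLE):
        print(f"{af} vrf={vrf}: {name} (tcp/{port}) accepted on any interface")
```

An empty result means every listed entry for those ports is tied to a named interface, which is what the original poster expected MPP to produce.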