Management Plane Protection (MPP)

Management Plane Protection (MPP) is a security feature for Cisco IOS routers that accomplishes two things:

  • Restrict the interfaces where the router permits packets from network management protocols.
  • Restrict the network management protocols that the router permits.

The management plane is the logical path of all traffic related to the management of the router. For example:

  • Telnet
  • SSH
  • SNMP
  • HTTP
  • HTTPS

MPP makes it easier to protect management traffic. You need fewer access-lists because you can restrict most of the network management traffic with MPP. It also prevents network management packet flood attacks since it drops denied packets and does not forward them to the CPU. It’s a good tool to permit/deny most of your network management traffic. You can still use access-lists if you need to permit/deny specific subnets and/or IP addresses.

Configuration

Let me show you how to configure MPP. This is the topology we’ll use:

H1 R1 H2 Mpp Lab Topology

H1 is on a trusted network we use to manage R1. H2 is on a remote network that should not be able to manage R1 with any network management protocols.

Configurations


Want to look for yourself? Here you will find the startup configuration of each device.

H1

hostname H1 
! 
interface GigabitEthernet2 
 ip address 192.168.1.1 255.255.255.0 
! 
end

H2

hostname H2 
! 
interface GigabitEthernet2 
 ip address 192.168.2.2 255.255.255.0 
! 
end

R1

hostname R1 
! 
interface GigabitEthernet2 
 ip address 192.168.1.254 255.255.255.0 
! 
interface GigabitEthernet3 
 ip address 192.168.2.254 255.255.255.0 
! 
end

Let’s do a “before” and “after” scenario where you can see the difference between when we use MPP or not.

Management Plane Protection (MPP) is a security feature for Cisco IOS routers that accomplishes two things: Restrict the interfaces where the router permits packets from network management protocols. Restrict the network management protocols that the router permits. The management plane is the logic


Without MPP

Let me show you what happens behind the scenes when MPP is disabled. I’ll configure R1 so it only accepts SSH traffic on the VTY lines:

R1(config)#line vty 0 4
R1(config-line)#transport input ssh

To see what is going on, we enable a debug:

R1#debug ip packet
IP packet debugging is on

Let’s try to telnet from H2 to R1:

H2#telnet 192.168.2.254
Trying 192.168.2.254 ...  
% Connection refused by remote host

We see that the connection is refused, this is expected because we don’t accept telnet on the VTY lines of R1. When you look at R1 you see it sends two packets to H2:

R1# 
IP: tableid=0, s=192.168.2.254 (local), d=192.168.2.2 (GigabitEthernet3), routed via FIB 
IP: s=192.168.2.254 (local), d=192.168.2.2 (GigabitEthernet3), len 40, sending

R1 responds to H2, refusing the connection. Transmit enough telnet packets from H2 and you can perform a denial of service attack on R1.

With MPP

Let’s see if we can improve this situation. First, let’s enable telnet on the VTY lines of R1:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 657 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

528 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. The control-plane command is not recognized on
    3560CX iOS version 15.2
    nor on a
    3850 IOS-XE version 16.6.6
    Is there an alternative?

  2. Hello Bradley

    According to this Cisco Documentation, the Cisco IOS Release 15M&T supports these features.


    Now for your specific IOS version, you can take a look at Cisco’s Feature Navigator to see which versions support which features.

    I hope this has been helpful!

    Laz

Ask a question or join the discussion by visiting our Community Forum