Identifying and locking down potential router vulnerabilities is these days a fairly simple task, thanks to features such as ‘one click lockdown’ and ‘security audits’ that can be run straight from the SDM GUI. Using these tools you can secure the router with the tick of a ‘fix it’ checkbox. I would like to draw attention to another feature which I think is a great addition to the above and which is available in IOS version 12.4(6)T and later.
MPP (Management Plane Protection) – Simply put, the management plane is the part of the router that handles management connections and their associated protocols (management traffic), such as FTP, SSH version 1 or 2, Telnet, SNMP and HTTP(S). By protecting the management plane we can restrict management access to the router to trusted sources only. Using the management plane protection feature has numerous benefits, some of which are:
- No ACL configuration is needed on the VTY lines
- The route processor is not interrupted by DDoS attacks against the router, as the packets are prevented from reaching the CPU
- It is also a very handy piece of config if you share your router and want to restrict management access to your own port only
To configure the MPP feature you first need to select a dedicated management port and ensure that IP Cisco Express Forwarding (CEF) is enabled on that port, then proceed as follows:
Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp ftp
Once an interface has been configured as a management interface, no other interface will accept management traffic (as defined above) directed at the router, and yes, you can designate multiple management interfaces. To remove an interface from the management role, simply prefix the command with ‘no’, as usual on Cisco.
To verify which management traffic is permitted on, and arriving at, the designated interface, use the command:
Router# show management-interface
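As an added example (not part of the original post), here is a small Python audit that parses the text of `show running-config` and checks the points above: that at least one management interface is designated under control-plane host, that each designated interface exists with IP CEF still enabled, and which protocols it admits. The sample config, the function names and the extra check flagging Telnet and HTTP as cleartext protocols are my assumptions, not the post's.

```python
import re

# Constructed sample `show running-config` (not from a real device): Fa0/0 is the
# management port, Fa0/1 has CEF switched off per interface, both are in the MPP block.
SAMPLE_CONFIG = """\
ip cef
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip route-cache cef
!
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
 management-interface FastEthernet0/1 allow telnet http
"""

MGMT_RE = re.compile(r"^management-interface\s+(\S+)\s+allow\s+(.+)$")

def parse_config(config):
    """Return (top-level lines, {stanza header: [indented sub-commands]})."""
    top, stanzas, current = [], {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())   # sub-command of the open stanza
        else:
            current = line.strip()                   # any top-level line may open a stanza
            top.append(current)
            stanzas.setdefault(current, [])
    return top, stanzas

def audit_mpp(config):
    """Return findings as strings; an empty list means the MPP setup looks sound."""
    top, stanzas = parse_config(config)
    mgmt, findings = {}, []                          # mgmt: interface -> allowed protocols
    for sub in stanzas.get("control-plane host", []):
        if m := MGMT_RE.match(sub):
            mgmt[m.group(1)] = set(m.group(2).split())
    if not mgmt:
        return ["MPP not configured: no management-interface under control-plane host"]
    for name, protos in sorted(mgmt.items()):
        if f"interface {name}" not in stanzas:
            findings.append(f"{name}: designated for management but not defined")
        elif "ip cef" not in top or "no ip route-cache cef" in stanzas[f"interface {name}"]:
            findings.append(f"{name}: IP CEF is disabled, but MPP requires CEF on the port")
        for proto in sorted(protos & {"telnet", "http"}):
            findings.append(f"{name}: allows cleartext management protocol {proto}")
    return findings
```

Run `audit_mpp(SAMPLE_CONFIG)` against the constructed config and it reports only FastEthernet0/1, for the disabled CEF and the two cleartext protocols.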
Simple but effective, Enjoy!