topic That was it. I just checked in Network Security

Management Plane Protection

Rowan Smith — Fri, 21 Feb 2020 13:40:33 GMT

Where has the configuration:

Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp

gone in IOS 15.4?

This used to allow one to secure management plane traffic to specific interfaces so that the Cisco wouldn't listen on all interfaces for SSH etc traffic.

In IOS 15.4 I can't find an equivalent command and my VRFs are accepting SSH connections which the only way I can stop is with a ACL on each interface of the VRF.

The process is described here: http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html#anc33

Thanks

What kind of device are you

Philip D'Ath — Fri, 01 Jan 2016 20:59:19 GMT

What kind of device are you doing this on?

Hi.

Rowan Smith — Sat, 02 Jan 2016 02:57:28 GMT

Hi.

It's a 2921 running 15.4(3)M4

Thanks

I just trued this on a Cisco

Philip D'Ath — Sat, 02 Jan 2016 05:23:17 GMT

I just trued this on a Cisco 2911 running 15.4(3)M2. So I doesn't look like it is removed to me.

You're not using TACAS, role based cli, or anything else that might hide the commands from you?

cisco2911(config)#control-plane host
cisco2911(config-cp-host)#management-interface ?
Auto-Template Auto-Template interface
Dialer Dialer interface
Embedded-Service-Engine cisco embedded service engine module
FastEthernet FastEthernet IEEE 802.3

No, it's just a standard

Rowan Smith — Sat, 02 Jan 2016 06:05:28 GMT

No, it's just a standard local username/password. Command certainly isn't there for me...

rtr1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
rtr1(config)#con
rtr1(config)#cont
rtr1(config)#control-plane host
rtr1(config-cp-host)#?
Control Plane host configuration commands:
exit Exit from control-plane host configuration mode
no Negate or set default values of a command
service-policy Configure QOS Service Policy

rtr1(config-cp-host)#management-interface ?
% Unrecognized command
rtr1(config-cp-host)#management-interface
^
% Invalid input detected at '^' marker.

rtr1(config-cp-host)#^Z
rtr1#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.4(3)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Sun 27-Sep-15 06:34 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

rtr1 uptime is 10 hours, 1 minute
System returned to ROM by reload at 20:28:19 UTC Fri Jan 1 2016
System image file is "flash:c2900-universalk9-mz.SPA.154-3.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID XXXXXXXXXX
3 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*1 CISCO2921/K9 XXXXXXXXX

Technology Package License Information for Module:'c2900'

------------------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data datak9 RightToUse datak9
NtwkEss None None None
CollabPro None None None

Configuration register is 0x2102

I just tried that exact image

Philip D'Ath — Sat, 02 Jan 2016 06:10:07 GMT

I just tried that exact image (15.4(3)m4) on a 2911 and it worked fine.

I notice you have IP Base and Data, while the router I am testing is licenced for more features.

ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data datak9 Permanent datak9
NtwkEss None None None
CollabPro None None None

Let me check the CIsco feature navigator.

That was it. I just checked

Philip D'Ath — Sat, 02 Jan 2016 06:27:02 GMT

That was it. I just checked the Cisco Feature Navigator, and Management Plane Protection requires the security licence. It is not part of IP Base or Data.

Thanks for your time.

Rowan Smith — Sat, 02 Jan 2016 06:27:03 GMT

Thanks for your time.