Beginner

MPP (Management Plane Protection) with access-Class on VTY clarification

Hello,
We would like to implement MPP on our Routers and Switches to limit Mgmt Protocols to specific interfaces.

I was reading about the advantages of MPP over a regular ACL applied to interfaces: when management protocol traffic arrives on an untrusted interface, it is not punted to the CPU, thus preventing DoS attacks.
 
The thing is that we want also to limit the source subnet that is allowed to SSH the Routers for Managing the devices via :

ip access-list extended ACL-Src-Subnet
 permit tcp 10.10.77.0 0.0.0.255 any eq 22
 
line vty 0 4
 access-class ACL-Src-Subnet in

Will this configuration punt to the CPU and defeat the purpose of MPP?

Please advise

 

 

7 REPLIES 7
VIP Advisor

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

How is your configuration for the MPP? Any specific interface? Do you have any specific OOB in place?

BB
*** Rate All Helpful Responses ***
Beginner

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

Hello, I still did not configure MPP.

Currently we have only the following:

ip access-list extended ACL-Src-Subnet
 permit tcp 10.10.77.0 0.0.0.255 any eq 22

line vty 0 4
 access-class ACL-Src-Subnet in

I want to use MPP to avoid CPU Punting in case of attacks and to tighten the security.
The question is not how to configure MPP, but whether MPP with access-class configured will punt to the CPU in case someone outside 10.10.77.0/24 tries to access the routers on an MPP-configured interface that allows SSH.
RJI (Advisor)

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

Hi,
If you are using an ACL on the VTY line and the ACL blocks the traffic, then the local CPU would be used to indicate to the remote device that the connection had been refused. Only by using CoPP/CPPr would the CPU be protected; no indication that access was denied would be sent to the remote device (silently blocked).

If this device is on the inside of the network, therefore not on the internet edge, with modern hardware I doubt that the CPU is going to be impacted, so I personally wouldn't over complicate the configuration with CoPP/CPPr.

HTH
Beginner

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

Hi RJI,

Thank you for the reply.
So, in brief, you suggest using either access-class on the VTY or MPP, but not both together.
And preferably access-class on the VTY.
Right?

RJI (Advisor)

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

Just an ACL on the VTY lines should suffice.
MPP does meet your requirement of not punting to the CPU, but as I indicated earlier, it's overkill in my opinion.

HTH
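To make the distinction in this thread concrete, here is an added IOS configuration (not from any post above) that combines both controls: MPP decides which interface accepts SSH at all, and the VTY access-class then restricts the source subnet on that interface. The interface name GigabitEthernet0/0 is an assumption; the subnet is the one from the question.

```cisco
! Added example, not from the thread. GigabitEthernet0/0 is an assumed
! management interface name.
!
! 1. Source restriction on the VTY lines (the ACL from the question, with a
!    valid /24 wildcard mask and an explicit destination). A connection that
!    reaches the VTY and is denied here is refused by the CPU, so the remote
!    host learns the attempt was rejected.
ip access-list extended ACL-Src-Subnet
 permit tcp 10.10.77.0 0.0.0.255 any eq 22
 ! implicit deny ip any any
!
line vty 0 4
 access-class ACL-Src-Subnet in
 transport input ssh
!
! 2. Management Plane Protection: only GigabitEthernet0/0 accepts SSH.
!    SSH arriving on any other interface is dropped silently before it
!    reaches the VTY lines, so it never triggers the access-class check.
control-plane host
 management-interface GigabitEthernet0/0 allow ssh
!
! Verify which interfaces and protocols MPP currently permits:
! show management-interface
```

With both in place, only SSH on GigabitEthernet0/0 from 10.10.77.0/24 succeeds; SSH on other interfaces is dropped by MPP, and SSH on the management interface from other sources is refused by the access-class.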
Beginner

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

Hello,

Thank you for the clarification, really helpful.

Beginner

Re: MPP (Management Plane Protection) with access-Class on VTY clarification

I just watched a video over at networklessons.com where they enforce MPP and show that it silently drops the denied packets.