We would like to implement MPP on our Routers and Switches to limit Mgmt Protocols to specific interfaces.
I was reading about the advantages of MPP over regular ACLs applied to interfaces: when management protocol traffic arrives on an untrusted interface, it is not punted to the CPU, thus preventing DoS attacks.
The thing is that we also want to limit the source subnet that is allowed to SSH to the routers for managing the devices via:
ip access-list extended ACL-Src-Subnet
 ! SSH (TCP/22) from the 10.10.77.0/24 management subnet to any router address
 permit tcp 10.10.77.0 0.0.0.255 any eq 22
line vty 0 4
 access-class ACL-Src-Subnet in
Will this configuration punt to the CPU and defeat the purpose of MPP?
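As an added example (not from the original post), here is how the MPP restriction and the vty access-class from the question sit side by side in IOS: MPP drops SSH arriving on any interface other than the designated management interface before it reaches the management process, and the access-class then filters the source subnet on the sessions that MPP admitted. The interface name GigabitEthernet0/0 and the SNMP keyword are assumptions for illustration.

```cisco
! MPP requires CEF
ip cef
!
! Management Plane Protection: only GigabitEthernet0/0 (assumed name) accepts
! SSH and SNMP; management traffic arriving on other interfaces is dropped
control-plane host
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Source-subnet restriction on the vty lines, evaluated after MPP admits the packet
ip access-list extended ACL-Src-Subnet
 permit tcp 10.10.77.0 0.0.0.255 any eq 22
 ! explicit deny with logging so rejected attempts are visible in the log
 deny ip any any log
!
line vty 0 4
 access-class ACL-Src-Subnet in
 transport input ssh
!
! Verification
show management-interface
show ip access-lists ACL-Src-Subnet
```

The two mechanisms are complementary: MPP answers "which interface may carry management traffic at all", and the access-class answers "which sources may open a vty session on it".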
How is your configuration for the MPP, any specific interface? Do you have any specific OOB in place?
I just watched a video over at networklessons.com where they enforce MPP and show that it silently drops the denied packets.