MPP (Management Plane Protection) with access-Class on VTY clarification

bernardo81
Level 1

Hello,
We would like to implement MPP on our Routers and Switches to limit Mgmt Protocols to specific interfaces.

I was reading about the advantages of MPP over regular ACLs applied to interfaces: when management-protocol traffic arrives on an untrusted interface, it is not punted to the CPU, thus preventing DoS attacks.

The thing is that we also want to limit the source subnet that is allowed to SSH to the routers for managing the devices, via:

ip access-list extended ACL-Src-Subnet
 ! wildcard mask written out in full, and an explicit destination (IOS requires one for a tcp entry)
 permit tcp 10.10.77.0 0.0.0.255 any eq 22

line vty 0 4
 access-class ACL-Src-Subnet in

Will this configuration punt the CPU and defeat the purpose of MPP?

Please advise

7 Replies

balaji.bandi
Hall of Fame

How is your configuration for the MPP? Any specific interface? Do you have any specific OOB in place?

BB


Hello, I still have not configured MPP.

Currently we have only the following:

ip access-list extended ACL-Src-Subnet
 ! wildcard mask written out in full, and an explicit destination (IOS requires one for a tcp entry)
 permit tcp 10.10.77.0 0.0.0.255 any eq 22

line vty 0 4
 access-class ACL-Src-Subnet in

I want to use MPP to avoid CPU punting in case of attacks and to tighten the security.
The question is not how to configure MPP, but whether MPP with access-class configured will punt the CPU in case someone outside 10.10.77.0/24 tries to access the routers on an MPP-configured interface that allows SSH.

Hi,
If you are using an ACL on the VTY line and the ACL blocks the traffic, then the local CPU would be used to indicate to the remote device that the connection had been refused. Only by using CoPP/CPPr would the CPU be protected; no indication that access was denied would be sent to the remote device (silently blocked).

If this device is on the inside of the network, and therefore not at the internet edge, with modern hardware I doubt the CPU is going to be impacted, so I personally wouldn't overcomplicate the configuration with CoPP/CPPr.

HTH

Hi RJI,

Thank you for the reply.
So in brief you suggest either using access-class on VTY or MPP, but not both together.
And preferably using access-class on VTY.
Right?

Just an ACL on the VTY lines should suffice.
MPP does meet your requirement of not punting to the CPU, but as I indicated earlier, it's overkill in my opinion.

HTH

Hello,

Thank you for the clarification, really helpful.

I just watched a video over at networklessons.com where they enforce MPP and show that it silently drops the denied packets.
