Table Of ContentsManagement Plane Protection Show
Contents Prerequisites for Management Plane Protection Restrictions for Management Plane Protection Information About Management Plane Protection In-Band Management Interface Control Plane Protection Overview Management Plane Management Plane Protection Feature Benefits of the Management Plane Protection Feature How to Configure a Device for Management Plane Protection Configuring a Device for Management Plane Protection Prerequisites Examples Configuration Examples for Management Plane Protection Configuring Management Plane Protection on Gigabit Ethernet Interfaces: Example Additional References Related Documents Standards MIBs RFCs Technical Assistance Command Reference Feature Information for Management Plane Protection Management Plane ProtectionFirst Published: February 27, 2006 Last Updated: February 27, 2006 The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces provides greater control over management of a device, providing more security for that device. Other benefits include improved performance for data packets on nonmanagement interfaces, support for network scalability, need for fewer access control lists (ACLs) to restrict access to a device, and management packet floods on switching and routing interfaces are prevented from reaching the CPU. Finding Feature Information in This Module Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Management Plane Protection" section. Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Contents• • • • • • • • Prerequisites for Management Plane Protection• Restrictions for Management Plane Protection• • • • • • Information About Management Plane ProtectionBefore you enable the Management Plane Protection feature, you should understand the following concepts: • • • • • In-Band Management InterfaceAn in-band management interface is a Cisco IOS physical or logical interface that processes management as well as data-forwarding packets. Loopback interfaces commonly are used as the primary port for network management packets. External applications communicating with a networking device direct network management requests to the loopback port. An in-band management interface is also called a shared management interface. Control Plane Protection OverviewA control plane is a collection of processes that run at the process level on a route processor and collectively provide high-level control for most Cisco IOS software functions. All traffic directly or indirectly destined to a router is handled by the control plane. Control Plane Policing (CoPP) is a Cisco IOS control-plane feature that offers rate limiting of all control-plane traffic. CoPP allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets. This QoS filter helps to protect the control plane of Cisco IOS routers and switches against denial-of-service (DoS) attacks and helps to maintain packet forwarding and protocol states during an attack or during heavy traffic loads. Control Plane Protection is a framework that encompasses all policing and protection features in the control plane. The Control Plane Protection feature extends the policing functionality of the CoPP feature by allowing finer policing granularity. Control Plane Protection also includes a traffic classifier, which intercepts control-plane traffic and classifies it in control-plane categories. Management Plane Protection operates within the Control Plane Protection infrastructure. For more information about the Control Plane Policing feature in Cisco IOS software, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122s/122snwft/release/122s18/gtrtlimt.htm. For more information about the Control Plane Protection feature in Cisco IOS software, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124t/124t4/htcpp.htm. Management PlaneThe management plane is the logical path of all traffic related to the management of a routing platform. One of three planes in a communication architecture that is structured in layers and planes, the management plane performs management functions for a network and coordinates functions among all the planes (management, control, data). The management plane also is used to manage a device through its connection to the network. Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is critical. Management Plane Protection FeatureThe MPP feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device. Restricting management packets to designated interfaces provides greater control over management of a device. The MPP feature is disabled by default. When you enable the feature, you must designate one or more interfaces as management interfaces and configure the management protocols that will be allowed on those interfaces. The feature does not provide a default management interface. Using a single CLI command, you can configure, modify, or delete a management interface.When you configure a management interface, no interfaces except that management interface will accept network management packets destined to the device. When the last configured interface is deleted, the feature turns itself off. Following are the management protocols that the MPP feature supports. These management protocols are also the only protocols affected when MPP is enabled. • • • • • • • • Cisco IOS features enabled on management interfaces remain available when the MPP feature is enabled. Nonmanagement packets such as routing and Address Resolution Protocol (ARP) messages for in-band management interfaces are not affected. This feature generates a syslog for the following events: • • For example, a failure will occur when the management interface cannot successfully receive or process packets destined for the control plane for reasons other than resource exhaustion. Benefits of the Management Plane Protection FeatureImplementing the MPP feature provides the following benefits: • • • • • • How to Configure a Device for Management Plane ProtectionThis section contains the following task: • Configuring a Device for Management Plane ProtectionPerform this task to configure a device that you have just added to your network or a device already operating in your network. This task shows how to configure MPP where SSH and SNMP are allowed to access the router only through the FastEthernet 0/0 interface. Prerequisites• SUMMARY STEPS1. 2. 3. 4. 5. 6. DETAILED STEPS
ExamplesThe configuration in this example shows MPP configured to allow SSH and SNMP to access the router only through the FastEthernet 0/0 interface. This configuration results in all protocols in the remaining subset of supported management protocols to be dropped on all interfaces unless explicitly permitted. BEEP, FTP, HTTP, HTTPS, Telnet, and TFTP will not be permitted to access the router through any interfaces, including FastEthernet 0/0. Additionally, SNMP and SSH will be dropped on all interfaces except FastEthernet 0/0, where it is explicitly allowed. To allow other supported management protocols to access the router, you must explicitly allow these protocols by adding them to the protocol list for the FastEthernet 0/0 interface or enabling additional management interfaces and protocols.
Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# control-plane host Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp .Aug 2 15:25:32.846: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path The following is output from the show management-interface command issued after configuring MPP in the previous example. The show management-interface command is useful for verifying your configuration. Router# show management-interface Management interface FastEthernet0/0 Protocol Packets processed Configuration Examples for Management Plane ProtectionThis section provides the following configuration example: • Configuring Management Plane Protection on Gigabit Ethernet Interfaces: ExampleThe following example shows how to configure MPP where only SSH, SNMP, and HTTP are allowed to access the router through the Gigabit Ethernet 0/3 interface and only HTTP is allowed to access the router through the Gigabit Ethernet 0/2 interface. Router# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router(config)# control-plane host Router(config-cp-host)# management-interface GigabitEthernet 0/3 allow http ssh snmp .Aug 2 17:00:24.511: %CP-5-FEATURE: Management-Interface feature enabled on Control plane host path Router(config-cp-host)# management-interface GigabitEthernet 0/2 allow http The following is output from the show management-interface command issued after configuring MPP in the previous example. The show management-interface command is useful for verifying your configuration. Router# show management-interface Management interface GigabitEthernet0/2 Protocol Packets processed Management interface GigabitEthernet0/3 Protocol Packets processed Additional ReferencesThe following sections provide references related to Management Plane Protection. Related DocumentsStandards
MIBs
RFCs
Technical Assistance
Command ReferenceThe following commands are introduced or modified in the feature or features • • For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, see the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Master Command List. Feature Information for Management Plane ProtectionTable 1 lists the release history for this feature. Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation. Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear. Note
Table 1 Feature Information for Management Plane Protection
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.© 2007 Cisco Systems, Inc. All rights reserved.Which security method can be used to secure the management plane within a network?The AutoSecure feature is used to automate a process that secures the access of a device. AutoSecure focuses on the security of the management plane and the forwarding plane, and allows them to be configured separately.
Which security method can be used to secure the management plane within a network device Mcq?The correct answer is Firewall. It is a system designed to prevent unauthorized access to or from a private network. Hence, Option 4 is correct. You can implement a firewall in either hardware or software form, or a combination of both.
How do you secure a management plane?Securing Management Traffic.. - Management Plane Best Practices.. - Options for Storing Usernames, Passwords, and Access Rules.. - Limiting the Administrator by Assigning a View.. - Using Logging Files.. Implementing Security Measures to Protect the Management Plane.. - Implementing Strong Passwords.. - User Authentication with AAA.. What is management plane security?Management Plane Protection (MPP) is a security feature for Cisco IOS routers that accomplishes two things: Restrict the interfaces where the router permits packets from network management protocols. Restrict the network management protocols that the router permits.
|