IOS 12.4T: Management-Plane Protection

While working through a CCIE Security practice lab, I came across a task that read (in essence): “Only allow SSH and SNMP access to the router through interface Gig0/1.  Do not use an interface or VTY ACL to accomplish this.”   A search through the IOS configuration guides and command references was unhelpful, including the last-resort tactic of “go to the Master Index and use Ctrl-F to search for likely keywords.”  Finally, I resorted to asking on GroupStudy.  Within minutes, the answer came back:  use management-plane protection.  What on earth is that?  To quote Cisco:

The Management Plane Protection (MPP) feature in Cisco IOS software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces. Device management traffic is permitted to enter a device only through these management interfaces. After MPP is enabled, no interfaces except designated management interfaces will accept network management traffic destined to the device.

This feature was added in 12.4(6)T but only seems to be documented under Feature Guides, not in the main IOS command reference or configuration guides.  Gee, thanks Cisco!

A configuration example (based on the practice lab task above):

control-plane host
  management-interface GigabitEthernet0/1 allow ssh snmp

When this configuration is applied to the router (assuming SSH has been previously configured), remote SSH and SNMP connections to the router will only be accepted when entering through Gi0/1.  This is based on the interface, not on the IP address.  SSH and SNMP connections to Gi0/1’s IP address entering through other interfaces will fail.  In addition, other management traffic (telnet, etc.) entering through Gi0/1 will also fail.  The complete list of what IOS considers management traffic is:

Note that other traffic destined for the router (such as routing protocols and ARP) are not affected, nor is traffic routed through the management interface.  This is different from the management-interface functionality on an ASA, where the designated port can only be used for management traffic.

In summary, it is quite annoying that Cisco doesn’t seem to have actually documented this feature properly, since it has the potential to be a very useful tool in the network administrator’s toolbox.  Depending on the network design, enabling MPP makes it less likely that a management protocol becomes accessible on an interface connected to a hostile network, while simplifying interface ACLs needed to properly secure the device.