1.9 Management plane protection

Information

The Management Plane Protection (MPP) feature provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.

The MPP protection feature, as well as all the management protocols under MPP, are disabled by default. When you configure an interface as either out-of-band or inband, it automatically enables MPP. Consequently, this enablement extends to all the protocols under MPP. If MPP is disabled and a protocol is activated, all interfaces can pass traffic.

When MPP is enabled with an activated protocol, the only default management interfaces allowing management traffic are the route processor (RP) and standby route processor (SRP) Ethernet interfaces. You must manually configure any other interface for which you want to enable MPP as a management interface.

This is part of the MPP setup.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Configure the management plane so that only the specified protocols, on the specified interfaces, can access this IOS-XR device.

IOSXR(config)#control-plane
IOSXR(config-ctrl)#management-plane
IOSXR(config-mpp)#inband
IOSXR(config-mpp-inband)#interface {interface} allow {protocol} peer address ipv4 {IP_address}
IOSXR(config-mpp)#out-of-band
IOSXR(config-mpp-outband)#interface {interface} allow {protocol} peer address ipv4 {IP_address}
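Because Nessus does not perform this check, an operator has to confirm the result of the commands above by reading the device's own configuration. The script below is an added example, not part of the CIS benchmark, Tenable plugin or Cisco documentation: it parses the nested "control-plane / management-plane" section as it appears in "show running-config control-plane" output (the layout of that output is an assumption based on typical IOS-XR formatting), lists each designated inband and out-of-band management interface with its allowed protocols and peer addresses, and reports the weak spots a reviewer would look for: MPP absent (every interface then passes management traffic, as the Information section states), "allow all", or a protocol permitted with no peer restriction. The sample configuration is constructed for the example.

```python
"""Audit helper for Cisco IOS-XR Management Plane Protection (MPP).

Parses the 'control-plane / management-plane' block of a running configuration
and reports which interfaces are designated as management interfaces, which
protocols they allow, and which peer addresses are permitted.

Added example; the running-config layout it expects is assumed from typical
IOS-XR output and may need adjusting for a specific release.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample, shaped like 'show running-config control-plane' output.
SAMPLE_CONFIG = """\
control-plane
 management-plane
  inband
   interface GigabitEthernet0/0/0/0
    allow SSH peer
     address ipv4 10.10.10.0/24
    !
    allow SNMP
   !
  !
  out-of-band
   interface MgmtEth0/RP0/CPU0/0
    allow all peer
     address ipv4 192.0.2.0/24
    !
   !
  !
 !
!
"""

NOT_CONFIGURED = "MPP not configured: every interface accepts management traffic"


@dataclass
class MppEntry:
    plane: str            # "inband" or "out-of-band"
    interface: str        # interface name, or "all"
    protocol: str         # e.g. SSH, SNMP, or "all"
    peers: List[str] = field(default_factory=list)  # empty means any peer


def parse_mpp(config: str) -> List[MppEntry]:
    """Walk the indented running-config and collect one entry per 'allow' line."""
    entries: List[MppEntry] = []
    in_mgmt = False
    mgmt_indent = 0
    plane = interface = None
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if line == "management-plane":
            in_mgmt, mgmt_indent = True, indent
            continue
        if not in_mgmt:
            continue
        if indent <= mgmt_indent:          # left the management-plane block
            in_mgmt = False
            continue
        if line in ("inband", "out-of-band"):
            plane, interface, current = line, None, None
        elif line.startswith("interface "):
            interface = line.split(None, 1)[1]
            current = None
        elif line.startswith("allow ") and plane and interface:
            # 'allow SSH' or 'allow SSH peer' (peer addresses follow, nested)
            current = MppEntry(plane, interface, line.split()[1])
            entries.append(current)
        elif line.startswith("address ") and current is not None:
            # 'address ipv4 10.10.10.0/24' or 'address ipv6 ...'
            current.peers.append(line.split()[2])
    return entries


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    entries = parse_mpp(config)
    if not entries:
        return [NOT_CONFIGURED]
    findings = []
    for e in entries:
        where = f"{e.plane} {e.interface}"
        if e.protocol.lower() == "all":
            findings.append(f"{where}: 'allow all' permits every management protocol")
        if not e.peers:
            findings.append(f"{where}: {e.protocol} allowed from any peer address")
    return findings


if __name__ == "__main__":
    for entry in parse_mpp(SAMPLE_CONFIG):
        print(entry)
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the saved output of "show running-config control-plane" in place of the constructed sample; the absence of any entry at all is itself the most important finding, since it means the MPP feature is disabled and management protocols are reachable on every interface.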

Impact:

The following restrictions are listed for implementing Management Plane Protection (MPP):

Currently, MPP does not keep track of the denied or dropped protocol requests.

MPP configuration does not enable the protocol services. MPP is responsible only for making the services available on different interfaces. The protocols are enabled explicitly.

Management requests that are received on inband interfaces are not necessarily acknowledged there.

Both Route Processor (RP) and distributed route processor (DRP) Ethernet interfaces are by default out-of-band interfaces and can be configured under MPP.

The changes made for the MPP configuration do not affect the active sessions that are established before the changes.

Currently, MPP controls only the incoming management requests for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), Secure Shell (SSH), XML, HTTP and Netconf.

MPP does not support MIB.

See Also

https://workbench.cisecurity.org/benchmarks/10473

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17

Plugin: Cisco

Control ID: dac122259f30ed74efea8f0cc91ee86f31a59b38f29bd10661423747ed7533d8