Cisco IOS Software Release 12.4(6)T
Management Plane Protection
Information About Management Plane Protection
Cisco IOS Security Configuration Guide
Control Plane Protection Overview
A control plane is a collection of processes that run at the process level on a route processor and
collectively provide high-level control for most Cisco IOS software functions. All traffic directly or
indirectly destined to a router is handled by the control plane.
Control Plane Policing (CoPP) is a Cisco IOS control-plane feature that offers rate limiting of all
control-plane traffic. CoPP allows you to configure a quality of service (QoS) filter that manages the
traffic flow of control plane packets. This QoS filter helps to protect the control plane of Cisco IOS
routers and switches against denial-of-service (DoS) attacks and helps to maintain packet forwarding
and protocol states during an attack or during heavy traffic loads.
Control Plane Protection is a framework that encompasses all policing and protection features in the
control plane. The Control Plane Protection feature extends the policing functionality of the CoPP
feature by allowing finer policing granularity. Control Plane Protection also includes a traffic classifier,
which intercepts control-plane traffic and classifies it in control-plane categories. Management Plane
Protection operates within the Control Plane Protection infrastructure.
For more information about the Control Plane Policing feature in Cisco IOS software, see the
For more information about the Control Plane Protection feature in Cisco IOS software, see the
.
Management Plane
The management plane is the logical path of all traffic related to the management of a routing platform.
One of three planes in a communication architecture that is structured in layers and planes, the
management plane performs management functions for a network and coordinates functions among all
the planes (management, control, data). The management plane also is used to manage a device through
its connection to the network.
Examples of protocols processed in the management plane are Simple Network Management Protocol
(SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for
monitoring and for CLI access. Restricting access to devices to internal sources (trusted networks) is
critical.
Management Plane Protection Feature
The MPP feature in Cisco IOS software provides the capability to restrict the interfaces on which
network management packets are allowed to enter a device. The MPP feature allows a network operator
to designate one or more router interfaces as management interfaces. Device management traffic is
permitted to enter a device through these management interfaces. After MPP is enabled, no interfaces
except designated management interfaces will accept network management traffic destined to the device.
Restricting management packets to designated interfaces provides greater control over management of
a device.
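One way to audit a saved running configuration for the restriction described above (an added example, not part of the original Cisco guide). It assumes the IOS syntax `control-plane host` followed by `management-interface <interface> allow <protocols>`, which this section does not show; the sample configuration and the function names are constructed for illustration.

```python
import re

# Protocol keywords that always carry credentials or data in cleartext.
CLEARTEXT = {"telnet", "http", "ftp", "tftp"}

# Constructed sample running-config excerpt (not from the original page).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
control-plane host
 management-interface FastEthernet0/0 allow ssh snmp
 management-interface FastEthernet0/1 allow telnet https
!
"""

# Running-config form: interface name is a single token, e.g. FastEthernet0/0.
MGMT_RE = re.compile(r"^\s+management-interface\s+(\S+)\s+allow\s+(.+)$")


def parse_mpp(config: str) -> dict[str, set[str]]:
    """Return {interface: allowed protocols} from the control-plane host block."""
    allowed: dict[str, set[str]] = {}
    in_host = False
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line opens or closes a block
            in_host = line.strip() == "control-plane host"
            continue
        m = MGMT_RE.match(line) if in_host else None
        if m:
            allowed.setdefault(m.group(1), set()).update(m.group(2).lower().split())
    return allowed


def audit_mpp(config: str) -> list[str]:
    """List findings: MPP not enabled, or cleartext protocols on a management interface."""
    allowed = parse_mpp(config)
    if not allowed:
        return ["MPP not enabled: management traffic is not restricted to designated interfaces"]
    findings = []
    for iface, protos in sorted(allowed.items()):
        weak = sorted(protos & CLEARTEXT)
        if weak:
            findings.append(f"{iface}: cleartext management protocol(s) allowed: {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    print(audit_mpp(SAMPLE_CONFIG))
```
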
The MPP feature is disabled by default. When you enable the feature, you must designate one or more
interfaces as management interfaces and configure the management protocols that will be allowed on
those interfaces. The feature does not provide a default management interface. Using a single CLI