Securing the Management Plane

To increase the security of our IOS devices, we can designate an interface(s) for management traffic only, like only allowing management traffic on an internal interface, implementing this feature would greatly reduce our attack surface. Using this feature along with other security features such as VTY access-class and Login Enhancements, help enforce defense in depth.

This configuration enables Management Plane Protection (MPP) on the interface FastEthernet 0/0, only SSH and SNMP management protocols are allowed on FastEthernet 0/0, all other management protocols are disabled. Also, MPP can be configured on multiple interfaces, also, interfaces without MPP don’t allow any management protocols.

Here we will configure FastEthernet 0/0 as a management interface, and permit only SSH and SNMP.

control-plane host
  management-interface FastEthernet 0/0 allow ssh snmp
No comments yet.

Leave a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>