Management Plane Policing (MPP)

Management Plane Protection (MPP) is a security feature for Cisco IOS routers that accomplishes two things:

  • Restricts the interfaces where the router permits packets from network management protocols.
  • Restrict the network management protocols that the router permits.

The management plane is the logical path of all traffic related to the management of the router. For example:

MPP makes it easier to protect management traffic. You need fewer access lists because you can restrict most of the network management traffic with MPP. It also prevents network management packet flood attacks since it drops denied packets and does not forward them to the CPU. It’s a good tool to permit/deny most of your network management traffic. You can still use access-lists if you need to permit/deny specific subnets and/or IP addresses.

MPP is considered a subset of Control Plane Policing (CoPP).

You can achieve similar results using only ACLs, but the implementation compared to MPP is somewhat different.

https://forum.networklessons.com/t/management-plane-protection-mpp/5599/18?u=lagapidis

https://networklessons.com/cisco/ccie-routing-switching-written/management-plane-protection-mpp

Links to this page: