MPP vs ACLs


Management Plane Protection (MPP) is a security feature for Cisco IOS routers that accomplishes two things:

- Restricts the interfaces where the router permits packets from network management protocols.
- Restrict the network management protocols that the router permits.

The management plane is the logical path of all traffic related to the management of the router. For example:

- [Telnet](/telnet)
- [SSH](/ssh)
- [SNMP](/snmp-simple-network-management-protocol)
- HTTP
- HTTPS

MPP makes it easier to protect management traffic. You need fewer [access lists](/acl) because you can restrict most of the network management traffic with MPP. It also prevents network management packet flood attacks since it drops denied packets and does not forward them to the CPU. It’s a good tool to permit/deny most of your network management traffic. You can still use access-lists if you need to permit/deny specific subnets and/or IP addresses.

MPP is considered a subset of [Control Plane Policing (CoPP)](/control-plane-policing-copp).

You can achieve [similar results using only ACLs](/mpp-vs-acls), but the implementation compared to MPP is somewhat different.


Links:

https://forum.networklessons.com/t/management-plane-protection-mpp/5599/18?u=lagapidis

https://networklessons.com/cisco/ccie-routing-switching-written/management-plane-protection-mpp



Management Plane Policing (MPP)

MPLS Bytes Label Switched in the LFIB

MPLS Customer Edge Router

MPLS L3VPN Inter-AS Options

MPLS LDP Label Filtering

MPLS LDP Session Protection

MPLS LDP Targeted Hellos

MPLS LSR ID

MPLS Label Distribution Protocol

MPLS Label Distribution and Swapping

MPLS Label Edge Router

MPLS Label Switch Router

MPLS Layer 3 VPN communication between CE and PE routers

MPLS Layer 3 VPN communication between CE routers

MPLS Local Label Allocation Filtering

MPLS Penultimate hop popping

MPLS Route Distinguisher

MPLS Route Target

MPLS TE - Affinity attribute flag assignment best practices

MPLS TE - TE Tunnels

MPLS TE setup and hold priority

MPLS Troubleshooting

MPLS VPN extranet route leaking unique addressing

MPLS VRF names locally significant

MPLS addresses bound to peer LDP Ident output

MPLS advertising multiple customer subnets

MPLS entropy label

MPLS explicit NULL

MPLS implicit NULL

MPLS mandatory use of CEF

MPLS traffic engineering

MPLS-TE - why are IGPs necessary

MPLS

MQTT return codes

MST - Root port selection for switches outside MST topology

MST configuration revision number

MTU - Adjusting MTU to accommodate additional headers

MTU - Interface MTU configuration considerations

MTU - Interface MTU vs IP MTU

MTU - MSS and Jumbo Frames

MTU - Path MTU Discovery (PMTUD)

MTU - Understanding L2 MTU and Frame Handling in Network Switches

MTU - default interface MTU

MTU adjusting the MSS for TCP

MTU ip mtu allowed values

MTU on Etherchannel links

MTU on router subinterfaces

MTU size in Cisco IOS XR and IOS software

Media Access Control (MAC)

Memory - CAM and TCAM

Memory - TCAM Lookups

MetroEthernet - VLAN design considerations

MetroEthernet - Virtual Private LAN service

MetroEthernet - Virtual Private Wire Service

MetroEthernet

Multi-Topology Routing

Multicast - ASM and SSM on same network

Multicast - Any Source Multicast (ASM)

Multicast - AutoRP

Multicast - Bootstrap Router (BSR)

Multicast - GLOP address space

Multicast - HSRP-aware PIM

Multicast - Local Network Control Block

Multicast - MSDP

Multicast - NX-OS and IOS config comparison

Multicast - PIM Bootstrap (BSR)

Multicast - PIM Snooping platform support

Multicast - PIM Snooping

Multicast - PIM dense vs sparse mode

Multicast - PIM join message during register stop suppression timer

Multicast - PIM

Multicast - Routing Table Timers

Multicast - Source Specific Multicast (SSM)

Multicast - Sparse Mode register suppression timer

Multicast - Upstream and Downstream

Multicast - generating a routing table entry

Multicast - ip igmp join-group vs ip igmp static-group

Multicast - reading the multicast routing table

Multicast - route-map on IOS-XE 16.9.4

Multicast - routing over the Internet

Multicast - troubleshooting multicast routing

Multicast Anycast RP

Multicast Cisco Group Management Protocol

Multicast IGMPv3 include and exclude modes

Multicast IPv4 address space

Multicast MAC addresses

Multicast Mapping Agent and RP placement

Multicast OIL IIF mroute table

Multicast PIM Assert and dense mode

Multicast PIM Auto RP and Mapping Agent single device

Multicast PIM Bidirectional mode traffic between sources and RPs

Multicast PIM Bootstrap (BSR) election

Multicast PIM Designated Router sparse mode

Multicast PIM dense mode

Multicast PIM neighbors are stateless

Multicast PIM send-rp-announce-scope

Multicast PIM sparse mode Rendezvous Point (RP)

Multicast PIM sparse mode

Management Plane Policing (MPP)

Links to this page: