Hi everyone,

I'm preparing my routers for IPv6. Along with v6 support comes the
requirement to secure router management / services for v6.

Currently I have inbound access-lists on all inbound interfaces blocking
management traffic (ssh, telnet, ftp, http, etc.) and things like SIP,
etc. to all router v4 addresses.

You can imagine that this is a lot of maintenance work. So my idea was to
use the new management-plane (control-plane) protection in IOS 12.4 T.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html

Is there anyone using this already in ISP networks? What are the experiences?

You can define a loopback interface as management-interface and
propagate the loopback addresses with IGP inside the management network.
After that, all other interfaces are no longer accepting management
traffic to the control-plane, right? Setting an inbound access-list on
the loopback interface to filter management traffic may be a good idea,
right?

Is there any impact to BGP sessions? I still need access-lists dropping
BGP traffic to my router addresses and explicitly allowing my BGP peers,
right?

Any suggestions / ideas welcome. Thanks and best regards
  Marco
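As an added illustration of the two layers discussed in the mail (an interface ACL for router-owned v6 addresses plus an MPP stanza), not taken from the original post or from Cisco's documentation: the prefixes, peer addresses, interface names and the list of allowed management protocols are constructed assumptions for the example.

```cisco
! Constructed example: 2001:db8:ff::/48 is assumed to hold all
! router-owned addresses (loopbacks and link prefixes); 2001:db8:ff::2
! is an assumed eBGP peer talking to our local address 2001:db8:ff::1.
ipv6 access-list V6-INFRA-IN
 remark -- Neighbor discovery must keep working toward router addresses
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark -- Path MTU discovery and basic reachability tests
 permit icmp any any packet-too-big
 permit icmp any any echo-request
 permit icmp any any echo-reply
 remark -- BGP only from the known peer, in both session directions
 permit tcp host 2001:db8:ff::2 host 2001:db8:ff::1 eq bgp
 permit tcp host 2001:db8:ff::2 eq bgp host 2001:db8:ff::1
 remark -- Everything else aimed at router-owned addresses is dropped,
 remark -- which covers ssh/telnet/http/snmp/sip without per-port lines
 deny ipv6 any 2001:db8:ff::/48 log
 remark -- Transit traffic is unaffected
 permit ipv6 any any
!
interface GigabitEthernet0/0
 description assumed customer / peering facing interface
 ipv6 traffic-filter V6-INFRA-IN in
!
! Management Plane Protection: only the listed interface accepts the
! listed management protocols toward the router itself. MPP governs
! management protocols (ssh, telnet, http(s), snmp, ftp, tftp, beep)
! only; BGP is not a management protocol, so the BGP permits and the
! catch-all deny in the ACL above remain necessary.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh snmp
```

Whether a loopback can be named as the MPP management interface on a given IOS release is something to verify against the release's restrictions section, which is why the example uses a physical interface.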

_______________________________________________
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
