TSHOOT – Management Plane vs Control Plane vs Data Plane, MPP (Management Plane Protection) review for exam day!


This graphic that I created to help myself understand CEF Hardware Packet Switching is also very similar to the Management Plane vs Control Plane vs Data (Forwarding) plane.

Management Protocols run at the Management Plane (hence the name Mgmt Plane) is where Management Protocols such as SSH / Telnet / SNMP / HTTP / HTTPS / FTP / TFTP run at, though when we configure Access-Control at the “Control Plane” as that is the plane which handles those traffic calculations, the Management Plane is where they run!

So whether its SSH, Telnet, ASDM, a Web GUI – Management Traffic always runs at the Management Plane of a Cisco Device!

The configurations made at the Management Plane are to the Control Plane to manipulate traffic forwarding / filtering, which is also where Dynamic Routing protocols processes perform route selection (OSPF LSDB / EIGRP Topology Table / Etc).

The Data Plane is AKA the Forwarding Plane because this is where the bulk of network traffic stays (is forwarded at), because routes / protocols to determine routes has been entered via the Mgmt Plane which was then calculated by the Control Plane, and optimized by the specialized Hardware for Packet Processing at the Data plane!

Management Plane Protection (MPP) aka Securing your Mgmt Protocols!

You may see the acronym MPP on exam day, and this refers to securing your management protocols, such as restricting access to your NTP device via ACL / restricting access for SNMP Traffic except to the NMS Servers / Securing SSH and Telnet access to the local device.

One critical concept to understand, is that security is configured at the Control Plane, however it is to secure the Management Plane!

As explained above and shown below, the configuration is entered into the “Control Plane” as that is where the Router does its routing / filtering making, however when restricting access of ANY management protocol it is securing the management plane.

SSH and Telnet are secured at the “Control Plane” by using ACL’s to either apply to the VTY Lines via “access-class in/out” or to a specific interface via “access-group in/out” after defining an ACL to be used, also there is a more direct command I was unaware of in labbing until just recently: “control-plane host” configuration

  • When applying an “access-class” a standard ACL should be used, as the protocol will be defined via “transport input (ssh/telnet/any)”
  • In / Out direction is very important to understand as inbound traffic permitted while outbound is not can mean that outside hosts will connect but the local  device cannot initiate telnet / ssh traffic
  • “control-plane host” is a one stop configuration to lock down these management protocols without a whole lot of confusion, but you must read them literally

Whether using an ACL or the “control-plane host” command, both are being entered into the Control Plane, but they are securing the Management Plane if they are securing a Management Protocol.

This might be an example question:

A network administrator is implementing MPP on a company router to restrict SSH and SNMP Access to the Local Area Network with the following configuration:

Router# config t
Enter configuration commands, one per line. End with CNTL/Z.

Router(config)# control-plane host
Router(config-cp-host)# management-interface FastEthernet 0/0 allow ssh snmp

Which of the following statements are true? (Select all that apply)

A. Only interface Fa0/0 will be allowed SSH traffic
B. SNMP will only be allowed to the IP Address of Fa0/0
C. The Management Plane is being secured with this configured
D. SSH traffic destined for interface Fa0/0 will be allowed
E. An ACL must also be configured to finish securing the specified protocols
F. Interface Fa0/0 can receive and send normal network data traffic

Take a moment to see if you can identify the correct answers here!



Correct answers: C, D, and F are true! (Be care to watch for true / not true!)

Walking though the possible answers:

A: Not True! This configuration does not impact any interface outside of Fa0/0

B: Not True! This command defines the interface itself, NOT the IP Address of the interface, so this MPP policy will be tied to Fa0/0 even if it changes IP Addresses

C: True! Management protocols, key words “management-interface” in the command, lots of bells ringing that this is Management Related so Management Plane it is!

D: True! This command is identifying the interface Fa0/0 (not its IP Address), so any SSH / SNMP traffic coming into this interface will be allowed!

E: Not True! In some cases there may be additional ACL’s needed to secure different things in different places, however given only this output, this is a complete security configuration to lock down SSH and SNMP given the information we have!

F: True! The command is only configuring MPP for interface Fa0/0, it is not impacting any control-plane or data-plane traffic given the output, so normal network traffic can still flow in / out of this interface!

This is a very powerful command for deploying MPP / Restricting Access to a specific interface, as there is no implicit deny like an ACL, there is no confusion with certain directions of an ACL (In / Out).

This should be enough understanding for exam day (I hope!)

I wanted to really bonk this topic over the head for exam day, as I expect to see the term MPP to come up with possibly a configuration that may lead an unprepared candidate to believe the Control Plane is being secured, but because you read this article and understand its content you will not lose these points on the exam 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s