You want to configure a router so that network-based CLI access is limited to SSH connections that are received
on a specified interface.
Which of the following Cisco IOS features should you configure to achieve your goal? (Select the best answer.)
A. CoPP
B. CPPr
C. MPP
D. uRPF
Explanation:
You should configure Management Plane Protection (MPP) on a Cisco router to ensure that network-based
command-line interface (CLI) access is limited to Secure Shell (SSH) connections that are received on a
specified interface. MPP enables you to specify one or more interfaces as management interfaces. A
management interface is an interface that is permitted to receive management traffic, which is traffic from a
specific set of network protocols that is destined for the router. Once MPP is enabled, only specified types of
management traffic are permitted on their respective management interfaces. For example, you could configure
a router’s FastEthernet 0/0 interface to permit SSH and Secure Hypertext Transfer Protocol (HTTPS) traffic and
its FastEthernet 0/1 interface to permit Trivial File Transfer Protocol (TFTP) traffic. Without MPP, you would
need to create the appropriate access control lists (ACLs) and apply them in the inbound direction to every
interface on the router if you wanted to limit access to one or more interfaces and management protocols.
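The following audit check is an added example, not part of the original explanation or Cisco's own tooling. It parses a constructed running-config excerpt that encodes the FastEthernet 0/0 and 0/1 example above and reports anything that breaks the goal of SSH-only CLI access on one interface; the function names and the sample config are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt (an assumption, not taken from a real device).
# It encodes the explanation's example: Fa0/0 allows SSH and HTTPS, Fa0/1 allows TFTP.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
control-plane host
 management-interface FastEthernet0/0 allow ssh https
 management-interface FastEthernet0/1 allow tftp
!
"""

MPP_LINE = re.compile(r"^\s+management-interface\s+(\S+)\s+allow\s+(.+?)\s*$")
CLI_PROTOCOLS = {"ssh", "telnet"}  # MPP protocols that give network-based CLI access

def parse_mpp(config):
    """Return {interface: set(protocols)} from the 'control-plane host' section."""
    allowed, in_cp_host = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):  # any unindented line starts a new section
            in_cp_host = line.strip() == "control-plane host"
            continue
        m = MPP_LINE.match(line) if in_cp_host else None
        if m:
            allowed.setdefault(m.group(1), set()).update(m.group(2).lower().split())
    return allowed

def audit_cli_access(config, mgmt_interface):
    """List findings that break 'CLI access only via SSH on mgmt_interface'."""
    allowed = parse_mpp(config)
    if not allowed:
        return ["MPP not configured: no interface is restricted by MPP"]
    findings = []
    for ifname, protos in sorted(allowed.items()):
        for proto in sorted(protos & CLI_PROTOCOLS):
            if proto != "ssh":
                findings.append(f"{ifname} allows {proto}")
            elif ifname != mgmt_interface:
                findings.append(f"{ifname} allows ssh but is not the management interface")
    if "ssh" not in allowed.get(mgmt_interface, set()):
        findings.append(f"{mgmt_interface} does not allow ssh")
    return findings

if __name__ == "__main__":
    print(parse_mpp(SAMPLE_CONFIG))
    print(audit_cli_access(SAMPLE_CONFIG, "FastEthernet0/0") or "OK")
```
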
You should not configure Control Plane Policing (CoPP). CoPP is a Quality of Service (QoS) feature that can be
used to limit the type and amount of traffic that reaches the control plane. Control plane traffic is traffic that is
destined to the router and that requires CPU intervention for processing. Examples of control plane traffic are
routing protocol updates, SSH sessions, and Hypertext Transfer Protocol (HTTP) connections. Because control
plane traffic requires CPU intervention, it is possible to overload the CPU with a surge of traffic. When the CPU
is overloaded, the router might be unable to update its routing information and transit traffic can be affected.
CoPP enables you to configure QoS rates for various traffic types to ensure that sufficient processing time is
available for critical protocols. CoPP policies are applied globally and cannot be limited to a single router
interface.
You should not configure Control Plane Protection (CPPr). CPPr enhances the capabilities of CoPP by
providing more granular control over control plane traffic. With CPPr, traffic is classified into three levels of
control instead of the single level of control provided by CoPP. In addition, CPPr provides the ability to drop
packets that are destined to Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) router
ports that are either closed or not listening. CPPr can also limit the number of packets from a particular protocol
that are permitted into the control plane IP input queue. Like CoPP, CPPr policies are applied globally and
cannot be limited to a single router interface.
You should not configure unicast Reverse Path Forwarding (uRPF). uRPF is an anti-spoofing mechanism that
verifies that the source address of a packet is reachable from the interface on which the packet was received.
If uRPF is used in conjunction with an ACL, it can cause packets to become packet-switched. Packet switching
requires CPU intervention and can create a burden on the control plane.
Cisco: Management Plane Protection