Hi everyone,
I'm preparing my routers for IPv6. Along with v6 support comes the requirement to secure router management / services for v6.
Currently I have inbound access-lists on all inbound interfaces blocking management traffic (ssh, telnet, ftp, http, etc.) and things like SIP, etc. to all router v4 addresses.
You can imagine that this is a lot of maintenance work. So my idea was to use the new management-plane (control-plane) protection in IOS 12.4 T.
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecmpp.html
Is there anyone using this already in ISP networks? What are the experiences?
You can define a loopback interface as management-interface and propagate the loopback addresses with IGP inside the management network. After that, all other interfaces are no longer accepting management traffic to the control-plane, right? Setting an inbound access-list on the loopback interface to filter management traffic may be a good idea, right?
Is there any impact to BGP sessions? I still need access-lists dropping BGP traffic to my router addresses and explicitly allowing my BGP peers, right?
Any suggestions / ideas welcome. Thanks and best regards,
Marco
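As an added illustration of the setup described in the post (this is example configuration, not Marco's or Cisco's), here is MPP restricting management traffic to a loopback, with the source restriction placed on the services themselves rather than as an inbound ACL on the loopback, since IOS does not evaluate a loopback's inbound ACL for packets that entered on another interface. Loopback0, the 2001:db8:1::/48 management prefix and the MGMT-RO community are placeholders; it also assumes a release whose MPP covers IPv6 management traffic, which should be checked against the release notes.

```ios
! Added example, not from Marco's post: IOS Management Plane Protection
! plus source filtering for the management services it admits.
! Placeholder values: Loopback0 as management interface, 2001:db8:1::/48
! as the management network, community string MGMT-RO.
!
! 1. MPP: only Loopback0 accepts management sessions to the control
!    plane, and only for the listed protocols; management traffic to
!    any other interface, or for an unlisted protocol, is dropped.
control-plane host
 management-interface Loopback0 allow ssh snmp
!
! 2. MPP restricts where management traffic may arrive, not who sends
!    it. The source restriction is applied to the service itself, so it
!    holds no matter which physical interface the packet entered on.
ipv6 access-list MGMT-STATIONS-V6
 permit ipv6 2001:db8:1::/48 any
 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class MGMT-STATIONS-V6 in
 transport input ssh
!
snmp-server community MGMT-RO RO ipv6 MGMT-STATIONS-V6
!
! 3. BGP is not among the protocols MPP handles, so the existing
!    interface ACLs that drop TCP/179 to router addresses except from
!    configured peers stay in place; MPP changes nothing for them.
```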