Router Spring Cleaning – No MOP Required – Again
Way back on May 18, 2010, Dario Ciccarone of the Cisco Product Security Incident Response Team (PSIRT) published a post called Router Spring Cleaning – No MOP Required. It has since been archived, but the key points of that blog are captured below:
When looking over the recommendations in the Cisco Guide to Harden Cisco IOS Devices, people are puzzled over and over by this line: “Issue the no mop enabled command in interface configuration mode to disable the Maintenance Operation Protocol (MOP) service.”
And they come back to us with questions like, “What’s MOP, why do I have to disable it, and is it even relevant if I’m not running DECnet?”
Well, the plain point is that the MOP functionality is decoupled from the DECnet protocol stack, so even if your device isn’t configured for DECnet, you will be able to establish a MOP RC session to the device, provided that MOP hasn’t been explicitly disabled.
So, some points to note from all this:
- The MOP protocol (RC and remote load functionality) is still being shipped in Cisco IOS 15.x
- MOP RC is enabled by default on Ethernet interfaces (and yes, that includes GigabitEthernet and FastEthernet)
- MOP (RC and dump/load) data packets are directly encapsulated in Ethernet L2 frames (the Ethertype is 0x6002 for RC)
- MOP packets can’t be routed but can be bridged
- There is a readily available MOP RC client for Linux
- You do need to provide valid credentials for authentication before being allowed interactive access to the device
- A show users WILL display anyone connected to a Cisco IOS device over a MOP RC session
- MOP RC packets are neither encrypted nor authenticated
- Removing transport input mop from the VTY lines won’t disable the MOP RC functionality
So, now you’re wondering, “Why is Cisco bringing this old stuff back up again?” Well…
This topic came up again in an external forum recently. I hope this blog will clear up some confusion and inconsistencies and outline a clear mitigation path for customers. The contents below pertain to any router or switching platform that is running Cisco IOS Software or Cisco IOS-XE Software.
Identifying MOP on Platforms
Over the years, support for MOP has been completely removed and can’t be enabled or configured in some releases and in some license level sets. For those platforms that have not removed support, some have left it enabled by default, while others ship with it disabled by default. We can use the following steps to determine whether the protocol is both present and enabled on the running image.
Step 1: Determine If the Platform Supports MOP
To find out if the software image running on the platform supports MOP, enter the show subsys | include mop CLI command. If the platform supports MOP, it will display a line with mop Protocol, as shown in the following example:
Router#show subsys | include mop
mop                   Protocol  1.000.001
Router#
If the device doesn’t support MOP, it will return nothing, as shown in the following example:
Router#show subsys | include mop
Router#
If a platform doesn’t support MOP, then the commands to disable MOP won’t be visible in the command help and you will get an error if you try to configure it, as shown in the following examples:
Router(config)#interface gigabitEthernet 1
Router(config-if)#no mop ?
% Unrecognized command
Router(config-if)#no mop enable
                  ^
% Invalid input detected at '^' marker.
Router(config-if)#
Step 2: Determine If the Platform Is Running MOP
If you have confirmed that the platform supports MOP, use the show processes | include MOP CLI command to see whether the MOP process is actually running on the device. If the platform has MOP enabled (either by default or through configuration), it will display the MOP Protocols process in the output, as shown in the following example:
Router#show processes | include MOP
 208 Mwe 5632C4164FCE            7          66   10622408/24000  0 MOP Protocols
Router#
If the device isn’t running MOP, it will return nothing, as shown in the following example:
Router#show processes | include MOP
Router#
The platform will accept MOP RC sessions only if it is running MOP.
Managing MOP RC Sessions on the VTY Lines
Now that we have determined that the image supports MOP and that the MOP process is running, how do we manage MOP access and usage? The following question came up on the external forum, and it was also mentioned in the original blog: Why is MOP RC traffic still accepted when the VTY lines have been configured with transport input ssh, which should drop all management protocols other than SSH on the VTY lines, especially when transport input does include the keyword option of mop?
The answer is that this is a bug, and it has been addressed with Cisco Bug ID CSCwa57951. The fix will be included in Cisco IOS XE Software releases 17.9(1) and later. Once you implement the fix, if you do have the recommended configuration of transport input ssh on the VTY lines, then even if MOP is running, no connections that use MOP RC will be permitted.
Note: MOP RC sessions are still subject to whatever authentication options are configured on the VTY lines.
Recommendations for MOP
The current advice really hasn’t changed from what was recommended way back in 2010 and as per the hardening guide. Go ahead and disable MOP on all interfaces, unless your organization requires it to be enabled.
Lately, the MOP protocol has been disabled by default in Cisco IOS XE releases but, unfortunately, that varies from platform type to platform type and even between license levels.
Regardless of how you are configuring the device – via templates, API, scripts, or manually – make sure that you apply no mop enable on all interfaces. The command will be rejected if the release or license level doesn’t support MOP, but it won’t impact the device.
At this point you might ask, “Hang on… isn’t there a global command to simply disable MOP? Something like the no cdp run command?” The short answer is no. But a feature request has been raised for support of such a command via Cisco Bug ID CSCwa91505.
Also, make sure that you have your VTY and TTY lines configured in accordance with the Cisco Guide to Harden Cisco IOS Devices. Doing so will ensure that once you upgrade your Cisco IOS XE release beyond 17.9(1), you will be protected regardless of the MOP configuration status.
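Pulling the two identification steps above, the per-interface recommendation, and the VTY transport check together, the following is an added example (not Cisco’s code, and not from the original post) that audits saved CLI output offline. The sample outputs and running-config are constructed, and the set of Ethernet-family interface prefixes is an assumption you would extend for your own platforms.

```python
# Constructed sample CLI output and running-config, not captured from a real device.
SHOW_SUBSYS = """Router#show subsys | include mop
mop                   Protocol  1.000.001
Router#"""
SHOW_PROCESSES = """Router#show processes | include MOP
 208 Mwe 5632C4164FCE            7          66   10622408/24000  0 MOP Protocols
Router#"""
RUNNING_CONFIG = """interface GigabitEthernet1
 no mop enabled
!
interface GigabitEthernet2
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
line vty 0 4
 transport input ssh
!"""

# Interface-name prefixes treated as Ethernet-family (assumption; extend for your platforms).
ETHERNET_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet", "TenGigabitEthernet")

def mop_supported(show_subsys: str) -> bool:
    """Step 1: a 'mop Protocol' line means the image ships the MOP subsystem."""
    return any(line.split()[:2] == ["mop", "Protocol"] for line in show_subsys.splitlines())

def mop_running(show_processes: str) -> bool:
    """Step 2: the 'MOP Protocols' process exists only while MOP is enabled on some interface."""
    return any(line.rstrip().endswith("MOP Protocols") for line in show_processes.splitlines())

def _stanzas(config: str):
    """Yield (header, indented body lines) for each top-level stanza of a running-config."""
    header, body = None, []
    for line in config.splitlines() + ["!"]:      # sentinel '!' flushes the last stanza
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (None if line.strip() == "!" else line.strip()), []

def interfaces_missing_no_mop(config: str) -> list:
    """Ethernet-family interfaces whose stanza lacks 'no mop enabled' (the page's recommendation)."""
    names = (h.split(None, 1)[1] for h, body in _stanzas(config)
             if h.startswith("interface ") and "no mop enabled" not in body)
    return [n for n in names if n.startswith(ETHERNET_PREFIXES)]

def vty_lines_not_ssh_only(config: str) -> list:
    """'line vty' stanzas whose transport input is not exactly 'ssh' (see the hardening guide)."""
    return [h for h, b in _stanzas(config) if h.startswith("line vty") and "transport input ssh" not in b]
```

Remember that mop_running can stay true for up to roughly 15 minutes after the last interface is hardened, because the background task described under Final Thoughts has not yet shut the process down.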
What About MOP sysid?
This blog and the previous one focused on no mop enable. You’ll likely also see the no mop sysid interface configuration command. When MOP is enabled, the MOP server will periodically multicast a system ID message out of the Ethernet interfaces if mop sysid is enabled.
So if you see frames on your network with Ethertype 0x6002, then there’s a good chance you not only have MOP enabled but mop sysid enabled as well. Disabling MOP with the no mop enable interface configuration command also disables sending the MOP periodic system ID.
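Since the page notes that MOP frames carry Ethertype 0x6002 and can be bridged, a network-side check is to inventory which source MACs emit such frames, including on VLAN-tagged segments. The following is an added example (not Cisco’s code, and not from the original post) over constructed sample frames; the 802.1Q handling assumes a single tag, and the destination addresses are simply constructed values.

```python
import struct

ETHERTYPE_MOP_RC = 0x6002   # from the page: MOP RC frames are directly encapsulated at L2
ETHERTYPE_VLAN = 0x8100     # 802.1Q tag; bridged MOP frames may arrive tagged (assumption: single tag)

def ethertype_of(frame: bytes):
    """Return (ethertype, vlan_id or None) of a raw Ethernet frame, stepping over one 802.1Q tag."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return ethertype, tci & 0x0FFF
    return ethertype, None

def mop_rc_sources(frames) -> dict:
    """Map each source MAC that emitted a MOP RC (0x6002) frame to the VLAN ids it was seen on."""
    seen = {}
    for frame in frames:
        ethertype, vlan = ethertype_of(frame)
        if ethertype == ETHERTYPE_MOP_RC:
            src = frame[6:12].hex(":")
            seen.setdefault(src, set()).add(vlan)
    return seen

def _frame(dst: str, src: str, ethertype: int, payload: bytes = b"\x00" * 46, vlan=None) -> bytes:
    """Build a constructed test frame; optionally insert an 802.1Q tag with the given VLAN id."""
    header = bytes.fromhex(dst) + bytes.fromhex(src)
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return header + tag + struct.pack("!H", ethertype) + payload

# Constructed sample capture: one untagged MOP RC frame, one tagged on VLAN 10, one ordinary IPv4 frame.
SAMPLE_FRAMES = [
    _frame("ab0000020000", "0011223344aa", ETHERTYPE_MOP_RC),
    _frame("ab0000020000", "0011223344bb", ETHERTYPE_MOP_RC, vlan=10),
    _frame("ffffffffffff", "0011223344cc", 0x0800),
]
```

Each source MAC reported is an interface on which MOP (and likely mop sysid) is still enabled and can be matched against the device’s show interfaces output.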
Final Thoughts
What if you disabled MOP with the no mop enable interface command on all interfaces, then issued show processes | include MOP, and you still see the MOP process being active? Be patient. In the background, a task runs every 8 to 12 minutes to check whether MOP is disabled on all supported interfaces. If it is, then it fully shuts down the MOP process and you will no longer see it in the show processes | include MOP output. If you wait 15 minutes and still see the MOP process in the output of show processes | include MOP, then you still have MOP enabled on a supported interface.
We’d love to hear what you think. Ask a question, comment below, and stay connected with Cisco Secure on social!