Perimeter L3 Switch Security Technical Implementation Guide - Cisco
No Change 1
Findings ID: NET0745 | Rule ID: SV-79295r1_rule | Severity: low | CCI: CCI-000381
Discussion
The Maintenance Operations Protocol (MOP) was developed by Digital Equipment Corporation for remote communications. Cisco IOS software routers implement MOP to gather configuration information when communicating with DECnet networks. By default, MOP is enabled on all Ethernet, FastEthernet, and GigabitEthernet interfaces, and disabled on all other types of interface. MOP RC data is carried directly in Layer 2 frames with no Layer 3 addressing at all, so any RC session is limited to devices that are either on the same physical network segment or on separate segments that are bridged. It is possible to connect to a Cisco IOS device using a MOP RC client and, with a valid set of credentials, establish an interactive remote session.
Because this is a Cisco default setting, it does not appear in the configuration when it is in effect. The MOP service must be disabled on each interface with the "no mop enabled" interface configuration command.
Responsibility: System Administrator, Switch Administrator
Checks
Review the device configuration; if the statement "no mop enabled" is not present on every enabled Ethernet, FastEthernet, and GigabitEthernet interface, this is a finding.
Not all releases of Cisco IOS support this capability, and this does not apply to Cisco NX-OS. If the "no mop enabled" statement is not present in the device configuration, determine whether the IOS version and feature set support Maintenance Operations Protocol. If they do not, this is not a finding.
Fix
Configure the device to disable Maintenance Operations Protocol (MOP). Issue the following command on all Ethernet, FastEthernet, and GigabitEthernet interfaces:
(config-if)# no mop enabled
Not all releases of Cisco IOS support this capability, and this does not apply to Cisco NX-OS. Document the IOS release and feature set; if the device IOS does not support Maintenance Operations Protocol, no configuration change is necessary.
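The check and fix above can be automated against a saved running-config. The following script is an added example (not DISA's or Cisco's code): it walks the interface stanzas, treats the absence of "no mop enabled" on an enabled Ethernet, FastEthernet, or GigabitEthernet interface as a finding (since the MOP default is never displayed), skips interfaces that are shut down, and emits the remediation lines for each finding. The sample configuration is constructed for illustration.

```python
"""Audit a Cisco IOS running-config for NET0745: MOP must be disabled on Ethernet interfaces."""
import re

# Interface families named by the check; Loopback, Serial, Vlan, etc. are out of scope.
ETH_NAME_RE = re.compile(r"^(?:Fast|Gigabit)?Ethernet\S*$", re.IGNORECASE)

# Constructed sample config (not from a real device): Gi0/0 is compliant,
# Gi0/1 relies on the silent MOP default, Fa0/2 is shut down, Loopback0 is out of scope.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/2
 shutdown
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-commands]} for every interface stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if not raw.startswith(" "):          # a column-0 line ends any open stanza
            m = re.match(r"^interface\s+(\S+)", raw, re.IGNORECASE)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = []
        elif current is not None:
            interfaces[current].append(raw.strip())
    return interfaces


def mop_findings(config_text):
    """Names of enabled Ethernet-family interfaces lacking an explicit 'no mop enabled'."""
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if not ETH_NAME_RE.match(name) or "shutdown" in cmds:
            continue                         # out of scope, or not an enabled interface
        if "no mop enabled" not in cmds:
            findings.append(name)            # default (MOP on) is in effect but not shown
    return findings


def remediation_commands(findings):
    """Interface-mode commands that apply the STIG fix to each flagged interface."""
    return [cmd for name in findings for cmd in (f"interface {name}", " no mop enabled")]


if __name__ == "__main__":
    print("\n".join(remediation_commands(mop_findings(SAMPLE_CONFIG))))
```

The script only reflects what the configuration shows; per the check text, confirm first that the IOS release and feature set actually support MOP before recording a finding.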