Router Spring Cleaning – No MOP Required — Again


   Router#show processes | include MOP
   208 Mwe 5632C4164FCE 7 66 10622408/24000 0 MOP Protocols
   Router#

If the device isn’t running MOP, it will return nothing as shown in the following example:

   Router#show processes | include MOP
   Router#

The platform will accept MOP RC sessions only if it is running MOP.

Controlling MOP RC Sessions on the VTY Lines

Once we have determined that the image supports MOP and that the MOP process is running, how do we control MOP usage and access? The following question came up on the external forum, and it was mentioned in the original blog: Why is MOP RC traffic even accepted when the VTY lines were configured with transport input ssh, which should drop all management protocols other than SSH over the VTY lines, especially when transport input does include the keyword option of mop?

The answer is that this is a bug and it has been addressed with Cisco Bug ID CSCwa57951. The fix will be included in Cisco IOS XE Software releases 17.9(1) and later. After you implement the fix, if you do have the recommended configuration of transport input ssh on the VTY lines, then even if MOP is running, no connections that use MOP RC will be permitted.

Note: MOP RC sessions still are subject to whatever authentication options are configured on the VTY lines.

Recommendations for MOP

The current advice hasn’t changed from what was recommended back in 2010 and in the hardening guide: disable MOP on all interfaces unless your business requires it to be enabled.

Recently, MOP has been disabled by default in Cisco IOS XE releases, but unfortunately that varies by platform type and even by license level.

Regardless of how you are configuring the device – via templates, API, scripts, or manually – ensure that you apply no mop enable on all interfaces. The command will be rejected if the release or license level doesn’t support MOP, but it won’t impact the device.
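As an added example (not part of the original post), the following script checks both things this post describes: whether the MOP Protocols process shows up in show processes | include MOP output, and whether every interface in a running-config carries no mop enable and every VTY line is restricted to transport input ssh. The sample output and configuration are constructed; on platforms where MOP is already disabled by default, no mop enable will not appear in show run, so the process check is the one that settles it.

```python
# Constructed sample output and config excerpt (not taken from the original post).
SHOW_PROC_MOP = """\
Router#show processes | include MOP
 208 Mwe 5632C4164FCE      7      66  10622408/24000    0 MOP Protocols
"""
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 no mop enable
!
interface GigabitEthernet0/0/1
!
line vty 0 4
 transport input ssh
!
line vty 5 15
 transport input all
"""

def mop_process_running(show_output):
    """True if the MOP Protocols process appears in 'show processes | include MOP'."""
    return any("MOP Protocols" in line for line in show_output.splitlines())

def parse_stanzas(config):
    """Split IOS-style running-config text into (header, body_lines) pairs."""
    stanzas, header, body = [], None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):           # indented: belongs to current stanza
            body.append(line.strip())
        else:                              # top-level: starts a new stanza
            if header is not None:
                stanzas.append((header, body))
            header, body = line.strip(), []
    if header is not None:
        stanzas.append((header, body))
    return stanzas

def audit_mop(config):
    """Interfaces lacking 'no mop enable' and VTY lines not limited to ssh (absent counts as open)."""
    findings = {"mop_interfaces": [], "vty_lines": []}
    for header, body in parse_stanzas(config):
        if header.startswith("interface ") and "no mop enable" not in body:
            findings["mop_interfaces"].append(header.split(" ", 1)[1])
        elif header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if transports != ["transport input ssh"]:
                findings["vty_lines"].append(header)
    return findings

if __name__ == "__main__":
    print("MOP process running:", mop_process_running(SHOW_PROC_MOP))
    print(audit_mop(SAMPLE_CONFIG))
```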
