By default, the service interfaces of a switch accept management protocols, and the same management protocols can be used to log in through a dedicated management network interface. If the customer network has planned a management plane that reaches devices only through dedicated management network interfaces, you can prohibit logins that use management protocols over service interfaces, so that the service plane no longer exposes the management plane.
To prohibit service plane access using management protocols on a switch that has a dedicated management network interface, run the deny command in the attack defense policy (cpu-defend policy) view to set the action on Telnet, SSH, HTTP, SNMP, FTP and ping (ICMP) packets sent to the CPU to discard. Note that once the policy is applied, the switch also stops answering ping and SNMP polls that arrive on service interfaces, so confirm that monitoring and your own login path use the dedicated management network interface before applying the policy, and configure it from that interface rather than from a service-interface session that the policy will cut off.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy 1
[HUAWEI-cpu-defend-policy-1] deny packet-type telnet
[HUAWEI-cpu-defend-policy-1] deny packet-type ssh
[HUAWEI-cpu-defend-policy-1] deny packet-type http
[HUAWEI-cpu-defend-policy-1] deny packet-type snmp
[HUAWEI-cpu-defend-policy-1] deny packet-type ftp
[HUAWEI-cpu-defend-policy-1] deny packet-type icmp
[HUAWEI-cpu-defend-policy-1] quit
[HUAWEI] cpu-defend-policy 1 global
For a switch that does not have a dedicated management network interface, management protocols cannot be dropped at the CPU without losing management access altogether. Instead, use the ACL that each management protocol supports to restrict the source IP addresses that are allowed to log in.
Use Telnet as an example. Configure ACL 2000 on the Telnet server to reject login requests from 10.1.1.1. This ACL is a block list: only 10.1.1.1 is rejected, and every other source can still attempt to log in (if non-matching sources were also rejected, this single deny rule would lock out every login). If you want to admit only known management hosts, write permit rules for those hosts followed by a final deny rule, and apply an ACL in the same way to every management protocol you leave enabled, not only to Telnet.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] telnet server acl 2000
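The two options above are easy to misapply: a cpu-defend policy that is defined but never applied globally does nothing, and a login ACL with only deny rules still admits every source it does not name. The following script is an added example (not Huawei's code) that audits a VRP-style configuration dump for both options. The configuration text is constructed for the example; the policy number, ACL 2000 and 10.1.1.1 follow the page, while ACL 2001, the 10.1.2.0/24 management subnet and the use of an SSH server ACL alongside the Telnet one are assumptions made for illustration.

```python
"""Audit a Huawei VRP-style configuration dump for the management-plane
hardening described above. Added example, not Huawei code; the configuration
text is constructed and the addresses in it are assumed."""
import re

# Packet types the page says to discard when a dedicated management interface exists.
REQUIRED_PACKET_TYPES = {"telnet", "ssh", "http", "snmp", "ftp", "icmp"}

# Constructed: switch with a dedicated management interface (page's first option).
CONFIG_WITH_MGMT = """\
#
cpu-defend policy 1
 deny packet-type telnet
 deny packet-type ssh
 deny packet-type http
 deny packet-type snmp
 deny packet-type ftp
 deny packet-type icmp
#
cpu-defend-policy 1 global
#
"""

# Constructed: switch without a management interface (page's second option).
# Telnet uses the page's block-list ACL; SSH uses an allow-list ACL (assumed
# subnet) that permits one management subnet and ends with a catch-all deny.
CONFIG_NO_MGMT = """\
#
acl number 2000
 rule 5 deny source 10.1.1.1 0
#
acl number 2001
 rule 5 permit source 10.1.2.0 0.0.0.255
 rule 10 deny
#
telnet server acl 2000
ssh server acl 2001
#
"""


def parse_blocks(config):
    """Map each unindented config line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None  # '#' separates sections in a VRP config dump
            continue
        if line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def denied_packet_types(blocks, policy):
    """Packet types discarded by 'cpu-defend policy <policy>'."""
    denied = set()
    for line in blocks.get(f"cpu-defend policy {policy}", []):
        m = re.match(r"deny packet-type (\S+)$", line)
        if m:
            denied.add(m.group(1))
    return denied


def acl_rules(blocks, acl):
    """(action, source) pairs of a basic ACL; a rule with no source matches any."""
    lines = blocks.get(f"acl number {acl}", blocks.get(f"acl {acl}", []))
    rules = []
    for line in lines:
        m = re.match(r"rule (?:\d+ )?(permit|deny)(?: source (\S+)(?: \S+)?)?$", line)
        if m:
            rules.append((m.group(1), m.group(2) or "any"))
    return rules


def login_acls(blocks):
    """ACL number bound to each management server ('telnet server acl N', ...)."""
    acls = {}
    for header in blocks:
        m = re.match(r"(telnet|ssh) server acl (\d+)$", header)
        if m:
            acls[m.group(1)] = int(m.group(2))
    return acls


def audit(config, has_mgmt_interface, policy=1):
    """Return a list of findings; an empty list means the option is applied as intended."""
    blocks, findings = parse_blocks(config), []
    if has_mgmt_interface:
        missing = REQUIRED_PACKET_TYPES - denied_packet_types(blocks, policy)
        if missing:
            findings.append(f"cpu-defend policy {policy} does not discard: {', '.join(sorted(missing))}")
        if f"cpu-defend-policy {policy} global" not in blocks:
            findings.append(f"cpu-defend policy {policy} is defined but not applied globally")
        return findings
    acls = login_acls(blocks)
    for proto in ("telnet", "ssh"):
        if proto not in acls:
            findings.append(f"{proto} server has no login ACL")
            continue
        rules = acl_rules(blocks, acls[proto])
        if not rules:
            findings.append(f"{proto} server ACL {acls[proto]} has no rules")
        elif not any(action == "permit" for action, _ in rules):
            findings.append(f"{proto} server ACL {acls[proto]} is a block list; "
                            "sources matching no rule are still accepted")
    return findings


if __name__ == "__main__":
    print(audit(CONFIG_WITH_MGMT, has_mgmt_interface=True))   # []
    print(audit(CONFIG_NO_MGMT, has_mgmt_interface=False))    # one block-list finding for Telnet
```

Feed the script the output of display current-configuration; the parser keys only on the two-level structure of a VRP dump, so it does not depend on the exact interface or ACL naming beyond the patterns shown.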