
MPAC

Attack Behavior

Packets from the user side may have the following impacts on switches:
  • Excess packets cause high CPU usage and degrade CPU performance, so services cannot be processed properly.
  • Malicious attack packets cause a system breakdown.

Security Policy

To defend against the preceding attacks, configure MPAC policies on sub-interfaces, interfaces, and the entire system. An MPAC policy permits or denies sending packets of certain protocols to the CPU, and permits or denies sending packets that match certain source or destination IP addresses to the CPU.

MPAC protects switches against attacks. An MPAC-enabled switch filters packets destined for the CPU based on MPAC policies and discards unnecessary packets to prevent attacks on the CPU.

Configuration Method

Configure an IPv4 MPAC policy.

<HUAWEI> system-view 
[HUAWEI] service-security policy ipv4 test  //Create an IPv4 MPAC policy named test.
[HUAWEI-service-sec-test] rule 10 deny protocol ip source-ip 10.10.1.1 0
[HUAWEI-service-sec-test] quit
[HUAWEI] service-security global-binding ipv4 test  //Apply the test policy globally. You can configure MPAC policy rules globally or on sub-interfaces or interfaces as required.

Configure an IPv6 MPAC policy.

<HUAWEI> system-view 
[HUAWEI] service-security policy ipv6 huawei  //Create an IPv6 MPAC policy named huawei.
[HUAWEI-service-sec-huawei] rule 10 deny protocol ip source-ip fc00::1/64
[HUAWEI-service-sec-huawei] quit
[HUAWEI] service-security global-binding ipv6 huawei  //Apply the huawei policy globally. You can configure MPAC policy rules globally or on sub-interfaces or interfaces as required.
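
A check that policies created as above are actually applied, as an added example that is not part of the original Huawei page: it parses exported configuration text and reports policies without rules, policies that are not globally bound, and global bindings that name a policy that does not exist. The function name audit_mpac, the finding labels and the saved-configuration layout (prompts removed, "#" separators) are assumptions; only the command forms shown on this page are recognised, so bindings on interfaces or sub-interfaces are not checked.

```python
import re

# Constructed sample of exported configuration (assumed layout: prompts
# removed, "#" between sections). "huawie" is a deliberate typo in a binding.
SAMPLE_CONFIG = """\
service-security policy ipv4 test
 rule 10 deny protocol ip source-ip 10.10.1.1 0
#
service-security policy ipv4 spare
#
service-security policy ipv6 huawei
 rule 10 deny protocol ip source-ip fc00::1/64
#
service-security global-binding ipv4 test
service-security global-binding ipv6 huawie
"""

POLICY = re.compile(r"^service-security policy (ipv4|ipv6) (\S+)$")
BINDING = re.compile(r"^service-security global-binding (ipv4|ipv6) (\S+)$")
RULE = re.compile(r"^rule (\d+) (permit|deny) protocol \S+")

def audit_mpac(config_text):
    """Return (finding, family, policy_name) tuples for MPAC configuration."""
    policies = {}   # (family, name) -> list of rule IDs
    bound = set()   # (family, name) named by a global-binding line
    current = None  # policy view the parser is currently inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := POLICY.match(line):
            current = (m.group(1), m.group(2))
            policies.setdefault(current, [])
        elif m := BINDING.match(line):
            bound.add((m.group(1), m.group(2)))
            current = None
        elif (m := RULE.match(line)) and current:
            policies[current].append(int(m.group(1)))
        elif line:
            current = None  # "#", quit or any other command leaves the view
    findings = []
    for key in sorted(bound - set(policies)):
        findings.append(("binding-without-policy",) + key)
    for key, rules in sorted(policies.items()):
        if not rules:
            findings.append(("policy-without-rules",) + key)
        if key not in bound:
            findings.append(("policy-not-globally-bound",) + key)
    return findings

if __name__ == "__main__":
    print(*audit_mpac(SAMPLE_CONFIG), sep="\n")
```

A "policy-not-globally-bound" finding is a prompt to confirm where the policy is applied, since this check does not read interface-level configuration.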
Copyright © Huawei Technologies Co., Ltd.