The management-plane isolate enable command enables management plane separation.
The undo management-plane isolate enable command disables the function.
By default, management plane separation is enabled.
Usage Scenario
The management-plane isolate enable command enables separation of the management plane to prevent unauthorized users from attacking the management network through the service network. After the command is run, the switch prevents unauthorized users from accessing the management interface through a service interface. That is, if the destination address of a packet received by a service interface is the management interface address, the user cannot access the switch. Access from the management interface to a service interface is not restricted.
Precautions
The management-port isolate enable and management-plane isolate enable commands have different functions. The management-port isolate enable command isolates traffic between the management and service interfaces by marking the network segment routes whose outbound interface is the management interface as blackhole routes. The management-plane isolate enable command isolates service interfaces from the management interface by marking the host and broadcast routes whose outbound interface is the management interface as blackhole routes.
When a version earlier than V200R005C02 (except V200R005C00SPC500) is upgraded to V200R005C02, a version later than V200R005C02, or V200R005C00SPC500, the undo management-plane isolate enable configuration is automatically generated.
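The default and the upgrade precaution above can be combined into a post-upgrade check. The following Python is an added example, not vendor code: it assumes that versions are ordered by their V/R/C numbers and that a saved configuration omits the command when the default (enabled) applies. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample of a saved configuration (not from a real device).
SAMPLE_CONFIG = """\
#
sysname SW-EDGE-01
#
undo management-plane isolate enable
#
"""

VERSION_RE = re.compile(r"^V(\d+)R(\d+)C(\d+)(?:SPC(\d+))?$")
THRESHOLD = (200, 5, 2)        # V200R005C02, compared on (V, R, C) only
EXCEPTION = (200, 5, 0, 500)   # V200R005C00SPC500, named explicitly in the precaution


def parse_version(text):
    """Return (V, R, C, SPC) as integers; SPC is 0 when absent."""
    m = VERSION_RE.match(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    v, r, c, spc = m.groups()
    return int(v), int(r), int(c), int(spc or 0)


def upgrade_generates_undo(source, target):
    """True when the upgrade path matches the precaution on this page.

    Assumption: 'earlier' and 'later' are decided by the (V, R, C) tuple.
    """
    src, dst = parse_version(source), parse_version(target)
    src_is_old = src[:3] < THRESHOLD and src != EXCEPTION
    dst_is_new = dst[:3] >= THRESHOLD or dst == EXCEPTION
    return src_is_old and dst_is_new


def plane_isolation_enabled(config_text):
    """False if the undo line is present, otherwise the documented default.

    Assumption: the saved configuration lists only non-default settings.
    """
    for line in config_text.splitlines():
        if line.strip().lower() == "undo management-plane isolate enable":
            return False
    return True


if __name__ == "__main__":
    if upgrade_generates_undo("V200R003C00", "V200R005C02"):
        print("upgrade path generates the undo configuration")
    print("separation enabled:", plane_isolation_enabled(SAMPLE_CONFIG))
```

Where the check reports that separation is disabled on a device that should have it, running management-plane isolate enable restores the behaviour described under Usage Scenario.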