Usage Scenario
To help the device defend against attacks or unauthorized logins initiated by sending protocol packets, management and service plane protection is used to prevent packets of a specified protocol or all protocols from being sent to the CPU. Using management and service plane protection improves device security and reliability and ensures normal network operation.
An interface-based policy takes effect on a specified interface. It allows finer-grained and more accurate management than a global or board-based policy.
To configure an interface-based policy, run the ma-defend interface-policy command.
Configuration Impact
After an interface-based policy has been configured with a rule that prevents packets of a specified protocol or all protocols from being sent to the CPU, the matching packets are discarded directly when they arrive at the specified interface.
Follow-up Procedure
Run the protocol command to create a rule for an interface-based policy to accept or discard specified packets before the packets are sent to the CPU.
Run the ma-defend-interface command to apply the configured policy to a specified interface.
You can also configure a global policy and apply it to the device, or configure a board-based policy and apply it to a specified board.
Precautions
In VS mode, this command is supported only by the admin VS.