The ma-defend interface-policy command creates an interface-based policy for management and service plane protection and enters the interface-based policy view.
The undo ma-defend interface-policy command deletes a created interface-based policy.
By default, no interface-based policy is created.
Usage Scenario
To help the device defend against attacks or unauthorized logins initiated by sending protocol packets, management and service plane protection is used to prevent packets of a specified protocol or all protocols from being sent to the CPU. Using management and service plane protection improves device security and reliability and ensures normal network operation.
An interface-based policy takes effect on a specified interface. It allows finer-grained and more accurate management than a global or board-based policy. To configure an interface-based policy, run the ma-defend interface-policy command.
Configuration Impact
After an interface-based policy has been configured and its rule has also been configured to prevent packets of a specified protocol or all protocols from being sent to the CPU, specified packets will be directly discarded after arriving at the specified interface.
Follow-up Procedure
Run the protocol command to create a rule for an interface-based policy to accept or discard specified packets before the packets are sent to the CPU.
Run the ma-defend-interface command to apply the configured policy to a specified interface. You can also configure a global policy and apply it to the device, or configure a board-based policy and apply it to a specified board.
Precautions
In VS mode, this command is supported only by the admin VS.
<HUAWEI> system-view
[~HUAWEI] ma-defend interface-policy 7
[*HUAWEI-app-sec-interface-7] protocol snmp permit
[*HUAWEI-app-sec-interface-7] quit
[*HUAWEI] interface GigabitEthernet 0/1/20
[*HUAWEI-GigabitEthernet0/1/20] ma-defend-interface 7
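The follow-up procedure has three parts: create the policy, give it a rule with the protocol command, and bind it to an interface with ma-defend-interface. The Python check below is an added example, not part of the original command reference; it audits a configuration for bindings that point at a missing or rule-less policy, and it assumes the saved configuration repeats the command lines as shown in the example above (the sample text is constructed).

```python
import re

# Constructed sample configuration (not from a real device). Assumption: the
# saved configuration repeats the command lines shown in the page's example.
SAMPLE_CONFIG = """\
ma-defend interface-policy 7
 protocol snmp permit
#
ma-defend interface-policy 8
#
interface GigabitEthernet0/1/20
 ma-defend-interface 7
#
interface GigabitEthernet0/1/21
 ma-defend-interface 8
#
interface GigabitEthernet0/1/22
 ma-defend-interface 9
#
"""

POLICY_RE = re.compile(r"^ma-defend interface-policy (\d+)$")
IFACE_RE = re.compile(r"^interface (\S.*)$")
APPLY_RE = re.compile(r"^ma-defend-interface (\d+)$")


def audit(config_text):
    """Return (policies, bindings, findings) for the create/rule/apply steps."""
    policies, bindings = {}, {}
    policy = iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():          # top-level line starts a new view
            policy = iface = None
            if (m := POLICY_RE.match(line)):
                policy = m.group(1)
                policies[policy] = []
            elif (m := IFACE_RE.match(line)):
                iface = m.group(1).replace(" ", "")
        elif policy and line.startswith("protocol "):
            policies[policy].append(line)  # rule inside the policy view
        elif iface and (m := APPLY_RE.match(line)):
            bindings[iface] = m.group(1)   # policy bound to this interface
    findings = []
    for iface, pid in bindings.items():
        if pid not in policies:
            findings.append((iface, f"policy {pid} is applied but not defined"))
        elif not policies[pid]:
            findings.append((iface, f"policy {pid} has no protocol rule"))
    return policies, bindings, findings
```

Calling audit(SAMPLE_CONFIG) reports GigabitEthernet0/1/21 (policy 8 has no rule) and GigabitEthernet0/1/22 (policy 9 is not defined); GigabitEthernet0/1/20 passes.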