Management and service plane protection supports policy configuration at three levels: interface level, board level, and global level. By configuring policies at these three levels, you can implement interface-level control for management and application protocols.
The interfaces that can send management and service packets have been defined in advance.
After certain interfaces on the device are specified as management interfaces, the device discards all management protocol packets received through other interfaces. This prevents attackers from controlling the device through network interfaces.
You can control protocol packets at the software level.
Through configuration of three-level policies, you can specify the types of packets that can be processed on a particular interface.
Management and service plane protection supports the following management protocols: FTP, SSH, SNMP, Telnet, TFTP.
Management and service plane protection supports the following application protocols: BGP, LDP, RSVP, OSPF, RIP, IS-IS, PIM-SM.
When the device receives a packet of any of the supported protocols, the device determines whether an interface-level policy is configured. If an interface-level policy is configured and the action configured for the policy is pass, the device sends the packet directly to the control layer for further processing; if the action configured for the policy is drop, the device discards the packet.
If the action for the interface-level policy is not configured or no interface-level policy is configured, the device determines whether a board-level policy is configured. If a board-level policy is configured and the action configured for the board-level policy is pass, the device sends the packet to the control layer for processing; if the action configured for the board-level policy is drop, the device discards the packet.
If the action for the board-level policy is not configured or no board-level policy is configured, the device determines whether a global policy is configured. If a global policy is configured and the action configured for the global policy is pass, the device sends the packet directly to the control layer for processing; if the action configured for the global policy is drop, the device discards the packet.
If the action for the global policy is not configured or no global policy is configured, the device sends the packet to the control layer for processing.
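The lookup order described above can be modelled as follows. This is an added example, not vendor code or CLI syntax: the policy data model, the interface and board names, and the function names are assumptions. It also lists the management protocols that reach the control layer on an interface only because no level has an action configured.

```python
# Added illustration: data model and names are assumptions, not vendor syntax.
MGMT = {"FTP", "SSH", "SNMP", "TELNET", "TFTP"}
APP = {"BGP", "LDP", "RSVP", "OSPF", "RIP", "IS-IS", "PIM-SM"}

# Constructed sample policy set; protocol keys are upper case, and a missing
# key means "no action configured" at that level.
POLICIES = {
    "interface": {"mgmt0": {"SSH": "pass", "SNMP": "pass"},
                  "ge1/0/1": {"BGP": "drop"}},
    "board": {"1": {"BGP": "pass"}},
    "global": {"FTP": "drop", "SSH": "drop", "TELNET": "drop", "TFTP": "drop"},
}
INTERFACES = {"mgmt0": "0", "ge1/0/1": "1", "ge1/0/2": "1"}  # name -> board


def resolve(policies, protocol, interface, board):
    """Return (action, deciding_level) for one received protocol packet."""
    proto = protocol.upper()
    if proto not in MGMT | APP:
        raise ValueError(f"{protocol}: not covered by the feature")
    levels = (
        ("interface", policies.get("interface", {}).get(interface, {})),
        ("board", policies.get("board", {}).get(board, {})),
        ("global", policies.get("global", {})),
    )
    for level, table in levels:
        action = table.get(proto)
        if action in ("pass", "drop"):  # first configured action wins
            return action, level
    return "pass", "default"  # nothing configured: sent to the control layer


def implicit_pass(policies, interfaces):
    """Management protocols that reach the control layer only by default."""
    return sorted(
        (name, proto)
        for name, board in interfaces.items()
        for proto in MGMT
        if resolve(policies, proto, name, board) == ("pass", "default")
    )


if __name__ == "__main__":
    for name, board in INTERFACES.items():
        for proto in ("SSH", "SNMP", "BGP", "OSPF"):
            print(name, proto, *resolve(POLICIES, proto, name, board))
    print("implicit pass:", implicit_pass(POLICIES, INTERFACES))
```

In the sample, SNMP has no global action, so it is passed by default on every interface that lacks its own SNMP policy.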