Configuring Management and Service Plane Protection

This section describes how to configure management and service plane protection. This function allows only specified protocol packets to be sent to CPUs, and reduces malicious packet attacks on these CPUs to ensure that devices work properly.

Applicable Environment

Attacks intended to paralyze TCP/IP networks, especially network devices, continue to increase at an alarming rate. MPAC serves better for protecting devices against such attacks. Using MPAC is recommended.

If the router is likely to be controlled by unauthorized users through non-management interfaces or attacked by flooding packets, management and service plane protection needs to be deployed. The protection function ensures that only specified management interfaces will be allowed to receive management packets. Packets received by non-management interfaces will be directly dropped. This saves resources.

FTP, SSH, SNMP, TELNET, and TFTP are usually disabled globally on a device but enabled on some specified interfaces. If the interfaces enabled with these protocols are all Down, the global configurations will cease to take effect (that is, these protocols will be automatically enabled on other interfaces), which ensures connectivity to the device.
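
The fallback described above matters when auditing exposure: while every designated management interface is Down, the listed protocols are accepted on other interfaces. The following added example (not Huawei code) models that rule in Python; the interface names, the per-protocol evaluation, and the handling of a protocol enabled on no interface are assumptions.

```python
from dataclasses import dataclass, field

# The management protocols the page lists.
PROTOCOLS = ("FTP", "SSH", "SNMP", "TELNET", "TFTP")

@dataclass
class Interface:
    name: str                                  # constructed name, not a real port
    link_up: bool
    enabled: set = field(default_factory=set)  # protocols enabled on this interface

def fallback_active(interfaces, protocol):
    """True when every interface enabled for `protocol` is Down.

    Assumption: a protocol enabled on no interface stays globally disabled.
    """
    mgmt = [i for i in interfaces if protocol in i.enabled]
    return bool(mgmt) and not any(i.link_up for i in mgmt)

def admits(interfaces, ingress, protocol):
    """Would a `protocol` packet arriving on `ingress` be sent to the CPU?"""
    iface = next(i for i in interfaces if i.name == ingress)
    if not iface.link_up:
        return False                  # a Down interface receives nothing
    if protocol in iface.enabled:
        return True                   # designated management interface
    return fallback_active(interfaces, protocol)  # dropped unless fallback applies

def exposure_report(interfaces):
    """Map each protocol in fallback to the Up interfaces now accepting it."""
    return {
        p: [i.name for i in interfaces if i.link_up and p not in i.enabled]
        for p in PROTOCOLS
        if fallback_active(interfaces, p)
    }

def sample_device(mgmt_up):
    """Constructed inventory: one management port and two service ports."""
    return [
        Interface("mgmt0", mgmt_up, {"SSH", "SNMP"}),
        Interface("ge1", True),
        Interface("ge2", True),
    ]

if __name__ == "__main__":
    for state in (True, False):
        print("mgmt0 up" if state else "mgmt0 down", exposure_report(sample_device(state)))
```

A non-empty report is the condition to alert on: it means management protocols are reachable through interfaces that normally drop them.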

This configuration task is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring management and service plane protection, complete the following task:

  • Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol on the interfaces is Up

Copyright © Huawei Technologies Co., Ltd.