Example for Configuring MPAC

This section provides Management Plane Access Control (MPAC) configuration examples.

Networking Requirements

To prevent an attacker from sending various types of TCP/IP attack packets to paralyze Device A, MPAC is deployed on Device A, as shown in Figure 1.

Figure 1 MPAC networking

Interface 1 in this example is GE 0/1/0.


Configuration Notes

None.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure an IP address and routes for each interface to ensure network connectivity.

  2. Configure an IPv4 MPAC policy named test on Device A.

  3. Apply the IPv4 MPAC policy named test to GE 0/1/0.

  4. Apply the IPv4 MPAC policy named test to Device A.

Data Preparation

To complete the configuration, you need the following data:

  • IP address and routes on each interface

  • Name of the policy with which the rate for sending packets to the CPU is restricted

  • IPv4 MPAC policy applied to Device A

  • IPv4 MPAC policy applied to GE 0/1/0

Procedure

  1. Configure an IP address and routes for each interface to ensure network connectivity. For configuration details, see "Configuration Files" in this section.

  2. Configure an IPv4 MPAC policy named test on Device A.

    <DeviceA> system-view
    [DeviceA] service-security policy ipv4 test
    [DeviceA-service-sec-test] rule 10 deny protocol ip source-ip 10.10.1.1 0
    [DeviceA-service-sec-test] step 10
    [DeviceA-service-sec-test] description rule 10 is deny ip packet which from 10.10.1.1
    [DeviceA-service-sec-test] commit
    [DeviceA-service-sec-test] quit

  3. Apply the IPv4 MPAC policy named test to Device A.

    [DeviceA] service-security global-binding ipv4 test
    [DeviceA] commit

  4. Apply the IPv4 MPAC policy named test to GE 0/1/0 on Device A.

    [DeviceA] interface gigabitethernet 0/1/0
    [DeviceA-GigabitEthernet0/1/0] service-security binding ipv4 test
    [DeviceA-GigabitEthernet0/1/0] commit
    [DeviceA-GigabitEthernet0/1/0] quit

  5. Verify the configuration.

    After completing the configurations, run the display service-security statistics command to view the statistics about the IPv4 MPAC policy.

    [DeviceA] display service-security statistics ipv4 test
    Policy Name : test
    Description : rule 10 is deny ip packet which from 10.10.1.1
    Step        : 10
     rule 10 deny protocol ip source-ip 10.10.1.1 0 (10 times matched)

Configuration Files

  • Device A configuration file

    #
    sysname DeviceA
    #
    service-security global-binding ipv4 test
    #
    service-security policy ipv4 test
     description rule 10 is deny ip packet which from 10.10.1.1
     step 10
     rule 10 deny protocol ip source-ip 10.10.1.1 0
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.10.1.2 255.255.255.0
     service-security binding ipv4 test
    #
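
The following Python script is an added example, not part of the original documentation: it audits a saved configuration file for the MPAC relationships this procedure sets up, checking that every global or interface binding names a defined IPv4 policy and that every defined policy has rules and is bound somewhere. The function name `audit_mpac` and the checks themselves are assumptions of this example; the input is the Device A configuration file above, assumed to have top-level commands at column 0 and sub-commands indented by one space.

```python
import re

# Constructed input: the Device A configuration file shown on this page.
CONFIG = """\
#
sysname DeviceA
#
service-security global-binding ipv4 test
#
service-security policy ipv4 test
 description rule 10 is deny ip packet which from 10.10.1.1
 step 10
 rule 10 deny protocol ip source-ip 10.10.1.1 0
#
interface GigabitEthernet0/1/0
 undo shutdown
 ip address 10.10.1.2 255.255.255.0
 service-security binding ipv4 test
#
"""

def audit_mpac(config):
    """Return (rules per policy, bindings, problems) for IPv4 MPAC config lines."""
    policies, bindings, problems, section, policy = {}, [], [], "", None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a column-0 line opens a new section
            section, policy = line, None
            if m := re.fullmatch(r"service-security policy ipv4 (\S+)", line):
                policy = m[1]
                policies[policy] = []
            elif m := re.fullmatch(r"service-security global-binding ipv4 (\S+)", line):
                bindings.append(("global", m[1]))
        elif m := re.fullmatch(r"service-security binding ipv4 (\S+)", line):
            bindings.append(((section.split() or ["?"])[-1], m[1]))
        elif policy and line.startswith("rule "):
            policies[policy].append(line)
    for where, name in bindings:         # a binding must name a defined policy
        if name not in policies:
            problems.append(f"{where}: bound policy '{name}' is not defined")
    for name, rules in policies.items():
        if not rules:
            problems.append(f"policy '{name}' has no rules")
        if all(bound != name for _, bound in bindings):
            problems.append(f"policy '{name}' is defined but not bound anywhere")
    return policies, bindings, problems

if __name__ == "__main__":
    print(audit_mpac(CONFIG))
```

An empty problems list for the configuration on this page means the policy test is defined with its rule and referenced consistently by both the global and the GE 0/1/0 binding.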
Copyright © Huawei Technologies Co., Ltd.