Disabling the Service Plane from Sending Management Protocol Packets to the Management Plane Using MPAC

Networking Requirements

The service plane is disabled from sending management protocol packets to the management plane so that the management plane receives management protocol packets only from the management network interface.

Configuration Roadmap

Procedure

1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.

   [~HUAWEI] service-security policy ipv4 global
   [*HUAWEI-service-sec-global] commit
   [~HUAWEI] service-security policy ipv4 interface
   [*HUAWEI-service-sec-interface] commit

2. Disable FTP, SNMP, SSH, Telnet, and TFTP protocol packets from being sent to the management plane in the profile for global application, and allow only FTP, SNMP, SSH, Telnet, and TFTP protocol packets to be sent to the management plane in the profile for interface application.

   [*HUAWEI-service-sec-global] rule deny protocol ftp
   [*HUAWEI-service-sec-global] rule deny protocol snmp
   [*HUAWEI-service-sec-global] rule deny protocol ssh
   [*HUAWEI-service-sec-global] rule deny protocol telnet
   [*HUAWEI-service-sec-global] rule deny protocol tftp
   [*HUAWEI-service-sec-global] commit
   [~HUAWEI-service-sec-global] quit
   [*HUAWEI-service-sec-interface] rule permit protocol ftp
   [*HUAWEI-service-sec-interface] rule permit protocol snmp
   [*HUAWEI-service-sec-interface] rule permit protocol ssh
   [*HUAWEI-service-sec-interface] rule permit protocol telnet
   [*HUAWEI-service-sec-interface] rule permit protocol tftp
   [*HUAWEI-service-sec-interface] commit
   [~HUAWEI-service-sec-interface] quit

3. Apply the former policy globally and the latter policy to the management network interface GigabitEthernet0/0/0.

   [~HUAWEI] interface GigabitEthernet0/0/0
   [*HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
   [*HUAWEI-GigabitEthernet0/0/0] commit
   [~HUAWEI-GigabitEthernet0/0/0] quit
   [*HUAWEI] service-security global-binding ipv4 global
   [*HUAWEI] commit

4. Verify the configuration.

   [~HUAWEI] display service-security binding ipv4 
   Configured : Global
   Policy Name: global
   
   Interface  : GigabitEthernet0/0/0
   Policy Name: interface
   [~HUAWEI] display service-security policy ipv4
   Policy Name : global
   Step        : 5
    rule 5 deny protocol ftp
    rule 10 deny protocol snmp
    rule 15 deny protocol ssh
    rule 20 deny protocol tftp
    rule 25 deny protocol telnet
   
   Policy Name : interface
   Step        : 5
    rule 5 permit protocol ftp
    rule 10 permit protocol snmp
    rule 15 permit protocol ssh
    rule 20 permit protocol tftp
    rule 25 permit protocol telnet

5. Check whether all management protocol packets are dropped and whether all service interfaces do not send management protocol packets to the management plane.

   [~HUAWEI] display service-security statistics ipv4 
   Policy Name : global
   Step        : 5
    rule 5 deny protocol ftp (9 times matched)
    rule 10 deny protocol snmp (0 times matched)
    rule 15 deny protocol ssh (0 times matched)
    rule 20 deny protocol tftp (0 times matched)
    rule 25 deny protocol telnet (15 times matched)
   
   Policy Name : interface
   Step        : 5
    rule 5 permit protocol ftp (74 times matched)
    rule 10 permit protocol snmp (0 times matched)
    rule 15 permit protocol ssh (0 times matched)
    rule 20 permit protocol tftp (0 times matched)
    rule 25 permit protocol telnet (237 times matched)
   

If only a global policy profile is configured and management protocol packets are disabled from being sent to the management plane in the profile, the device fails to be managed. To resolve this problem, allow specific service interfaces to send management protocol packets to the management plane first. Ensure that these interfaces are Up.