Disabling Specific Service Interfaces from Sending Management Protocol Packets to the Management Plane Using MPAC

Networking Requirements

Specific service interfaces must be prevented from sending management protocol packets (FTP, SNMP, SSH, Telnet, and TFTP) to the management plane, so that the management plane accepts these packets only from the remaining interfaces. In this example the global MPAC policy denies the packets on every interface, and a permit policy is bound only to GigabitEthernet0/1/17 and the management network interface GigabitEthernet0/0/0, the two interfaces that are still allowed to reach the management plane.

Configuration Roadmap

Create two MPAC policy profiles: one to be applied globally and one to be applied to interfaces. In the globally applied profile, configure rules that deny management protocol packets from being sent to the management plane. In the interface profile, configure rules that permit only the specific management protocol packets that are still allowed through. The configuration roadmap is as follows:
  1. Create two MPAC policy profiles in the system view, one to be applied globally and the other to be applied to interfaces.
  2. In the global profile, deny management protocol packets from being sent to the management plane; in the interface profile, permit only the specific management protocol packets.
  3. Bind the interface profile to GigabitEthernet0/1/17 and to the management network interface GigabitEthernet0/0/0, then apply the global profile.
  4. Check the configuration and the number of dropped packets.

Procedure

  1. Create two MPAC policy profiles in the system view, one to be applied globally and the other to be applied to interfaces.
    [~HUAWEI] service-security policy ipv4 global
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  2. Disable FTP, SNMP, SSH, Telnet, and TFTP protocol packets from being sent to the management plane in the profile for global application, and allow only FTP, SNMP, SSH, Telnet, and TFTP protocol packets to be sent to the management plane in the profile for interface application.
    [~HUAWEI] service-security policy ipv4 global
    [~HUAWEI-service-sec-global] rule deny protocol ftp
    [*HUAWEI-service-sec-global] rule deny protocol snmp
    [*HUAWEI-service-sec-global] rule deny protocol ssh
    [*HUAWEI-service-sec-global] rule deny protocol telnet
    [*HUAWEI-service-sec-global] rule deny protocol tftp
    [*HUAWEI-service-sec-global] commit
    [~HUAWEI-service-sec-global] quit
    [~HUAWEI] service-security policy ipv4 interface
    [~HUAWEI-service-sec-interface] rule permit protocol ftp
    [*HUAWEI-service-sec-interface] rule permit protocol snmp
    [*HUAWEI-service-sec-interface] rule permit protocol ssh
    [*HUAWEI-service-sec-interface] rule permit protocol telnet
    [*HUAWEI-service-sec-interface] rule permit protocol tftp
    [*HUAWEI-service-sec-interface] commit
    [~HUAWEI-service-sec-interface] quit
  3. Bind the interface profile to the management network interface GigabitEthernet0/0/0 and to GigabitEthernet0/1/17 first, then apply the global profile. Keep this order: if the global deny profile were applied first, SSH and Telnet packets arriving on the interface that carries your own management session would be dropped until the permit binding is added.
    [~HUAWEI] interface GigabitEthernet0/0/0
    [*HUAWEI-GigabitEthernet0/0/0] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/0/0] commit
    [~HUAWEI-GigabitEthernet0/0/0] quit
    [~HUAWEI] interface GigabitEthernet 0/1/17
    [*HUAWEI-GigabitEthernet0/1/17] service-security binding ipv4 interface
    [*HUAWEI-GigabitEthernet0/1/17] commit
    [~HUAWEI-GigabitEthernet0/1/17] quit
    [~HUAWEI] service-security global-binding ipv4 global
    [*HUAWEI] commit
  4. Verify the configuration.
    [~HUAWEI] display service-security binding ipv4
      Configured : Global
      Policy Name: global

      Interface  : GigabitEthernet0/0/0
      Policy Name: interface

      Interface  : GigabitEthernet0/1/17
      Policy Name: interface
    [~HUAWEI] display service-security policy ipv4
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp
       rule 10 deny protocol snmp
       rule 15 deny protocol ssh
       rule 20 deny protocol tftp
       rule 25 deny protocol telnet

      Policy Name : interface
      Step        : 5
       rule 5 permit protocol ftp
       rule 10 permit protocol snmp
       rule 15 permit protocol ssh
       rule 20 permit protocol tftp
       rule 25 permit protocol telnet
  5. Check the rule match counters to confirm that management protocol packets from the two bound interfaces are accepted by the permit rules of the interface profile, while packets from all other service interfaces are dropped by the deny rules of the global profile. In the output below, the non-zero deny counters for FTP and Telnet in the global profile are the packets dropped from interfaces without the permit binding; note that this output does not show which interface the dropped packets arrived on.
    [~HUAWEI] display service-security statistics ipv4
      Policy Name : global
      Step        : 5
       rule 5 deny protocol ftp (9 times matched)
       rule 10 deny protocol snmp (0 times matched)
       rule 15 deny protocol ssh (0 times matched)
       rule 20 deny protocol tftp (0 times matched)
       rule 25 deny protocol telnet (20 times matched)

      Policy Name : interface
      Step        : 5
       rule 5 permit protocol ftp (100 times matched)
       rule 10 permit protocol snmp (0 times matched)
       rule 15 permit protocol ssh (0 times matched)
       rule 20 permit protocol tftp (0 times matched)
       rule 25 permit protocol telnet (652 times matched)
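
The check in step 5 is something a practitioner will want to repeat from a monitoring host rather than read by hand once. The following Python script is an added example and is not part of the Huawei page or of any Huawei tool: it parses the text of display service-security statistics ipv4, verifies that the two policies still have the intended shape (only deny rules in the global policy, only permit rules in the interface policy, the same protocols in both), and derives the packets dropped by the global policy since the previous poll. The sample output is a constructed copy of the step 5 output plus a hypothetical earlier poll with lower counters; the policy names global and interface are taken from this example, and the function names and the assumption that the counters are cumulative are mine. How the text is fetched from the device (SSH session, NETCONF, log collector) is outside the script.

```python
import re
from typing import Dict, List, NamedTuple

class RuleStat(NamedTuple):
    rule_id: int
    action: str    # "permit" or "deny"
    protocol: str  # ftp, snmp, ssh, telnet or tftp
    matched: int   # match counter as printed by the device

# Constructed sample: a copy of the step 5 "display service-security statistics ipv4" output.
CURRENT_OUTPUT = """\
  Policy Name : global
  Step        : 5
   rule 5 deny protocol ftp (9 times matched)
   rule 10 deny protocol snmp (0 times matched)
   rule 15 deny protocol ssh (0 times matched)
   rule 20 deny protocol tftp (0 times matched)
   rule 25 deny protocol telnet (20 times matched)

  Policy Name : interface
  Step        : 5
   rule 5 permit protocol ftp (100 times matched)
   rule 10 permit protocol snmp (0 times matched)
   rule 15 permit protocol ssh (0 times matched)
   rule 20 permit protocol tftp (0 times matched)
   rule 25 permit protocol telnet (652 times matched)
"""

# Constructed, hypothetical earlier poll of the same command (only the global policy is needed).
PREVIOUS_OUTPUT = """\
  Policy Name : global
  Step        : 5
   rule 5 deny protocol ftp (9 times matched)
   rule 10 deny protocol snmp (0 times matched)
   rule 15 deny protocol ssh (0 times matched)
   rule 20 deny protocol tftp (0 times matched)
   rule 25 deny protocol telnet (12 times matched)
"""

POLICY_RE = re.compile(r"^\s*Policy Name\s*:\s*(\S+)\s*$")
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+(permit|deny)\s+protocol\s+(\S+)"
                     r"\s+\((\d+)\s+times matched\)\s*$")

def parse_statistics(text: str) -> Dict[str, List[RuleStat]]:
    """Parse the display output into {policy name: [RuleStat, ...]}."""
    policies: Dict[str, List[RuleStat]] = {}
    current = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = m.group(1)
            policies[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            policies[current].append(RuleStat(int(m[1]), m[2], m[3], int(m[4])))
    return policies

def counters(policies: Dict[str, List[RuleStat]], policy: str, action: str) -> Dict[str, int]:
    """Per-protocol counters for one action (permit or deny) in one policy."""
    return {r.protocol: r.matched for r in policies.get(policy, []) if r.action == action}

def new_drops(previous: str, current: str, policy: str = "global") -> Dict[str, int]:
    """Protocols whose deny counter in the global policy grew between two polls.
    Counters are assumed cumulative, so only the increase is reported; a counter that
    went down (cleared or reset) counts in full. The output names no interface, so
    drops can only be reported per protocol, not per offending interface."""
    before = counters(parse_statistics(previous), policy, "deny")
    after = counters(parse_statistics(current), policy, "deny")
    drops: Dict[str, int] = {}
    for proto, now in after.items():
        then = before.get(proto, 0)
        delta = now - then if now >= then else now
        if delta > 0:
            drops[proto] = delta
    return drops

def check_policy_shape(policies: Dict[str, List[RuleStat]], global_policy: str = "global",
                       interface_policy: str = "interface") -> List[str]:
    """Check the rule set has the intended shape: only deny rules in the global policy,
    only permit rules in the interface policy, and the same protocols in both. A protocol
    in just one of them is either never blocked elsewhere or never allowed on the bound ports."""
    g = policies.get(global_policy, [])
    i = policies.get(interface_policy, [])
    problems = [f"{global_policy}: rule {r.rule_id} is {r.action}, expected deny"
                for r in g if r.action != "deny"]
    problems += [f"{interface_policy}: rule {r.rule_id} is {r.action}, expected permit"
                 for r in i if r.action != "permit"]
    odd = {r.protocol for r in g} ^ {r.protocol for r in i}
    problems += [f"protocol {p} appears in only one of the two policies" for p in sorted(odd)]
    return problems

if __name__ == "__main__":
    stats = parse_statistics(CURRENT_OUTPUT)
    for problem in check_policy_shape(stats):
        print("WARN:", problem)
    for proto, n in new_drops(PREVIOUS_OUTPUT, CURRENT_OUTPUT).items():
        print(f"ALERT: {n} new {proto} packet(s) dropped by the global policy since the last poll")
```

Run against the two constructed snapshots, the script reports eight new Telnet packets dropped by the global policy and no shape problems. A growing deny counter is the signal that something on an interface without the permit binding is trying to reach the management plane; to find the interface, you still need the traffic source (for example an ACL or traffic statistics on the candidate interfaces), because the MPAC statistics are per rule, not per interface.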
    
Copyright © Huawei Technologies Co., Ltd.