Overview of Management Plane Access Control Description

Definition

The Management Plane Access Control (MPAC) function protects devices from attacks.

MPAC enables devices to filter packets destined for the CPU based on rules specified in an MPAC policy and to discard unnecessary packets, which helps prevent attacks on the CPU.

Purpose

On an Internet service provider (ISP) network, user-side interfaces on a local device receive a large number of packets that must be forwarded to the CPU, and some of these packets are attempts to attack the CPU. If too many packets reach the CPU at once, CPU usage increases sharply and device performance deteriorates, which affects services running on the device. A sustained stream of attack packets keeps the CPU busy processing them, which affects other services or even causes a system crash.

An MPAC policy can be configured on sub-interfaces, physical interfaces, and the entire device so that the device sends valid packets to the CPU and discards attack packets, which prevents attacks on the CPU. Enabling MPAC protects TCP/IP-based control plane protocols from denial of service (DoS) attacks. For example, an attacker keeps sending packets to a device by simulating a routing protocol. The device receives and processes the attack packets as valid packets. As a result, the device becomes extremely busy, and its CPU usage increases. To prevent CPU overload, you can set an MPAC rule that makes the device drop forged packets destined for the CPU.
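The filtering decision described above can be modelled in a few lines. This is an added illustration, not Huawei code or configuration syntax. The policy names, interface names, addresses, the lookup order (sub-interface, then interface, then global) and the default of sending unmatched packets to the CPU are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" sends the packet to the CPU, "deny" discards it
    protocol: str  # protocol name, or "any"
    source: str    # source prefix in CIDR form

    def matches(self, pkt):
        in_prefix = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.source)
        return self.protocol in ("any", pkt["protocol"]) and in_prefix

# Constructed policies: only the known OSPF neighbor may speak OSPF to the CPU.
POLICIES = {
    "ospf-peer-only": [Rule("permit", "ospf", "192.0.2.2/32"),
                       Rule("deny", "ospf", "0.0.0.0/0")],
    "no-bgp": [Rule("deny", "bgp", "0.0.0.0/0")],
}
# Constructed bindings at the three scopes the page names.
BINDINGS = {
    ("sub-interface", "GE0/1/0.100"): "ospf-peer-only",
    ("interface", "GE0/2/0"): "no-bgp",
    ("global", None): "ospf-peer-only",
}

def decide(pkt):
    """Return (action, scope) for one CPU-bound packet."""
    scopes = (("sub-interface", pkt.get("sub_interface")),
              ("interface", pkt["interface"]),
              ("global", None))
    for scope, name in scopes:  # assumed order: most specific binding first
        for rule in POLICIES.get(BINDINGS.get((scope, name)), []):
            if rule.matches(pkt):
                return rule.action, scope
    return "permit", "no-match"  # assumed default: unmatched packets reach the CPU

def to_cpu(packets):
    """Keep only the packets the policies let through to the CPU."""
    return [p for p in packets if decide(p)[0] == "permit"]

# Constructed CPU-bound packets: one real neighbor, two forged senders, one SSH session.
SAMPLE = [
    {"src": "192.0.2.2", "protocol": "ospf", "interface": "GE0/1/0", "sub_interface": "GE0/1/0.100"},
    {"src": "198.51.100.66", "protocol": "ospf", "interface": "GE0/1/0", "sub_interface": "GE0/1/0.100"},
    {"src": "198.51.100.66", "protocol": "bgp", "interface": "GE0/2/0"},
    {"src": "192.0.2.10", "protocol": "ssh", "interface": "GE0/2/0"},
]
```

In this model the forged OSPF packet is discarded on the sub-interface where it arrives, so only the real neighbor's packet and the SSH session consume CPU time.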

Copyright © Huawei Technologies Co., Ltd.