You can separate the management plane from the service plane to improve management network security.
Context
To improve network security, the device separates the traffic at the service and management planes by default. That is, unauthorized users cannot access the device through service interfaces, and attackers cannot attack the management network through the service network.
Procedure
- Separate the traffic at the service plane and management port.
- Run the system-view command to enter the system view.
- Run the undo management-plane isolate disable command to separate the traffic at the service and management planes.
By default, the device separates the traffic at the service and management planes.
If you need to forward service packets through the management plane or access the device through service interface, disable the separation function. It is recommended that you restore the default configuration after you complete packet forwarding or device access to ensure management network security.
- Add the management interface and service interface to different VPN instances, to separate the traffic at the service and management planes
- Add the management interface to VPN instance vpna.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpna
[*HUAWEI-vpn-instance-vpna] quit
[*HUAWEI] interface meth 0/0/0
[*HUAWEI-MEth0/0/0] ip binding vpn-instance vpna
[*HUAWEI-MEth0/0/0] commit
- Add the service interface to VPN instance vpnb.
<HUAWEI> system-view
[~HUAWEI] ip vpn-instance vpnb
[*HUAWEI-vpn-instance-vpnb] quit
[*HUAWEI] interface 10ge 1/17/1
[*HUAWEI-10GE1/17/1] undo portswitch
[*HUAWEI-10GE1/17/1] ip binding vpn-instance vpnb
[*HUAWEI-10GE1/17/1] commit
Previous
