Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Traffic Isolation Between the Service and Management planes Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

management-plane isolate enable

Function

The management-plane isolate enable command enables management plane separation.

The undo management-plane isolate enable command disables the function.

By default, management plane separation is enabled.

Format

management-plane isolate enable

undo management-plane isolate enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The management-plane isolate enable command enables management plane separation to prevent unauthorized users from attacking the management network through the service network. After the command is run, the switch prevents unauthorized users from accessing the management interface through a service interface: if the destination address of a packet received by a service interface is the management interface address, the user cannot access the switch. Access from the management interface to service interfaces is not restricted.

Precautions

The management-port isolate enable and management-plane isolate enable commands have different functions. The management-port isolate enable command isolates traffic between the management and service interfaces by marking network segment routes whose outbound interface is the management interface as blackhole routes, whereas the management-plane isolate enable command isolates service interfaces from the management interface by marking host and broadcast routes whose outbound interface is the management interface as blackhole routes.

If the system software of a switch is upgraded from a version earlier than V200R006C00 to V200R006C00 or a later version, an undo management-plane isolate enable configuration is automatically generated.

Example

# Enable management plane separation.

<HUAWEI> system-view
[HUAWEI] management-plane isolate enable

management-port isolate enable

Function

The management-port isolate enable command isolates management interfaces from service interfaces.

The undo management-port isolate enable command disables the function.

By default, management interface separation is enabled.

Format

management-port isolate enable

undo management-port isolate enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The management-port isolate enable command enables separation of the management interface to prevent unauthorized users from attacking the packet forwarding service. After the command is run, the switch forbids packet exchange between the management and service interfaces. That is, the packets received by the management interface will not be sent out through a service interface, and the packets received by a service interface will not be sent out through the management interface.

The interval between running the management-port isolate enable command and the undo management-port isolate enable command must be longer than 30 seconds.

If the system software of a switch is upgraded from a version earlier than V200R006C00 to V200R006C00 or a later version, an undo management-port isolate enable configuration is automatically generated.

Example

# Isolate management interfaces from service interfaces.

<HUAWEI> system-view
[HUAWEI] management-port isolate enable
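
Because both features are enabled by default but an upgrade from a version earlier than V200R006C00 generates undo lines for them, a saved configuration can be checked for those lines. The following Python check is an added example, not Huawei's code; the sample configurations, host names, and the assumption that sub-view lines are indented in the saved file are constructed for illustration.

```python
# Both features are enabled by default (per the command reference), so a
# configuration is non-compliant only when an explicit "undo" line is present.
ISOLATION_COMMANDS = (
    "management-plane isolate enable",
    "management-port isolate enable",
)

def audit_isolation(config_text):
    """Return {command: True if enabled, False if disabled by an undo line}."""
    state = {cmd: True for cmd in ISOLATION_COMMANDS}  # documented defaults
    for raw in config_text.splitlines():
        # Both are system-view commands. Assumption: lines that belong to a
        # sub-view (interface, aaa, ...) are indented in the saved file.
        if not raw or raw[0].isspace():
            continue
        line = " ".join(raw.split())  # normalise internal whitespace
        for cmd in ISOLATION_COMMANDS:
            if line == cmd:
                state[cmd] = True
            elif line == "undo " + cmd:
                state[cmd] = False
    return state

def findings(hostname, config_text):
    """Return one finding string per isolation feature that is disabled."""
    return [
        f"{hostname}: '{cmd}' is disabled (undo line present)"
        for cmd, enabled in audit_isolation(config_text).items()
        if not enabled
    ]

# Constructed sample configurations, not captured from a real device.
UPGRADED_SWITCH = """\
sysname SW-UPGRADED
undo management-plane isolate enable
undo management-port isolate enable
interface MEth0/0/1
 ip address 192.0.2.10 255.255.255.0
"""
DEFAULT_SWITCH = """\
sysname SW-DEFAULT
interface MEth0/0/1
 ip address 192.0.2.20 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in (("SW-UPGRADED", UPGRADED_SWITCH), ("SW-DEFAULT", DEFAULT_SWITCH)):
        print(findings(name, cfg) or f"{name}: both isolation features enabled")
```
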
Updated: 2019-10-18

Document ID: EDOC1000178288
