NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Management and Service Plane Protection

This section describes how to configure management and service plane protection. This function allows only specified protocol packets to be sent to CPUs, and reduces malicious packet attacks on these CPUs to ensure that devices work properly.

Applicable Environment

Deploy management and service plane protection when the router may be accessed by unauthorized users through non-management interfaces or targeted by packet floods. With the function enabled, only the specified management interfaces accept management packets; management packets that arrive on non-management interfaces are dropped, which saves CPU resources.

By default, management and service plane protection is disabled.

NOTE:

FTP, SSH, SNMP, TELNET, and TFTP are typically denied in the global policy and permitted only on specific interfaces. If all interfaces on which these protocols are permitted are Down, the global policy stops taking effect for them (that is, these protocols are automatically accepted on other interfaces again), which preserves connectivity to the device.

NOTE:

This configuration task is supported only on the Admin-VS.

Pre-configuration Tasks

Before configuring management and service plane protection, complete the following task:

  • Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol on the interfaces is Up

Configuration Procedures

You can choose one or more configuration tasks (excluding "Checking the Configuration") as required.

Configuring a Global Policy for Management and Service Plane Protection

A global policy for management and service plane protection can be applied to the entire device to filter packets of certain types.

Context

Perform the following steps on the device.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ma-defend global-policy

    A global policy for management and service plane protection is created.

  3. Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh | telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit | deny }

    A rule about whether to send the packets of specified protocols to the CPU is configured in the global policy.

    NOTE:

    If FTP, SSH, SNMP, TFTP, or TELNET is disabled globally by running the protocol command and is not enabled on any active interface, connectivity to the device will be interrupted. (An active interface is an interface that can properly receive and send packets.)

    To ensure connectivity to the device, configure additional active interfaces and enable these protocols on them.

  4. Run enable

    The global policy is enabled.

  5. Run commit

    The configuration is committed.

Configuring an Interface Board-based Policy for Management and Service Plane Protection

An interface board-based policy for management and service plane protection can be applied to an interface board to filter packets of certain types.

Context

An interface board-based policy takes effect only on the specified interface board.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ma-defend slot-policy slot-policy-id

    An interface board-based policy for management and service plane protection is created.

  3. Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh | telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit | deny }

    The rule about whether to send the packets of specified protocols to the CPU is configured in the interface board-based policy.

    NOTE:

    If FTP, SSH, SNMP, TFTP, or TELNET is disabled globally by running the protocol command and is not enabled on any active interface, connectivity to the device will be interrupted. (An active interface is an interface that can properly receive and send packets.)

    To ensure connectivity to the device, configure additional active interfaces and enable these protocols on them.

  4. Run quit

    Return to the system view.

  5. Run slot slot-id

    The slot view is displayed.

  6. Run ma-defend-slot slot-policy-id

    The configured interface board-based policy is applied to the interface board in the slot.

  7. Run commit

    The configuration is committed.

Configuring an Interface-based Policy for Management and Service Plane Protection

An interface-based policy for management and service plane protection can be applied to an interface to filter packets of certain types.

Context

An interface-based policy takes effect only on the specified interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ma-defend interface-policy interface-policy-id

    An interface-based policy for management and service plane protection is created.

  3. Run protocol { { bgp | ftp | isis | ldp | ospf | pimsm | rip | rsvp | snmp | ssh | telnet | tftp } | ipv6 { bgp4plus | ftp | ospfv3 | ssh | telnet | pimsm } } { permit | deny }

    A rule about whether to send the packets of specified protocols to the CPU is configured in the interface-based policy.

    NOTE:

    If all the active interfaces enabled with FTP, SSH, SNMP, TFTP, or TELNET are Down, connectivity to the device will be interrupted. (An active interface is an interface that can properly receive and send packets.)

    To ensure connectivity to the device, configure additional active interfaces and enable these protocols on them.

  4. Run quit

    Return to the system view.

  5. Run interface interface-type interface-number

    The interface view is displayed.

  6. Run ma-defend-interface interface-policy-id

    The configured interface-based policy is applied to the interface.

  7. Run commit

    The configuration is committed.

Verifying the Configuration of Management and Service Plane Protection

After configuring management and service plane protection, you can run display commands to check the configuration.

Procedure

  • Run the display ma-defend { all | global-policy | interface-policy interface-policy-id | slot-policy slot-policy-id } command to check information about policies for management and service plane protection.

Example

Run the display ma-defend global-policy command to view information about management and service plane protection on the router.

<HUAWEI> display ma-defend global-policy
MA-defend policy type: global-policy
----------------------------------------------------
  The global-policy is enabled
  --------------------------------------------------
  protocol       rule
  --------------------------------------------------
  FTP            deny
  BGP            permit
---------------------------------------------------- 

Run the display cpu-defend ma-defend statistics command to view statistics on packets processed by the management and service plane protection function.

<HUAWEI> display cpu-defend ma-defend statistics slot 1
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         MA-Defend                             0              0               0
--------------------------------------------------------------------------------
          FTP SERVER                            0              0               0
          SSH SERVER                            0              0               0
          SNMP                                  0              0               0
          TELNET SERVER                         0              0               0
          TFTP                                  0              0               0
          BGP                                   0              0               0
          LDP                                   0              0               0
          RSVP                                  0              0               0
          OSPF                                  0              0               0
          RIP                                   0              0               0
          ISIS                                  0              0               0
          PIMSM                                 0              0               0
          BGP4PLUS                              0              0               0
          IPv6 FTP SERVER                       0              0               0
          IPv6 OSPFv3                           0              0               0
          IPv6 PIM                              0              0               0
          IPv6 SSH SERVER                       0              0               0
          IPv6 TELNET SERVER                    0              0               0
--------------------------------------------------------------------------------
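The two display outputs above are what an operator reads to confirm that the policy is enabled, which protocols it denies, and whether the function is actually dropping packets. The following Python script is an added example; it is not part of this Huawei document or of the NE20E-S2 software. It parses the text of display ma-defend global-policy and display cpu-defend ma-defend statistics into Python structures and produces two findings that matter before and after committing a policy: management protocols (the FTP, SSH, SNMP, TELNET and TFTP set named in the notes above) that the global policy denies, and protocols with a non-zero Dropped-Packets count. The sample outputs embedded in the script are constructed to match the format shown above; the packet counts and the SSH deny rule are invented for illustration, and the function names (parse_policy, parse_statistics, audit) are the example's own.

```python
"""Audit helper for Huawei ma-defend display output (added example, not Huawei code).

Parses the text of `display ma-defend global-policy` and
`display cpu-defend ma-defend statistics slot <n>` and reports:
  1. management protocols the enabled global policy denies, which the
     guide warns can interrupt connectivity to the device; and
  2. protocols with a non-zero Dropped-Packets count.
"""
import re

# Protocols whose denial the guide says interrupts management access.
MANAGEMENT_PROTOCOLS = {"FTP", "SSH", "SNMP", "TELNET", "TFTP"}

# Constructed sample in the format of the guide's output; the SSH deny rule is invented.
POLICY_OUTPUT = """\
<HUAWEI> display ma-defend global-policy
MA-defend policy type: global-policy
----------------------------------------------------
  The global-policy is enabled
  --------------------------------------------------
  protocol       rule
  --------------------------------------------------
  FTP            deny
  SSH            deny
  BGP            permit
----------------------------------------------------
"""

# Constructed sample in the format of the guide's output; all counts are invented.
STATS_OUTPUT = """\
<HUAWEI> display cpu-defend ma-defend statistics slot 1
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         MA-Defend                           512            480              32
--------------------------------------------------------------------------------
          FTP SERVER                           20              0              20
          SSH SERVER                          400            400               0
          SNMP                                 80             80               0
          TELNET SERVER                        12              0              12
          BGP                                   0              0               0
          IPv6 SSH SERVER                       0              0               0
--------------------------------------------------------------------------------
"""


def parse_policy(text):
    """Return (enabled, {PROTOCOL: 'permit' | 'deny'}) from display ma-defend output."""
    enabled = None
    rules = {}
    in_table = False
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"The (\S+) is (enabled|disabled)$", stripped)
        if m:
            enabled = m.group(2) == "enabled"
            continue
        if stripped.startswith("protocol") and "rule" in stripped:
            in_table = True  # column header; rows follow
            continue
        if not in_table or not stripped or set(stripped) == {"-"}:
            continue  # skip separators and everything before the table
        parts = stripped.split()
        if len(parts) == 2 and parts[1] in ("permit", "deny"):
            rules[parts[0].upper()] = parts[1]
    return enabled, rules


def parse_statistics(text):
    """Return {name: (total, passed, dropped)} per protocol row of the statistics output."""
    stats = {}
    for line in text.splitlines():
        # optional slot number, a name that may contain spaces, then three counters
        m = re.match(r"^\s*(?:\d+\s+)?(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if not m:
            continue
        name = m.group(1).strip()
        if name.upper() == "MA-DEFEND":
            continue  # per-slot summary row, not a protocol
        stats[name] = tuple(int(m.group(i)) for i in (2, 3, 4))
    return stats


def audit(policy_text, stats_text):
    """Return the findings an operator wants to see before and after committing the policy."""
    findings = []
    enabled, rules = parse_policy(policy_text)
    if enabled:
        for proto in sorted(MANAGEMENT_PROTOCOLS):
            if rules.get(proto) == "deny":
                findings.append(
                    f"policy denies {proto}: ensure it is permitted on an active management interface"
                )
    for name, (total, passed, dropped) in parse_statistics(stats_text).items():
        if dropped:
            findings.append(f"{name}: {dropped} of {total} packets dropped")
    return findings


if __name__ == "__main__":
    for finding in audit(POLICY_OUTPUT, STATS_OUTPUT):
        print(finding)
```

Feed the script the captured output of the two display commands (for example, saved from a terminal session) in place of the constructed samples. Because the interface board-based and interface-based policies can permit a protocol that the global policy denies, the first finding is a prompt to check those policies and the state of the interfaces they are applied to, not a fault by itself.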
Updated: 2019-01-02

Document ID: EDOC1100055397