Three Plane Isolation Design

Latest reply: Dec 25, 2018 17:54:02

Hello everyone,

Today I will share with you the three plane isolation design.

Router products by default do not isolate the control, service, and management planes, for reasons such as historical inheritance and ease of management. Users can therefore log in to and manage routers through service interfaces. This widens the attack surface: an attacker who can reach a service interface can use it to attack the management plane. To prevent such attacks, it is recommended to configure isolation for the control, service, and management planes.

In this project, we have already deployed a VPN instance on the management interface and the management loopback interface.

In order to improve the security of the device, we can deploy MPAC to enable the three plane isolation of the device.

Management Plane Access Control (MPAC) enhances system security by protecting devices against Denial of Service (DoS) attacks.

In a common deployment scenario, the router may run multiple services at the same time, such as routing services OSPF and BGP, MPLS services LDP and RSVP, system service TFTP server, and diagnostic functions ping and tracert.

This enables attackers to send various attack packets to the router. Unless protective features such as MPAC are enabled, the router sends packets destined for its interfaces (including the loopback interface) directly to the CPU without any filtering. As a result, CPU and system resources are wasted and the system comes under DoS attacks.

To prevent such attacks, define an MPAC policy to filter packets.

For example, specific service interfaces can be prevented from sending management protocol packets to the management plane, so that the management plane receives management protocol packets only from the other service interfaces.

Create two MPAC policy views, one for global application, and the other for interface application. Configure a rule to disable management protocol packets from being sent to the management plane in the globally applied profile. Configure a rule to allow only specific management protocol packets to be sent to the management plane in the profile applied to an interface.

The configuration roadmap is as follows:

1. Create two MPAC policy profiles in the system view, with one being applied globally and the other being applied to an interface.

2. Disable management protocol packets from being sent to the management plane in the profile for global application, and allow only specific management protocol packets to be sent to the management plane in the profile for interface application.

3. Apply the former policy globally and the latter policy to GE 3/0/1 and the management network interface GE 0/0/0.

4. Check the configurations and the number of dropped packets.

The configuration template is as follows:

Table 1-1 NE05/NE20/NE40/NE9000 MPAC Configuration

service-security policy ipv4 global    //Configure the global policy: deny the management protocols
 rule deny protocol ftp
 rule deny protocol snmp
 rule deny protocol ssh
 rule deny protocol telnet
 rule deny protocol tftp

service-security policy ipv4 interface    //Configure the interface policy: permit the management protocols
 rule permit protocol ftp
 rule permit protocol snmp
 rule permit protocol ssh
 rule permit protocol telnet
 rule permit protocol tftp

interface GigabitEthernet 0/0/0    //Bind the interface policy first, on the management interface
 service-security binding ipv4 interface
interface GigabitEthernet 3/0/1
 service-security binding ipv4 interface

service-security global-binding ipv4 global    //Bind the global policy only after the interface policy is bound, so that management access through GE 0/0/0 and GE 3/0/1 is never cut off
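To make the roadmap above checkable before the template is pasted into a live device, here is a small audit script. It is an added example written for this post, not Huawei code and not a tool shipped with the NE series: it parses the handful of MPAC statements used in the template, models which management protocols would reach the management plane on a given interface, and flags two mistakes a practitioner cares about (a management interface left without a permit, and the global deny policy bound before the interface policies, which is the ordering the template warns against). The evaluation model (interface-bound policy consulted before the global policy, and a packet matching no rule permitted) is an assumption made for the example; confirm it against the product documentation for your release. The sample configuration embedded below is constructed from the template in this post.

```python
"""Audit a Huawei VRP-style MPAC template (added example, not Huawei code).

Statements understood (only the ones used in the post):
  service-security policy ipv4 <name>
   rule (permit|deny) protocol <proto>
  interface <name>
   service-security binding ipv4 <policy>
  service-security global-binding ipv4 <policy>

ASSUMPTION: an interface-bound policy is consulted before the global policy,
and a packet matching no rule is permitted. Verify this for your release.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MGMT_PROTOCOLS = ("ftp", "snmp", "ssh", "telnet", "tftp")

# Constructed sample input: the configuration template from the post.
SAMPLE_CONFIG = """
service-security policy ipv4 global    //deny management protocols globally
 rule deny protocol ftp
 rule deny protocol snmp
 rule deny protocol ssh
 rule deny protocol telnet
 rule deny protocol tftp
service-security policy ipv4 interface    //permit them on bound interfaces
 rule permit protocol ftp
 rule permit protocol snmp
 rule permit protocol ssh
 rule permit protocol telnet
 rule permit protocol tftp
interface GigabitEthernet 0/0/0
 service-security binding ipv4 interface
interface GigabitEthernet 3/0/1
 service-security binding ipv4 interface
service-security global-binding ipv4 global
"""


@dataclass
class MpacConfig:
    policies: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # name -> [(action, proto)]
    bindings: Dict[str, str] = field(default_factory=dict)                   # interface -> policy name
    global_policy: Optional[str] = None
    order: List[Tuple[str, str]] = field(default_factory=list)               # binding statements in file order


def parse_config(text: str) -> MpacConfig:
    """Parse the subset of VRP syntax above; '//' comments are ignored."""
    cfg = MpacConfig()
    current_policy: Optional[str] = None
    current_iface: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[:3] == ["service-security", "policy", "ipv4"]:
            current_policy, current_iface = tok[3], None
            cfg.policies.setdefault(current_policy, [])
        elif tok[0] == "rule" and current_policy is not None:
            cfg.policies[current_policy].append((tok[1], tok[3]))  # action, protocol
        elif tok[0] == "interface":
            current_iface, current_policy = " ".join(tok[1:]), None
        elif tok[:3] == ["service-security", "binding", "ipv4"] and current_iface:
            cfg.bindings[current_iface] = tok[3]
            cfg.order.append(("interface", current_iface))
        elif tok[:3] == ["service-security", "global-binding", "ipv4"]:
            cfg.global_policy = tok[3]
            cfg.order.append(("global", tok[3]))
    return cfg


def is_permitted(cfg: MpacConfig, iface: str, proto: str) -> bool:
    """Interface policy first, then global policy; no matching rule -> permit (assumption)."""
    for name in (cfg.bindings.get(iface), cfg.global_policy):
        if name is None:
            continue
        for action, p in cfg.policies.get(name, []):
            if p == proto:
                return action == "permit"
    return True


def audit(cfg: MpacConfig, mgmt_ifaces: List[str], service_ifaces: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the template is consistent."""
    findings = []
    for iface in mgmt_ifaces:
        for proto in MGMT_PROTOCOLS:
            if not is_permitted(cfg, iface, proto):
                findings.append(f"{proto} blocked on management interface {iface}")
    for iface in service_ifaces:
        for proto in MGMT_PROTOCOLS:
            if is_permitted(cfg, iface, proto):
                findings.append(f"{proto} still reaches the management plane via {iface}")
    # Ordering check: the global deny must be bound only after every interface permit.
    first_global = next((i for i, (kind, _) in enumerate(cfg.order) if kind == "global"), None)
    if first_global is not None and any(k == "interface" for k, _ in cfg.order[first_global + 1:]):
        findings.append("global policy bound before an interface policy: management access is cut off until the interface binding is applied")
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for line in audit(config, ["GigabitEthernet 0/0/0", "GigabitEthernet 3/0/1"], ["GigabitEthernet 1/0/1"]) or ["no findings"]:
        print(line)
```

Run it against the template and it reports no findings; move the `global-binding` line to the top of the template (the mistake the comments in the template warn about) and the ordering finding appears. The protocol list and interface names are only those used in this post; extend `MGMT_PROTOCOLS` and the statement parser if your template uses more.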




That is all I want to share with you!


Created Dec 22, 2018 08:38:34

In order to improve the security of the device

Created Dec 22, 2018 09:39:46

That's what I need

Created Dec 22, 2018 09:40:34

I thought assigning different VLANs or IP subnets would be fine; this post really expanded my view.

Created Dec 25, 2018 17:54:02

No idea