VPRN Service Configuration Commands
Page 1298 7750 SR OS Services Guide
Interface Anti-Spoofing Commands
anti-spoof
Syntax anti-spoof {ip | mac | ip-mac | nh-mac}
no anti-spoof-type
Context config>service>vprn>if>sap
config>service>vprn>sub-if>grp-if>sap
Description This command enables anti-spoof filtering and optionally changes the anti-spoof matching type for
the interface.
The type of anti-spoof filtering defines what information in the incoming packet is used to generate
the criteria to look up an entry in the anti-spoof filter table. The type parameter (ip, mac, ip-mac,
nh-mac) defines the anti-spoof filter type enforced by the SAP when anti-spoof filtering is enabled.
The no form of the command disables anti-spoof filtering on the SAP.
Default Filter type default types:
• Non-Ethernet encapsulation default anti-spoof filter type — When enabled on a non-Ethernet
encapsulated SAP, the anti-spoof filter default type is ip.
• Ethernet encapsulated default anti-spoof filter type — When enabled on an Ethernet encapsulated
SAP, the anti-spoof default type is ip-mac.
• Default anti-spoof filter state — Anti-spoof filtering is disabled by default on the SAP.
Parameters ip — Configures SAP anti-spoof filtering to use only the source IP address in its lookup. If a static
host exists on the SAP without an IP address specified, the anti-spoof type ip command will fail.
mac — Configures SAP anti-spoof filtering to use only the source MAC address in its lookup.
Setting the anti-spoof filter type to mac is not allowed on non-Ethernet encapsulated SAPs. If a
static host exists on the SAP without a specified MAC address, the anti-spoof type mac
command will fail. The anti-spoof type mac command will also fail if the SAP does not support
Ethernet encapsulation.
ip-mac — Configures SAP anti-spoof filtering to use both the source IP address and the source MAC
address in its lookup. If a static host exists on the SAP without both the IP address and MAC
address specified, the anti-spoof type ip-mac command will fail. This is also true if the default
anti-spoof filter type of the SAP is ip-mac and the default is not overridden. The anti-spoof type
ip-mac command will also fail if the SAP does not support Ethernet encapsulation.
nh-mac — Indicates that the ingress anti-spoof is based on the source MAC address and the egress
anti-spoof is based on the nh-ip-address.
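
An added example (not from the Services Guide and not Nokia code): a small Python model of the rules above for the ip, mac and ip-mac types, showing the default type per encapsulation, the cases where the command fails, and how the chosen type changes which spoofed packets pass. The `Sap` class, its method names and the sample addresses are constructed for illustration; the model assumes the filter table holds only static hosts and that a packet with no matching entry is dropped, and it does not model nh-mac.

```python
from dataclasses import dataclass, field
from typing import Optional

class AntiSpoofError(ValueError):
    """A case where the guide says the anti-spoof command will fail."""

@dataclass
class Sap:
    ethernet: bool                              # Ethernet-encapsulated SAP?
    hosts: list = field(default_factory=list)   # static hosts as (ip, mac); None = not specified
    anti_spoof: Optional[str] = None            # None = filtering disabled (default state)

    def set_anti_spoof(self, kind=None):
        # With no type given: ip-mac on Ethernet SAPs, ip on non-Ethernet SAPs.
        kind = kind or ("ip-mac" if self.ethernet else "ip")
        if kind not in ("ip", "mac", "ip-mac"):
            raise AntiSpoofError(f"type {kind!r} is not modelled here")
        if "mac" in kind and not self.ethernet:
            raise AntiSpoofError(f"{kind} needs an Ethernet-encapsulated SAP")
        for ip, mac in self.hosts:
            if ("ip" in kind and ip is None) or ("mac" in kind and mac is None):
                raise AntiSpoofError(f"static host ({ip}, {mac}) lacks a field used by {kind}")
        self.anti_spoof = kind

    def _key(self, ip, mac):
        # The type selects which packet fields form the lookup criteria.
        return {"ip": (ip,), "mac": (mac,), "ip-mac": (ip, mac)}[self.anti_spoof]

    def ingress_permits(self, src_ip, src_mac):
        if self.anti_spoof is None:
            return True                         # anti-spoof disabled: nothing is checked
        table = {self._key(ip, mac) for ip, mac in self.hosts}
        return self._key(src_ip, src_mac) in table   # assumption: no entry means drop

# Constructed sample data (documentation address ranges).
HOST = ("192.0.2.10", "00:00:5e:00:53:01")
OTHER_MAC = "00:00:5e:00:53:99"

if __name__ == "__main__":
    sap = Sap(ethernet=True, hosts=[HOST])
    for kind in ("ip", "mac", "ip-mac"):
        sap.set_anti_spoof(kind)
        print(kind, "own address:", sap.ingress_permits(*HOST),
              "| right IP, other MAC:", sap.ingress_permits(HOST[0], OTHER_MAC))
```

With type ip, a packet that reuses the host's IP address from a different MAC address still passes; mac and ip-mac reject it.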