1. Run the security anti-dos enable command to globally enable DoS anti-attack.
2. Run the security anti-dos control-packet policy command to configure a
protocol packet processing policy that will be used when a DoS attack occurs.
3. Run the security anti-dos control-packet rate command to configure the
threshold for the rate of sending protocol packets to the CPU.
– Enable IP address anti-attack on both the OLT and ONUs.
Run the security anti-ipattack enable command to enable IP address anti-attack.
l Configure user security.
– Enable MAC address anti-flapping on both the OLT and ONUs.
Run the security anti-macduplicate enable command to enable MAC address anti-
flapping.
– Enable MAC address anti-spoofing on both the OLT and ONUs.
1. In global config mode, run the security anti-macspoofing enable command to
globally enable MAC address anti-spoofing.
2. Enable MAC address anti-spoofing at VLAN level in global config mode or
service profile mode:
a. In global config mode, run the security anti-macspoofing vlan command
to enable MAC address anti-spoofing.
b. Perform the following operations to enable MAC address anti-spoofing in
service profile mode:
a. In global config mode, run the vlan service-profile command to create
a VLAN service profile.
b. Run the security anti-macspoofing enable command to enable MAC
address anti-spoofing at VLAN level.
c. Run the commit command to make the profile configuration take
effect.
d. Run the quit command to quit the VLAN service profile mode.
e. Run the vlan bind service-profile command to bind the created VLAN
service profile to a VLAN.
3. (Optional) Run the security anti-macspoofing max-mac-count command to set
the maximum number of MAC addresses that can be bound to a service flow.
4. (Optional) Run the security anti-macspoofing exclude command to configure
the types of packets for which MAC address anti-spoofing does not take effect,
such as Internet Group Management Protocol (IGMP) packets.
– Enable IP address anti-spoofing on ONUs.
IP address anti-spoofing can be enabled or disabled at three levels: global, VLAN,
and service port levels. This function takes effect only after it is enabled at the three
levels. Among the three levels, IP address anti-spoofing is disabled only at the global
level by default.
1. In global config mode, run the security anti-ipspoofing enable command to
enable IP address anti-spoofing at the global level.
2. In VLAN service profile mode, run the security anti-ipspoofing enable
command to enable IP address anti-spoofing at the VLAN level.
SmartAX MA5600T/MA5603T/MA5608T Multi-service
Access Module
Commissioning and Configuration Guide
13 FTTO Configuration (Large-sized Enterprise Access)
Issue 01 (2014-04-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1280
To Next Page
Loading...
Need help?
General
