Zte ZXA10 C300 - 14.2 MAC Address Anti-Spoofing Configuration

To Next Page

To Previous Page

ZXA10C300CongurationManual(CLI)

Result

WhenthesubscribersendsNDPprotocolpackets,thesystemaddsthefollowingLIOeld

tothepackets:

Circuit-id:ZXA10-C300/ZTEeth5/1/1/0/1:10

//where,10isoriginaluserVLAN.

14.2MACAddressAnti-SpoongConguration

TheZXA10C300supportstheMACaddressanti-spoongfunctiontopreventmalicious

MACaddressspoong,whichaffectsthenetworksecurity.

TheZXA10C300MACaddressanti-spoongfunctionhasthefollowingfeatures:

lThisfunctionconstrainstheuserportthatlearnstheMACaddress.WhenoneMAC

addressislearntbyoneuserport,theaddresscannotbelearntbyotheruserports.

Thus,thesameMACaddresscannotoatbetweendifferentports.

lOnceauserportisdetectedtryingMACaddressspoong,analarmmessage

includingtheportandMACaddresswillbereported.

lThisfunctionsupportsuplinkportprotection.AuserportMACaddresscanoatto

anuplinkport,whereasanuplinkportaddresscannotoattoauserport.AMAC

addresscanoatbetweenuplinkports,thustoprotectthegatewayMACaddressof

theuplinkports.

14.2.1ConfiguringtheUserPortMACAddressAnti-Spoofing

User-portMACaddressanti-spoongpreventsmaliciousMACaddressspoongbetween

userports.

Context

Theuser-portMACaddressanti-spoonghasthefollowingfeatures:

lWhenoneMACaddressislearntbyoneuserport,theaddresscannotbelearntby

otheruserports.

lOncethereisaMACmoveeventatthersttime,thesystemwillgenerateanotication

includingtheMACaddress,VLAN,move-to-portandmove-from-port.

lThenoticationreportintervalofthesameMACmoveeventscanbecongured.

Steps

1.EnableglobalMACaddressanti-spoongfunction.

ZXAN(config)#securitymac-anti-spoofingenable

2.EnableMACmovenoticationcontrol.

ZXAN(config)#securitymac-move-reportenable

3.(Optional)CongurethenoticationreportintervalofthesameMACmovelog.

ZXAN(config)#securitymac-move-reportinterval30

14-8

SJ-20130520164529-007|2013-06-30(R1.0)ZTEProprietaryandCondential

Other manuals for Zte ZXA10 C300