Zte ZXA10 C300 - 14.3 Configuring the ARP Anti-Spoofing

To Next Page

To Previous Page

ZXA10C300CongurationManual(CLI)

mac-move-report:enable

mac-move-reportinterval:30[minutes]

mac-anti-spoofing:enable

uplink-protect:enable

4.(Optional)QuerytheMACmovelog.

ZXAN#showsecuritymac-move-log

Flag*--macMoveisforbiddenbysystem.

thetotalmac-move-lognum:2

-------------------------------------------------------------------------

mac-addressvlancfgMacProtectmoveToPortmoveToIfIdmoveCount

indextrapFlagdetectorqueryPortmoveFromPortmoveFromIfIdtrapCount

-------------------------------------------------------------------------

0002.0304.0506100UNNEEDinner-port_1/12/1unknown(0)1

1SENDEDMPUNNEEDinner-port_1/5/1unknown(0)1

-------------------------------------------------------------------------

0002.0304.0507100UNNEEDinner-port_1/12/2unknown(0)1

2*SENDEDMPUNNEEDinner-port_1/5/1unknown(0)1

–EndofSteps–

14.3ConguringtheARPAnti-Spoong

TheARPanti-spoongpreventstheARPspoongonuserside.

Context

TheZXA10C300supportsuser-sideARPanti-spoongfunction,whichisimplemented

basedonthefollowingARPentries:

lTheARPentriesinsertedbytheDHCPmodule

lTheARPentriesofDHCPsnoopingstaticbindingitemconguredbytheIPsource

Guardmodule

ARPanti-spoongfunctionisbasedonbothVLANandserviceport.Onlywhenthe

ARPanti-spoongfunctionsonbothVLANandserviceportareenabled,thesystemcan

implementARPanti-spoongonARPpacketswiththespecicVLANtag.

WhenreceivinganARPpacket,theZXA10C300comparesthepacketwiththeknown

ARPentries.IfthesourceIPaddressofthereceivedARPpacketandtheVLANexist

intheARPtable,theZXA10C300checkswhethertheMACaddressesarethesame.If

theyaredifferent,theZXA10C300considersthepacketasanARPspoongbehaviorand

discardsit.

TheARPanti-spoongfunctioncanbeconguredwithupto256VLANs.

14-10

SJ-20130520164529-007|2013-06-30(R1.0)ZTEProprietaryandCondential

Other manuals for Zte ZXA10 C300