Advanced Validation - Lenovo CN4093 Application Manual

10gb converged scalable switch

Advanced Validation

© Copyright Lenovo 2015
This mode provides VM-based validation by mapping a switch port to a VM MAC address. It is suitable for environments in which spoofing, MAC reassignment, or MAC duplication is possible.

When the switch receives frames from a VM, it first validates the VM interface based on the VM MAC address, VM Universally Unique Identifier (UUID), switch port, and switch ID available in the hello message information. The VM MAC address is considered valid only if all four parameters match.

In advanced validation mode, if the VM MAC address validation fails, an ACL can be created to drop the traffic received from the VM MAC address on the switch port. Use the following command to specify the number of ACLs to be used for dropping traffic:

CN 4093(config)# virt vmcheck acls max <1-256>

Use the following command to set the action to be performed if the switch is unable to validate the VM MAC address:

CN 4093(config)# virt vmcheck action advanced {log|link|acl}

The other VMcheck commands are as follows:

Table 26. VMcheck Commands

Command: CN 4093(config)# virt vmware hello {ena|hport <port number>|haddr|htimer}
Description: Hello messages setting: enable / add port / advertise this IP address in the hello messages instead of the default management IP address / set the timer to send the hello messages

Command: CN 4093(config)# no virt vmware hello {enable|hport <port number>}
Description: Disable hello messages / remove port

Command: CN 4093(config)# [no] virt vmcheck trust <port number>
Description: Mark a port as trusted; use the no form of the command to mark the port as untrusted

Command: CN 4093# no virt vmcheck acl [mac-address [<port number>]|port]
Description: Delete ACL(s): all ACLs / an ACL by MAC address (and, optionally, port number) / all ACLs installed on a port

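
The four-parameter check and the failure actions described above, modelled in Python as an added example; it is not code from the Lenovo manual or the switch firmware. The record values, port names, and the outcome once the ACL limit is reached are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ACTIONS = ("log", "link", "acl")  # options of "virt vmcheck action advanced"

@dataclass
class VMCheckModel:
    known: set                 # (mac, uuid, port, switch_id) records, constructed
    action: str = "acl"
    acl_max: int = 256         # "virt vmcheck acls max" accepts 1-256
    drop_acls: set = field(default_factory=set)   # installed (mac, port) drops

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if not 1 <= self.acl_max <= 256:
            raise ValueError("acl_max must be in 1-256")

    def is_valid(self, mac, uuid, port, switch_id):
        # All four parameters must match one record; a partial match fails.
        return (mac.lower(), uuid, port, switch_id) in self.known

    def handle(self, mac, uuid, port, switch_id):
        """Return 'valid', or the action applied after a failed validation."""
        if self.is_valid(mac, uuid, port, switch_id):
            return "valid"
        if self.action != "acl":
            return self.action
        entry = (mac.lower(), port)
        if entry not in self.drop_acls:
            if len(self.drop_acls) >= self.acl_max:
                # Assumption: the manual does not say what happens at the limit.
                return "acl-limit-reached"
            self.drop_acls.add(entry)
        return "acl"

# Constructed sample records (not from the manual).
KNOWN = {("00:50:56:aa:00:01", "uuid-vm1", "p1", "sw-1"),
         ("00:50:56:aa:00:02", "uuid-vm2", "p2", "sw-1")}

def demo():
    m = VMCheckModel(known=set(KNOWN), action="acl", acl_max=1)
    outcomes = [
        m.handle("00:50:56:AA:00:01", "uuid-vm1", "p1", "sw-1"),    # all four match
        m.handle("00:50:56:aa:00:01", "uuid-vm1", "p2", "sw-1"),    # known MAC, wrong port
        m.handle("00:50:56:aa:00:02", "uuid-other", "p2", "sw-1"),  # wrong UUID, limit hit
    ]
    return outcomes, m.drop_acls

if __name__ == "__main__":
    print(demo())
```

With a small `acls max` value, a second failing MAC gets no drop entry in this model, which is why the limit should be sized against the number of VM interfaces on the switch.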
Chapter 16: VMready