Advanced Validation
G8264 Application Guide for ENOS 8.4
This mode provides VM‐based validation by mapping a switch port to a VM MAC
address. It is suitable for environments in which spoofing, MAC reassignment, or
MAC duplication is possible.
When the switch receives frames from a VM, it first validates the VM interface
based on the VM MAC address, VM Universally Unique Identifier (UUID), switch
port, and switch ID available in the hello message information. The VM MAC
address is considered valid only if all four parameters match.
In advanced validation mode, if the VM MAC address validation fails, an ACL can
be automatically created to drop the traffic received from the VM MAC address on
the switch port. Use the following command to specify the number of ACLs to be
automatically created for dropping traffic:
RS G8264(config)# virt vmcheck acls max <1-256>
Use the following command to set the action to be performed if the switch is
unable to validate the VM MAC address:
RS G8264(config)# virt vmcheck action advanced {log|link|acl}
The following are the other VMcheck commands:
Table 32. VMcheck Commands

Command:     RS G8264(config)# virt vmware hello {ena|hport <port number>|haddr|htimer}
Description: Hello messages setting: enable/add port/advertise this IP address in
             the hello messages instead of the default management IP address/set
             the timer to send the hello messages

Command:     RS G8264(config)# no virt vmware hello {enable|hport <port number>}
Description: Disable hello messages/remove port

Command:     RS G8264(config)# [no] virt vmcheck trust <port number or range>
Description: Mark a port as trusted; use the no form of the command to mark port
             as untrusted

Command:     RS G8264# no virt vmcheck acls
Description: ACLs cannot be used for VMcheck