Huawei SmartAX MA5616 Configuration Manual page 104

SmartAX MA5616 Multi-service Access Module
Configuration Guide
----End
Example
To enable anti-IP spoofing for VLAN 10, do as follows:
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
Issue 04 (2011-10-30)
CAUTION
To ensure device security, it is recommended that you enable this function.
The anti-MAC spoofing function can be enabled or disabled at three levels. The anti-MAC
spoofing function is enabled only when it is enabled at all the three levels.
– Global function: Run the security anti-macspoofing command to configure the global
function. By default, the global function is disabled.
– VLAN-level function:
1. Run the vlan service-profile command to create a VLAN service profile and enter
the VLAN service profile mode.
2. Run the security anti-macspoofing command to configure the VLAN-level
function. By default, the VLAN-level function is disabled.
3. Run the commit command to make the profile configuration take effect. The
configuration of the VLAN service profile takes effect only after this command is
executed.
4. Run the quit command to quit the VLAN service profile mode.
5. Run the vlan bind service-profile command to bind the VLAN service profile
configured in step 1 to the VLAN.
– Service-port-level function: Run the security anti-macspoofing max-mac-count
command to configure the maximum number of MAC addresses that can be bound to
the service port. By default, up to eight MAC addresses can be bound.
NOTE
When anti-MAC spoofing is enabled after a user is already online, the MAC address of this user is not
bound by the system. As a result, the service of this user is interrupted, this user goes offline, and the user
needs to go online again. Only the user who goes online after anti-MAC spoofing is enabled can have the
MAC address bound.
Configure the anti-MAC-duplicate function.
After the anti-MAC-duplicate function is enabled and before the dynamic MAC address
learned by the system is aged, the packets transmitted from other ports will be discarded if
the packets carry the same MAC address.
NOTE
By default, the anti-MAC-duplicate function is disabled.
1. Run the security anti-macduplicate command to enable anti-MAC duplicate.
2. Run the display security config command to query the configuration.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
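The three-level rule for anti-MAC spoofing described above, as an added pre-flight check (example code written for this page, not Huawei's): it reads a command script and reports, for each bound VLAN, why the function would not take effect. The script text is constructed, and the disable keyword and the argument order of vlan bind service-profile are assumptions not shown on this page; the service-port level is not checked because max-mac-count has a default.

```python
import re
# Constructed command script modelled on the commands named on this page; the
# "vlan bind service-profile" argument order and "disable" are assumptions.
SAMPLE = """\
security anti-macspoofing enable
vlan service-profile profile-id 2
 security anti-macspoofing enable
 commit
 quit
vlan service-profile profile-id 3
 security anti-macspoofing enable
 quit
vlan bind service-profile 10 profile-id 2
vlan bind service-profile 20 profile-id 3
vlan bind service-profile 30 profile-id 4
"""

def audit(text):
    """Return {vlan: [reasons anti-MAC spoofing is not in effect]} per bound VLAN."""
    global_on, profiles, binds, cur = False, {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"vlan service-profile profile-id (\d+)", line):
            cur = profiles.setdefault(int(m[1]), {"pending": False, "active": False})
        elif m := re.fullmatch(r"security anti-macspoofing (enable|disable)", line):
            if cur is None:
                global_on = m[1] == "enable"       # global level
            else:
                cur["pending"] = m[1] == "enable"  # VLAN level, not yet committed
        elif line == "commit" and cur is not None:
            cur["active"] = cur["pending"]         # profile edits apply on commit
        elif line == "quit":
            cur = None                             # back to global config mode
        elif m := re.fullmatch(r"vlan bind service-profile (\d+) profile-id (\d+)", line):
            binds[int(m[1])] = int(m[2])
    report = {}
    for vlan, pid in sorted(binds.items()):
        reasons = [] if global_on else ["global function disabled"]
        prof = profiles.get(pid)
        if prof is None:
            reasons.append(f"profile {pid} not defined")
        elif not prof["active"]:
            state = "enabled but not committed" if prof["pending"] else "disabled"
            reasons.append(f"profile {pid}: {state}")
        report[vlan] = reasons
    return report

if __name__ == "__main__":
    for vlan, reasons in audit(SAMPLE).items():
        print(vlan, "OK" if not reasons else "; ".join(reasons))
```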
3 Basic Configuration