After the configuration, only the users with specified IP addresses can access the network,
preventing malicious users from forging the IP addresses of authorized users.
- The procedure for configuring anti-IP address spoofing is as follows:
  Anti-IP address spoofing can be enabled or disabled at two levels. This function takes effect only when it is enabled at both levels.
  - Global level:
    Run the security anti-ipspoofing command to configure global anti-IP address spoofing. By default, this level is disabled.
  - VLAN level:
    1. Run the vlan service-profile command to create a virtual local area network (VLAN) service profile and enter VLAN service profile mode.
    2. Run the security anti-ipspoofing command to configure VLAN-level anti-IP address spoofing. By default, this level is disabled.
    3. Run the commit command to make the profile configuration take effect. The configuration of the VLAN service profile takes effect only after this command is executed.
    4. Run the quit command to exit the VLAN service profile mode.
    5. Run the vlan bind service-profile command to bind the VLAN service profile created in step 1 to the VLAN.

NOTE
If a user goes online before anti-IP address spoofing is enabled, the system does not bind the IP address of this user. As a result, the service of this user will be interrupted, and this user needs to go offline and then go online again. Only the IP address of the user who goes online after anti-IP address spoofing is enabled can be bound.

----End

Example

To bind IP address 10.1.1.245 to service port 2 so that service port 2 allows only the packets with IP address 10.1.1.245 to pass, do as follows:

    huawei(config)#bind ip service-port 2 10.1.1.245

To enable anti-IP address spoofing in VLAN 10, do as follows:

    huawei(config)#security anti-ipspoofing enable
    huawei(config)#vlan service-profile profile-id 2
    huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
    Info: Please use the commit command to make modifications take effect
    huawei(config-vlan-srvprof-2)#commit
    huawei(config-vlan-srvprof-2)#quit
    huawei(config)#vlan bind service-profile 10 profile-id 2

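
Because the function takes effect only when both levels are enabled and the profile change is committed, a recorded command sequence can be checked for VLANs that are bound to a profile but left unprotected. The following Python sketch is an added example, not part of the Huawei guide; it assumes the session is captured as prompt-plus-command lines in the form shown above, and the function name audit and the sample transcript are constructed for illustration.

```python
import re

# Constructed sample: the command sequence from the example above, as typed.
SAMPLE = """\
huawei(config)#security anti-ipspoofing enable
huawei(config)#vlan service-profile profile-id 2
huawei(config-vlan-srvprof-2)#security anti-ipspoofing enable
Info: Please use the commit command to make modifications take effect
huawei(config-vlan-srvprof-2)#commit
huawei(config-vlan-srvprof-2)#quit
huawei(config)#vlan bind service-profile 10 profile-id 2
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*(.*)$")

def audit(transcript):
    """Map each bound VLAN to the reasons anti-IP spoofing is NOT in effect."""
    global_on = False
    committed, pending, bound = {}, {}, {}
    profile = None  # profile being edited; None means global config mode
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue  # device output such as "Info: ..." is not a command
        cmd = m.group(1).split()
        if cmd[:2] == ["security", "anti-ipspoofing"] and len(cmd) == 3:
            # Only "enable" appears on the page; any other keyword counts as off.
            on = cmd[2] == "enable"
            if profile is None:
                global_on = on
            else:
                pending[profile] = on
        elif cmd[:3] == ["vlan", "service-profile", "profile-id"] and len(cmd) == 4:
            profile = cmd[3]
            pending[profile] = committed.get(profile, False)
        elif cmd == ["commit"] and profile is not None:
            committed[profile] = pending[profile]  # takes effect only now
        elif cmd == ["quit"]:
            profile = None
        elif cmd[:3] == ["vlan", "bind", "service-profile"] and len(cmd) == 6:
            bound[cmd[3]] = cmd[5]
    report = {}
    for vlan, prof in bound.items():
        checks = [(global_on, "global level not enabled"),
                  (committed.get(prof, False), "VLAN level not enabled or not committed")]
        report[vlan] = [why for ok, why in checks if not ok]
    return report

print(audit(SAMPLE))
```

An empty reason list for a VLAN means both levels are enabled and committed for the profile bound to it.
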
3.10.4 Configuring the Anti-MAC Address Attack
This topic describes how to configure MAC address binding and anti-MAC address spoofing to
prevent malicious users from attacking devices or authorized users by forging the MAC
addresses of the authorized users.
Context
MAC address binding refers to binding a MAC address to a service port. After the binding, only
the user with the specified MAC address can access the network through the service port. The
SmartAX MA5616 Multi-service Access Module
Configuration Guide
3 Basic Configuration
Issue 04 (2011-10-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.