ZXR10 8900E series Core Switch Product Description
ZTE Confidential Proprietary
© 2013 ZTE CORPORATION. All rights reserved.
1. Static binding: binding table entries created by manual configuration are used to
implement the port control service. This method is suitable for a single host or for a
LAN with few hosts.
2. Dynamic binding: the port control service is implemented by automatically obtaining
binding table entries from DHCP Snooping or DHCP Relay. It is suitable for a LAN with
many hosts. Using DHCP for dynamic host configuration effectively avoids IP address
conflicts and IP address spoofing. When DHCP allocates an entry to a user, the dynamic
binding service adds a binding table entry that allows this user to access the network.
If a user sets an IP address privately, that user is not allowed to access the network:
because DHCP was never invoked to allocate a table entry, the dynamic binding service
does not add the related access rule.
ZXR10 8900E supports the IP Source Guard service for both IPv4 and IPv6.
3.8.3.4 DAI
The DAI (Dynamic ARP Inspection) service sends each ARP message to the CPU to check its
validity; the message is then either discarded or forwarded. If the ARP message's source
MAC address, source IP address, port number and port VLAN match an entry in the DHCP
Snooping table or the manually configured static IP binding table, the message is
considered a legal ARP message and is forwarded. Otherwise, it is discarded as an illegal
ARP message. Because ARP messages are sent to the CPU, a large number of ARP messages can
result in a DoS attack, so in real applications ARP-based DoS attacks should be defended
against. ARP messages apply only to the IPv4 protocol; for the IPv6 protocol, ND messages
are monitored instead.
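The DAI decision described above, modelled in Python as an added example (not ZTE code or the switch's implementation). The per-port rate limit is an assumed mitigation for the CPU-load concern, which the page does not detail; all addresses, port names and VLAN IDs are constructed.

```python
from collections import defaultdict, deque

class ArpInspector:
    """Toy model of DAI: binding-table check plus a per-port ARP rate limit."""

    def __init__(self, rate_limit_pps):
        self.bindings = set()              # static entries + DHCP Snooping entries
        self.rate_limit_pps = rate_limit_pps
        self._recent = defaultdict(deque)  # port -> arrival times in the last second

    def add_binding(self, mac, ip, port, vlan):
        self.bindings.add((mac.lower(), ip, port, vlan))

    def inspect(self, src_mac, src_ip, port, vlan, now):
        """Return 'forward', 'drop-invalid' or 'drop-rate-limit' for one ARP message."""
        # Rate-limit before the lookup so a flood cannot monopolise the CPU path.
        recent = self._recent[port]
        while recent and now - recent[0] >= 1.0:
            recent.popleft()
        if len(recent) >= self.rate_limit_pps:
            return "drop-rate-limit"
        recent.append(now)
        # All four fields must match one binding entry, as the text describes.
        if (src_mac.lower(), src_ip, port, vlan) in self.bindings:
            return "forward"
        return "drop-invalid"

def demo():
    """Run constructed ARP messages through the inspector; returns the verdicts."""
    dai = ArpInspector(rate_limit_pps=3)   # assumed limit, chosen for the demo
    host = ("00:11:22:33:44:55", "192.0.2.10", "port1", 100)  # constructed binding
    dai.add_binding(*host)
    messages = [
        (*host, 0.0),                                            # matches binding
        ("00:11:22:33:44:55", "192.0.2.1", "port1", 100, 0.1),   # claims another IP
        ("00:11:22:33:44:55", "192.0.2.10", "port2", 100, 0.2),  # wrong port
        ("00:11:22:33:44:55", "192.0.2.10", "port1", 200, 0.3),  # wrong VLAN
        (*host, 0.4),                                            # 4th on port1 in 1 s
        (*host, 1.2),                                            # window has aged out
    ]
    return [dai.inspect(*m) for m in messages]

if __name__ == "__main__":
    print(demo())
```

A mismatch in any single field is enough to discard the message, and a port that exceeds the limit loses even its legitimate ARP traffic until the one-second window clears.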
3.8.4 MFF
Based upon RFC 4562, MFF is applied on user access devices. It aims to isolate users at
the user access side while still providing effective IP address distribution. All streams
are forwarded to the uplink access gateway, and the gateway then determines the forwarding
direction of these streams (including L2 switching streams within one broadcast domain).
In the past, these streams were forwarded directly by access devices, which left
potential security risks. MFF ensures user isolation and meets the requirements for
access node interconnection and security that the Broadband Forum (formerly the DSL
Forum) sets for broadband access networks in its TR101 report.
Compared with PVLAN, MFF not only provides L2 isolation between users but also stores
some user information, so it is safer in processing and forwarding messages. At the
same time, communication between users in the same layer 2 segment is controlled by the
gateway router, which makes the network more secure by providing integrated control.