
mac-spoofing-defend enable (interface view)

Function

The mac-spoofing-defend enable command configures an interface as a trusted interface.

The undo mac-spoofing-defend enable command restores an interface to an untrusted interface.

By default, an interface is untrusted.

S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S do not support this command.

Format

mac-spoofing-defend enable

undo mac-spoofing-defend enable

Parameters

None

Views

GE interface view, Ethernet interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

User behavior cannot be controlled, so a user device may send bogus packets carrying the server MAC address to stop other users from reaching the real server. To prevent such attacks, run the mac-spoofing-defend enable command to configure the network-side interface connected to the server as a trusted interface. A MAC address learned by the trusted interface is not learned by any other interface, which defeats attacks that use bogus packets carrying the server MAC address.

Prerequisites

The MAC spoofing defense function has been enabled by using the mac-spoofing-defend enable command in the system view.

Precautions

  • After the device connected to the trusted interface is powered off, the MAC address entry matching the device MAC address is aged out after a certain period. After another device is connected to the interface, the MAC address of this device will not be learned by other interfaces.
  • On the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI: when the TPID configured by the qinq protocol command on the inbound interface differs from the TPID in received packets, and the mac-spoofing-defend enable command is also configured on that interface, MAC addresses are learned only in the VLAN specified by the PVID, not in the MAC address-based VLAN, protocol-based VLAN, IP subnet-based VLAN, or policy VLAN. For example, port A has a TPID of 0x9100, a PVID of 10, and MAC address-based VLAN 20. Received packet A carries VLAN 30 with a TPID of 0x8100 and matches the MAC address-based VLAN. Because the TPID values differ, the interface treats packet A as untagged and adds VLAN 20 to it, so the MAC address is learned in VLAN 20. If mac-spoofing-defend enable is configured on port A, the MAC address is instead learned in VLAN 10, which is incorrect.
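As an added illustration that is not Huawei code, the following Python model shows the learning rule described in the usage scenario above and the aging behavior from the first precaution; the class and function names, interface names, and MAC addresses are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class MacTable:
    """Toy switch MAC table: mac -> interface it was learned on (constructed model)."""
    defend_enabled: bool = True                   # system-view mac-spoofing-defend enable
    trusted: set = field(default_factory=set)     # interfaces with the interface-view command
    entries: dict = field(default_factory=dict)

    def mark_trusted(self, port: str) -> None:
        self.trusted.add(port)

    def learn(self, src_mac: str, in_port: str) -> bool:
        """Learn src_mac on in_port; return False if the defense blocks the learning."""
        bound = self.entries.get(src_mac)
        if (self.defend_enabled and bound is not None
                and bound in self.trusted and in_port != bound):
            # The MAC is bound to a trusted interface, so no other interface may
            # learn it: a bogus frame cannot move the server entry to a user port.
            return False
        self.entries[src_mac] = in_port
        return True

    def age_out(self, mac: str) -> None:
        """Entry removed once the aging timer expires (attached device powered off)."""
        self.entries.pop(mac, None)


def scenario() -> dict:
    """Walk the page's scenario and its first precaution with constructed MACs."""
    t = MacTable()
    t.mark_trusted("GE0/0/1")                     # network-side port facing the server
    server, new_dev = "00e0-fc12-3456", "00e0-fc65-4321"
    t.learn(server, "GE0/0/1")
    spoof = t.learn(server, "GE0/0/5")            # user port claims the server MAC
    owner_after_spoof = t.entries[server]
    t.age_out(server)                             # server powered off, entry aged out
    t.learn(new_dev, "GE0/0/1")                   # replacement device on the trusted port
    spoof_new = t.learn(new_dev, "GE0/0/7")       # its MAC is protected the same way
    return {"spoof_learned": spoof, "owner": owner_after_spoof,
            "new_dev_spoof_learned": spoof_new, "new_dev_owner": t.entries[new_dev]}
```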

Example

# Configure GigabitEthernet0/0/1 as a trusted interface.

<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-spoofing-defend enable
Copyright © Huawei Technologies Co., Ltd.