Configuring the MAC Address Limiting Function

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Context

The MAC address limiting function controls the number of access users to protect MAC addresses from hackers. When hackers send a large number of forged packets with different source MAC addresses to the switch, the MAC address table of the switch will be filled with useless MAC address entries. As a result, the switch cannot learn source MAC addresses of valid packets.

You can limit the number of MAC address entries learned on the switch. When the number of learned MAC address entries reaches the limit, the switch does not learn new MAC address entries. You can also configure an action to take when the number of MAC address entries reaches the limit. This prevents exhaustion of MAC address entries and improves network security.

Procedure

Limit the number of MAC address entries learned on an interface.
1. Run:
```
system-view
```
  The system view is displayed.
2. Run:
```
interface interface-type interface-number
```
  The interface view is displayed.
3. Run:
```
mac-limit maximum max-num
```
  The maximum number of MAC address entries that can be learned on the interface is set.
  
  By default, the number of MAC address entries learned on an interface is not limited.
4. Run:
```
mac-limit action { discard | forward }
```
  The action to take when the number of learned MAC address entries reaches the limit is configured.
  
  By default, the switch discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.
5. Run:
```
mac-limit alarm { disable | enable }
```
  The switch is configured to or not to generate an alarm when the number of learned MAC address entries reaches the limit.
  
  By default, the switch generates an alarm when the number of learned MAC address entries reaches the limit.
Limit the number of MAC address entries learned in a VLAN.
1. Run:
```
system-view
```
  The system view is displayed.
2. Run:
```
vlan vlan-id
```
  The VLAN view is displayed.
3. Run:
```
mac-limit maximum max-num
```
  The maximum number of MAC address entries learned in the VLAN is set.
  
  By default, the number of MAC address entries learned in a VLAN is not limited.
4. Run:
```
mac-limit action { discard | forward }
```
  The action to take when the number of learned MAC address entries reaches the limit is configured.
  
  By default, the switch discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.
  
  SA boards of S series cards do not support the discard action.
5. Run:
```
mac-limit alarm { disable | enable }
```
  The switch is configured to or not to generate an alarm when the number of learned MAC address entries reaches the limit.
  
  By default, the switch generates an alarm when the number of learned MAC address entries reaches the limit.
Limit the number of MAC address entries learned in a VSI.
1. Run:
```
system-view
```
  The system view is displayed.
2. Run:
```
vsi vsi-name
```
  The VSI view is displayed.
3. Run:
```
mac-limit maximum max-num
```
  The maximum number of MAC address entries learned in the VSI is set.
  
  By default, the number of MAC address entries learned in a VSI is not limited.
  
  Only the E series cards, X series cards support this configuration.
4. Run:
```
mac-limit action { discard | forward }
```
  The action to take when the number of learned MAC address entries reaches the limit is configured.
  
  By default, the switch discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.
5. Run:
```
mac-limit alarm { disable | enable }
```
  The switch is configured to or not to generate an alarm when the number of learned MAC address entries reaches the limit.
  
  By default, the switch sends an alarm when the number of learned MAC address entries reaches the limit.
Limit the number of MAC address entries learned in a slot.
1. Run:
```
system-view
```
  The system view is displayed.
2. Run:
```
mac-limit slot slot-id maximum max-num
```
  The maximum number of MAC address entries learned in a slot is set.
  
  By default, the number of MAC address entries learned in a slot is not limited.
3. Run:
```
mac-limit slot slot-id action { discard | forward }
```
  The action to take when the number of learned MAC address entries reaches the limit is configured.
  
  By default, the switch discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.
4. Run:
```
mac-limit slot slot-id alarm { disable | enable }
```
  The switch is configured to or not to generate an alarm when the number of learned MAC address entries reaches the limit.
  
  By default, the switch sends an alarm when the number of learned MAC address entries reaches the limit.

Checking the Configuration

Run the display mac-limit command to check limiting on MAC address learning.

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

This document describes the configuration of Ethernet services, including configuring link aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, STP/RSTP/MSTP, SEP, and so on.

Context

Procedure

Checking the Configuration

Related Version

Related Documents

Digital Signature File