Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuration Examples

This section provides several MAC address configuration examples.

Example for Configuring the MAC Address Table

Networking Requirements

As shown in Figure 7-12, the MAC address of the server is 0004-0004-0004. The server is connected to GE0/0/1 of the AP, which belongs to VLAN 101. The network requires the following configuration:

  • To prevent hackers from stealing user information by forging the MAC address of the server, configure a static MAC address entry on the AP for the server.

Figure 7-12  Network diagram

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on the AP and add the interfaces to the VLANs.

  2. Configure static MAC address entries.

  3. Set the aging time for the dynamic MAC address entries.

Procedure

  1. Add static MAC address entries.

    # Create VLAN 101 and add GigabitEthernet0/0/1 to VLAN 101.

    <Huawei> system-view
    [Huawei] vlan 101
    [Huawei-vlan101] quit
    [Huawei] interface gigabitethernet 0/0/1
    [Huawei-GigabitEthernet0/0/1] port hybrid pvid vlan 101
    [Huawei-GigabitEthernet0/0/1] port hybrid untagged vlan 101
    [Huawei-GigabitEthernet0/0/1] quit
    

    # Configure static MAC address entries.

    [Huawei] mac-address static 0004-0004-0004 gigabitethernet 0/0/1 vlan 101

  2. Set the aging time for the dynamic MAC address entries.

    [Huawei] mac-address aging-time 500

  3. Verify the configuration.

    # Run the display mac-address command in any view to check whether the static MAC address entries are successfully added to the MAC address table.

    [Huawei] display mac-address static vlan 101
    ------------------------------------------------------------------------------- 
    MAC Address    VLAN/VSI                          Learned-From        Type       
    ------------------------------------------------------------------------------- 
    0004-0004-0004    101/-                   GE0/0/1                    static     
    
    -------------------------------------------------------------------------------
    Total items displayed = 1
    

    # Run the display mac-address aging-time command to check whether the aging time for dynamic entries is set successfully.

    [Huawei] display mac-address aging-time
      Aging time: 500 second(s)

Configuration Files

Configuration file of the AP

#
vlan batch 101
#
 mac-address aging-time 500
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 101
 port hybrid untagged vlan 101
#
 mac-address static 0004-0004-0004 GigabitEthernet0/0/1 vlan 101
#
return

Example for Configuring MAC Address Limiting Rules on Interfaces

Networking Requirements

As shown in Figure 7-13, GE0/0/1 of the AP is connected to a switch. To prevent MAC address attacks on the AP, configure MAC address limiting rules on GE0/0/1.

Figure 7-13  Network diagram for MAC address limiting on interfaces

Configuration Roadmap

The configuration roadmap is as follows:

  1. Set the limit on the number of MAC addresses learned by the interfaces.

  2. Set the action performed when the limit is reached.

Procedure

  1. Configure MAC address limiting rules on the interfaces.

    <Huawei> system-view
    [Huawei] interface gigabitethernet 0/0/1
    [Huawei-GigabitEthernet0/0/1] mac-limit maximum 100 action discard alarm enable
    [Huawei-GigabitEthernet0/0/1] quit
    

  2. Verify the configuration.

    # Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.

    [Huawei] display mac-limit
    MAC limit is enabled                                                            
    Total MAC limit rule count : 1                                                  
                                                                                    
    PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm       
    ----------------------------------------------------------------------------    
    GE0/0/1              -                -    100     -        discard enable      
    
    

Configuration Files

Configuration file of the AP

#
interface GigabitEthernet0/0/1
 mac-limit maximum 100
#
return

Example for Configuring a MAC Address Learning Rule in a VLAN

Networking Requirements

As shown in Figure 7-14, the AP provides wireless networks with SSIDs admin and guest. A few STAs connect to the wireless network with SSID admin. The service VLAN of these STAs is VLAN 100. Many STAs connect to the wireless network with SSID guest. The service VLAN of these STAs is VLAN 200. To prevent MAC address attacks and save MAC address table space, limit the number of MAC addresses learned in VLAN 200.

Figure 7-14  Networking diagram for MAC address limiting in a VLAN

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs on the AP and add the interfaces to the VLANs.

  2. Set the limit on the number of MAC addresses learned in VLAN 200.

Procedure

  1. Configure WLAN services for the AP.

    Configure VAP1 with SSID admin and VAP2 with SSID guest on the AP, and configure VLAN 100 and VLAN 200 as the service VLANs for VAP1 and VAP2 respectively. After the configurations are complete, the AP provides two wireless networks and STAs can associate with the AP through them.

  2. Configure a MAC address limiting rule in VLAN 200.

    # Configure the following MAC address limiting rule in VLAN 200:
    • A maximum of 100 MAC addresses can be learned.
    • When the number of learned MAC address entries reaches the limit, the AP forwards packets with new source MAC addresses and generates an alarm, but does not add the new MAC addresses to the MAC address table.

    <Huawei> system-view
    [Huawei] vlan 200
    [Huawei-vlan200] mac-limit maximum 100 alarm enable
    [Huawei-vlan200] quit

  3. Verify the configuration.

    # Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.

    [Huawei] display mac-limit
    MAC limit is enabled                                                            
    Total MAC limit rule count : 1                                                  
                                                                                    
    PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm       
    ----------------------------------------------------------------------------    
    -                    200              -    100     -        forward enable      

Configuration Files

Configuration file of the AP

#
vlan batch 100 200
#
vlan 200
 mac-limit maximum 100
#
return
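
The following Python script is an added example, not part of the Huawei guide: it parses the display mac-limit table shown in the two verification steps above and checks each rule against an expected policy, reporting missing rules, limits that are too high, disabled alarms, and rules whose action is forward. The merged sample output, the policy dictionary and port GE0/0/2 are constructed for illustration.

```python
import re

# Constructed sample: the two `display mac-limit` tables from this page merged into one.
SAMPLE = """\
MAC limit is enabled
Total MAC limit rule count : 2

PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE0/0/1              -                -    100     -        discard enable
-                    200              -    100     -        forward enable
"""

FIELDS = ("port", "vlan", "slot", "maximum", "rate", "action", "alarm")

def parse_mac_limit(text):
    """Return one dict per rule row that follows the dashed separator."""
    rules, in_table = [], False
    for line in text.splitlines():
        if re.fullmatch(r"\s*-{10,}\s*", line):
            in_table = True
            continue
        cols = line.split()
        if in_table and len(cols) == len(FIELDS) and cols[3].isdigit():
            rule = dict(zip(FIELDS, cols))
            rule["maximum"] = int(rule["maximum"])
            rules.append(rule)
    return rules

def audit(rules, expected):
    """expected maps (port, vlan) to the highest acceptable limit (hypothetical policy)."""
    seen, findings = {(r["port"], r["vlan"]): r for r in rules}, []
    for key, ceiling in expected.items():
        rule = seen.get(key)
        if rule is None:
            findings.append((key, "no mac-limit rule"))
            continue
        if rule["maximum"] > ceiling:
            findings.append((key, f"limit {rule['maximum']} exceeds {ceiling}"))
        if rule["alarm"] != "enable":
            findings.append((key, "alarm disabled"))
        if rule["action"] == "forward":
            findings.append((key, "action forward: frames from new MACs are not dropped"))
    return findings

if __name__ == "__main__":
    # GE0/0/2 is a hypothetical port with no rule, to show the missing-rule finding.
    policy = {("GE0/0/1", "-"): 100, ("-", "200"): 100, ("GE0/0/2", "-"): 100}
    print(audit(parse_mac_limit(SAMPLE), policy))
```

The forward finding reflects the VLAN example above, where the limit caps the MAC address table but packets with new source MAC addresses are still forwarded.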
Updated: 2019-01-11

Document ID: EDOC1000176006
