No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Ethernet Switching

AR650, AR1600, and AR6100 V300R003

This document describes how to configure the components for LAN services, including link aggregation groups, VLANs, voice VLANs, MAC address tables, transparent bridging, as well as GVRP, STP/RSTP, and MSTP protocols.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the MAC Address Limiting Function

Configuring the MAC Address Limiting Function

Context

The MAC address limiting function controls the number of access users to prevent MAC addresses from hackers.

An insecure network is vulnerable to MAC address attacks. When hackers send a large number of forged packets with different source MAC addresses to the router, the MAC address table of the router will be filled with useless MAC address entries. As a result, the router cannot learn source MAC addresses of valid packets.

You can limit the number of MAC address entries learned on the router. When the number of learned MAC address entries reaches the limit, the router does not learn new MAC address entries. You can also configure an action to take when the number of MAC address entries reaches the limit. This prevents MAC address attacks and improves network security.

NOTE:

The AR650, AR1600, and AR6100 series do not support limiting the number of MAC addresses learned in a VLAN.

The AR651U-A4, and AR651F-Lite do not support limiting the number of MAC addresses learned in a port.

Procedure

  • Limit the number of MAC address entries learned on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run mac-limit maximum max-num

      The maximum number of MAC address entries that can be learned on the interface is set.

      By default, the number of MAC address entries learned on an interface is not limited.

    4. Run mac-limit action { discard | forward }

      The action to take when the number of learned MAC address entries reaches the limit is configured.

      By default, the router discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.

    5. Run mac-limit alarm { disable | enable }

      The router is configured to or not to generate an alarm when the number of learned MAC address entries reaches the limit.

      By default, the router generates an alarm when the number of learned MAC address entries reaches the limit.

Verifying the Configuration

Run the display mac-limit command to check limiting on MAC address learning.

Download
Updated: 2019-04-12

Document ID: EDOC1100041791

Views: 59259

Downloads: 40

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next