NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring VLAN Security Attributes

Configuring VLAN security attributes ensures reliable transmission of user data. Currently, the NE20E supports two security attributes. You can configure security attributes as required.

Applicable Environment

Table 8-4 lists VLAN security attribute schemes.

Table 8-4 Security schemes for VLANs

Security scheme: Disabling a port from broadcasting packets to other ports in the same VLAN
  • Description: If a port in a VLAN receives a broadcast or unknown unicast packet, it forwards the packet to all other ports in the VLAN. If such packets are malicious, system resources are wasted, device performance deteriorates, or the device may even malfunction. Disabling the port from broadcasting packets to other ports in the VLAN prevents such attacks.
  • Advantage: -
  • Disadvantage: -
  • Usage scenario: This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Security scheme: Disabling MAC address learning in a VLAN
  • Description: If a device has only one inbound port and one outbound port, MAC address learning in the VLAN can be disabled.
  • Advantages: MAC address entries are saved. Security is guaranteed.
  • Disadvantages: This security scheme requires that the network has fixed users and that forwarding paths have already been established, either through dynamic MAC address learning or by manually configuring MAC addresses. If a large number of users are connected to a switch, each user needs a statically configured forwarding path, which imposes a configuration burden on network administrators. This security scheme also prevents new users from accessing the network.
  • Usage scenario: This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Pre-configuration Tasks

Before configuring VLAN security attributes, complete the following task:
  • Creating VLANs

Configuration Procedures

Disabling a Port from Broadcasting Packets to Other Ports in the Same VLAN

Disabling a port from broadcasting packets to other ports in the same VLAN prevents malicious attacks and improves network security.

Context

If a port in a VLAN receives a broadcast or unknown unicast packet, it forwards the packet to all other ports in the VLAN. If such packets are malicious, system resources are wasted, device performance deteriorates, or the device may even malfunction. Disabling the port from broadcasting packets to other ports in the VLAN prevents such attacks.

This security scheme is applicable to topology-stable networks or networks on which MAC addresses are configured and forwarding paths are specified.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    The VLAN view is displayed.

    NOTE:

    If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run broadcast discard

    The port is disabled from broadcasting packets to other ports in the same VLAN.

  4. Run commit

    The configuration is committed.

Disabling MAC Address Learning in a VLAN

If a device has only one inbound port and one outbound port, or the network topology is stable, MAC address learning in a VLAN can be disabled.

Context

A company has multiple departments located on different floors of a building. It is required that the PCs of one department be grouped into a VLAN and that PCs in different departments be grouped into different VLANs.

On the network shown in Figure 8-12, department 1 belongs to VLAN 2, department 2 belongs to VLAN 3, and the public sector belongs to VLAN 10. Users in VLANs 2 and 3 can both access VLAN 10. Users within VLAN 2 can communicate with one another, as can users within VLAN 3, but users in VLAN 2 cannot communicate with users in VLAN 3. To reduce the number of MAC address entries saved on the core switching device and to prevent visitors from accessing the company's network, you can disable MAC address learning in a VLAN on CE 1 and CE 5.

NOTE:

Disabling MAC address learning in a VLAN is suitable for a device that has only one inbound port and one outbound port or a network with a stable topology.

Figure 8-12 Networking diagram for disabling MAC address learning in a VLAN

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    The VLAN view is displayed.

    NOTE:

    If a device is configured with multiple VLANs, do as follows to configure a name for each VLAN:

    Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.

  3. Run mac-address learning disable

    MAC address learning in a VLAN is disabled.

  4. Run commit

    The configuration is committed.

Verifying the VLAN Security Attribute Configuration

After VLAN security attributes are configured, you can check whether a VLAN is enabled with the broadcast function and the MAC address learning function.

Prerequisites

The configurations of VLAN security attributes are complete.

Procedure

  • Run the display vlan [ vlan-id [ verbose ] ] command to check information about all VLANs or a specified VLAN.

Example

Run the display vlan command. The command output shows that VLANs have been enabled with the broadcast function and the MAC address learning function. For example:

<HUAWEI> display vlan
The total number of vlans is : 2
VID  Type     Status  Property  MAC-LRN STAT    BC  MC  UC  Description
--------------------------------------------------------------------------------
1    common   enable  default   enable  disable FWD FWD FWD VLAN 0001
2    common   enable  default   enable  disable FWD FWD FWD VLAN 0002
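As an added example that is not part of the Huawei guide, the following Python script parses output in the `display vlan` format shown above and reports VLANs whose MAC-LRN or BC column does not match the hardening an administrator intended. The sample output is constructed, and the DROP value in the BC column for a VLAN configured with broadcast discard is an assumption (the guide's own sample only shows FWD), so the check treats any value other than FWD as discarding.

```python
# Constructed sample of `display vlan` output in the format shown above.
# VLAN 2 is assumed to have been hardened with `mac-address learning disable`
# and `broadcast discard`; the "DROP" value in the BC column is an assumption
# (the page only shows FWD), so the audit treats anything but FWD as discarding.
SAMPLE_OUTPUT = """\
<HUAWEI> display vlan
The total number of vlans is : 3
VID  Type     Status  Property  MAC-LRN STAT    BC  MC  UC  Description
--------------------------------------------------------------------------------
1    common   enable  default   enable  disable FWD FWD FWD VLAN 0001
2    common   enable  default   disable disable DROP FWD FWD VLAN 0002
3    common   enable  default   enable  disable FWD FWD FWD VLAN 0003
"""


def parse_display_vlan(output):
    """Parse the table part of `display vlan` into {vlan_id: attributes}."""
    vlans, in_table = {}, False
    for line in output.splitlines():
        if line.startswith("----"):  # separator between header and rows
            in_table = True
            continue
        fields = line.split(None, 9)  # Description may contain spaces
        if not in_table or len(fields) < 9 or not fields[0].isdigit():
            continue
        vlans[int(fields[0])] = {
            "type": fields[1], "status": fields[2], "property": fields[3],
            "mac_learning": fields[4] == "enable",  # MAC-LRN column
            "bc": fields[6], "mc": fields[7], "uc": fields[8],
            "description": fields[9] if len(fields) > 9 else "",
        }
    return vlans


def audit_vlans(vlans, expect_no_learning=(), expect_bc_discard=()):
    """Report VLANs whose security attributes differ from the intended state."""
    findings = []
    for vid in expect_no_learning:
        if vid not in vlans:
            findings.append((vid, "VLAN missing from display output"))
        elif vlans[vid]["mac_learning"]:
            findings.append((vid, "MAC address learning still enabled"))
    for vid in expect_bc_discard:
        if vid not in vlans:
            findings.append((vid, "VLAN missing from display output"))
        elif vlans[vid]["bc"] == "FWD":
            findings.append((vid, "broadcast packets still forwarded in VLAN"))
    return findings
```

Running `audit_vlans(parse_display_vlan(SAMPLE_OUTPUT), expect_no_learning=(2, 3), expect_bc_discard=(2,))` on the sample flags VLAN 3, where learning was never disabled.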
Updated: 2019-01-02

Document ID: EDOC1100055378