NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01
Configuring EVC Security Attributes

The NE20E supports various security attributes that can be deployed in a bridge domain to help devices securely transmit packets.

Usage Scenario

Table 10-4 describes the security functions deployed in a bridge domain to help devices securely transmit packets.

Table 10-4 Security functions

Security function: Limit on packet transmission between EVC Layer 2 sub-interfaces within a bridge domain

Description: An EVC Layer 2 sub-interface can be disabled from broadcasting received broadcast packets, unknown unicast packets, and unknown multicast packets to other EVC Layer 2 sub-interfaces in the same bridge domain. Forwarding malicious unknown unicast packets consumes device resources, which degrades performance or can cause the device to fail. Preventing an EVC Layer 2 sub-interface from broadcasting received packets to other EVC Layer 2 sub-interfaces in the same bridge domain defeats attacks that rely on unknown packets.

Usage scenario: This function applies to networks without user changes or networks with static MAC address-based forwarding paths.

Security function: Limit on MAC address learning within a bridge domain

Description: If a bridge domain has only one inbound interface and one outbound interface, MAC address learning can be disabled in the bridge domain to save MAC address entries. This function conserves MAC address table space and improves network security.

Usage scenario: This function applies to networks without user changes or networks with static MAC address-based forwarding paths. If static MAC addresses are used and a great number of users access a switch, a forwarding path must be configured for each user, which increases the network administrator's workload. New users cannot access a device on which this function is enabled.

Security function: Split horizon

Description: A bridge domain is a broadcast domain, in which an EVC Layer 2 sub-interface broadcasts received packets within the domain. To reduce the broadcast volume, EVC Layer 2 sub-interfaces that do not need to communicate can be isolated from one another in the same bridge domain. Enable split horizon to isolate EVC Layer 2 sub-interfaces from one another in the bridge domain.

Usage scenario: Split horizon applies to all Layer 2 networks.

Pre-configuration Tasks

Before configuring EVC security attributes, create a bridge domain.

Configuration Procedures

Perform one or more of the following configurations as required.

Disabling an Interface from Broadcasting Packets to Other Interfaces in a Bridge Domain

You can disable an EVC Layer 2 sub-interface from broadcasting packets to other EVC Layer 2 sub-interfaces in a bridge domain. This function helps protect devices from attack and improves network security.

Context

An EVC Layer 2 sub-interface can be disabled from broadcasting received broadcast packets, unknown unicast packets, and unknown multicast packets to other EVC Layer 2 sub-interfaces in the same bridge domain.

Forwarding malicious unknown unicast packets consumes device resources, which degrades performance or can cause the device to fail. Preventing an EVC Layer 2 sub-interface from broadcasting received packets to other EVC Layer 2 sub-interfaces in the same bridge domain defeats attacks that rely on unknown packets.

This function applies to networks without user changes or networks with static MAC address-based forwarding paths.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The bridge domain view is displayed.

  3. Perform one or more of the following steps to disable an interface from broadcasting packets to other interfaces in a bridge domain:

    • To disable an interface from broadcasting broadcast packets to other interfaces in a bridge domain, run broadcast discard.
    • To disable an interface from forwarding unknown unicast packets to other interfaces in a bridge domain, run unknown-unicast discard.
    • To disable an interface from forwarding unknown multicast packets to other interfaces in a bridge domain, run unknown-multicast discard.

  4. Run commit

    The configuration is committed.

Disabling Devices in a Bridge Domain from Learning One Another's MAC Addresses

If a bridge domain has only one inbound interface and one outbound interface, the MAC address learning function can be disabled in the bridge domain.

Context

On the network shown in Figure 10-5, an enterprise has departments on different floors. Department 1 is assigned to VLAN2, department 2 is assigned to VLAN3, and the public department is assigned to VLAN10. All these departments are within a bridge domain with ID 10. After network deployment, VLAN2 and VLAN3 users can access VLAN10, VLAN2 users can communicate with each other, and VLAN2 and VLAN3 are isolated from each other. After the enterprise network has been running for a period of time, the network becomes stable, and no new users access it. To help efficiently use MAC address table capacity on core devices and prevent unauthorized users from accessing the enterprise network, disable CE1 and CE2 from learning MAC addresses.

NOTE:

CEs can also be disabled from learning MAC addresses in a specified VLAN. If a great number of VLANs are configured on CEs, manually disabling VLAN-specific MAC address learning increases the maintenance expenditure.

Figure 10-5 Networking diagram for preventing devices in a bridge domain from learning one another's MAC addresses

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The bridge domain view is displayed.

  3. Run mac-address learning disable

    Devices in the bridge domain are disabled from learning one another's MAC addresses.

  4. Run commit

    The configuration is committed.

Configuring Split Horizon in a Bridge Domain

A bridge domain is a broadcast domain, in which bridge domain members broadcast received packets within the domain. To reduce the broadcast traffic volume, enable split horizon in the bridge domain, which isolates bridge domain member interfaces from one another if they do not need to communicate.

Context

Split horizon can be configured in either bridge domain or EVC Layer 2 sub-interface view:
  • If split horizon is configured in the bridge domain view, this function takes effect on all bridge domain member interfaces. All bridge domain member interfaces are isolated from one another.
  • If split horizon is configured in the EVC Layer 2 sub-interface view, this function takes effect only on the specified interface. The split horizon-enabled EVC Layer 2 sub-interface is isolated from other EVC Layer 2 sub-interfaces.

    Split horizon must be configured on each EVC Layer 2 sub-interface that needs to be isolated.

Procedure

  • Configure split horizon in the bridge domain view.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The bridge domain view is displayed.

    3. Run split-horizon enable

      Split horizon is enabled.

    4. Run commit

      The configuration is committed.

  • Configure split horizon in the EVC Layer 2 sub-interface view.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number.subnum mode l2

      An EVC Layer 2 sub-interface is created, and the sub-interface view is displayed.

    3. Run split-horizon

      Split horizon is enabled.

    4. Run commit

      The configuration is committed.

Checking the Configurations

After configuring EVC security attributes, you can check bridge domain configurations, including whether broadcast forwarding, MAC address learning, and split horizon are enabled.

Prerequisites

The EVC security attributes have been configured.

Procedure

  • Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to check bridge domain configurations.

Example

Run the display bridge-domain [ bd-id [ brief | verbose ] ] command to view bridge domain configurations. The command output helps you verify whether broadcast forwarding, MAC address learning, and split horizon are enabled.

<HUAWEI> display bridge-domain
The total number of bridge-domains is : 3
--------------------------------------------------------------------------------
MAC_LRN: MAC learning;         STAT: Statistics;         SPLIT: Split-horizon;
BC: Broadcast;                 MC: Unknown multicast;    UC: Unknown unicast;
*down: Administratively down;  FWD: Forward;             DSD: Discard;
--------------------------------------------------------------------------------

BDID  State MAC-LRN STAT    BC  MC  UC  SPLIT   Description
--------------------------------------------------------------------------------
10    up    enable  enable  DSD DSD DSD enable  VPLS
20    up    enable  disable FWD FWD FWD disable VLAN
30    up    enable  disable DSD DSD DSD disable VSI
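The procedures above (discarding broadcast, unknown unicast and unknown multicast packets; disabling MAC address learning; enabling split horizon) all end with the same display bridge-domain check, and its summary table shows, per bridge domain, exactly the attributes those procedures set. The following Python script is an added example, not Huawei's code or part of this guide: it parses that summary table (the sample below is constructed from the guide's own output), compares each bridge domain with a desired policy, and emits the bridge-domain-view commands from this guide that bring a non-compliant bridge domain into line. The policy, the BridgeDomain class and the audit and remediation_script functions are assumptions of this example; quit, used to leave the bridge domain view between domains, is the standard VRP command and does not appear on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the example output in this guide (not captured from a device).
SAMPLE_OUTPUT = """\
<HUAWEI> display bridge-domain
The total number of bridge-domains is : 3
--------------------------------------------------------------------------------
MAC_LRN: MAC learning;         STAT: Statistics;         SPLIT: Split-horizon;
BC: Broadcast;                 MC: Unknown multicast;    UC: Unknown unicast;
*down: Administratively down;  FWD: Forward;             DSD: Discard;
--------------------------------------------------------------------------------

BDID  State MAC-LRN STAT    BC  MC  UC  SPLIT   Description
--------------------------------------------------------------------------------
10    up    enable  enable  DSD DSD DSD enable  VPLS
20    up    enable  disable FWD FWD FWD disable VLAN
30    up    enable  disable DSD DSD DSD disable VSI
"""


@dataclass
class BridgeDomain:
    """One data row of the summary table (structure assumed by this example)."""
    bd_id: int
    state: str
    mac_learning: bool   # MAC-LRN column
    bc_discard: bool     # BC column, DSD = broadcast discard configured
    mc_discard: bool     # MC column, DSD = unknown-multicast discard configured
    uc_discard: bool     # UC column, DSD = unknown-unicast discard configured
    split_horizon: bool  # SPLIT column
    description: str


# Only data rows start with a bridge domain ID; legend, header and separator
# lines therefore never match and are skipped by the parser.
ROW_RE = re.compile(
    r"^(?P<bd>\d+)\s+(?P<state>\*?\w+)\s+(?P<lrn>enable|disable)\s+"
    r"(?P<stat>enable|disable)\s+(?P<bc>FWD|DSD)\s+(?P<mc>FWD|DSD)\s+"
    r"(?P<uc>FWD|DSD)\s+(?P<split>enable|disable)\s*(?P<desc>.*)$"
)


def parse_bridge_domains(output: str) -> List[BridgeDomain]:
    """Return one BridgeDomain per data row of the display output."""
    domains = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            domains.append(BridgeDomain(
                int(m["bd"]), m["state"], m["lrn"] == "enable",
                m["bc"] == "DSD", m["mc"] == "DSD", m["uc"] == "DSD",
                m["split"] == "enable", m["desc"].strip()))
    return domains


# Desired value of each attribute and the bridge-domain-view command from this
# guide that establishes it. The policy itself is an assumption of this example.
CHECKS = [
    ("bc_discard", True, "broadcast discard"),
    ("mc_discard", True, "unknown-multicast discard"),
    ("uc_discard", True, "unknown-unicast discard"),
    ("split_horizon", True, "split-horizon enable"),
]


def audit(domains: List[BridgeDomain],
          require_static_mac: bool = False) -> Dict[int, List[str]]:
    """Map each non-compliant bridge domain ID to the commands it still needs.
    require_static_mac adds the MAC-learning check, which Table 10-4 reserves
    for bridge domains with static MAC address-based forwarding paths."""
    checks = list(CHECKS)
    if require_static_mac:
        checks.append(("mac_learning", False, "mac-address learning disable"))
    findings = {}
    for bd in domains:
        needed = [cmd for attr, want, cmd in checks if getattr(bd, attr) != want]
        if needed:
            findings[bd.bd_id] = needed
    return findings


def remediation_script(findings: Dict[int, List[str]]) -> str:
    """Render findings as the command sequence from the procedures above;
    quit (standard VRP) returns to the system view between bridge domains."""
    lines = ["system-view"]
    for bd_id in sorted(findings):
        lines.append(f"bridge-domain {bd_id}")
        lines.extend(findings[bd_id])
        lines.extend(["commit", "quit"])
    return "\n".join(lines)


if __name__ == "__main__":
    findings = audit(parse_bridge_domains(SAMPLE_OUTPUT))
    for bd_id, cmds in sorted(findings.items()):
        print(f"BD {bd_id} missing: {', '.join(cmds)}")
    print(remediation_script(findings))
```

On the sample output, bridge domain 10 is fully compliant, 20 needs all three discard commands plus split-horizon enable, and 30 needs only split-horizon enable. The MAC-learning check is off by default on purpose: as Table 10-4 notes, disabling MAC address learning blocks any new user from accessing the device, so pass require_static_mac=True only for bridge domains whose forwarding paths are static.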
Updated: 2019-01-02

Document ID: EDOC1100055378