No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

This is NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring a VLAN-based MAC Address Learning Limit Rule

Example for Configuring a VLAN-based MAC Address Learning Limit Rule

Configuring a VLAN-based MAC address learning limit rule can control the number of users in a VLAN. If the number of learned MAC addresses reaches the maximum, no additional MAC addresses will be learned. In addition, the packet discarding and alarm functions can be configured to prevent MAC address attacks and improve network security.

Networking Requirements

Networks with poor security management such as community networks are vulnerable to hackers' MAC address attacks. The capacity of a MAC address table is limited. When hackers forge a large number of packets with different source MAC addresses and send the packets to a device, the MAC address table of the device will be filled up. Even if the device can receive valid packets, it cannot learn the source MAC addresses of the packets.

As shown in Figure 2-5, user network 1 connects to the CE through S1. S1 connects to interface1 on the CE. User network 2 connects to the CE through S2. S2 connects to interface2 on the CE. interface1 and interface2 belong to VLAN 2. To prevent MAC address attacks and control the number of users in VLAN 2, configure a MAC address learning limit for VLAN 2.

Figure 2-5 Networking diagram of a VLAN-based MAC address learning limit rule
NOTE:

Interfaces 1 through 2 in this example are GE 0/1/1, GE 0/2/1, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add the interfaces to the VLAN.

  2. Configure a VLAN-based MAC address learning limit rule to control the number of users in the VLAN, preventing MAC address attacks and improving network safety.

Data Preparation

To complete the configuration, you need the following data:

  • ID of the VLAN to which the interfaces belong

  • Number of each user interface

  • Maximum number of MAC addresses that can be learned

Procedure

  1. Configure a MAC address learning limit rule.

    # Add GE 0/1/1 and GE 0/2/1 to VLAN 2.

    <HUAWEI> system-view
    [~HUAWEI] sysname CE
    [*HUAWEI] commit
    [~CE] vlan 2
    [*CE-vlan2] quit
    [*CE] interface gigabitethernet 0/1/1
    [*CE-GigabitEthernet0/1/1] undo shutdown
    [*CE-GigabitEthernet0/1/1] portswitch
    [*CE-GigabitEthernet0/1/1] port link-type trunk
    [*CE-GigabitEthernet0/1/1] port trunk allow-pass vlan 2
    [*CE-GigabitEthernet0/1/1] quit
    [*CE] interface gigabitethernet 0/2/1
    [*CE-GigabitEthernet0/2/1] undo shutdown
    [*CE-GigabitEthernet0/2/1] portswitch
    [*CE-GigabitEthernet0/2/1] port link-type trunk
    [*CE-GigabitEthernet0/2/1] port trunk allow-pass vlan 2
    [*CE-GigabitEthernet0/2/1] quit

    # Configure the MAC address learning limit rule for VLAN 2: a maximum of 100 MAC addresses can be learned; additional packets are forwarded but their MAC addresses cannot be added to the MAC address table.

    [*CE] vlan 2
    [*CE-vlan2] mac-limit maximum 100 rate 50 action forward
    [*CE-vlan2] commit
    [~CE-vlan2] quit

  2. Verify the configuration.

    Run the display mac-limit command to check whether the MAC address learning limit rule is configured successfully.

    [*CE] display mac-limit
    MAC limit is enabled
    Total MAC limit rule count : 1
    
    PORT     VLAN/BD/VSI      SLOT Maximum Rate(ms) Action  Alarm
    ----------------------------------------------------------------------------
    -        2                -    100     50       forward disable

Configuration Files

#
 sysname CE
#
 vlan batch 2
#
vlan 2
 mac-limit maximum 100 rate 50 action forward
#
interface GigabitEthernet0/1/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet0/2/1
 portswitch
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 2
#
return
Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055378

Views: 17013

Downloads: 35

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next