NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01


Example for Configuring a MAC Address Learning Limit Rule in a VSI

Configuring a MAC address learning limit rule for a Virtual Switching Instance (VSI) can control the number of access users in the VSI. When the number of MAC addresses learned in this VSI reaches the maximum number, no new MAC addresses can be learned. You can also configure the system to discard packets to defend against MAC address attacks and therefore improve network security.

Networking Requirements

Networks with poor security management, such as community networks, are vulnerable to hackers' MAC address attacks. The capacity of a MAC address table is limited. When hackers forge a large number of packets with different source MAC addresses and send them to a device, the device's MAC address table fills up. The device can then still receive valid packets, but it cannot learn their source MAC addresses.

As shown in Figure 2-6, user network 1 accesses the VPLS network through S1, and user network 2 accesses the VPLS network through S2. A VSI named huawei is created on the VPLS network. A MAC address learning limit rule is configured for the VSI to control the number of users in this VSI and defend against MAC address attacks.

Figure 2-6 Networking for configuring a MAC address learning limit rule in a VSI

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VSI.

  2. Configure a MAC address learning limit rule for the VSI.

Data Preparation

To complete the configuration, you need the following data:

  • VSI name

  • Maximum number of MAC addresses that can be learned

Procedure

  1. Create a VSI.

    # Create a VSI named huawei.

    <HUAWEI> system-view
    [~HUAWEI] sysname PE1
    [*HUAWEI] commit
    [*PE1] vsi huawei static

  2. Configure a MAC address learning limit rule for this VSI.

    # Configure a MAC address learning limit rule for the VSI: A maximum of 300 MAC addresses can be learned; the packets received after the maximum number of MAC addresses have been learned are immediately discarded.

    [*PE1-vsi-huawei] mac-limit maximum 300 rate 100 action discard
    [*PE1-vsi-huawei] commit
    [~PE1-vsi-huawei] quit

  3. Verify the configuration.

    Run the display mac-limit command in any view to check whether the MAC address learning limit rule is configured successfully.

    [*PE1] display mac-limit
    MAC limit is enabled
    Total MAC limit rule count : 1
    
    PORT                    VLAN/BD/VSI/EVPN      SLOT Maximum Rate(ms) Action  Alarm
    ----------------------------------------------------------------------------
    -                       huawei                -    300     100      discard disable
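The check in step 3 can be scripted. The following Python script is an added example, not part of the Huawei guide: it parses the `display mac-limit` output shown above and reports where the rule differs from the intended one. The function names `parse_mac_limit` and `audit` and the `max_allowed` parameter are assumptions made for this example.

```python
import re

# Sample input: the `display mac-limit` output from step 3, embedded so the
# example runs offline.
SAMPLE = """\
MAC limit is enabled
Total MAC limit rule count : 1

PORT                    VLAN/BD/VSI/EVPN      SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
-                       huawei                -    300     100      discard disable
"""

# Rule row: PORT, scope name, SLOT, Maximum, Rate(ms), Action, Alarm.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
FIELDS = ("port", "scope", "slot", "maximum", "rate_ms", "action", "alarm")

def parse_mac_limit(text):
    """Return (enabled, declared_count, rules) parsed from the command output."""
    enabled = re.search(r"^\s*MAC limit is enabled\s*$", text, re.M) is not None
    m = re.search(r"^\s*Total MAC limit rule count\s*:\s*(\d+)", text, re.M)
    declared = int(m.group(1)) if m else None
    rules = []
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if row:  # header and separator lines do not match (no numeric columns)
            rule = dict(zip(FIELDS, row.groups()))
            rule["maximum"], rule["rate_ms"] = int(rule["maximum"]), int(rule["rate_ms"])
            rules.append(rule)
    return enabled, declared, rules

def audit(text, vsi, max_allowed):
    """Return a list of findings; an empty list means the rule is as intended."""
    enabled, declared, rules = parse_mac_limit(text)
    findings = []
    if not enabled:
        findings.append("MAC limit is not enabled")
    if declared != len(rules):
        findings.append(f"device reports {declared} rules, parsed {len(rules)}")
    # The scope column also holds VLAN/BD/EVPN names; match on the VSI name only.
    matching = [r for r in rules if r["scope"] == vsi]
    if not matching:
        findings.append(f"no MAC limit rule for VSI {vsi}")
    for r in matching:
        if r["maximum"] > max_allowed:
            findings.append(f"{vsi}: maximum {r['maximum']} exceeds {max_allowed}")
        if r["action"] != "discard":
            findings.append(f"{vsi}: action is {r['action']}, expected discard")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "huawei", 300) or "rule matches the intended configuration")
```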

Configuration Files

#
 sysname PE1
#
vsi huawei static
 mac-limit maximum 300 rate 100
#  
return
Updated: 2019-01-02

Document ID: EDOC1100055378
