NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Example for Configuring Traffic Suppression on a Specified Interface in a VLAN


This section provides an example for configuring traffic suppression on a specified interface in a VLAN, including the networking requirements, configuration roadmap, configuration procedure, and configuration files. Traffic suppression on a specified interface in a VLAN helps prevent interface+VLAN-based MAC address attacks and control the number of access users.

Networking Requirements

On an Ethernet network, you need to manage user traffic and allocate bandwidth to users properly. For security, you also need to suppress unknown unicast, multicast, and broadcast traffic so that unicast traffic is forwarded normally and network bandwidth is used properly. If this traffic is not suppressed, it accumulates and consumes more network bandwidth, which degrades network performance or even interrupts communications.

As shown in Figure 15-1, interface1 and interface2 of the router belong to VLAN 10. PC1 and PC2 connect to the router. To improve network security, configure unknown unicast traffic suppression on interface1 and multicast and broadcast traffic suppression on interface2.

Figure 15-1 Networking for traffic suppression on a specified interface in a VLAN or VLANs
NOTE:

interface1 and interface2 in this example are GE0/1/0 and GE0/2/0, respectively.



Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add the interfaces to it.

  2. Configure the suppression rules.

Data Preparation

To complete the configuration, you need the following data:

  • VLAN ID (10)

  • Interface numbers (GE 0/1/0 and GE 0/2/0)

  • Committed information rate (CIR) for unknown traffic

Procedure

  1. Add the interfaces to the VLAN.

    <HUAWEI> system-view
    [~HUAWEI] sysname Device
    [*HUAWEI] commit
    [~Device] interface gigabitethernet 0/1/0
    [~Device-GigabitEthernet0/1/0] undo shutdown
    [*Device-GigabitEthernet0/1/0] portswitch
    [*Device-GigabitEthernet0/1/0] quit
    [*Device] interface gigabitethernet 0/2/0
    [*Device-GigabitEthernet0/2/0] undo shutdown
    [*Device-GigabitEthernet0/2/0] portswitch
    [*Device-GigabitEthernet0/2/0] quit
    [*Device] vlan 10
    [*Device-vlan10] port gigabitethernet 0/1/0
    [*Device-vlan10] port gigabitethernet 0/2/0
    [*Device-vlan10] commit

  2. Configure traffic suppression on the interfaces.

    [~Device-vlan10] suppression inbound enable
    [*Device-vlan10] commit
    [~Device-vlan10] quit
    [~Device] interface gigabitethernet 0/1/0
    [~Device-GigabitEthernet0/1/0] broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/1/0] multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/1/0] unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/1/0] quit
    [*Device] interface gigabitethernet 0/2/0
    [*Device-GigabitEthernet0/2/0] broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/2/0] multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/2/0] unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
    [*Device-GigabitEthernet0/2/0] quit
    [*Device] commit

  3. Verify the configuration.

    Run the display this command in the interface view to view the configurations.

    For example, the configurations on GE 0/1/0 are displayed as follows:

    [*Device-GigabitEthernet0/1/0] display this
    #
    interface GigabitEthernet0/1/0
     portswitch
     undo shutdown
     port default vlan 10
     broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
     multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
     unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
    #

Configuration Files

#
 sysname Device
#
 vlan batch 10
#
 vlan 10
 suppression inbound enable
#
interface GigabitEthernet0/1/0
 undo shutdown
 portswitch
 port default vlan 10
 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
#
interface GigabitEthernet0/2/0
 undo shutdown
 portswitch
 port default vlan 10
 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
#
return
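
The following audit script is an added example, not part of the Huawei guide. It checks a saved configuration file for the VLAN-level "suppression inbound enable" command and for well-formed broadcast, multicast, and unknown-unicast suppression rules on every interface whose default VLAN is the one given. Requiring all three rules per interface is an assumption of this example that mirrors the procedure above; the function name audit and the sample text are constructed.

```python
import re

# Constructed sample based on this page's configuration file: GE0/2/0 lacks the
# multicast rule and its unknown-unicast rule has its arguments out of order.
SAMPLE = """\
#
 vlan 10
 suppression inbound enable
#
interface GigabitEthernet0/1/0
 portswitch
 port default vlan 10
 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10
 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10
#
interface GigabitEthernet0/2/0
 portswitch
 port default vlan 10
 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10
 unknown-unicast-suppression cir cbs 7200000 38400 inbound vlan 10
#
"""

KINDS = ("broadcast", "multicast", "unknown-unicast")
RULE = re.compile(r"(broadcast|multicast|unknown-unicast)-suppression "
                  r"cir (\d+) cbs (\d+) inbound vlan (\d+)$")

def audit(config, vlan):
    """Return sorted findings about traffic suppression for `vlan`."""
    findings = []
    # Configuration sections are separated by lines holding only '#'.
    sections = [[l.strip() for l in s.splitlines() if l.strip()]
                for s in re.split(r"(?m)^#[ \t]*$", config)]
    if not any(s[:1] == [f"vlan {vlan}"] and "suppression inbound enable" in s
               for s in sections):
        findings.append(f"vlan {vlan}: 'suppression inbound enable' missing")
    for s in sections:
        if not s[:1] or not s[0].startswith("interface ") or f"port default vlan {vlan}" not in s:
            continue
        seen = set()
        for line in (l for l in s[1:] if "-suppression " in l):
            m = RULE.match(line)
            if not m:
                findings.append(f"{s[0]}: malformed rule '{line}'")
            elif int(m.group(4)) == vlan:
                seen.add(m.group(1))
        findings += [f"{s[0]}: no {k} suppression for vlan {vlan}"
                     for k in KINDS if k not in seen]
    return sorted(findings)
```

Calling audit(SAMPLE, 10) reports three findings, all on GigabitEthernet0/2/0; the configuration file shown on this page produces none.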
Updated: 2019-01-02

Document ID: EDOC1100055397
