ME60 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01


Configuring Parameters for Dynamic MAC Address Entries

Parameters that can be configured for dynamic MAC address entries include the aging time and MAC address learning limit rule.

Usage Scenario

Table 2-2 shows the usage scenario of the parameters of dynamic MAC address entries.
Table 2-2 Parameters for dynamic MAC address entries
Parameter Usage Scenario
Aging time of dynamic MAC address entries

Dynamic MAC address entries are automatically generated on a device and are not always valid. The system starts an aging timer for each MAC address entry. If a MAC address entry is not updated before twice its aging time expires, the entry is deleted. If the entry is updated before twice its aging time expires, the aging time is recalculated. The shorter the aging time, the more sensitive a device is to network changes.

As network topologies change constantly, a device learns more and more MAC addresses. To avoid the explosive growth of MAC address entries, set a proper aging time for dynamic MAC address entries to have invalid MAC address entries deleted regularly.

MAC address learning limit rule

As shown in Figure 2-2, networks with poor security management, such as community networks, are vulnerable to hackers' MAC address attacks. The capacity of a MAC address table is limited. When hackers forge a large number of packets with different source MAC addresses and send the packets to a device, the MAC address table of the device may be filled to its full capacity. After the MAC address table of the device is filled up, the device cannot learn the source MAC addresses of valid packets it receives.

After a MAC address learning limit rule is configured, the number of access users can be controlled. When the number of learned MAC address entries reaches the maximum number allowed by the system, the system cannot learn any additional MAC addresses. The packet discarding and alarm functions can be configured to prevent MAC address attacks and improve network security.

Figure 2-2 Networking for configuring a MAC address learning limit rule

MAC address learning limit rules can be configured in the following modes:
  • Configure a MAC address learning limit rule on an interface to control the number of users connected to the interface.

  • Configure a MAC address learning limit rule in a VLAN to control the number of users in the VLAN.

  • Configure a MAC address learning limit rule on an interface in a VLAN to control the number of VLAN users connected to the interface.

  • Configure a MAC address learning limit rule in a VSI to control the number of users in the VSI.
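The aging and learning-limit behaviour described above can be seen in a small model. This is an added example, not Huawei code: the class, the table capacity of 100, the port names and the MAC addresses are all constructed, and the meaning of the forward action is an assumption.

```python
# Toy model of the behaviour described above; not Huawei's implementation.
class MacTable:
    def __init__(self, capacity, aging_time, port_limits=None):
        self.capacity = capacity              # total entries the table can hold
        self.aging_time = aging_time          # seconds
        self.port_limits = port_limits or {}  # port -> (maximum, action)
        self.entries = {}                     # mac -> (port, time of last update)
        self.over_limit = 0                   # frames that hit a learning limit

    def age(self, now):
        # Per the page: an entry not updated within twice the aging time is deleted.
        for mac in [m for m, (_, t) in self.entries.items()
                    if now - t >= 2 * self.aging_time]:
            del self.entries[mac]

    def receive(self, port, src_mac, now):
        self.age(now)
        if src_mac in self.entries:
            self.entries[src_mac] = (port, now)   # an update restarts the timer
            return "refreshed"
        if port in self.port_limits:
            maximum, action = self.port_limits[port]
            learned_here = sum(1 for p, _ in self.entries.values() if p == port)
            if learned_here >= maximum:
                self.over_limit += 1
                # Assumption: "forward" passes the frame without learning its source.
                return "discarded" if action == "discard" else "forwarded-unlearned"
        if len(self.entries) >= self.capacity:
            return "table-full"                   # valid sources can no longer be learned
        self.entries[src_mac] = (port, now)
        return "learned"


def simulate(port_limits):
    """Many distinct sources on one port, then one valid host on another (constructed)."""
    table = MacTable(capacity=100, aging_time=300, port_limits=port_limits)
    for i in range(500):
        hi, lo = divmod(i, 256)
        table.receive("GE1/0/1", f"02-00-00-00-{hi:02x}-{lo:02x}", now=i * 0.01)
    verdict = table.receive("GE1/0/2", "00-e0-fc-00-00-01", now=10)
    return verdict, len(table.entries), table.over_limit
```

Without a limit the table fills and the valid host on the second port cannot be learned; with a limit of 10 on the first port, the same traffic occupies only 10 entries and the valid host is learned.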

Pre-configuration Tasks

Before configuring parameters for dynamic MAC address entries, connect interfaces and set their physical parameters to ensure that the interfaces are Up.

Configuration Procedures

Perform one or more of the following configurations as required:

Configuring an Aging Time for Dynamic MAC Address Entries

Dynamic MAC address entries do not need to be created manually and they will be aged automatically. An aging time can be configured for dynamic MAC address entries to prevent the explosive growth of MAC address entries.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-address aging-time seconds [ vlan vlan-id1 [ to vlan-id2 ] &<1-10> ]

    An aging time is set for dynamic MAC address entries.

  3. (Optional) Run mac-address phy-port synchronize

    Immediate MAC address synchronization is enabled on the physical interface.

    This command is supported only on the Admin-VS.

  4. Run commit

    The configuration is committed.

Configuring a MAC Address Learning Limit Rule

Configuring a MAC address learning limit rule can control the number of access users. If the number of learned MAC addresses reaches the maximum number, no additional MAC addresses will be learned. In addition, the packet discarding and alarm functions can be configured to prevent MAC address attacks and improve network security.

Context

NOTE:

Before configuring a MAC address learning limit rule, run the reset mac-address command to clear the learned MAC addresses to ensure that the number of MAC addresses that can be learned is limited accurately.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Perform one or more of the following configurations as required.

    • Configure a MAC address learning limit rule on an interface to control the number of users connected to the interface. Choose one of the following configuration modes:

      Table 2-3 Configure a MAC address learning limit rule on an interface

      Configuring a MAC Address Learning Limit Rule

      Operation

      Specifying a rule name

      1. Run the mac-limit rule-name rule-name { action { discard | forward } | alarm { disable | enable } | maximum max [ rate interval ] } * command to create the global MAC address learning limit rule.

      2. Run the interface interface-type interface-number command to enter the Ethernet interface view.

      3. Run the mac-limit rule-name rule-name command to apply the global MAC address learning limit rule on the interface.

      Without specifying a rule name

      1. Run the interface interface-type interface-number command to enter the interface view.

      2. Run the mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max } * command to configure the MAC address learning limit rule.

    • Configure a MAC address learning limit rule in a VLAN to control the number of users in the VLAN.

      1. Run the vlan vlan-id command to enter the VLAN view.

      2. Run the mac-limit { action { discard | forward } | maximum max [ rate interval ] } * command to configure the MAC address learning limit rule.

    • Configure a MAC address learning limit rule on an interface in a VLAN to control the number of VLAN users connected to the interface. Choose one of the following configuration modes:

      Table 2-4 Configuring a MAC address learning limit on an interface in a VLAN

      Configuring a MAC Address Learning Limit Rule

      Operation

      Specifying a rule name

      1. Run the mac-limit rule-name rule-name { action { discard | forward } | alarm { disable | enable } | maximum max [ rate interval ] } * command to create the global MAC address learning limit rule.

      2. Run the interface interface-type interface-number command to enter the Ethernet interface view.

      3. Run the mac-limit vlan vlan-id1 [ to vlan-id2 ] rule-name rule-name command to apply the global MAC address learning limit rule to the VLAN to which the interface belongs.

      Without specifying a rule name

      1. Run the interface interface-type interface-number command to enter the interface view. Currently, the view can be the Ethernet interface view, GE interface view, Eth-Trunk interface view, VE interface view, global-VE interface view, or port group view.

      2. Run the mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max } * command to configure the MAC address learning limit rule.

    • Configure a MAC address learning limit rule in a virtual switching instance (VSI) to control the number of users in the VSI.

      1. Run the vsi vsi-name [ static ] command to enter the VSI view.

      2. Run the mac-limit { action { discard | forward } | maximum max [ rate interval ] } * command to configure the MAC address learning limit rule.

      3. Run the mac-limit up-threshold up-threshold down-threshold down-threshold command to configure alarm rising and falling thresholds for MAC address learning.

    • Configure a MAC address learning limit rule on a pseudo wire (PW) to control the number of users on the PW.

      1. Run the vsi vsi-name [ static ] command to display the VSI view.

      2. Run the pwsignal ldp command to display the VSI LDP view.

      3. Run the vsi-id vsi-id command to configure the VSI ID.

      4. Run the peer peer-address command to configure the IP address of a VSI peer.

      5. Run the peer peer-address pw pw-name command to create a PW.

      6. Run the mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max-number [ rate interval ] } * command to configure a MAC address learning limit rule.

  3. Run commit

    The configuration is committed.

Verifying the Configuration of Parameters for Dynamic MAC Address Entries

After parameters for dynamic MAC address entries are configured, you can check detailed information about the aging time and the MAC address learning limit rule.

Prerequisites

Parameters for dynamic MAC address entries have been configured.

Procedure

  • Run the display mac-address aging-time command to check the aging time of dynamic MAC address entries.
  • After a MAC address learning limit rule is configured, check the configuration as follows.

    Type of a MAC Address Learning Limit Rule

    Command for Checking the Rule

    MAC address learning limit rule on an interface

    • Checking the configuration by specifying a rule name

      Run the display mac-limit rule-name [ rule-name ] command to check the global MAC address learning limit rule.

    • Checking the configuration without specifying a rule name

      Run the display mac-limit [ interface-type interface-number ] [ vlan vlan-id ] command to check the MAC address learning limit rule.

    MAC address learning limit rule for a VLAN

    Run the display mac-limit [ interface-type interface-number ] [ vlan vlan-id ] command to check the MAC address learning limit rule.

    MAC address learning limit rule on a specified interface in a specified VLAN

    Run the display mac-limit rule-name [ rule-name ] command to check the global MAC address learning limit rule.

Example

Run the display mac-address aging-time command to view the aging time of dynamic MAC address entries.

<HUAWEI> display mac-address aging-time
  Aging time: 500 second(s)

Run the display mac-limit rule-name [ rule-name ] command to view detailed information about the global MAC address learning limit rule.

<HUAWEI> display mac-limit rule-name name1
Total Global MAC Limit rule count : 1 
RuleName      Maximum  Rate(ms)  Action    Alarm   PortNum  Port          Vlan 
-------------------------------------------------------------------------------
name1         1        21        discard   enable  6      
                                                           Eth-Trunk2.1     - 
                                                           GE1/0/1.1      -    
                                                           GE1/0/2.1      -    
                                                           GE1/0/3.1      -    
                                                           GE1/0/4.1      -    
                                                           GE1/0/5.1      -    

Run the display mac-limit command to view MAC address learning limit rules.

<HUAWEI> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT                        VLAN/BD/VSI/EVPN      SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GigabitEthernet1/1/13/0/3.1      -                     -    100     -        forward enable
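
A way to review display mac-limit output in bulk, flagging rules that do not use the packet discarding or alarm functions the page describes. This is an added example, not part of the Huawei guide: the sample rows are constructed in the column layout shown above, and the function names are hypothetical.

```python
import re

# Constructed sample, laid out like the `display mac-limit` output shown above.
SAMPLE = """\
MAC limit is enabled
Total MAC limit rule count : 3

PORT                        VLAN/BD/VSI/EVPN      SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1                     -                     -    100     -        forward enable
GE1/0/2                     10                    -    50      -        discard disable
GE1/0/3                     -                     -    20      -        discard enable
"""

# Seven whitespace-separated columns; the header and separator lines do not match
# because the fourth column must be numeric and the last two are fixed keywords.
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(discard|forward)\s+(enable|disable)\s*$"
)


def parse_mac_limit(text):
    """Return one dict per rule row found in the command output."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, scope, _slot, maximum, _rate, action, alarm = m.groups()
            rules.append({"port": port, "scope": scope, "maximum": int(maximum),
                          "action": action, "alarm": alarm})
    return rules


def audit(rules):
    """List (port, finding) pairs for rules lacking discard or alarm."""
    findings = []
    for r in rules:
        if r["action"] != "discard":
            findings.append((r["port"], "over-limit packets are not discarded"))
        if r["alarm"] != "enable":
            findings.append((r["port"], "alarm is disabled"))
    return findings
```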
Updated: 2019-01-04

Document ID: EDOC1100059440
