Example for Configuring MAC Address Limiting on an Interface

Created: Feb 28, 2019 16:18:05

Overview

The switch limits the number of MAC address entries based on VLANs or interfaces. In offices where clients seldom change, you can configure MAC address limiting to control user access. This can protect against certain attacks. For example, if an attacker forges a large number of packets with different source MAC addresses and sends the packets to the device, finite MAC address entries in the MAC address table of the device may be exhausted. When the MAC address table is full, the device cannot learn source MAC addresses of valid packets. As a result, the device broadcasts the valid packets, wasting bandwidth resources.

MAC address limiting on an interface can be used in scenarios where users connected to an interface in small and medium-sized enterprises are fixed and seldom change.
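To make the exhaustion scenario above concrete, here is an added Python model of a Layer 2 learning switch (illustrative code written for this page, not Huawei's software or anything from the original example). It runs the same traffic twice: once with no limit, where a burst of frames with distinct source MACs on GE1/0/1 fills the shared MAC table so a later valid host is never learned and the reply to it is flooded, and once with a per-interface limit and discard action, where the surplus sources are dropped with an alarm and the valid host is learned normally. The tiny table capacity, the limit of 4, the interface names GE1/0/2 and GE1/0/3, and all MAC addresses are constructed assumptions chosen so the effect is visible.

```python
# Constructed parameters for this toy model (assumptions, not real device values).
TABLE_CAPACITY = 8          # finite shared MAC address table, kept tiny on purpose
INTERFACE_MAC_LIMIT = 4     # per-interface quota, like 'mac-limit maximum N'


class Switch:
    """Minimal learning switch with an optional per-interface MAC limit.

    The MAC table is shared by all interfaces, as on a real device. With a
    limit and action 'discard', a frame whose source MAC is new is dropped
    (and an alarm recorded) once the ingress interface has learned its quota.
    """

    def __init__(self, table_capacity, mac_limit=None):
        self.capacity = table_capacity
        self.mac_limit = mac_limit or {}    # {interface: maximum}
        self.table = {}                     # mac -> interface
        self.alarms = []                    # (interface, src_mac) alarm events
        self.stats = {"forwarded": 0, "flooded": 0, "discarded": 0}

    def learned_on(self, interface):
        return sum(1 for iface in self.table.values() if iface == interface)

    def receive(self, in_iface, src_mac, dst_mac):
        """Process one frame; return 'forwarded', 'flooded' or 'discarded'."""
        # 1. Source learning, subject to the interface limit.
        if src_mac not in self.table:
            limit = self.mac_limit.get(in_iface)
            if limit is not None and self.learned_on(in_iface) >= limit:
                self.alarms.append((in_iface, src_mac))   # action discard + alarm
                self.stats["discarded"] += 1
                return "discarded"
            if len(self.table) < self.capacity:
                self.table[src_mac] = in_iface
            # else: table is full, so even a valid source cannot be learned
        # 2. Destination lookup: unknown unicast (and broadcast) is flooded.
        if dst_mac in self.table:
            self.stats["forwarded"] += 1
            return "forwarded"
        self.stats["flooded"] += 1
        return "flooded"


def run_scenario(mac_limit):
    """Replay the same traffic with the given limit; return a summary dict."""
    sw = Switch(TABLE_CAPACITY, mac_limit)
    host1, host2, bcast = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "ff:ff:ff:ff:ff:ff"
    # A valid host on GE1/0/2 (constructed) speaks first, so it gets learned.
    sw.receive("GE1/0/2", host1, bcast)
    # A burst of 20 frames with distinct source MACs arrives on GE1/0/1.
    for i in range(20):
        sw.receive("GE1/0/1", f"02:00:00:00:00:{i:02x}", bcast)
    # A second valid host on GE1/0/3 (constructed) talks to the first one ...
    sw.receive("GE1/0/3", host2, host1)
    # ... and the first host replies. Without a limit this reply is flooded.
    reply = sw.receive("GE1/0/2", host1, host2)
    return {
        "table_size": len(sw.table),
        "second_host_learned": host2 in sw.table,
        "reply": reply,
        "alarms": len(sw.alarms),
        **sw.stats,
    }


if __name__ == "__main__":
    print("no limit:      ", run_scenario(None))
    print("limit on GE1/0/1:", run_scenario({"GE1/0/1": INTERFACE_MAC_LIMIT}))
```

In the unlimited run the table ends full (8 entries), the second host is never learned and the reply to it is flooded; with the limit on GE1/0/1, 16 frames are discarded with alarms, the table holds 6 entries and the reply is forwarded as normal unicast.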

Configuration Notes

  • After port-security enable is configured on an interface, MAC address limiting cannot be configured on the interface.
  • This example applies to all versions of all S series switches.

Networking Requirements

In Figure 6-4, user network 1 and user network 2 connect to the switch through the LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC address limiting can be configured on GE1/0/1 to control the number of access users.

Figure 6-4  Networking of MAC address limiting on an interface (figure image not available)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create VLANs and add interfaces to the VLANs to implement Layer 2 forwarding.

  2. Configure MAC address limiting on an interface to control the number of access users.

Procedure

  1. Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10 20   //Create VLAN 10 and VLAN 20.
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk   //Configure the link type of the interface as trunk.
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20   //Add GE1/0/1 to VLAN 10 and VLAN 20.
    [Switch-GigabitEthernet1/0/1] quit

  2. Configure the switch to learn a maximum of 100 MAC address entries on GE1/0/1. When the number of learned MAC address entries reaches the limit, the switch discards packets with new source MAC addresses and generates an alarm.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard   //The default action differs between versions, so specify the action explicitly. The alarm function is enabled by default and does not need to be configured.
    [Switch-GigabitEthernet1/0/1] quit

  3. Verify the configuration.

    # Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.

    [Switch] display mac-limit
    MAC limit is enabled
    Total MAC limit rule count : 1

    PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm
    ----------------------------------------------------------------------------
    GE1/0/1              -                -    100     -        discard enable
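Checking the display mac-limit output by eye works for one switch; across many it is easier to parse it and compare against the intended policy. The following Python is an added example for this page (not a Huawei tool): it parses the output exactly as shown above into rows, verifies that the declared rule count matches the rows found, and reports every way a given interface deviates from the expected maximum, action and alarm setting. The first sample is the output from this example; the second, with a different maximum and the action and alarm changed, is a constructed drift case, not output taken from a real device.

```python
import re

# Output of 'display mac-limit' exactly as shown in the example above.
EXPECTED_OUTPUT = """\
MAC limit is enabled
Total MAC limit rule count : 1

PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1              -                -    100     -        discard enable
"""

# Constructed drift case (assumption, not real device output): the limit was
# raised and the action and alarm changed from what the procedure configures.
DRIFTED_OUTPUT = """\
MAC limit is enabled
Total MAC limit rule count : 1

PORT                 VLAN/VSI         SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1              -                -    500     -        forward disable
"""

COLUMNS = ("port", "vlan_vsi", "slot", "maximum", "rate_ms", "action", "alarm")


def parse_mac_limit(output):
    """Return (enabled, declared_rule_count, rules) from display mac-limit text."""
    lines = [ln.rstrip() for ln in output.splitlines()]
    enabled = any(ln.strip() == "MAC limit is enabled" for ln in lines)
    declared = None
    rules = []
    in_table = False
    for ln in lines:
        stripped = ln.strip()
        m = re.match(r"Total MAC limit rule count\s*:\s*(\d+)$", stripped)
        if m:
            declared = int(m.group(1))
            continue
        # The dashed separator marks the start of the rule rows.
        if stripped and set(stripped) == {"-"}:
            in_table = True
            continue
        if not in_table or not stripped:
            continue
        fields = stripped.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected rule row: {ln!r}")
        row = dict(zip(COLUMNS, fields))
        row["maximum"] = int(row["maximum"])
        rules.append(row)
    return enabled, declared, rules


def audit_interface(output, port, maximum, action="discard", alarm="enable"):
    """Return a list of findings; empty means the port matches the policy."""
    enabled, declared, rules = parse_mac_limit(output)
    findings = []
    if not enabled:
        findings.append("MAC limiting is not enabled")
    if declared is not None and declared != len(rules):
        findings.append(f"declared rule count {declared} != {len(rules)} rows parsed")
    rule = next((r for r in rules if r["port"] == port), None)
    if rule is None:
        findings.append(f"no mac-limit rule on {port}")
        return findings
    if rule["maximum"] != maximum:
        findings.append(f"{port}: maximum is {rule['maximum']}, expected {maximum}")
    if rule["action"] != action:
        findings.append(f"{port}: action is {rule['action']}, expected {action}")
    if rule["alarm"] != alarm:
        findings.append(f"{port}: alarm is {rule['alarm']}, expected {alarm}")
    return findings


if __name__ == "__main__":
    print("example output:", audit_interface(EXPECTED_OUTPUT, "GE1/0/1", 100) or "OK")
    print("drifted output:", audit_interface(DRIFTED_OUTPUT, "GE1/0/1", 100))
```

Because the procedure relies on the alarm being on by default and on the action being set explicitly, the audit checks both columns rather than only the maximum, so a device running a version with a different default action is caught as well.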

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 20
 mac-limit maximum 100
#
return

For more configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples

