Method used to configure the MAC address learning restriction on USG firewalls


The MAC address learning restriction is a function for configuring rules that restrict dynamic MAC address learning on an interface. It is intended for networks that provide user access but are not sufficiently secured, for example a residential (cell) access network or an enterprise intranet without security management.
When the number of MAC addresses learned on the interface reaches the configured limit, the MAC addresses of new users are not learned. With action discard, packets from these users are discarded; with action forward, their packets are still forwarded but their MAC addresses are not learned, so only discard actually blocks the additional hosts. The limit caps the number of hosts behind a port but does not authenticate them: a single host that sends frames with many spoofed source MAC addresses can use up the allowance and lock out legitimate users, so set the limit close to the number of hosts expected on the port.
Before configuring the MAC address learning restriction, if the interface has already learned MAC addresses, run the undo mac-address dynamic command in the system view to clear them. Otherwise, the entries learned before the limit was set distort the count and the effective limit is inaccurate.
To configure the MAC address learning restriction, run the mac-limit { maximum max | action { discard | forward } } * command in the Layer 2 interface view.
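The complete procedure above as an added configuration example, not taken from this page or from Huawei documentation. The interface name GigabitEthernet 0/0/1, the limit of 64 and the final display mac-address verification command are assumptions chosen for illustration; substitute the Layer 2 interface and the number of hosts actually expected behind it.

```text
# Added example: restrict dynamic MAC learning on one Layer 2 interface.
# Interface name, limit and the verification command are assumptions.
<USG> system-view
# Flush existing dynamic entries first; entries learned before the limit
# is set are otherwise not counted against it and the limit is inaccurate.
[USG] undo mac-address dynamic
[USG] interface GigabitEthernet 0/0/1
# Learn at most 64 dynamic MAC addresses on this port. Once the limit is
# reached, frames from unknown source MACs are dropped (discard) rather
# than forwarded without being learned (forward).
[USG-GigabitEthernet0/0/1] mac-limit maximum 64 action discard
[USG-GigabitEthernet0/0/1] quit
# Assumed verification step: list the learned entries and confirm the
# port never holds more than 64 dynamic addresses.
[USG] display mac-address
```

Choose discard unless there is a specific reason to keep forwarding: with forward, excess hosts still get their traffic through, so the limit only bounds the size of the MAC table rather than the number of hosts admitted.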

Other related questions:
Whether USG firewalls support MAC address learning restriction
The USG2000 and USG5000 support MAC address learning restriction.

Method used to modify the MAC address on USG firewalls
Method used to modify the MAC address on the USG2000, USG5000, and USG6000: USG firewalls do not support modification of the interface MAC address.

Method used to configure dynamic MAC address entries on USG firewalls
Dynamic MAC address entries are learned by the device or configured manually, and they age out according to the configured aging time. To configure a dynamic MAC address entry, run the mac-address dynamic mac-address interface-type interface-number vlan vlan-id command in the system view or interface view.

Method used to configure blackhole MAC address entries on USG firewalls
Blackhole MAC address entries are a special type of manually configured MAC address entry. The device discards a packet whose destination MAC address matches a blackhole entry. To configure a blackhole MAC address entry, run the mac-address blackhole mac-address interface-type interface-number vlan vlan-id command in the system view or interface view.

Method used to view the MAC address of a device on USG firewalls
The method used to view the MAC address of a device on the USG2000, USG5000, and USG6000 is as follows. The device MAC address cannot be viewed on the web UI. Run the display arp command in the command line to view the local interface MAC addresses and the MAC addresses of peers:

[USG] display arp
IP ADDRESS       MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPNINSTANCE VLAN/PVC
1.1.2.2          3400-a3d8-f023            I    Vlanif300
100.1.1.1        3400-a3d8-f023            I    Vlanif200
6.6.6.6          3400-a3d8-f023            I    Vlanif2
192.168.108.111  3400-a3d8-f01f            I    GE0/0/0
192.168.108.222  3400-a3d8-f01f            I    GE0/0/0
192.168.108.100  d46a-b330-c311  6         D    GE0/0/0
192.168.108.113  3400-a3da-e1b0  12        D    GE0/0/0
192.168.108.115  200b-c73b-6300  16        D    GE0/0/0
192.168.108.114  200b-c73b-5b00  16        D    GE0/0/0

In the TYPE column, I indicates the MAC address of a local interface and D indicates a dynamic entry learned from ARP packets. The I entries therefore give the local interface addresses, including VLANIF interfaces and Layer 3 (WAN) interfaces; the D entries give peer addresses. Note that D entries come from unauthenticated ARP exchanges, so a peer MAC shown there is what the network reported rather than a verified identity, and a peer appears only if the device has exchanged ARP with it recently enough that the entry has not expired.
