How to configure MAC address limiting on interfaces


When configuring MAC address limiting on an interface, note the following restriction: port security and MAC address limiting cannot be configured on the same interface. Earlier versions do not have this restriction.

The following steps are performed in V100R005.

Procedure
Run the system-view command to enter the system view.
Run the interface interface-type interface-number command to enter the interface view.
Run the mac-limit maximum max-num command to set the maximum number of MAC addresses learned on the interface.

By default, the number of MAC addresses learned on an interface is not limited. Once the number of learned MAC addresses reaches the configured limit, the interface discards packets with new source MAC addresses and sends a trap message.

The port-security protect-action { protect | restrict | shutdown } command configures the protection action performed by the interface. Before configuring the protection action, run the port-security enable command to enable the port security function on the interface. The protection actions are as follows:

protect: The interface discards packets with new source MAC addresses.

restrict: The interface discards packets with new source MAC addresses and sends a trap message.

shutdown: The interface is shut down.

For example, set the maximum number of MAC addresses learned by the interface to 1 and configure the protection action to protect.

system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 1    //Set the maximum number of secure MAC addresses on the interface to 1.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action protect
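The restriction stated at the top of this page (mac-limit and port-security cannot share an interface on V100R005) is easy to miss in a large running configuration. The following added example, which is not part of the original page or of any Huawei tool, parses a constructed Huawei-style configuration text and reports the interfaces that carry both commands; the sample configuration and interface names are made up for illustration.

```python
from typing import Dict, List

# Constructed sample of a Huawei-style running configuration (not from the page).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port-security enable
 port-security protect-action protect
#
interface GigabitEthernet0/0/2
 mac-limit maximum 5
 port-security enable
#
interface GigabitEthernet0/0/3
 mac-limit maximum 10
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to the commands configured under it."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None          # a bare '#' closes the current view
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def find_conflicts(config: str) -> List[str]:
    """Return interfaces that carry both mac-limit and port-security.
    The page states that on V100R005 these cannot coexist on one interface."""
    conflicts = []
    for name, cmds in parse_interfaces(config).items():
        has_limit = any(c.startswith("mac-limit maximum") for c in cmds)
        has_psec = "port-security enable" in cmds
        if has_limit and has_psec:
            conflicts.append(name)
    return conflicts

if __name__ == "__main__":
    print("conflicting interfaces:", find_conflicts(SAMPLE_CONFIG))
```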

Other related questions:
How to configure an AR to limit the rate of traffic based on MAC addresses
You can configure a traffic policy to limit the rate of traffic based on MAC addresses as follows:

#
traffic classifier mac1 operator and
 if-match source-mac 0015-c50d-0001    //Configure a matching rule based on the source MAC address 0015-c50d-0001 in the traffic classifier mac1.
traffic classifier mac2 operator and
 if-match source-mac 0015-c50d-0002    //Configure a matching rule based on the source MAC address 0015-c50d-0002 in the traffic classifier mac2.
traffic classifier mac3 operator and
 if-match source-mac 0015-c50d-0003    //Configure a matching rule based on the source MAC address 0015-c50d-0003 in the traffic classifier mac3.
#
traffic behavior d1
 car cir 3000 cbs 564000 pbs 939000 mode color-blind green pass yellow pass red discard    //Create the traffic behavior d1 and configure the rate limit to 3000 kbit/s.
#
traffic policy myqos    //Configure the traffic policy myqos.
 classifier mac1 behavior d1    //Bind the traffic classifier mac1 to the traffic behavior d1.
 classifier mac2 behavior d1    //Bind the traffic classifier mac2 to the traffic behavior d1.
 classifier mac3 behavior d1    //Bind the traffic classifier mac3 to the traffic behavior d1.
#
interface GigabitEthernet 0/0/0
 ip address 10.1.1.1 255.255.255.0
 traffic-policy myqos inbound    //Apply the traffic policy myqos to the inbound interface.
#

How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. The interface then allows only packets with the bound MAC address and packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface. For example, to configure Ethernet 0/0/1 to allow only packets with the source MAC address 0-02-02, apart from packets matching the DHCP snooping binding table, and to discard all other packets, do as follows:

# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable
# Create an ACL that permits only the packets with the source MAC address 0-02-02.
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] rule deny
# Create a traffic classifier that matches ACL 4000.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000
# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only packets with the source MAC address 0-02-02 to pass through, apart from packets matching the DHCP snooping binding table. In V100R005C00 and later versions, the configuration is as follows:
[HUAWEI] interface Ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 4094
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound
