Example for Configuring MAC Address Limiting in a VLAN

Overview

The switch limits the number of MAC address entries based on VLANs or interfaces. In offices where clients seldom change, you can configure MAC address limiting to control user access. This can protect against certain attacks. For example, if an attacker forges a large number of packets with different source MAC addresses and sends the packets to the device, finite MAC address entries in the MAC address table of the device may be exhausted. When the MAC address table is full, the device cannot learn source MAC addresses of valid packets. As a result, the device broadcasts the valid packets, wasting bandwidth resources.

MAC address limiting in a VLAN can limit the number of MAC address entries on multiple interfaces in a VLAN.

Configuration Notes

  • After the port-security enable command is configured on an interface, MAC address limiting cannot take effect on the interface. Do not configure port security and MAC address limiting on the same interface simultaneously.
  • This example applies to all versions of all S series switches.
  • After the number of learned MAC address entries reaches the limit, SA cards and F series cards of chassis devices, and box devices (excluding the S5720EI), cannot discard packets whose source MAC addresses are not in the MAC address table.

Networking Requirements

In Figure 6-3, user network 1 is connected to GE1/0/1 of the switch through LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and GE1/0/1 and GE1/0/2 belong to VLAN 2. To control the number of access users, configure MAC address limiting in VLAN 2.

Figure 6-3  Networking of MAC address limiting in a VLAN (figure not reproduced here)

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.

  2. Configure MAC address limiting in a VLAN to prevent MAC address attacks and control the number of access users.

Procedure

  1. Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 2
    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type trunk   //Configure the link type of the interface as trunk.
    [Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2   //Add GE1/0/1 to VLAN 2.
    [Switch-GigabitEthernet1/0/1] quit
    [Switch] interface gigabitethernet 1/0/2   //The configuration of GE1/0/2 is similar to that of GE1/0/1.
    [Switch-GigabitEthernet1/0/2] port link-type trunk
    [Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
    [Switch-GigabitEthernet1/0/2] quit

  2. Configure the following MAC address limiting rule in VLAN 2: a maximum of 100 MAC addresses can be learned. When the number of learned MAC address entries reaches the limit, the device still forwards packets from new source MAC addresses (without learning them) and generates an alarm.

    [Switch] vlan 2
    [Switch-vlan2] mac-limit maximum 100 action forward   //The default action differs between versions, so configure the action explicitly. Among fixed switches, the action parameter can be set in the VLAN view only on the S5720EI; other fixed switches use the forward action in the VLAN view by default, so the parameter does not need to be set. The alarm function is enabled by default and needs no manual configuration.
    [Switch-vlan2] quit

  3. Verify the configuration.

    # Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.

    [Switch] display mac-limit
    MAC limit is enabled
    Total MAC limit rule count : 1

    PORT                 VLAN/VSI      SLOT Maximum Rate(ms) Action  Alarm
    ----------------------------------------------------------------------------
    -                    2                -    100     -     forward enable
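To make the Overview's reasoning concrete, here is a small Python model (an added example, not Huawei's code or part of the original post) of a learning switch with a finite MAC table and a per-VLAN mac-limit rule. The switch class, port names, host names and forged-source traffic are all constructed; the scenario shows that without a limit an attacker in VLAN 2 exhausts the shared table and a VLAN 3 reply is flooded, while with `mac-limit maximum 100 action forward` in VLAN 2 the rest of the table stays usable, the reply is unicast, and alarms are raised.

```python
from collections import Counter

FLOOD = "flood"  # unknown destination: frame is sent to every other port in the VLAN

class MacLimitSwitch:
    """Toy Layer 2 switch with per-VLAN MAC address limiting. This is a constructed
    model for illustration, not Huawei's implementation; 'action' mirrors the
    forward/discard choice of 'mac-limit maximum <n> action <forward|discard>'."""

    def __init__(self, table_capacity=1000):
        self.capacity = table_capacity  # finite hardware MAC table shared by all VLANs
        self.table = {}                 # (vlan, mac) -> port
        self.limits = {}                # vlan -> (maximum, action)
        self.alarms = Counter()         # vlan -> number of over-limit events

    def mac_limit(self, vlan, maximum, action="forward"):
        self.limits[vlan] = (maximum, action)

    def learned(self, vlan):
        return sum(1 for v, _ in self.table if v == vlan)

    def receive(self, vlan, in_port, src, dst):
        """Handle one frame: return the out-port, FLOOD, or None when discarded."""
        key = (vlan, src)
        if key in self.table:
            self.table[key] = in_port   # refresh the existing entry
        else:
            maximum, action = self.limits.get(vlan, (None, "forward"))
            if maximum is not None and self.learned(vlan) >= maximum:
                self.alarms[vlan] += 1  # limit reached: alarm and stop learning
                if action == "discard":
                    return None
            elif len(self.table) < self.capacity:
                self.table[key] = in_port   # normal source learning
            # else: the whole table is exhausted and src cannot be learned
        return self.table.get((vlan, dst), FLOOD)

def scenario(limit=None):
    """Attacker on GE1/0/1 in VLAN 2 sends frames from 1200 forged sources, then a
    host in VLAN 3 exchanges frames with its peer (constructed sample traffic).
    Returns (how the peer's reply is delivered, VLAN 2 alarms, VLAN 2 entries)."""
    sw = MacLimitSwitch(table_capacity=1000)
    if limit is not None:
        sw.mac_limit(2, limit, "forward")
    for i in range(1200):
        sw.receive(2, "GE1/0/1", f"forged-{i}", "ff:ff:ff:ff:ff:ff")
    sw.receive(3, "GE1/0/3", "host-a", "host-b")          # legitimate request
    reply = sw.receive(3, "GE1/0/4", "host-b", "host-a")  # peer's reply
    return reply, sw.alarms[2], sw.learned(2)
```

Note that the limit protects the switch as a whole: an attacker who fills VLAN 2's 100 entries first can still keep legitimate hosts in that same VLAN from being learned, which is why the page pairs the limit with an alarm rather than treating it as complete protection.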

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 2
#
vlan 2
 mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
return

For more configuration examples, see:

https://support.huawei.com/enterprise/en/doc/EDOC1000069520/9aadccc0/comprehensive-configuration-examples
