< Home

Configuring the MAC Address Limiting Function

Context

The MAC address limiting function controls the number of MAC address entries the switch can learn on an interface or in a VLAN. An insecure network is vulnerable to MAC address attacks. A malicious user may attempt to consume MAC address table resources and thereby prevent the switch from learning new entries by sending large numbers of packets with spurious source MAC addresses.

To address this issue, you can limit the number of MAC address entries the switch can learn on an interface or in a VLAN. You can also configure an action to take when the limit is reached.

Procedure

  • Limit the number of MAC address entries learned on an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run mac-limit maximum max-num

      The maximum number of MAC address entries that can be learned on the interface is set.

      By default, the number of MAC address entries learned on an interface is not limited.

    4. Run mac-limit action { discard | forward }

      The action to take when the number of learned MAC address entries reaches the limit is configured.

      By default, the switch discards packets with new MAC addresses when the number of learned MAC address entries reaches the limit.

    5. Run mac-limit alarm { disable | enable }

      The switch is configured to generate or not generate an alarm when the number of learned MAC address entries reaches the limit.

      By default, the switch generates an alarm when the number of learned MAC address entries reaches the limit.

  • Limit the number of MAC address entries learned in a VLAN.
    1. Run system-view

      The system view is displayed.

    2. Run vlan vlan-id

      The VLAN view is displayed.

    3. Run mac-limit maximum max-num

      The maximum number of MAC address entries learned in the VLAN is set.

      By default, the number of MAC address entries learned in a VLAN is not limited.

    4. Run mac-limit alarm { disable | enable }

      The switch is configured to generate or not generate an alarm when the number of learned MAC address entries reaches the limit.

      By default, the switch generates an alarm when the number of learned MAC address entries reaches the limit.

Verifying the Configuration

Run the display mac-limit command to check limiting on MAC address learning.

Parent Topic: Configuring MAC Address Tables
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >