The mac-limit command configures a rule to limit the number of MAC addresses that can be learned.
The undo mac-limit command deletes the rule.
By default, the number of learned MAC addresses is not limited.
mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } * (Interface view)
mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } * (This command is supported in the VLAN view only on the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, and S5720-EI.)
mac-limit { maximum max-num | alarm { disable | enable } } * (This command is supported in the VLAN view only on the devices except the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, and S5720-EI. When the number of learned MAC address entries reaches the limit on a device, the device still forwards packets with new source MAC addresses, but does not add the new MAC addresses to the MAC address table.)
undo mac-limit
Parameter | Description | Value
---|---|---
action { discard \| forward } | Indicates the action performed when the number of learned MAC address entries reaches the limit. | If no action is specified in the command, the default action discard is used. NOTE: On the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H, S6730-S, and S6730S-S, running a version earlier than V200R019C10, the action parameter is unavailable. When the number of learned MAC addresses reaches the limit, the system takes the forward action by default.
alarm { disable \| enable } | Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit. | If you do not set this parameter in the command, the alarm function is enabled by default.
maximum max-num | Sets the maximum number of MAC addresses that can be learned. NOTE: If maximum has not been set, you must run the mac-limit command with maximum specified. If you have already run the mac-limit command to set the maximum number of MAC addresses that can be learned, you do not need to set maximum max-num when running this command again. | The value is a decimal integer that ranges from 0 to 4096. The value 0 indicates that the highest rate of MAC address learning is not limited.
Views
VLAN view, Ethernet interface view, 100GE interface view, 40GE interface view, GE interface view, XGE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view
Usage Scenario
The mac-limit command limits the number of access users and prevents attacks on the MAC address table (for example, flooding it with bogus source MAC addresses). You can enable the function to improve network security.
Precautions
The mac-limit command configuration takes effect only for dynamically learned MAC addresses. If some MAC addresses have already been learned, run the undo mac-address dynamic command to delete the learned MAC address entries. If you do not delete them, fewer new MAC addresses can be learned than the value configured using the mac-limit command, because the existing entries count toward the limit.
After the port-security enable command is configured on an interface, mac-limit cannot take effect. Do not configure mac-limit and port-security enable simultaneously.
The MAC address limiting function and NAC conflict on an interface; therefore, the mac-limit and mac-authen, dot1x enable, web-auth-server or authentication-profile commands cannot be used on the same interface.
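The two precautions above (mac-limit is ineffective alongside port-security enable, and cannot coexist with the NAC commands) are easy to violate in a large configuration. The following script is an added example, not Huawei's code or tooling: it audits a "display current-configuration"-style text for interfaces where mac-limit is configured together with a conflicting command, where maximum is outside the documented 0 to 4096 range, or where mac-limit is used without maximum ever having been set. The sample configuration is constructed, and the section layout (interface blocks delimited by "#" lines) and the conflict list derived from the Precautions are assumptions of this example.

```python
import re
from typing import Dict, List

# Constructed sample configuration (not taken from the page). It assumes the
# usual Huawei layout: one interface section per block, blocks separated by "#".
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type access
 mac-limit maximum 30 alarm enable
#
interface GigabitEthernet0/0/2
 port-security enable
 mac-limit maximum 30 alarm enable
#
interface GigabitEthernet0/0/3
 dot1x enable
 mac-limit maximum 5000
#
interface GigabitEthernet0/0/4
 mac-limit action discard
#
"""

# Commands the Precautions say must not be combined with mac-limit on one interface.
CONFLICTING = ("port-security enable", "mac-authen", "dot1x enable",
               "web-auth-server", "authentication-profile")
MAX_ALLOWED = 4096  # upper bound of the maximum max-num parameter


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group configuration lines by interface section (assumed '#'-delimited blocks)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#" or not line:
            current = None          # a bare "#" closes the current section
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_mac_limit(config: str) -> Dict[str, List[str]]:
    """Return a mapping of interface name -> list of findings for mac-limit misuse."""
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        mac_limit_lines = [l for l in lines if l.startswith("mac-limit")]
        if not mac_limit_lines:
            continue
        issues: List[str] = []
        # 1. Conflicts: mac-limit is silently ineffective or rejected with these.
        for cmd in CONFLICTING:
            if any(l.startswith(cmd) for l in lines):
                issues.append(f"mac-limit will not take effect: conflicts with '{cmd}'")
        # 2. Range check on maximum max-num (0 means unlimited, per the parameter table).
        has_maximum = False
        for l in mac_limit_lines:
            m = re.search(r"\bmaximum (\d+)\b", l)
            if m:
                has_maximum = True
                value = int(m.group(1))
                if value > MAX_ALLOWED:
                    issues.append(f"maximum {value} exceeds the allowed range 0-{MAX_ALLOWED}")
        # 3. The NOTE requires maximum to have been set before other options are used.
        if not has_maximum:
            issues.append("mac-limit without 'maximum': set maximum max-num first")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit_mac_limit(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{iface}: {issue}")
```

In the constructed sample, GigabitEthernet0/0/1 is clean, 0/0/2 is flagged for port-security enable, 0/0/3 for dot1x enable and an out-of-range maximum, and 0/0/4 for using mac-limit without maximum. Run it against real exported configuration to catch the same combinations before a change window, and adjust CONFLICTING if your platform documents additional incompatible features.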
Example
# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/2 to 30. Configure the device to generate an alarm when the number of learned MAC addresses reaches the limit.
```
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] mac-limit maximum 30 alarm enable
```