mac-limit vlan

Function

The mac-limit vlan command applies a global MAC address learning limit rule to a VLAN to which the specified interface belongs.

The undo mac-limit vlan command deletes a global MAC address learning limit rule applied to a VLAN to which the specified interface belongs.

By default, no global MAC address learning limit rule is applied to any VLAN to which the specified interface belongs.

Format

mac-limit vlan vlanBegin [ to vlanEnd ] { maximum maxValue [ rate interval ] | action { discard | forward } | alarm { disable | enable } } *

undo mac-limit vlan vlanBegin [ to vlanEnd ]

Parameters

vlanBegin
  Description: Specifies the VLAN ID associated with an Ethernet sub-interface. If the command is run more than once with different vlanBegin [ to vlanEnd ] ranges, all configurations take effect. This parameter is only supported on Layer 2 interfaces.
  Value: The value is an integer ranging from 1 to 4094.

to vlanEnd
  Description: Specifies the VLAN ID associated with an Ethernet sub-interface. If the command is run more than once with different vlanBegin [ to vlanEnd ] ranges, all configurations take effect. This parameter is only supported on Layer 2 interfaces.
  Value: The value is an integer ranging from 1 to 4094.

maximum maxValue
  Description: Specifies the maximum number of MAC address entries that can be learned.
  Value: The value is an integer ranging from 0 to 262144. When the value is 0, no limit is set on the number of MAC addresses that can be learned.

rate interval
  Description: Indicates the interval at which MAC addresses are learned. This parameter must be configured when configuring the global MAC address learning limit rule.
  Value: The value is an integer ranging from 0 to 1000, in milliseconds. When the value is 0, no limit is set on the address learning interval.

action
  Description: Specifies the action to be taken when the number of MAC address entries in the MAC address table reaches the limit.
  Value: -

discard
  Description: A packet whose source MAC address is not in the MAC address table is discarded.
  Value: -

forward
  Description: A packet whose source MAC address is not in the MAC address table is forwarded, but its MAC address is not recorded.
  Value: -

alarm
  Description: Specifies whether an alarm is generated when the number of MAC address entries in the MAC address table reaches the limit.
  Value: -

disable
  Description: No alarm is generated.
  Value: -

enable
  Description: An alarm is generated.
  Value: -

Views

Layer 2 100GE interface view, Layer 2 10GE interface view, 25GE-L2 view, 400GE-L2 view, Layer 2 40GE interface view, Layer 2 50GE interface view, Eth-Trunk interface view, Layer 2 GE interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name: mac
Operations: write

Usage Guidelines

Usage Scenario

To control the number of users and protect a MAC address table against attacks, you can limit the number of MAC addresses that a device can learn. You can also configure the system to discard packets or generate an alarm to improve network security.

Configuring an interface-based MAC address learning limit rule controls the number of access users on an interface. When the number of learned MAC addresses reaches the limit, no new MAC addresses are learned. You can also configure the system to discard packets or generate an alarm to improve network security.

Configuration Impact

After a MAC address learning limit rule is configured on an interface using the mac-limit command, a global MAC address learning limit rule cannot be applied on the interface using the mac-limit rule-name (interface view) command.

Trustworthy MAC addresses may not be recorded after the number of learned MAC addresses reaches the limit. If an enterprise or home network is attacked with packets carrying many different source MAC addresses, only that enterprise or home network, not the whole network, is affected.

Precautions

MAC address limitation is not supported on VE interfaces.

Before configuring a MAC address learning limit rule, run the reset mac-address command to clear the learned MAC addresses to ensure that the number of MAC addresses that can be learned is limited accurately.

Before running this command in the tunnel interface view, run the tunnel-protocol command to specify the GRE tunnel mode for the tunnel interface.

Ethernet interfaces, GE interfaces, and Eth-Trunk interfaces must be Layer 2 interfaces.

Example

# In a VLAN scenario, configure GE 0/1/2 to learn up to 1000 MAC addresses at a learning interval of 100 milliseconds. After the limit is reached, packets with new source MAC addresses are forwarded.
<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] quit
[*HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] portswitch
[*HUAWEI-GigabitEthernet0/1/2] port default vlan 100
[*HUAWEI-GigabitEthernet0/1/2] mac-limit action forward alarm enable maximum 1000 rate 100
# In a VPLS scenario, configure GE 0/1/2 to learn up to 1000 MAC addresses at a learning interval of 100 milliseconds. After the limit is reached, packets with new source MAC addresses are forwarded.
<HUAWEI> system-view
[~HUAWEI] mpls
[*HUAWEI-mpls] quit
[*HUAWEI] mpls l2vpn
[*HUAWEI-l2vpn] quit
[*HUAWEI] vsi vsa
[*HUAWEI-vsi-vsa] pwsignal ldp
[*HUAWEI-vsi-vsa-ldp] vsi-id 1
[*HUAWEI-vsi-vsa-ldp] quit
[*HUAWEI-vsi-vsa] quit
[*HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] l2 binding vsi vsa
[*HUAWEI-GigabitEthernet0/1/2] mac-limit action forward alarm enable maximum 1000 rate 100
# Configure GE 0/1/2 to learn up to 1000 MAC addresses.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/2
[*HUAWEI-GigabitEthernet0/1/2] portswitch
[*HUAWEI-GigabitEthernet0/1/2] mac-limit action forward alarm enable maximum 1000
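The following Python script is an added example and is not Huawei code or output from a device. It implements the documented grammar of mac-limit vlan (the vlanBegin [ to vlanEnd ] range and the three keyword groups that the trailing * allows in any order, each at most once) together with the documented value ranges, and then audits the interface blocks of a saved configuration for rules that leave the MAC address table weakly protected: maximum 0 (documented as "no limit"), a rule without maximum, action forward, alarm disable, or no rule at all. The sample configuration is constructed for the example, and the weakness classification is the example's own reading of the Usage Guidelines above, not a Huawei recommendation.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Value ranges documented in the Parameters section of this page.
VLAN_RANGE = (1, 4094)
MAX_RANGE = (0, 262144)
RATE_RANGE = (0, 1000)


@dataclass
class MacLimitRule:
    vlan_begin: int
    vlan_end: int
    maximum: Optional[int] = None  # None: keyword absent; 0: documented "no limit"
    rate: Optional[int] = None     # learning interval in ms; 0: no interval limit
    action: Optional[str] = None   # "discard" or "forward"
    alarm: Optional[str] = None    # "enable" or "disable"


def parse_mac_limit_vlan(line: str) -> MacLimitRule:
    """Parse one `mac-limit vlan vlanBegin [ to vlanEnd ] { ... } *` line."""
    tok = line.split()
    if tok[:2] != ["mac-limit", "vlan"]:
        raise ValueError(f"not a mac-limit vlan command: {line!r}")
    pos = 2

    def take_int(name: str, lo: int, hi: int) -> int:
        nonlocal pos
        if pos >= len(tok) or not tok[pos].isdigit():
            raise ValueError(f"{name}: integer expected in {line!r}")
        value = int(tok[pos])
        pos += 1
        if not lo <= value <= hi:
            raise ValueError(f"{name}={value} is outside {lo}..{hi}")
        return value

    begin = take_int("vlanBegin", *VLAN_RANGE)
    end = begin
    if pos < len(tok) and tok[pos] == "to":
        pos += 1
        end = take_int("vlanEnd", *VLAN_RANGE)
        if end < begin:
            raise ValueError(f"vlanEnd {end} precedes vlanBegin {begin}")
    rule = MacLimitRule(begin, end)

    seen = set()  # the `*` in the format: any order, each keyword group once
    while pos < len(tok):
        keyword = tok[pos]
        pos += 1
        if keyword in seen:
            raise ValueError(f"keyword {keyword!r} given twice in {line!r}")
        seen.add(keyword)
        if keyword == "maximum":
            rule.maximum = take_int("maxValue", *MAX_RANGE)
            if pos < len(tok) and tok[pos] == "rate":  # rate only follows maximum
                pos += 1
                rule.rate = take_int("interval", *RATE_RANGE)
        elif keyword in ("action", "alarm"):
            choices = ("discard", "forward") if keyword == "action" else ("disable", "enable")
            if pos >= len(tok) or tok[pos] not in choices:
                raise ValueError(f"{keyword}: expected one of {choices} in {line!r}")
            setattr(rule, keyword, tok[pos])
            pos += 1
        else:
            raise ValueError(f"unknown keyword {keyword!r} in {line!r}")
    if not seen:
        raise ValueError("at least one of maximum, action or alarm is required")
    return rule


def audit_mac_limits(config: str) -> Dict[str, List[str]]:
    """Walk interface blocks ('#' terminates a block) and list weak rules per interface.
    The weakness classification is this example's own, not a vendor rule set."""
    findings: Dict[str, List[str]] = {}
    has_rule = set()
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            findings[current] = []
        elif line == "#":
            current = None
        elif current and line.startswith("mac-limit vlan "):
            rule = parse_mac_limit_vlan(line)
            has_rule.add(current)
            span = f"vlan {rule.vlan_begin}"
            if rule.vlan_end != rule.vlan_begin:
                span += f" to {rule.vlan_end}"
            if rule.maximum is None:
                findings[current].append(f"{span}: rule sets no maximum")
            elif rule.maximum == 0:
                findings[current].append(f"{span}: maximum 0 means no learning limit")
            if rule.action == "forward":
                findings[current].append(f"{span}: unknown-source frames still forwarded at the limit")
            if rule.alarm == "disable":
                findings[current].append(f"{span}: alarm disabled, reaching the limit is silent")
    for name in findings:
        if name not in has_rule:
            findings[name].append("no mac-limit vlan rule configured")
    return findings


# Constructed sample configuration for the audit; not taken from a real device.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/1/2
 portswitch
 port default vlan 100
 mac-limit vlan 100 maximum 1000 rate 100 action discard alarm enable
#
interface GigabitEthernet0/1/3
 portswitch
 mac-limit vlan 200 to 210 maximum 0 alarm disable
#
interface GigabitEthernet0/1/4
 portswitch
 mac-limit vlan 300 action forward
#
interface GigabitEthernet0/1/5
 portswitch
#
"""
```

Running audit_mac_limits(SAMPLE_CONFIG) reports nothing for GigabitEthernet0/1/2, two findings for 0/1/3 (maximum 0 and alarm disable), two for 0/1/4 (no maximum and action forward) and a missing-rule finding for 0/1/5. The parser rejects out-of-range values such as a VLAN ID of 4095 or a duplicated keyword, which is the same check you would want before pushing a generated configuration to a device.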
Copyright © Huawei Technologies Co., Ltd.