mac-limit (VSI-LDP-PW view)

Function

The mac-limit command configures a MAC address learning limit rule for the current VSI.

The undo mac-limit command deletes a MAC address learning limit rule configured for the current VSI.

By default, no MAC address learning limit rule is configured for the current VSI.

Format

mac-limit { maximum maxValue [ rate interval ] | action { discard | forward } | alarm { enable | disable } } *

undo mac-limit

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| maximum maxValue | Specifies the maximum number of MAC addresses that can be learned. | The value is an integer ranging from 0 to 130048. When the value is 0, the number of MAC addresses that can be learned is not limited. |
| rate interval | Indicates the interval at which MAC addresses are learned. The parameter must be configured when configuring the global MAC address learning limit rule. | The value is an integer ranging from 0 to 1000, in milliseconds. When the value is 0, the MAC address learning interval is not limited. |
| action | Specifies an action to be taken when the number of MAC address entries in the MAC address table reaches the limit. | - |
| discard | The packet with the source MAC address not contained in the MAC address table is discarded. | - |
| forward | The packet with the source MAC address not contained in the MAC address table is forwarded but its MAC address is not recorded. | - |
| alarm | Specifies whether an alarm is generated when the number of MAC address entries in the MAC address table reaches the limit. | - |
| enable | An alarm is generated. | - |
| disable | No alarm is generated. | - |

Views

VSI-LDP-PW view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
| --- | --- |
| mac | write |

Usage Guidelines

Usage Scenario

To control the number of users and protect the MAC address table against attacks, you can limit the number of MAC addresses that can be learned by a device. You can also configure the system to discard packets to improve network security.

Configuring a MAC address learning limit rule for the current VSI controls the number of users in the current VSI. When the number of MAC addresses learned in the current VSI reaches the limit, no new MAC addresses can be learned. You can also configure the system to discard packets, which prevents MAC address attacks and improves network security.

Configuration Impact

Trustworthy MAC addresses may not be recorded after the number of learned MAC addresses reaches the limit. If an enterprise or a family is attacked by different source MAC addresses, only the network of the enterprise or family, not the whole network, is affected.
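
The following is an added example, not Huawei code or device output: a simplified Python model of the rule described above, showing how the discard and forward actions treat a burst of unseen source MAC addresses and why a trustworthy host that appears after the limit is reached is not recorded. The class name, the traffic and the alarm-once behavior are assumptions of the model; the rate parameter is not modeled.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class MacLimitModel:
    """Toy model of one mac-limit rule; not Huawei's implementation."""
    maximum: int = 0            # 0 means no limit, as in the parameter table
    action: str = "discard"     # "discard" or "forward"
    alarm: bool = True          # models "alarm enable"
    table: set = field(default_factory=set)
    alarms_raised: int = 0

    def receive(self, src_mac: str) -> str:
        """Classify one frame by its source MAC address."""
        if src_mac in self.table:
            return "known"
        if self.maximum == 0 or len(self.table) < self.maximum:
            self.table.add(src_mac)
            if self.alarm and len(self.table) == self.maximum:
                self.alarms_raised += 1     # the table has just reached the limit
            return "learned"
        # Limit reached and the source MAC is not in the table.
        return "discarded" if self.action == "discard" else "forwarded-unlearned"

def replay(model, frames):
    """Feed source MACs through the model and count the outcomes."""
    return Counter(model.receive(mac) for mac in frames)

# Constructed traffic: 3 hosts, 1000 unseen source MACs, the same 3 hosts
# again, then one trustworthy host that shows up late.
HOSTS = [f"00:e0:fc:00:00:{i:02x}" for i in range(1, 4)]
BURST = [f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(1000)]
LATE_HOST = "00:e0:fc:00:00:99"
FRAMES = HOSTS + BURST + HOSTS + [LATE_HOST]

if __name__ == "__main__":
    for maximum, action in [(5, "discard"), (5, "forward"), (0, "discard")]:
        model = MacLimitModel(maximum=maximum, action=action)
        outcome = replay(model, FRAMES)
        print(f"maximum {maximum} action {action}: {dict(outcome)}, "
              f"table={len(model.table)}, late host learned="
              f"{LATE_HOST in model.table}, alarms={model.alarms_raised}")
```

With a limit, the table stays bounded in both modes and the late host is never recorded; the two actions differ only in whether frames from unrecorded sources are dropped or passed on.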

Precautions

MAC address limitation is not supported on VE interfaces.

Before configuring a MAC address learning limit rule, run the reset mac-address command to clear the learned MAC addresses to ensure that the number of MAC addresses that can be learned is limited accurately.

Example

# Set the maximum number of MAC addresses that can be learned in the VSI named huawei to 500, and configure packets with the destination MAC address not contained in the MAC address table to be forwarded when the number of learned MAC addresses reaches the limit.
<HUAWEI> system-view
[~HUAWEI] vsi huawei
[*HUAWEI-vsi-huawei] pwsignal ldp
[*HUAWEI-vsi-huawei-ldp] vsi-id 100
[*HUAWEI-vsi-huawei-ldp] peer 192.168.1.1
[*HUAWEI-vsi-huawei-ldp] peer 192.168.1.1 pw pw1
[*HUAWEI-vsi-huawei-ldp-pw-pw1] mac-limit action forward maximum 500
Copyright © Huawei Technologies Co., Ltd.