mac-limit (VLAN view)

Function

The mac-limit command configures a MAC address learning limit rule for a VLAN.

The undo mac-limit command deletes a MAC address learning limit rule applied to a VLAN.

The mac-limit up-threshold down-threshold command sets the thresholds, as percentages of the maximum number of MAC addresses that can be learned, at which an alarm is generated and cleared.

The undo mac-limit up-threshold down-threshold command deletes the preceding setting.

By default, no threshold percentages for alarm generation and clearance are set.

Format

mac-limit { maximum max [ rate hours ] | action { discard | forward } } *

mac-limit up-threshold up-threshold down-threshold down-threshold

undo mac-limit

undo mac-limit up-threshold up-threshold down-threshold down-threshold

Parameters

| Parameter | Description | Value |
|---|---|---|
| maximum max | Specifies the maximum number of MAC addresses that can be learned. | The value is an integer ranging from 0 to 131072. When the value is 0, no limit is set on the number of MAC addresses that can be learned. |
| rate hours | Indicates the interval at which MAC addresses are learned. The parameter must be configured when configuring the global MAC address learning limit rule. | The value is an integer ranging from 0 to 1000, in milliseconds. When the value is 0, no limit is set on the address learning interval. |
| action | Specifies an action to be taken when the number of MAC address entries in the MAC address table reaches the limit. | - |
| discard | A packet whose source MAC address is not in the MAC address table is discarded. | - |
| forward | A packet whose source MAC address is not in the MAC address table is forwarded, but its MAC address is not recorded. | - |
| up-threshold up-threshold | Specifies the upper alarm threshold for the number of MAC addresses. This value is the percentage of learned MAC addresses relative to the maximum number of MAC addresses that can be learned at which an alarm is generated. | The value is an integer ranging from 1 to 100. |
| down-threshold down-threshold | Specifies the lower alarm threshold for the number of MAC addresses. This value is the percentage of learned MAC addresses relative to the maximum number of MAC addresses that can be learned at which the alarm is cleared. The down-threshold value must be smaller than the up-threshold value. | The value is an integer ranging from 1 to 100. |

Views

VLAN view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| mac | write |

Usage Guidelines

Usage Scenario

You can limit the number of MAC addresses that can be learned in a VLAN to control the number of users accessing that VLAN. When the number of learned MAC addresses exceeds the limit, no more MAC addresses are learned, which prevents MAC address attacks.

To improve network security, you can also run the mac-limit up-threshold down-threshold command to set alarm thresholds as percentages of the maximum number of MAC addresses that can be learned. When the number of learned MAC addresses exceeds the upper alarm threshold, an alarm is generated. When the number of learned MAC addresses falls below the lower alarm threshold, the alarm is cleared.

Prerequisites

Before running the mac-limit up-threshold down-threshold command, ensure that the mac-limit command has been run to set the maximum number of MAC addresses that can be learned in the specified VLAN.

Precautions

If the mac-limit up-threshold down-threshold command has been configured, you cannot delete the mac-limit configuration or run the mac-limit maximum 0 command. Instead, you must first run the undo mac-limit up-threshold up-threshold down-threshold down-threshold command to cancel the configured threshold percentages at which an alarm is generated or cleared.

Example

# Set the alarm generation and clearance thresholds for the number of MAC addresses in VLAN 2.
<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] mac-limit maximum 100
[*HUAWEI-vlan2] mac-limit up-threshold 80 down-threshold 60
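
The following added example (not Huawei code or device output) models the alarm behaviour of the configuration above, with maximum 100, up-threshold 80 and down-threshold 60, over a series of learned-MAC counts. It assumes that "exceeds" and "falls below" are strict comparisons and that thresholds require a non-zero maximum; the function names and the sample counts are constructed for illustration.

```python
# Added illustration (not Huawei code): models the alarm behaviour the page
# describes for "mac-limit up-threshold U down-threshold D" on one VLAN.
# Assumption: "exceeds" and "falls below" are strict comparisons against
# maximum * percent / 100; the device's exact rounding is not documented here.

def validate(maximum, up, down):
    """Apply the ranges and ordering rules from the Parameters table."""
    if not 0 <= maximum <= 131072:
        raise ValueError("maximum must be 0..131072")
    if maximum == 0:
        # Assumption drawn from Prerequisites/Precautions: 0 means "no limit".
        raise ValueError("thresholds need a non-zero mac-limit maximum")
    if not (1 <= up <= 100 and 1 <= down <= 100):
        raise ValueError("thresholds must be 1..100")
    if down >= up:
        raise ValueError("down-threshold must be smaller than up-threshold")


def alarm_events(counts, maximum, up, down):
    """Return (sample index, 'raise' | 'clear') for a series of learned-MAC counts."""
    validate(maximum, up, down)
    raise_at = maximum * up / 100
    clear_at = maximum * down / 100
    active, events = False, []
    for i, learned in enumerate(counts):
        learned = min(learned, maximum)  # learning stops at the limit
        if not active and learned > raise_at:
            active = True
            events.append((i, "raise"))
        elif active and learned < clear_at:
            active = False
            events.append((i, "clear"))
    return events


# Constructed sample: learned-MAC counts polled on VLAN 2 (maximum 100, 80/60).
SAMPLE = [40, 75, 81, 79, 85, 70, 61, 59, 65, 82]

if __name__ == "__main__":
    for index, event in alarm_events(SAMPLE, maximum=100, up=80, down=60):
        print(f"sample {index}: alarm {event} at {SAMPLE[index]} MACs")
```

The gap between the two thresholds keeps the alarm from toggling while the count hovers around 80: in the sample, the dip to 79 does not clear the alarm, which clears only at 59.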
Copyright © Huawei Technologies Co., Ltd.