The mac-limit up-threshold down-threshold command sets the threshold percentage of MAC addresses that have alarms generated and cleared.
The undo mac-limit up-threshold down-threshold command deletes the preceding setting.
The mac-limit command configures a MAC address learning limit rule for the current VSI.
The undo mac-limit command deletes a MAC address learning limit rule configured for the current VSI.
By default, the threshold percentage of MAC addresses that have alarms generated and cleared is not set.
| Parameter | Description | Value |
|---|---|---|
| maximum max |
Specifies the maximum number of MAC address entries that can be learned. |
The value is an integer ranging from 0 to 2048000. When the value is 0, the number of MAC addresses that can be learned is not set. |
| rate hours |
Indicates the interval at which MAC addresses are learned. The parameter must be configured when configuring the global MAC address learning limit rule. |
The value is an integer ranging from 0 to 1000, in milliseconds. When the value is 0, no limitation is set on the address learning interval. |
| action |
Specifies an action to be taken when the number of MAC address entries in the MAC address table reaches the limit. |
- |
| discard |
The packet with the source MAC address not contained in the MAC address table is discarded. |
- |
| forward |
The packet with the source MAC address not contained in the MAC address table is forwarded but its MAC address is not recorded. |
- |
| up-threshold up-threshold |
Specifies the upper alarm threshold for the number of MAC addresses. This value indicates the percentage of the number of learned MAC addresses to the maximum number of MAC addresses that can be learned during alarm generation. |
The value is an integer ranging from 1 to 100. |
| down-threshold down-threshold |
Specifies the lower alarm threshold for the number of MAC addresses. This value indicates the percentage of the number of learned MAC addresses to the maximum number of MAC addresses that can be learned during alarm clearing. downPercent must be smaller than upPercent. |
The value is an integer ranging from 1 to 100. |
Usage Scenario
You can configure the number of MAC addresses that can be learned based on VSI to control the number of users accessing a VSI. When the number of learned MAC addresses exceeds the limit, no more MAC addresses are learned to prevent MAC address attacks. To improve network security, you can run this command to specify the percentage of the number of learned MAC addresses to the maximum number of MAC addresses that can be learned. When the number of learned MAC addresses exceeds the upper alarm threshold, an alarm is generated. When the number of learned MAC addresses falls below the lower alarm threshold, an alarm is cleared.
Prerequisites
Before running this command, ensure that the mac-limit command has been run to set the maximum number of MAC addresses that can be learned in a specified VSI.
Precautions
If mac-limit up-threshold down-threshold command has been configured, you cannot delete the mac-limit configuration or execute the mac-limit maximum 0 command. Instead, you must first run the undo mac-limit up-threshold up-threshold down-threshold down-threshold command to cancel the configured threshold percentage of the number of MAC addresses that generates or clears a alarm.
<HUAWEI> system-view [~HUAWEI] mpls lsr-id 1.1.1.1 [*HUAWEI] mpls [*HUAWEI-mpls] quit [*HUAWEI] mpls l2vpn [*HUAWEI-l2vpn] quit [*HUAWEI] vsi 1 [*HUAWEI-vsi-1] mac-limit maximum 100 [*HUAWEI-vsi-1] mac-limit up-threshold 80 down-threshold 60