Example for Configuring Traffic Suppression on a Specified Interface in a VLAN
This section provides an example for configuring traffic suppression on a specified interface in a VLAN, including the networking requirements, configuration roadmap, configuration procedure, and configuration files. Traffic suppression on a specified interface in a VLAN helps prevent interface+VLAN-based MAC address attacks and control the number of access users.
Networking Requirements
On the Ethernet, on the one hand, you need to manage user traffic and properly allocate bandwidths to users; on the other hand, for the sake of security, you need to suppress the unknown unicast traffic, multicast traffic, and broadcast traffic to ensure the normal forwarding of unicast traffic and proper utilization of network bandwidths. If you do not suppress the preceding traffic, the traffic mounts and consumes more network bandwidths, which degrades network performance or even interrupts communications.
As shown in Figure 1, interface1 and interface2 of the router belong to VLAN 10. PC1 and PC2 connect to the router. To improve network security, configure unknown unicast traffic suppression on interface1 and multicast and broadcast traffic suppression on interface2.
Configuration Roadmap
The configuration roadmap is as follows:
Create a VLAN and add the interfaces to it.
Configure the suppression rules.
Data Preparation
To complete the configuration, you need the following data:
VLAN ID (10)
Interface numbers (GE 0/1/0 and GE 0/1/8)
Committed information rate (CIR) for unknown traffic
Procedure
- Add the interfaces to the VLAN.
<HUAWEI> system-view [~HUAWEI] sysname Device [*HUAWEI] commit [~Device] interface gigabitethernet 0/1/0 [~Device-GigabitEthernet0/1/0] undo shutdown [*Device-GigabitEthernet0/1/0] portswitch [*Device-GigabitEthernet0/1/0] quit [*Device] interface gigabitethernet 0/1/8 [*Device-GigabitEthernet0/1/8] undo shutdown [*Device-GigabitEthernet0/1/8] portswitch [*Device-GigabitEthernet0/1/8] quit [*Device] vlan 10 [*Device-vlan10] port gigabitethernet 0/1/0 [*Device-vlan10] port gigabitethernet 0/1/8 [*Device-vlan10] commit
- Configure traffic suppression on the interfaces.
[~Device-vlan10] suppression inbound enable [*Device-vlan10] commit [~Device-vlan10] quit [~Device] interface gigabitethernet 0/1/0 [~Device-GigabitEthernet0/1/0] broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10 [*Device-GigabitEthernet0/1/0] multicast-suppression cir 38400 cbs 7200000 inbound vlan 10 [*Device-GigabitEthernet0/1/0] unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10 [*Device-GigabitEthernet0/1/0] quit [*Device] interface gigabitethernet 0/1/8 [*Device-GigabitEthernet0/1/8] broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10 [*Device-GigabitEthernet0/1/8] multicast-suppression cir 38400 cbs 7200000 inbound vlan 10 [*Device-GigabitEthernet0/1/8] unknown-unicast-suppression cir cbs 7200000 38400 inbound vlan 10 [*Device-GigabitEthernet0/1/8] quit [*Device] commit
- Verify the configuration.
Run the display this command in the interface view to view the configurations.
For example, the configurations on GE 0/1/0 are displayed as follows:
[*Device-GigabitEthernet0/1/0] display this # interface GigabitEthernet0/1/0 portswitch undo shutdown port default vlan 10 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10 #
Configuration Files
# sysname Device # vlan batch 10 # vlan 10 suppression inbound enable # interface GigabitEthernet0/1/0 undo shutdown portswitch port default vlan 10 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10 # interface GigabitEthernet0/1/8 undo shutdown portswitch port default vlan 10 broadcast-suppression cir 38400 cbs 7200000 inbound vlan 10 multicast-suppression cir 38400 cbs 7200000 inbound vlan 10 unknown-unicast-suppression cir 38400 cbs 7200000 inbound vlan 10 # return