Configuring EVC Security Attributes

The NetEngine 8000 F supports various security attributes that can be deployed in a bridge domain to help devices securely transmit packets.

Usage Scenario

Table 1 describes the security functions deployed in a bridge domain to help devices securely transmit packets.

Table 1 Security functions

Security function: Limit on packet transmission between EVC Layer 2 sub-interfaces within a bridge domain
Description: An EVC Layer 2 sub-interface can be prevented from broadcasting received broadcast packets, unknown unicast packets, and unknown multicast packets to other EVC Layer 2 sub-interfaces in the same bridge domain.
Usage scenario: Forwarding malicious unknown unicast packets increases device resource consumption; as a result, device performance deteriorates, or the device breaks down. Preventing an EVC Layer 2 sub-interface from broadcasting received packets to other EVC Layer 2 sub-interfaces in the same bridge domain prevents attacks initiated using unknown packets. This function applies to networks without user changes or to networks with static MAC address-based forwarding paths.

Security function: Limit on MAC address learning within a bridge domain
Description: If a bridge domain has only one inbound interface and one outbound interface, MAC address learning can be disabled in the bridge domain to save MAC address entries.
Usage scenario: This function helps use the MAC address table space efficiently and gives the network high security. It applies to networks without user changes or to networks with static MAC address-based forwarding paths. If static MAC addresses are used and a great number of users access a switch, information about each user must be configured to establish a forwarding path, which increases the workload of the network administrator. New users cannot access a device that has this function enabled.

Security function: Split horizon
Description: A bridge domain is a broadcast domain, in which an EVC Layer 2 sub-interface broadcasts received packets within the domain. To reduce the broadcast volume, EVC Layer 2 sub-interfaces that do not need to communicate can be isolated from one another in the same bridge domain. To meet this requirement, enable split horizon to isolate EVC Layer 2 sub-interfaces from one another in the bridge domain.
Usage scenario: Split horizon applies to all Layer 2 networks.

Pre-configuration Tasks

Before configuring EVC security attributes, create a bridge domain.

Copyright © Huawei Technologies Co., Ltd.