Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration; Introduction to the Number Limitation Function of Port, MAC in VLAN and IP - Planet XGS3-42000R User Manual

4-slot Layer 3 IPv6/IPv4 routing chassis switch

Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration
48.1 Introduction to the Number Limitation Function of Port, MAC in VLAN and IP
The MAC address list identifies the mapping between destination MAC addresses and the ports of the
switch. There are two kinds of MAC addresses in the list: static and dynamic. A static MAC address is
set by the user, has the highest priority (it will not be overwritten by a dynamic MAC address), and is
always effective; a dynamic MAC address is learnt by the switch while transmitting data frames, and is
effective only for a specific time range. When the switch receives a data frame to be transmitted, it
learns the source MAC address of the frame, builds a mapping between that address and the receiving
port, and then looks up the destination MAC address in the MAC address list. If a matching entry is
found, the switch transmits the frame via the corresponding port; otherwise, the switch broadcasts the
frame over the VLAN it belongs to. If a dynamically learnt MAC address matches no transmitted data for
a long time, the switch deletes it from the MAC address list.
Usually the switch supports both static configuration and dynamic learning of MAC addresses, which
means each port can have more than one statically set MAC address and dynamically learnt MAC address,
and thus can carry data traffic between the port and known MAC addresses. When a MAC address ages
out, frames addressed to it are broadcast. No limit is placed on the number of MAC addresses on the
ports of our current switches; every port can have several MAC addresses, either by configuration or
by learning, until the hardware list entries are exhausted. To avoid too many MAC addresses on a port,
we should limit the number of MAC addresses a port can have.
For each INTERFACE VLAN, there is no limit on the number of IP addresses; the upper limit of the number
of IP addresses is the upper limit of the number of users on an interface, which is, at the same time,
the upper limit of ARP and ND list entries. There is no configuration command that can be used to
control the number of these list entries.
To enhance the security and controllability of our products, we need to control the number of MAC
addresses on each port and the number of ARP and ND entries on each INTERFACE VLAN. The number of
static or dynamic MAC addresses on a port should not exceed the configured value. The number of users
on each VLAN should not exceed the configured value, either.
Limiting the number of MAC and ARP list entries can prevent DoS attacks to a certain extent. When
malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and ARP
list entries of the switch, resulting in a successful DoS attack.
To sum up, it is very meaningful to develop the number limitation function of port, MAC in VLAN and IP.
The switch can control the number of MAC addresses on ports and the number of ARP and ND list entries
on ports and VLANs through configuration commands.
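The learning, lookup, aging and per-port limit behaviour described in this section, as a small Python model that compares an unlimited table with a limited one. This is an added example, not code from the manual or the switch firmware; the table capacity (64), the per-port limit (8), the aging time and all MAC addresses are constructed values.

```python
# Toy model of the switch MAC address list (constructed example, not vendor code).
class MacTable:
    def __init__(self, capacity, port_limit=None, age_out=300):
        self.capacity = capacity        # hardware list entries available (assumed value)
        self.port_limit = port_limit    # max dynamic MACs per port; None = no limit
        self.age_out = age_out          # seconds an unused dynamic entry survives (assumed)
        self.entries = {}               # mac -> [port, is_static, last_seen]

    def add_static(self, mac, port):
        self.entries[mac] = [port, True, None]

    def dynamic_count(self, port):
        return sum(1 for p, static, _ in self.entries.values() if p == port and not static)

    def learn(self, mac, port, now):
        entry = self.entries.get(mac)
        if entry:
            if not entry[1]:            # static entries are never overwritten
                entry[0], entry[2] = port, now
            return True
        if len(self.entries) >= self.capacity:
            return False                # list exhausted: the source cannot be learnt
        if self.port_limit is not None and self.dynamic_count(port) >= self.port_limit:
            return False                # per-port limit reached: entry refused
        self.entries[mac] = [port, False, now]
        return True

    def expire(self, now):
        for mac in [m for m, (_, s, t) in self.entries.items() if not s and now - t > self.age_out]:
            del self.entries[mac]

    def forward(self, src, dst, in_port, now):
        self.expire(now)
        self.learn(src, in_port, now)
        entry = self.entries.get(dst)
        return entry[0] if entry else "flood"   # unknown destination: broadcast in the VLAN

def simulate(port_limit):
    table = MacTable(capacity=64, port_limit=port_limit)
    # Port 1 presents 200 constructed source MACs, the list-filling case described above.
    for i in range(200):
        table.forward(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "ff:ff:ff:ff:ff:ff", 1, now=i * 0.01)
    # A legitimate host on port 2 sends its first frame, then port 3 sends a frame to it.
    table.forward("02:aa:00:00:00:01", "ff:ff:ff:ff:ff:ff", 2, now=3)
    return table.forward("02:bb:00:00:00:02", "02:aa:00:00:00:01", 3, now=4)
```

`simulate(None)` returns `"flood"` because port 1 alone consumed every list entry, while `simulate(8)` returns port `2` because the limit left room to learn the legitimate host.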
Limiting the number of dynamic MAC and IP of ports: