E Xamples - Edge-Core ES4624-SFP Manual

24.4 The Number Limitation Function of Port, MAC in
VLAN and IP Typical Examples
Fig 24-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example
In the network topology above, SWITCH B connects to many PC users, before
enabling the number limitation function of port, MAC in VLAN and IP, if the system
hardware has no other limitation, SWTICH A and SWTICH B can get the MAC, ARP, ND
list entries of all the PC, so limiting the MAC, ARP list entry can avoid DOS attack to a
certain extent. When malicious users frequently do MAC or ARP cheating, it will be easy
for them to fill the MAC and ARP list entries of the switch, causing successful DOS
attacks. Limiting the MAC, ARP list entry can prevent DOS attack.
On port 3/1 of SWITCH A, set the max number can be learnt of dynamic MAC
address as 20, of dynamic ARP address as 20, NEIGHBOR list entry as 10. In VLAN 1,
set the max number of dynamic MAC address as 30, of dynamic ARP address as 30,
NEIGHBOR list entry as 20.
SWITCH A configuration task sequence:
Switch(config)#
Switch (config)#int ethernet 3/1
Switch (Config-If-Ethernet3/1)#switchport mac-address dynamic maximum 20
Switch (Config-If-Ethernet3/1)#switchport arp dynamic maximum 20
Switch (Config-If-Ethernet3/1)#switchport nd dynamic maximum 10
895