Number, Limitation, Function of – PLANET WGSW-52040 User Manual
Page 383: VLAN, Typical, Examples

43.3 The Number Limitation Function of MAC and IP in Port, VLAN Typical Examples
[Figure: topology showing SWITCH A, SWITCH B and multiple PCs]
Figure 43-1: The Number Limitation of MAC and IP in Port, VLAN Typical Configuration Example
In the network topology above, SWITCH B connects to many PC users. Before the number
limitation function of MAC and IP in Port, VLAN is enabled, and if the system hardware has no
other limitation, SWITCH A and SWITCH B can learn the MAC, ARP and ND list entries of all the
PCs, so limiting the MAC and ARP list entries can avoid DoS attacks to a certain extent. When
malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and
ARP list entries of the switch, causing successful DoS attacks. Limiting the MAC, ARP and ND
list entries can prevent such DoS attacks.

On port 1/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learnt
to 20, of dynamic ARP addresses to 20, and of NEIGHBOR list entries to 10. In VLAN 1, set the
maximum number of dynamic MAC addresses to 30, of dynamic ARP addresses to 30, and of
NEIGHBOR list entries to 20.

SWITCH A configuration task sequence:
Switch (config)#interface ethernet 1/1
Switch (Config-If-Ethernet1/1)#switchport mac-address dynamic maximum 20
Switch (Config-If-Ethernet1/1)#switchport arp dynamic maximum 20
Switch (Config-If-Ethernet1/1)#switchport nd dynamic maximum 10
Switch (Config-if-Vlan1)#vlan mac-address dynamic maximum 30
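
The effect of the MAC limits configured above can be seen in a small model (an added example, not part of the PLANET manual or the switch firmware). It assumes that a port or VLAN at its limit simply stops learning new dynamic MAC addresses; the 64-entry table size, port 1/2 and all MAC addresses are hypothetical, constructed values.

```python
# Toy model of dynamic MAC learning with per-port and per-VLAN caps.
# Assumption: at a limit, new dynamic entries are silently not learned.
from collections import Counter

class MacTable:
    def __init__(self, capacity, port_limits=None, vlan_limits=None):
        self.capacity = capacity              # hypothetical hardware table size
        self.port_limits = port_limits or {}  # port -> max dynamic MACs
        self.vlan_limits = vlan_limits or {}  # vlan -> max dynamic MACs
        self.entries = {}                     # (vlan, mac) -> port
        self.per_port = Counter()
        self.per_vlan = Counter()

    def learn(self, mac, port, vlan):
        """Return True if the source MAC is (or becomes) a table entry."""
        key = (vlan, mac)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False                      # table exhausted
        if self.per_port[port] >= self.port_limits.get(port, float("inf")):
            return False                      # per-port cap reached
        if self.per_vlan[vlan] >= self.vlan_limits.get(vlan, float("inf")):
            return False                      # per-VLAN cap reached
        self.entries[key] = port
        self.per_port[port] += 1
        self.per_vlan[vlan] += 1
        return True

def run(port_limits, vlan_limits, capacity=64, spoofed=1000, hosts=5):
    """Flood spoofed sources on port 1/1, then learn real hosts on port 1/2.

    Returns (entries consumed by port 1/1, real hosts successfully learned).
    """
    table = MacTable(capacity, port_limits, vlan_limits)
    for i in range(spoofed):                  # constructed spoofed addresses
        table.learn(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "1/1", 1)
    learned = sum(table.learn(f"00:11:22:33:44:{i:02x}", "1/2", 1)
                  for i in range(hosts))
    return table.per_port["1/1"], learned

if __name__ == "__main__":
    print("no limits:          ", run({}, {}))
    print("port 20 / VLAN 30:  ", run({"1/1": 20}, {1: 30}))
```

Without limits the flood on port 1/1 takes every entry and no real host is learned; with the port limit of 20 and VLAN limit of 30 the flood is held to 20 entries and the VLAN cap leaves 10 entries for other ports.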