Set security l2-restrict – 3Com WXR100 3CRWXR10095A User Manual

Page 171


set security L2-restrict

Restricts Layer 2 forwarding between clients in the same VLAN. When
you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding
only between a client and a set of MAC addresses, generally the VLAN’s
gateway routers. Clients within the VLAN are not permitted to
communicate among themselves directly. To communicate with another
client, the client must use one of the specified gateway routers.

Syntax

set security L2-restrict vlan vlan-id [mode {enable | disable}] [permit-mac mac-addr [mac-addr]]

- vlan-id: VLAN name or number.

- mode {enable | disable}: Enables or disables restriction of Layer 2 forwarding.

- permit-mac mac-addr [mac-addr]: MAC addresses to which clients are allowed to forward data at Layer 2. You can specify up to four addresses.

Defaults — Layer 2 restriction is disabled by default.

Access — Enabled.

History — Introduced in MSS Version 4.1.

Usage — You can specify multiple addresses by listing them on the same
command line or by entering multiple commands. To change a MAC
address, use the clear security L2-restrict command to remove it, then
use the set security L2-restrict command to add the correct address.

Restriction of client traffic does not begin until you enable the permitted
MAC list. Use the mode enable option with this command to do so.

Examples — The following command restricts Layer 2 forwarding of
client data in VLAN abc_air to the gateway routers with MAC addresses
aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66:

WX4400# set security L2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
success: change accepted.
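
The following audit sketch is an added example, not part of the 3Com manual: it checks saved command lines against the rules above (restriction is not in effect until mode enable is set, and at most four permitted MAC addresses per VLAN). It assumes the configuration stores each command in the same syntax as typed and that the most recent mode setting wins; the function names and sample lines are constructed.

```python
import re

MAX_PERMIT_MACS = 4  # the manual: "You can specify up to four addresses"
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
CMD_RE = re.compile(r"^set security l2-restrict vlan (\S+)(.*)$", re.I)

# Constructed sample input (assumed config format), not from a real device.
SAMPLE_CONFIG = """\
set security L2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
set security L2-restrict vlan guest permit-mac aa:bb:cc:dd:ee:ff
set security L2-restrict vlan lab mode enable permit-mac 00:11:22:33:44:55
set security L2-restrict vlan lab permit-mac 00:11:22:33:44:5g
"""

def parse(config_text):
    """Merge every L2-restrict command per VLAN (assumes the last mode wins)."""
    vlans = {}
    for line in config_text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        state = vlans.setdefault(
            m.group(1), {"enabled": False, "macs": set(), "bad": set()})
        tokens = m.group(2).lower().split()
        i = 0
        while i < len(tokens):
            if tokens[i] == "mode" and i + 1 < len(tokens):
                state["enabled"] = tokens[i + 1] == "enable"
                i += 2
            elif tokens[i] == "permit-mac":
                i += 1
                while i < len(tokens) and tokens[i] not in ("mode", "permit-mac"):
                    # Well-formed MACs are collected; anything else is flagged.
                    state["macs" if MAC_RE.match(tokens[i]) else "bad"].add(tokens[i])
                    i += 1
            else:
                state["bad"].add(tokens[i])
                i += 1
    return vlans

def audit(config_text):
    """Return (vlan, finding) pairs for VLANs whose restriction is inactive or malformed."""
    findings = []
    for vlan, s in parse(config_text).items():
        if s["macs"] and not s["enabled"]:
            findings.append((vlan, "permit-mac set but mode not enabled: no restriction in effect"))
        if len(s["macs"]) > MAX_PERMIT_MACS:
            findings.append((vlan, "more than four permitted MAC addresses"))
        findings.extend((vlan, "unparseable token: " + t) for t in sorted(s["bad"]))
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the guest VLAN, whose permit list was entered without mode enable, and the malformed address in the lab VLAN.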

See Also

- clear security L2-restrict on page 153

- clear security L2-restrict counters on page 154

- display security L2-restrict on page 164
