Number, Limitation, Function of – PLANET XGS3-24040 User Manual

Page 486: VLAN, Typical, Examples


Chapter 48 The Number Limitation Function of Port, MAC in VLAN and IP Configuration


debug vlan mac count
no debug vlan mac count
    All kinds of debug information when limiting the number of MAC in VLAN.

debug ip arp count
no debug ip arp count
    All kinds of debug information when limiting the number of ARP in VLAN.

debug ipv6 nd count
no debug ipv6 nd count
    All kinds of debug information when limiting the number of MAC in VLAN.

48.3 The Number Limitation Function of Port, MAC in VLAN and IP Typical Examples

Figure 3-1 The Number Limitation of Port, MAC in VLAN and IP Typical Configuration Example

In the network topology above, SWITCH B connects to many PC users. Before the number limitation function of port, MAC in VLAN and IP is enabled, and if the system hardware has no other limitation, SWITCH A and SWITCH B can learn the MAC, ARP and ND list entries of all the PCs. When malicious users frequently perform MAC or ARP cheating (spoofing), they can easily fill the MAC and ARP list entries of the switch, causing a successful DoS attack. Limiting the number of MAC, ARP and ND list entries can therefore prevent DoS attacks to a certain extent.

On port 1/1 of SWITCH A, set the maximum number of dynamic MAC addresses that can be learnt to 20, of dynamic ARP addresses to 20, and of NEIGHBOR list entries to 10. In VLAN 1, set the maximum number of dynamic MAC addresses to 30, of dynamic ARP addresses to 30, and of NEIGHBOR list entries to 20.
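An added illustration, not part of the PLANET manual and not switch CLI: a toy Python model of dynamic MAC learning that applies the example's limits (20 on port 1/1, 30 in VLAN 1) to constructed traffic, with and without the limits. The 1024-entry table size, port 1/2 and all MAC addresses are assumptions made for the model.

```python
from collections import defaultdict

class LimitedMacTable:
    """Toy model of dynamic MAC learning with per-port and per-VLAN caps."""
    def __init__(self, capacity, port_limit=None, vlan_limit=None):
        self.capacity = capacity            # hardware table size (assumed value)
        self.port_limit = port_limit or {}  # {port: max dynamic MACs}
        self.vlan_limit = vlan_limit or {}  # {vlan: max dynamic MACs}
        self.entries = {}                   # (vlan, mac) -> port
        self.per_port = defaultdict(int)
        self.per_vlan = defaultdict(int)
        self.dropped = defaultdict(int)     # refused learn attempts, per port

    def learn(self, port, vlan, mac):
        key = (vlan, mac)
        if key in self.entries:
            return True                     # already known, nothing to add
        over_port = self.per_port[port] >= self.port_limit.get(port, self.capacity)
        over_vlan = self.per_vlan[vlan] >= self.vlan_limit.get(vlan, self.capacity)
        if over_port or over_vlan or len(self.entries) >= self.capacity:
            self.dropped[port] += 1         # counter an operator would watch
            return False
        self.entries[key] = port
        self.per_port[port] += 1
        self.per_vlan[vlan] += 1
        return True


def simulate(table, flood_size=5000, legit_hosts=5):
    # Constructed traffic: port 1/1 sources many distinct source MACs in
    # VLAN 1, then legitimate hosts on port 1/2 try to get learned.
    for i in range(flood_size):
        hi, lo = divmod(i, 256)
        table.learn("1/1", 1, f"02:00:00:00:{hi:02x}:{lo:02x}")
    legit = [table.learn("1/2", 1, f"02:aa:00:00:00:{i:02x}") for i in range(legit_hosts)]
    return sum(legit), table.per_port["1/1"], table.dropped["1/1"]


def run_both():
    # Limits taken from the example: port 1/1 -> 20 MACs, VLAN 1 -> 30 MACs.
    unlimited = LimitedMacTable(capacity=1024)
    limited = LimitedMacTable(capacity=1024, port_limit={"1/1": 20}, vlan_limit={1: 30})
    return simulate(unlimited), simulate(limited)


if __name__ == "__main__":
    # Each tuple: (legitimate hosts learned, entries held by 1/1, refused on 1/1)
    print(run_both())
```

Without limits the single port consumes the whole table and no legitimate host is learned; with the limits the port holds 20 entries, and the VLAN cap of 30 still bounds the total learned in VLAN 1.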

[Figure: network topology showing SWITCH A, SWITCH B and multiple PCs]
