Specifications
Configuring and Managing VLANs
RoamAbout Mobility System Software Configuration Guide 4-19
Restricting Layer 2 Forwarding Among Clients
By default, clients within a VLAN are able to communicate with one another directly at Layer 2. You can enhance network security by restricting Layer 2 forwarding among clients in the same VLAN. When you restrict Layer 2 forwarding in a VLAN, MSS (Mobility System Software) allows Layer 2 forwarding only between a client and a set of MAC addresses, generally the VLAN's default routers. Clients within the VLAN are not permitted to communicate among themselves directly. To communicate with another client, the client must use one of the specified default routers.
To restrict Layer 2 forwarding in a VLAN, use the following command:
set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
You can specify multiple addresses by listing them on the same command line or by entering multiple commands.
Restriction of client traffic does not begin until you enable the permitted MAC list. Use the mode enable option with this command.
To change a MAC address, use the clear security l2-restrict command to remove it, then use the set security l2-restrict command to add the correct address:
clear security l2-restrict vlan vlan-id
[permit-mac mac-addr [mac-addr] | all]
To display configuration information and statistics for Layer 2 forwarding restriction, use the following command:
show security l2-restrict [vlan vlan-id | all]
Examples
The following commands restrict Layer 2 forwarding of client data in VLAN abc_air to the default routers with MAC addresses aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66, and display restriction information and statistics:
set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff
11:22:33:44:55:66
success: change accepted.
show security l2-restrict
VLAN Name       En  Drops  Permit MAC          Hits
---- ---------- --- ------ ------------------- ----
1    abc_air    Y   0      aa:bb:cc:dd:ee:ff   5947
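A restriction that is configured but left in mode disable, or a permit list that drifts away from the real default routers, silently gives clients back Layer 2 reachability to each other. The following added audit script (not part of the guide or of MSS) parses the show security l2-restrict output shown above and compares each VLAN against the router MACs you expect; the sample output is constructed, and the continuation-line layout for a second permit MAC and the second, disabled VLAN are assumptions.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample of `show security l2-restrict all` output. The column layout
# follows the guide's example; the continuation line carrying a second permit MAC
# and the disabled VLAN "guest" are assumptions made for this illustration.
SAMPLE_OUTPUT = """\
VLAN Name       En  Drops  Permit MAC          Hits
---- ---------- --- ------ ------------------- ----
1    abc_air    Y   0      aa:bb:cc:dd:ee:ff   5947
                           11:22:33:44:55:66   12
2    guest      N   0
"""


def parse_l2_restrict(text):
    """Parse show output into {vlan_name: {"enabled": bool, "permit": {mac: hits}}}."""
    vlans = {}
    current = None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "VLAN" or fields[0].startswith("-"):
            continue                                   # header or separator line
        if fields[0].isdigit():                        # a new VLAN record starts
            name, enabled = fields[1], fields[2] == "Y"
            current = vlans.setdefault(name, {"enabled": enabled, "permit": {}})
            fields = fields[4:]                        # drop id, name, En, Drops
        if current is not None and fields and MAC_RE.match(fields[0]):
            hits = int(fields[1]) if len(fields) > 1 else 0
            current["permit"][fields[0].lower()] = hits
    return vlans


def audit(vlans, expected):
    """Return findings for VLANs whose restriction is off or whose permit list
    differs from the expected default-router MACs ({vlan_name: set_of_macs})."""
    findings = []
    for name, want in expected.items():
        got = vlans.get(name)
        if got is None:
            findings.append(f"{name}: no l2-restrict entry")
            continue
        if not got["enabled"]:
            findings.append(f"{name}: restriction not enabled (mode enable missing)")
        have = set(got["permit"])
        for mac in sorted(want - have):
            findings.append(f"{name}: expected router {mac} not in permit list")
        for mac in sorted(have - want):
            findings.append(f"{name}: unexpected permit-mac {mac}")
    return findings
```

Feed the script the output of show security l2-restrict all from each controller and treat any finding as a configuration drift to correct with the set and clear commands above.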
Note: For networks with IP-only clients, you can restrict client-to-client forwarding using ACLs. (See
“Restricting Client-To-Client Forwarding Among IP-Only Clients” on page 15-28.)
Note: There can be a slight delay before functions such as pinging between clients become
available again after Layer 2 restrictions are lifted. Even though packets are passed immediately
once Layer 2 restrictions are gone, it can take 10 seconds or more for upper-layer protocols to
update their ARP caches and regain their functionality.