SGS-6341-Series User Manual
Table Of Contents
- Chapter 1 INTRODUCTION
- Chapter 2 INSTALLATION
- Chapter 3 Switch Management
- Chapter 4 Basic Switch Configuration
- Chapter 5 File System Operations
- Chapter 6 Cluster Configuration
- Chapter 7 Port Configuration
- Chapter 8 Port Isolation Function Configuration
- Chapter 9 Port Loopback Detection Function Configuration
- Chapter 10 ULDP Function Configuration
- Chapter 11 LLDP Function Operation Configuration
- Chapter 12 Port Channel Configuration
- Chapter 13 MTU Configuration
- Chapter 14 EFM OAM Configuration
- Chapter 15 PORT SECURITY
- Chapter 16 DDM Configuration
- Chapter 17 LLDP-MED
- Chapter 18 bpdu-tunnel Configuration
- Chapter 19 EEE Energy-saving Configuration
- Chapter 20 VLAN Configuration
- Chapter 21 MAC Table Configuration
- Chapter 22 MSTP Configuration
- Chapter 23 QoS Configuration
- Chapter 24 Flow-based Redirection
- Chapter 25 Flexible Q-in-Q Configuration
- Chapter 26 Layer 3 Management Configuration
- Chapter 27 ARP Scanning Prevention Function Configuration
- Chapter 28 Prevent ARP Spoofing Configuration
- Chapter 29 ARP GUARD Configuration
- Chapter 30 Gratuitous ARP Configuration
- Chapter 31 DHCP Configuration
- Chapter 32 DHCPv6 Configuration
- Chapter 33 DHCP Option 82 Configuration
- Chapter 34 DHCP Option 60 and option 43
- Chapter 35 DHCPv6 Options 37, 38
- Chapter 36 DHCP Snooping Configuration
- Chapter 37 DHCP Snooping Option 82 Configuration
- Chapter 38 IPv4 Multicast Protocol
- Chapter 39 IPv6 Multicast Protocol
- Chapter 40 Multicast VLAN
- Chapter 41 ACL Configuration
- Chapter 42 802.1x Configuration
- 42.1 Introduction to 802.1x
- 42.2 802.1x Configuration Task List
- 42.3 802.1x Application Example
- 42.4 802.1x Troubleshooting
- Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
- Chapter 44 Operational Configuration of AM Function
- Chapter 45 Security Feature Configuration
- 45.1 Introduction to Security Feature
- 45.2 Security Feature Configuration
- 45.2.1 Prevent IP Spoofing Function Configuration Task Sequence
- 45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
- 45.2.3 Anti Port Cheat Function Configuration Task Sequence
- 45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence
- 45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence
- 45.3 Security Feature Example
- Chapter 46 TACACS+ Configuration
- Chapter 47 RADIUS Configuration
- Chapter 48 SSL Configuration
- Chapter 49 IPv6 Security RA Configuration
- Chapter 50 MAB Configuration
- Chapter 51 PPPoE Intermediate Agent Configuration
- Chapter 52 Web Portal Configuration
- Chapter 53 VLAN-ACL Configuration
- Chapter 54 SAVI Configuration
- Chapter 55 MRPP Configuration
- Chapter 56 ULPP Configuration
- Chapter 57 ULSM Configuration
- Chapter 58 Mirror Configuration
- Chapter 59 sFlow Configuration
- Chapter 60 RSPAN Configuration
- Chapter 61 ERSPAN
- Chapter 62 SNTP Configuration
- Chapter 63 NTP Function Configuration
- Chapter 64 Summer Time Configuration
- Chapter 65 DNSv4/v6 Configuration
- Chapter 66 Monitor and Debug
- Chapter 67 Reload Switch after Specified Time
- Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU
- Chapter 69 Dying Gasp Configuration
- Chapter 70 PoE Configuration
Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
The MAC address list records the mapping between destination MAC addresses and the ports of the switch. It holds two kinds of MAC addresses: static and dynamic. A static MAC address is set by the user, has the highest priority (it is not overwritten by a dynamic MAC address), and is always effective; a dynamic MAC address is learnt by the switch while forwarding data frames and is effective only for a specific time range. When the switch receives a data frame to be forwarded, it learns the source MAC address of the frame, maps it to the receiving port, and then looks up the destination MAC address in the MAC address list. If a matching entry is found, the switch forwards the frame via the corresponding port; otherwise, it broadcasts the frame over the VLAN the frame belongs to. If a dynamically learnt MAC address matches no forwarded data for a long time, the switch deletes it from the MAC address list.
Usually the switch supports both static configuration and dynamic learning of MAC addresses, so each port can have more than one statically set MAC address and dynamically learnt MAC address, and can therefore forward data traffic between the port and known MAC addresses. When a MAC address becomes out of date, frames addressed to it are handled by broadcast. Our current switches put no limit on the number of MAC addresses per port; every port can hold several MAC addresses, either configured or learnt, until the hardware list entries are exhausted. To keep a port from holding too many MAC addresses, the number of MAC addresses a port can have should be limited.
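The learning, ageing and flooding behaviour described above, and the effect of a per-port limit on it, can be seen in a small model. This is an added example, not code from the manual or the switch firmware. The class and function names, the table capacity of 64, the port limit of 8, the 300-second ageing time and all MAC addresses are constructed assumptions.

```python
from collections import Counter

class MacTable:
    """Toy model of a switch MAC address list (hypothetical, not SGS-6341 firmware)."""

    def __init__(self, capacity, port_limit=None, age_limit=300):
        self.capacity = capacity      # assumed number of hardware list entries
        self.port_limit = port_limit  # max dynamic MACs per port; None = no limit
        self.age_limit = age_limit    # seconds an idle dynamic entry stays effective
        self.entries = {}             # (vlan, mac) -> [port, is_static, last_seen]

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = [port, True, None]

    def per_port(self):
        return Counter(e[0] for e in self.entries.values() if not e[1])

    def age(self, now):
        for key, (port, static, seen) in list(self.entries.items()):
            if not static and now - seen > self.age_limit:
                del self.entries[key]

    def receive(self, vlan, src, dst, in_port, now):
        """Learn the source MAC, then return the egress port or 'flood'."""
        self.age(now)
        entry = self.entries.get((vlan, src))
        if entry and entry[1]:
            pass  # static entries are never overwritten by learning
        elif entry:
            entry[0], entry[2] = in_port, now  # refresh (simplified: moves freely)
        elif len(self.entries) < self.capacity and (
                self.port_limit is None or self.per_port()[in_port] < self.port_limit):
            self.entries[(vlan, src)] = [in_port, False, now]
        hit = self.entries.get((vlan, dst))
        return hit[0] if hit else "flood"

def simulate(port_limit):
    """Port 1 presents 200 constructed source MACs, then a host on port 2 talks."""
    table = MacTable(capacity=64, port_limit=port_limit)
    for i in range(200):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"  # constructed address
        table.receive(1, mac, "ff:ff:ff:ff:ff:ff", 1, now=i * 0.01)
    table.receive(1, "02:aa:00:00:00:02", "ff:ff:ff:ff:ff:ff", 2, now=3)
    # Is a frame addressed to the port-2 host forwarded, or broadcast over the VLAN?
    verdict = table.receive(1, "02:bb:00:00:00:03", "02:aa:00:00:00:02", 3, now=4)
    return verdict, table.per_port()[1]
```

With no limit, port 1 takes all 64 entries and traffic to the port-2 host is broadcast; with a limit of 8, port 1 stops at 8 entries and the same frame is forwarded to port 2.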
For each INTERFACE VLAN, there is no limit on the number of IP addresses; the upper limit on the number of IP addresses is the upper limit on the number of users on an interface, which is also the upper limit on ARP and ND list entries. No configuration command is available to control the number of these list entries. To enhance the security and controllability of our products, we need to control the number of MAC addresses on each port and the number of ARP and ND entries on each INTERFACE VLAN. The number of static or dynamic MAC addresses on a port should not exceed the configured value, and the number of users on each VLAN should not exceed the configured value either.
Limiting the number of MAC and ARP list entries can prevent DoS attacks to a certain extent. When malicious users frequently perform MAC or ARP spoofing, it is easy for them to fill the MAC and