Specifications

Chapter 6: VLAN Commands

set security l2-restrict
Restricts Layer 2 forwarding between clients in the same VLAN. When you
restrict Layer 2 forwarding in a VLAN, UNIVERGE WL Control System allows
Layer 2 forwarding only between a client and a set of MAC addresses, generally
the VLAN default routers. Clients within the VLAN are not permitted to
communicate among themselves directly. To communicate with another client, the
client must use one of the specified default routers.
Syntax
set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
Defaults
Layer 2 restriction is disabled by default.
Access
Enabled.
Usage
You can specify multiple addresses by listing them on the same command
line or by entering multiple commands. To change a MAC address, use the clear
security l2-restrict command to remove it, and then use the set security
l2-restrict command to add the correct address.
Restriction of client traffic does not begin until you enable the permitted MAC
list. Use the mode enable option with this command.
Examples
The following command restricts Layer 2 forwarding of client data in
VLAN abc_air to the default routers with MAC addresses aa:bb:cc:dd:ee:ff and
11:22:33:44:55:66:
PROMPT# set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
success: change accepted.
Parameters
vlan-id
    VLAN name or number.
mode {enable | disable}
    Enables or disables restriction of Layer 2 forwarding.
permit-mac mac-addr [mac-addr]
    MAC addresses to which clients are allowed to forward data at Layer 2.
    You can specify up to four addresses.
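
Added example, not part of the original manual page: a small Python model of the behaviour described under Usage and Examples, showing that a permit list restricts nothing until mode enable is set and that the list is capped at four addresses. The class, method names and client MAC addresses are hypothetical, and treating the four-address limit as a total per VLAN is an assumption.

```python
import re
from dataclasses import dataclass, field

MAX_PERMIT_MACS = 4  # "You can specify up to four addresses" (assumed per VLAN)
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def normalize_mac(mac):
    """Lower-case a colon-separated MAC address and reject malformed input."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return mac

@dataclass
class L2RestrictPolicy:
    """Hypothetical model of one VLAN's l2-restrict state."""
    vlan: str
    enabled: bool = False  # Layer 2 restriction is disabled by default
    permit_macs: list = field(default_factory=list)

    def permit(self, *macs):
        """Add permitted MACs, enforcing the four-address limit."""
        for mac in map(normalize_mac, macs):
            if mac in self.permit_macs:
                continue
            if len(self.permit_macs) >= MAX_PERMIT_MACS:
                raise ValueError("more than four permit-mac addresses")
            self.permit_macs.append(mac)

    def forwarding_allowed(self, src, dst):
        """True if a frame between src and dst is forwarded at Layer 2."""
        if not self.enabled:
            return True  # a permit list alone does not start restriction
        peers = {normalize_mac(src), normalize_mac(dst)}
        return bool(peers & set(self.permit_macs))

    def set_command(self):
        """Render the state using the syntax documented on this page."""
        cmd = f"set security l2-restrict vlan {self.vlan}"
        cmd += " mode enable" if self.enabled else " mode disable"
        if self.permit_macs:
            cmd += " permit-mac " + " ".join(self.permit_macs)
        return cmd

if __name__ == "__main__":
    policy = L2RestrictPolicy("abc_air", enabled=True)
    policy.permit("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66")
    print(policy.set_command())
    # Constructed client addresses: client-to-client traffic is blocked.
    print(policy.forwarding_allowed("02:00:00:00:00:0a", "02:00:00:00:00:0b"))
```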