3Com WX2200 3CRWX220095A Switch User Manual

Restricting Layer 2 Forwarding Among
By default, clients within a VLAN are able to communicate with one
another directly at Layer 2. You can enhance network security by
restricting Layer 2 forwarding among clients in the same VLAN. When
you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding
only between a client and a set of MAC addresses, generally the VLAN’s
default routers. Clients within the VLAN are not permitted to
communicate among themselves directly. To communicate with another
client, the client must use one of the specified gateway routers.
For networks with IP-only clients, you can restrict client-to-client
forwarding using ACLs. (See “Restricting Client-To-Client Forwarding
Among IP-Only Clients” on page 409.)
To restrict Layer 2 forwarding in a VLAN, use the following command:
set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
You can specify multiple addresses by listing them on the same command
line or by entering multiple commands.
Restriction of client traffic does not begin until you enable the permitted
MAC list. Use the mode enable option with this command.
To change a MAC address, use the clear security l2-restrict command
to remove it, then use the set security l2-restrict command to add the
correct address.
clear security l2-restrict vlan vlan-id
[permit-mac mac-addr [mac-addr] | all]
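The following Python model of the forwarding rule described in this section is an added example, not MSS code: it mirrors the set and clear commands and the rule that nothing is restricted until mode enable is given. It assumes unicast frames only; the VLAN name and MAC addresses used are constructed.

```python
# Model of the MSS Layer 2 forwarding restriction (added example, not MSS
# code). Assumption: unicast frames only; a VLAN with no restriction
# configured, or with mode not yet enabled, forwards everything.
from dataclasses import dataclass, field


def normalize(mac: str) -> str:
    """Compare MAC addresses case-insensitively."""
    return mac.lower()


@dataclass
class L2RestrictVlan:
    """Per-VLAN state set by 'set security l2-restrict vlan ...'."""
    enabled: bool = False
    permit_macs: set = field(default_factory=set)


class L2RestrictPolicy:
    def __init__(self):
        self.vlans = {}

    def set_l2_restrict(self, vlan, mode=None, permit_mac=()):
        """set security l2-restrict vlan <vlan> [mode ...] [permit-mac ...]"""
        v = self.vlans.setdefault(vlan, L2RestrictVlan())
        if mode is not None:
            v.enabled = (mode == "enable")
        v.permit_macs.update(normalize(m) for m in permit_mac)

    def clear_l2_restrict(self, vlan, permit_mac=(), all_macs=False):
        """clear security l2-restrict vlan <vlan> [permit-mac ... | all]"""
        v = self.vlans.get(vlan)
        if v is None:
            return
        if all_macs:
            v.permit_macs.clear()
        else:
            v.permit_macs.difference_update(normalize(m) for m in permit_mac)

    def forward(self, vlan, src, dst) -> bool:
        """True if a unicast frame src->dst is forwarded at Layer 2."""
        v = self.vlans.get(vlan)
        if v is None or not v.enabled:
            return True  # no restriction, or permitted list not enabled yet
        # Allowed only between a client and a permitted MAC (either direction);
        # client-to-client frames in the VLAN are dropped.
        return normalize(src) in v.permit_macs or normalize(dst) in v.permit_macs


if __name__ == "__main__":
    p = L2RestrictPolicy()
    p.set_l2_restrict("red", mode="enable", permit_mac=["00:11:22:33:44:55"])
    print(p.forward("red", "00:aa:aa:aa:aa:01", "00:aa:aa:aa:aa:02"))  # False
```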
There can be a slight delay before functions such as pinging between
clients become available again after Layer 2 restrictions are lifted. Even
though packets are passed immediately once Layer 2 restrictions are
gone, it can take 10 seconds or more for upper-layer protocols to update
their ARP caches and regain their functionality.
To display configuration information and statistics for Layer 2 forwarding
restriction, use the following command:
display security l2-restrict [vlan vlan-id | all]