
set security l2-restrict
Restricts Layer 2 forwarding between clients in the same VLAN. When
you restrict Layer 2 forwarding in a VLAN, MSS allows Layer 2 forwarding
only between a client and a set of MAC addresses, generally the VLAN’s
gateway routers. Clients within the VLAN are not permitted to
communicate among themselves directly. To communicate with another
client, the client must use one of the specified gateway routers.
Syntax — set security l2-restrict vlan vlan-id
[mode {enable | disable}] [permit-mac mac-addr [mac-addr]]
vlan-id — VLAN name or number.
mode {enable | disable} — Enables or disables restriction of Layer 2 forwarding.
permit-mac mac-addr [mac-addr] — MAC addresses to which clients are
allowed to forward data at Layer 2. You can specify up to four addresses.
Defaults — Layer 2 restriction is disabled by default.
Access — Enabled.
History — Introduced in MSS Version 4.1.
Usage — You can specify multiple addresses by listing them on the same
command line or by entering multiple commands. To change a MAC
address, use the clear security l2-restrict command to remove it, then
use the set security l2-restrict command to add the correct address.
Restriction of client traffic does not begin until you enable the permitted
MAC list. Use the mode enable option with this command.
Examples — The following command restricts Layer 2 forwarding of
client data in VLAN abc_air to the gateway routers with MAC addresses
aa:bb:cc:dd:ee:ff and 11:22:33:44:55:66:
WX4400# set security l2-restrict vlan abc_air mode enable
permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
success: change accepted.
See Also
clear security l2-restrict
clear security l2-restrict counters
display security l2-restrict
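The Usage notes above leave room for a VLAN to carry a permitted MAC list while restriction is still off, because mode enable was never entered. The following pre-change check is an added example, not part of the MSS documentation: it reads a batch of set security l2-restrict commands and flags that case, lists longer than four addresses, and malformed MAC addresses. The function name, the one-command-per-line input, the constructed sample, and the rule that the last mode seen for a VLAN wins are assumptions; clear commands are not interpreted.

```python
import re

# Constructed sample: planned commands in the syntax shown on this page,
# one per line (assumed input format, not output captured from a switch).
SAMPLE = """\
set security l2-restrict vlan abc_air mode enable permit-mac aa:bb:cc:dd:ee:ff 11:22:33:44:55:66
set security l2-restrict vlan guest permit-mac aa:bb:cc:dd:ee:ff
set security l2-restrict vlan lab mode enable permit-mac aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:02 aa:bb:cc:dd:ee:03
set security l2-restrict vlan lab permit-mac aa:bb:cc:dd:ee:04 aa:bb:cc:dd:ee:05
set security l2-restrict vlan voice mode enable permit-mac aa:bb:cc:dd:ee
"""

# An optional "WX4400# "-style prompt is tolerated in front of the command.
CMD = re.compile(r"^(?:\S+#\s+)?set security l2-restrict vlan (\S+)(.*)$")
MAC = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
MAX_MACS = 4  # "You can specify up to four addresses."


def audit_l2_restrict(config_text):
    """Return {vlan: [findings]} for each VLAN named in a set command."""
    vlans = {}
    for line in config_text.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue
        # Layer 2 restriction is disabled by default.
        s = vlans.setdefault(m.group(1), {"enabled": False, "macs": set(), "bad": []})
        mode = re.search(r"\bmode (enable|disable)\b", m.group(2))
        if mode:
            s["enabled"] = mode.group(1) == "enable"  # assumed: last mode wins
        # permit-mac is the final option, so its list runs to end of line;
        # addresses accumulate across multiple commands for the same VLAN.
        permit = re.search(r"\bpermit-mac\s+(.*)$", m.group(2))
        for tok in (permit.group(1).split() if permit else []):
            if MAC.match(tok):
                s["macs"].add(tok.lower())
            else:
                s["bad"].append(tok)
    report = {}
    for vlan, s in vlans.items():
        findings = []
        if s["macs"] and not s["enabled"]:
            findings.append("permit list set but mode not enabled: restriction inactive")
        if len(s["macs"]) > MAX_MACS:
            findings.append("%d permitted MACs exceeds the limit of %d" % (len(s["macs"]), MAX_MACS))
        findings += ["malformed MAC address: " + b for b in s["bad"]]
        report[vlan] = findings
    return report
```

An empty findings list for a VLAN means its planned commands enable restriction with a well-formed list of at most four gateway addresses.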