02-MAC Address Table Configuration (Layer 2 - LAN Switching Configuration Guide)
Contents
MAC address table configuration
How a MAC address table entry is created
Types of MAC address table entries
MAC address table-based frame forwarding
Configuring the MAC address table
Configuring MAC address table entries
Disabling MAC address learning
Configuring the aging timer for dynamic MAC address entries
Configuring the MAC learning limit
Displaying and maintaining MAC address tables
MAC address table configuration example
NOTE:
· MAC address table configuration applies only to Layer 2 Ethernet ports, Layer 2 virtual Ethernet (VE) interfaces, and Layer 2 aggregate interfaces.
· This document covers only the configuration of unicast MAC address table entries, including static, dynamic, and blackhole MAC address table entries.
Overview
A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following information:
· The MAC address of a connected network device
· The interface to which the device is connected
· The VLAN to which the interface belongs
When forwarding a frame, the router first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast, so broadcasts are reduced.
How a MAC address table entry is created
A MAC address table entry can be dynamically learned or manually configured.
Dynamically learning MAC address entries
Usually, a router can populate its MAC address table automatically by learning the source MAC addresses of incoming frames on each port.
When a frame arrives at a port, Port A for example, the router performs the following tasks:
1. Checks the source MAC address (MAC-SOURCE for example) of the frame.
2. Looks up the source MAC address in the MAC address table.
· If an entry is found, the router updates the entry.
· If no entry is found, the router adds an entry for MAC-SOURCE and Port A.
3. After learning this source MAC address, when the router receives a frame destined for MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame out Port A.
The router performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.
To adapt to network changes, MAC address table entries must be constantly updated. Each dynamically learned MAC address table entry has an aging timer. If an entry is not updated before the aging timer expires, it is deleted. If the entry is updated before the aging timer expires, the aging timer restarts.
Manually configuring MAC address entries
With dynamic MAC address learning, a router does not distinguish illegitimate frames from legitimate frames. This causes security hazards. For example, if a hacker sends frames with a forged source MAC address to a port different from the one where the real MAC address is connected, the router will create an entry for the forged MAC address, and will forward frames destined for the legal user to the hacker instead.
To enhance the security of a port, you can manually add MAC address entries in the MAC address table of the router to bind specific user devices to the port. Because manually configured entries have higher priority than the dynamically learned ones, this prevents hackers from stealing data using forged MAC addresses.
Types of MAC address table entries
A MAC address table may contain these types of entries:
· Static entries—Static entries are manually configured and never age out.
· Dynamic entries—Dynamic entries can be manually configured or dynamically learned and may age out.
· Blackhole entries—Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole MAC address entry.
NOTE: A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the router adopts the following two forwarding modes based on the MAC address table:
· Unicast mode—If an entry is available for the destination MAC address, the router forwards the frame out the outgoing interface indicated by the MAC address table entry.
· Broadcast mode—If the router receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the router broadcasts the frame to all the interfaces except the receiving interface.
Configuring the MAC address table
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
Configuring MAC address table entries
To fence off MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses.
You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
Add or modify a static, dynamic, or blackhole MAC address table entry globally
To add or modify a static, dynamic, or blackhole MAC address table entry in system view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add or modify a dynamic or static MAC address entry. | mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id | Use either command. Make sure that you have created the VLAN and assigned the interface to the VLAN. |
3. Add or modify a blackhole MAC address entry. | mac-address blackhole mac-address vlan vlan-id | Use either command. Make sure that you have created the VLAN and assigned the interface to the VLAN. |
Add or modify a static or dynamic MAC address table entry on an interface
To add or modify a static or dynamic MAC address table entry in interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Add or modify a MAC address entry. | mac-address { dynamic \| static } mac-address vlan vlan-id | Make sure that you have created the VLAN and assigned the interface to the VLAN. |
Disabling MAC address learning
You may need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your router is under attack from a large number of packets with different source MAC addresses.
Disabling MAC address learning on ports
After enabling global MAC address learning, you may disable the function on a single port, or on all ports in a port group as needed.
To disable MAC address learning on a Layer 2 Ethernet port, port group, Layer 2 VE interface, or Layer 2 aggregate interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view or port group view. | · Enter Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view: interface interface-type interface-number · Enter port group view: | Use any command. The configuration you make in Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view takes effect on the current interface only. Configuration made in port group view takes effect on all the member ports in the port group. |
3. Disable MAC address learning. | mac-address mac-learning disable | By default, MAC address learning is enabled on ports. |
NOTE: For more information about port group configuration, see Interface Configuration Guide.
Disabling MAC address learning on a VLAN
You may disable MAC address learning on a per-VLAN basis.
To disable MAC address learning on a VLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Disable MAC address learning on the VLAN. | mac-address mac-learning disable | By default, MAC address learning is enabled. |
Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry has not been updated before the aging timer expires, the router deletes the entry. This aging mechanism ensures that the MAC address table can be promptly updated to reflect the latest network changes.
Set the aging timer appropriately. Too long an aging interval may cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval may result in removal of valid entries, causing unnecessary broadcasts, which may affect router performance.
To configure the aging timer for dynamic MAC address entries:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the aging timer for dynamic MAC address entries. | mac-address timer { aging seconds \| no-aging } | Optional. The default setting is 300 seconds. |
NOTE:
· The MAC address aging timer takes effect globally only on dynamic MAC address entries (learned or administratively configured).
· You can reduce broadcasts on a stable network by disabling the aging timer to prevent dynamic entries from unnecessarily aging out. By reducing broadcasts, you improve not only network performance, but also security, because the chances for a data packet to reach unintended destinations are reduced.
Configuring the MAC learning limit
Configuring the MAC learning limit on ports
As the MAC address table grows, the forwarding performance of your router may degrade. To prevent the MAC address table from getting so large that the forwarding performance is affected, you can limit the number of MAC addresses that can be learned on a port.
To configure the MAC learning limit on a Layer 2 Ethernet interface, Layer 2 VE interface, Layer 2 aggregate interface, or all ports in a port group:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view or port group view. | · Enter Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view: interface interface-type interface-number · Enter port group view: | Use either command. The configuration you make in Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view takes effect on the current interface only. The configuration you make in port group view takes effect on all ports in the port group. |
3. Configure the MAC learning limit on the interface or port group, and specify whether or not frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached. | mac-address max-mac-count { count \| disable-forwarding } | By default, the maximum number of source MAC addresses that can be learned on an interface is not specified. |
Configuring the MAC learning limit on a VLAN
You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.
To configure the MAC learning limit on a VLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Configure the MAC learning limit on the VLAN, and specify whether or not frames with unknown source MAC addresses can be forwarded in the VLAN when the MAC learning limit is reached. | mac-address max-mac-count { count \| disable-forwarding } | By default, the maximum number of source MAC addresses that can be learned on a VLAN is not specified. |
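The following Python model is an added illustration, not code from this guide or from the vendor's software. It ties together the behaviour described in "How a MAC address table entry is created", "Types of MAC address table entries", "MAC address table-based frame forwarding", the aging timer, and the MAC learning limit above: dynamic learning on the ingress port, a forged source address moving a dynamic entry (and the static binding that stops it), blackhole filtering, aging of dynamic entries only, and a per-port learning limit with disable-forwarding. Class, method and port names, the hosts, and the simulated clock are the author's own assumptions; only the two host MAC addresses come from the configuration example later in this document.

```python
"""Constructed model of the MAC address table behaviour described in this guide.
Added example, not the guide's or vendor's code; names are the author's own and
time is a simulated clock passed in as `now` (seconds)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ffff-ffff-ffff"  # all-ones destination address


@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries (no outgoing interface)
    kind: str             # "static", "dynamic" or "blackhole"
    last_update: float    # simulated time the entry was created or refreshed


@dataclass
class MacTable:
    aging: Optional[float] = 300.0  # default aging timer; None models "no-aging"
    max_mac_count: Dict[str, int] = field(default_factory=dict)  # per-port learning limit
    disable_forwarding: Set[str] = field(default_factory=set)    # ports with disable-forwarding
    learning_disabled: Set[str] = field(default_factory=set)     # ports with mac-learning disable
    entries: Dict[Tuple[str, int], Entry] = field(default_factory=dict)  # (mac, vlan) -> Entry

    def add_static(self, mac: str, vlan: int, port: str, now: float = 0.0) -> None:
        self.entries[(mac, vlan)] = Entry(port, "static", now)   # overwrites a dynamic entry

    def add_blackhole(self, mac: str, vlan: int, now: float = 0.0) -> None:
        self.entries[(mac, vlan)] = Entry(None, "blackhole", now)

    def _learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Source-MAC learning. Returns False only when the frame must be dropped
        (learning limit reached on a port configured with disable-forwarding)."""
        existing = self.entries.get((mac, vlan))
        if existing is not None and existing.kind != "dynamic":
            return True   # static/blackhole entries are never overwritten by learning
        if existing is not None:
            existing.port, existing.last_update = port, now   # refresh (or move) the entry
            return True
        if port in self.learning_disabled:
            return True   # frame is still forwarded, nothing is learned
        limit = self.max_mac_count.get(port)
        learned = sum(1 for e in self.entries.values() if e.kind == "dynamic" and e.port == port)
        if limit is not None and learned >= limit:
            return port not in self.disable_forwarding
        self.entries[(mac, vlan)] = Entry(port, "dynamic", now)
        return True

    def age(self, now: float) -> None:
        """Delete dynamic entries that were not refreshed within the aging timer."""
        if self.aging is None:
            return
        for key, e in list(self.entries.items()):
            if e.kind == "dynamic" and now - e.last_update >= self.aging:
                del self.entries[key]

    def forward(self, src: str, dst: str, vlan: int, in_port: str,
                ports: List[str], now: float = 0.0) -> List[str]:
        """Return the egress ports for one frame; an empty list means it was dropped."""
        self.age(now)
        if not self._learn(src, vlan, in_port, now):
            return []
        src_entry = self.entries.get((src, vlan))
        if src_entry is not None and src_entry.kind == "blackhole":
            return []   # source blackhole filtering
        dst_entry = self.entries.get((dst, vlan))
        if dst_entry is not None:
            return [] if dst_entry.kind == "blackhole" else [dst_entry.port]  # blackhole / unicast mode
        return [p for p in ports if p != in_port]   # broadcast mode: all-ones or unknown destination


def demo() -> Dict[str, object]:
    """Walk through learning, spoofing, static binding, blackhole, aging and the learning limit."""
    A, B, C = "000f-e235-dc71", "000f-e235-abcd", "0000-0000-00c3"   # hosts (C is constructed)
    p10, p11, p12 = "GE3/1/10", "GE3/1/11", "GE3/1/12"
    ports = [p10, p11, p12]
    t, r = MacTable(), {}
    r["first_frame_floods"] = t.forward(A, B, 1, p10, ports, now=0)  # unknown dst: broadcast
    r["reply_unicast"] = t.forward(B, A, 1, p11, ports, now=1)       # A already learned on p10
    t.forward(A, B, 1, p12, ports, now=2)      # forged source A on p12 moves the dynamic entry
    r["after_spoof"] = t.forward(B, A, 1, p11, ports, now=3)         # A's traffic now exits p12
    t.add_static(A, 1, p10, now=4)             # mac-address static A interface p10 vlan 1
    t.forward(A, B, 1, p12, ports, now=5)      # forged source again: the static entry is not updated
    r["after_static"] = t.forward(B, A, 1, p11, ports, now=6)
    t.add_blackhole(B, 1, now=7)               # mac-address blackhole B vlan 1
    r["to_blackhole"] = t.forward(A, B, 1, p10, ports, now=8)
    t.forward(C, BROADCAST, 1, p11, ports, now=9)
    t.age(now=400)                             # 300 s timer: C ages out, static A stays
    r["dynamic_aged"] = (C, 1) not in t.entries
    r["static_kept"] = t.entries[(A, 1)].kind
    t.max_mac_count[p12] = 2                   # learning limit of 2 on p12, with disable-forwarding
    t.disable_forwarding.add(p12)
    out: List[str] = []
    for i in range(3):
        out = t.forward(f"0000-0000-00{i + 1:02x}", BROADCAST, 1, p12, ports, now=401)
    r["third_mac_dropped"] = out
    return r
```

Running `demo()` shows the sequence the text describes: the first frame to an unknown destination is flooded, the reply is unicast, a forged source address redirects the victim's traffic until the static entry is added, the blackhole entry drops frames to Host B, only the dynamic entry ages out, and on a port with a learning limit plus disable-forwarding the third unknown source is dropped rather than flooded.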
Displaying and maintaining MAC address tables
Task | Command | Remarks |
---|---|---|
Display MAC address table information. | display mac-address [ mac-address [ vlan vlan-id ] \| [ [ dynamic \| static ] [ interface interface-type interface-number ] \| blackhole ] [ vlan vlan-id ] [ count ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the aging timer for dynamic MAC address entries. | display mac-address aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the system or interface MAC address learning state. | display mac-address mac-learning [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
MAC address table configuration example
Network requirements
As shown in Figure 1,
· The MAC address of a host (Host A) is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 3/1/10 of the router. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the router.
· The MAC address of another host (Host B) is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so all packets destined for the host will be dropped.
· Set the aging timer for dynamic MAC address entries to 500 seconds.
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface GigabitEthernet 3/1/10 vlan 1
# Add a destination blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 3/1/10.
[Sysname] display mac-address interface GigabitEthernet 3/1/10
MAC ADDR         VLAN ID  STATE          PORT INDEX              AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet3/1/10   NOAGED
--- 1 mac address(es) found on port GigabitEthernet3/1/10 ---
# Display information about the destination blackhole MAC address table.
[Sysname] display mac-address blackhole
MAC ADDR         VLAN ID  STATE          PORT INDEX              AGING TIME
000f-e235-abcd   1        Blackhole      N/A                     NOAGED
--- 1 mac address(es) found ---
# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s
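The configuration example ends by reading the table back with display mac-address. Below is an added Python example, not part of this guide or the vendor's software, that parses that output and audits it against the intended state: the static binding for Host A must exist on GigabitEthernet 3/1/10, the blackhole entry for Host B must exist, and a port that is meant to carry only a bound host should show no dynamically learned addresses. SAMPLE_OUTPUT is constructed to follow the column layout shown above; the two dynamically learned rows (state "Learned", aging "AGING") and the function names are the author's assumptions.

```python
"""Parse the text of `display mac-address` and audit it against expected bindings.
Added example, not the guide's or vendor's code. SAMPLE_OUTPUT is constructed to
follow the column layout shown in the configuration example above; the dynamic
rows (state "Learned", aging "AGING") are an assumption about the device output."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE_OUTPUT = """\
MAC ADDR         VLAN ID  STATE          PORT INDEX              AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet3/1/10   NOAGED
000f-e235-abcd   1        Blackhole      N/A                     NOAGED
0011-2233-4455   1        Learned        GigabitEthernet3/1/11   AGING
0011-2233-6677   1        Learned        GigabitEthernet3/1/10   AGING
--- 4 mac address(es) found ---
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")


@dataclass(frozen=True)
class MacEntry:
    mac: str
    vlan: int
    state: str    # e.g. "Config static", "Blackhole", "Learned"
    port: str     # "N/A" for blackhole entries
    aging: str    # "NOAGED" for static/blackhole entries


def parse_mac_table(text: str) -> List[MacEntry]:
    """Columns are separated by two or more spaces; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) != 5 or not MAC_RE.match(cols[0]):
            continue
        mac, vlan, state, port, aging = cols
        entries.append(MacEntry(mac, int(vlan), state, port, aging))
    return entries


def audit(entries: Iterable[MacEntry],
          expected_static: Dict[Tuple[str, int], str],
          expected_blackhole: Set[Tuple[str, int]],
          bound_only_ports: Set[str]) -> List[str]:
    """Report drift from the intended table.

    expected_static maps (mac, vlan) to the port it must be bound to, expected_blackhole
    lists (mac, vlan) pairs that must be blackholed, and bound_only_ports are ports that
    should carry no dynamically learned addresses at all."""
    entries = list(entries)
    by_key = {(e.mac, e.vlan): e for e in entries}
    findings = []
    for (mac, vlan), port in expected_static.items():
        e = by_key.get((mac, vlan))
        if e is None:
            findings.append(f"missing static entry {mac} vlan {vlan}")
        elif "static" not in e.state.lower():
            findings.append(f"{mac} vlan {vlan} is {e.state}, expected static binding to {port}")
        elif e.port != port:
            findings.append(f"{mac} vlan {vlan} bound to {e.port}, expected {port}")
    for mac, vlan in sorted(expected_blackhole):
        e = by_key.get((mac, vlan))
        if e is None or e.state.lower() != "blackhole":
            findings.append(f"missing blackhole entry {mac} vlan {vlan}")
    for e in entries:
        is_dynamic = "static" not in e.state.lower() and e.state.lower() != "blackhole"
        if is_dynamic and e.port in bound_only_ports:
            findings.append(f"dynamic entry {e.mac} vlan {e.vlan} learned on bound-only port {e.port}")
    return findings


def audit_sample() -> List[str]:
    """Audit the constructed sample against the bindings from the configuration example."""
    return audit(parse_mac_table(SAMPLE_OUTPUT),
                 {("000f-e235-dc71", 1): "GigabitEthernet3/1/10"},
                 {("000f-e235-abcd", 1)},
                 {"GigabitEthernet3/1/10"})
```

On the constructed sample, `audit_sample()` reports one finding: an unexpected dynamically learned address on GigabitEthernet3/1/10, the port that should carry only Host A. Splitting on runs of two or more spaces is what keeps the two-word state "Config static" in one column; if a device prints columns with a single space, adjust the separator accordingly.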