03-Layer 2 - LAN Switching Configuration Guide

02-MAC Address Table Configuration

NOTE:

· MAC address table configuration applies only to Layer 2 Ethernet ports, Layer 2 virtual Ethernet (VE) interfaces, and Layer 2 aggregate interfaces.

· This document covers only the configuration of unicast MAC address table entries, including static, dynamic, and blackhole MAC address table entries.

Overview

A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following information:

· The MAC address of a connected network device

· The interface to which the device is connected

· The VLAN to which the interface belongs

When forwarding a frame, the router first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast, so broadcasts are reduced.

How a MAC address table entry is created

A MAC address table entry can be dynamically learned or manually configured.

Dynamically learning MAC address entries

Usually, a router can populate its MAC address table automatically by learning the source MAC addresses of incoming frames on each port.

When a frame arrives at a port, Port A for example, the router performs the following tasks:

1. Checks the source MAC address (MAC-SOURCE for example) of the frame.

2. Looks up the source MAC address in the MAC address table.

   · If an entry is found, the router updates the entry.

   · If no entry is found, the router adds an entry for MAC-SOURCE and Port A.

3. After learning this source MAC address, when the router receives a frame destined for MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame out Port A.

The router performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.

To adapt to network changes, MAC address table entries must be constantly updated. Each dynamically learned MAC address table entry has an aging timer. If an entry is not updated before the aging timer expires, it is deleted. If the entry is updated before the aging timer expires, the aging timer restarts.

Manually configuring MAC address entries

With dynamic MAC address learning, a router does not distinguish illegitimate frames from legitimate frames. This causes security hazards. For example, if a hacker sends frames with a forged source MAC address to a port different from the one where the real MAC address is connected, the router will create an entry for the forged MAC address, and will forward frames destined for the legal user to the hacker instead.

To enhance the security of a port, you can manually add MAC address entries in the MAC address table of the router to bind specific user devices to the port. Because manually configured entries have higher priority than the dynamically learned ones, this prevents hackers from stealing data using forged MAC addresses.

Types of MAC address table entries

A MAC address table may contain these types of entries:

· Static entries: Static entries are manually configured and never age out.

· Dynamic entries: Dynamic entries can be manually configured or dynamically learned and may age out.

· Blackhole entries: Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole MAC address entry.

NOTE:

A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

MAC address table-based frame forwarding

When forwarding a frame, the router adopts the following two forwarding modes based on the MAC address table:

· Unicast mode: If an entry is available for the destination MAC address, the router forwards the frame out the outgoing interface indicated by the MAC address table entry.

· Broadcast mode: If the router receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the router broadcasts the frame to all the interfaces except the receiving interface.

Configuring the MAC address table

The configuration tasks discussed in the following sections are all optional and can be performed in any order.

Configuring MAC address table entries

To fence off MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses.

You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

Add or modify a static, dynamic, or blackhole MAC address table entry globally

To add or modify a static, dynamic, or blackhole MAC address table entry in system view:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Add or modify a dynamic or static MAC address entry.
    Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
    Remarks (steps 2 and 3): Use either command. Make sure that you have created the VLAN and assigned the interface to the VLAN.

Step 3. Add or modify a blackhole MAC address entry.
    Command: mac-address blackhole mac-address vlan vlan-id

Add or modify a static or dynamic MAC address table entry on an interface

To add or modify a static or dynamic MAC address table entry in interface view:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A

Step 3. Add or modify a MAC address entry.
    Command: mac-address { dynamic | static } mac-address vlan vlan-id
    Remarks: Make sure that you have created the VLAN and assigned the interface to the VLAN.

Disabling MAC address learning

You may sometimes need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your router is being attacked by a large number of packets with different source MAC addresses.

Disabling MAC address learning on ports

After enabling global MAC address learning, you may disable the function on a single port, or on all ports in a port group as needed.

To disable MAC address learning on a Layer 2 Ethernet port, port group, Layer 2 VE interface, or Layer 2 aggregate interface:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command (use either):
    · Enter Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view: interface interface-type interface-number
    · Enter port group view: port-group manual port-group-name
    Remarks: The configuration you make in Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view takes effect on the current interface only. Configuration made in port group view takes effect on all the member ports in the port group.

Step 3. Disable MAC address learning.
    Command: mac-address mac-learning disable
    Remarks: By default, MAC address learning is enabled on ports.

NOTE:

For more information about port group configuration, see Interface Configuration Guide.

Disabling MAC address learning on a VLAN

You may disable MAC address learning on a per-VLAN basis.

To disable MAC address learning on a VLAN:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A

Step 3. Disable MAC address learning on the VLAN.
    Command: mac-address mac-learning disable
    Remarks: By default, MAC address learning is enabled.

Configuring the aging timer for dynamic MAC address entries

The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry is not updated before the aging timer expires, the router deletes the entry. This aging mechanism ensures that the MAC address table can promptly update to accommodate the latest network changes.

Set the aging timer appropriately. Too long an aging interval may cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval may result in removal of valid entries, causing unnecessary broadcasts, which may affect router performance.

To configure the aging timer for dynamic MAC address entries:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Configure the aging timer for dynamic MAC address entries.
    Command: mac-address timer { aging seconds | no-aging }
    Remarks: Optional. The default setting is 300 seconds.

NOTE:

· The MAC address aging timer takes effect globally only on dynamic MAC address entries (learned or administratively configured).

· You can reduce broadcasts on a stable network by disabling the aging timer to prevent dynamic entries from unnecessarily aging out. By reducing broadcasts, you improve not only network performance, but also security, because the chances for a data packet to reach unintended destinations are reduced.

Configuring the MAC learning limit

Configuring the MAC learning limit on ports

As the MAC address table grows, the forwarding performance of your router may degrade. To prevent the MAC address table from getting so large that the forwarding performance is affected, you can limit the number of MAC addresses that can be learned on a port.

To configure the MAC learning limit on a Layer 2 Ethernet interface, Layer 2 VE interface, Layer 2 aggregate interface, or all ports in a port group:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter interface view or port group view.
    Command (use either):
    · Enter Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view: interface interface-type interface-number
    · Enter port group view: port-group manual port-group-name
    Remarks: The configuration you make in Layer 2 Ethernet interface view, Layer 2 VE interface view, or Layer 2 aggregate interface view takes effect on the current interface only. The configuration you make in port group view takes effect on all ports in the port group.

Step 3. Configure the MAC learning limit on the interface or port group, and specify whether or not frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached.
    Command: mac-address max-mac-count { count | disable-forwarding }
    Remarks: By default, the maximum number of source MAC addresses that can be learned on an interface is not specified.

Configuring the MAC learning limit on a VLAN

You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.

To configure the MAC learning limit on a VLAN:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A

Step 3. Configure the MAC learning limit on the VLAN, and specify whether or not frames with unknown source MAC addresses can be forwarded in the VLAN when the MAC learning limit is reached.
    Command: mac-address max-mac-count { count | disable-forwarding }
    Remarks: By default, the maximum number of source MAC addresses that can be learned on a VLAN is not specified.
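As an added example (not code from the H3C guide), the following Python model implements the learning, aging, entry-precedence and forwarding behaviour described in the overview together with the max-mac-count and disable-forwarding semantics of this section. The Entry and MacTable names, the FLOOD and DROP markers and the sample MAC addresses used in the comments are assumptions of the example, not router internals.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ffff-ffff-ffff"
FLOOD = "FLOOD"   # constructed marker: broadcast mode (all ports except the receiving one)
DROP = "DROP"     # constructed marker: frame filtered by a blackhole entry or the learning limit

@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries
    kind: str             # "dynamic", "static" or "blackhole"
    seen: float           # time of last update; only dynamic entries age

class MacTable:
    """Toy model of the unicast MAC address table semantics described on the page."""
    def __init__(self, aging=300.0, max_dynamic=None, disable_forwarding=False):
        self.aging = aging                  # mac-address timer aging <seconds>; None = no-aging
        self.max_dynamic = max_dynamic      # mac-address max-mac-count <count>; None = no limit
        self.disable_forwarding = disable_forwarding   # the disable-forwarding keyword
        self.entries = {}                   # (vlan, mac) -> Entry

    def add_manual(self, vlan, mac, kind, port=None):
        # A static or blackhole entry overwrites a dynamic one; learning never overwrites it back.
        self.entries[(vlan, mac)] = Entry(port, kind, 0.0)

    def age(self, now):
        if self.aging is None:
            return
        for key, e in list(self.entries.items()):
            if e.kind == "dynamic" and now - e.seen >= self.aging:
                del self.entries[key]       # not refreshed before the timer expired

    def receive(self, vlan, in_port, src, dst, now):
        """Learn src on in_port, then return the forwarding decision for dst."""
        self.age(now)
        e = self.entries.get((vlan, src))
        if e is not None and e.kind == "blackhole":
            return DROP                     # source blackhole entry filters the frame
        if e is None or e.kind == "dynamic":    # static entries are never moved by learning
            learned = sum(1 for x in self.entries.values() if x.kind == "dynamic")
            if e is None and self.max_dynamic is not None and learned >= self.max_dynamic:
                if self.disable_forwarding:
                    return DROP             # limit reached; unknown-source frames are dropped
            else:
                self.entries[(vlan, src)] = Entry(in_port, "dynamic", now)   # learn or refresh
        d = self.entries.get((vlan, dst))
        if dst == BROADCAST or d is None:
            return FLOOD                    # broadcast mode
        if d.kind == "blackhole":
            return DROP                     # destination blackhole entry
        return d.port                       # unicast mode
```

With the limit reached but disable-forwarding not set, a frame from an unknown source is still forwarded, only the learning step is skipped.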

Displaying and maintaining MAC address tables

Task: Display MAC address table information.
    Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display the aging timer for dynamic MAC address entries.
    Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

Task: Display the system or interface MAC address learning state.
    Command: display mac-address mac-learning [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view

MAC address table configuration example

Network requirements

As shown in Figure 1:

· The MAC address of a host (Host A) is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 3/1/10 of the router. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the router.

· The MAC address of another host (Host B) is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so all packets destined for the host will be dropped.

· Set the aging timer for dynamic MAC address entries to 500 seconds.

Figure 1 Network diagram

Configuration procedure

# Add a static MAC address entry.

<Sysname> system-view

[Sysname] mac-address static 000f-e235-dc71 interface GigabitEthernet 3/1/10 vlan 1

# Add a destination blackhole MAC address entry.

[Sysname] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer for dynamic MAC address entries to 500 seconds.

[Sysname] mac-address timer aging 500

# Display the MAC address entry for port GigabitEthernet 3/1/10.

[Sysname] display mac-address interface GigabitEthernet 3/1/10

MAC ADDR          VLAN ID  STATE            PORT INDEX             AGING TIME(s)

000f-e235-dc71    1        Config static    GigabitEthernet3/1/10  NOAGED

 

  ---  1 mac address(es) found on port GigabitEthernet3/1/10 ---

# Display information about the destination blackhole MAC address table.

[Sysname] display mac-address blackhole

MAC ADDR        VLAN ID    STATE            PORT INDEX             AGING TIME

000f-e235-abcd  1          Blackhole        N/A                    NOAGED

 

  ---  1 mac address(es) found  ---

# View the aging time of dynamic MAC address entries.

[Sysname] display mac-address aging-time

Mac address aging time: 500s