08-MAC Address Table Management Configuration
Table of Contents
1 MAC Address Table Management Configuration
How a MAC Address Table Entry Is Created
Types of MAC Address Table Entries
MAC Address Table-Based Frame Forwarding
Configuring MAC Address Table Management
Configuring MAC Address Table Entries
Configuring the Aging Timer for Dynamic MAC Address Entries
Configuring the MAC Learning Limit
Displaying and Maintaining MAC Address Table Management
MAC Address Table Management Configuration Example
When configuring MAC address table management, go to these sections for information you are interested in:
- Overview
- Configuring MAC Address Table Management
- MAC Address Table Management Configuration Example
Overview
Interfaces that MAC address table management involves can only be Layer 2 Ethernet ports.
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the MAC address of a connected device, to which interface this device is connected and to which VLAN the interface belongs. When forwarding a frame, the device first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast. Thus, broadcasts are reduced.
How a MAC Address Table Entry Is Created
A MAC address table entry can be dynamically learned or manually configured.
Usually, a device can populate its MAC address table automatically by learning the source MAC addresses of received frames.
The following describes how a device learns a MAC address when it receives a frame on a port, Port A for example:
1) Check the source MAC address of the frame (MAC-SOURCE, for example). The device assumes that the host with MAC-SOURCE is reachable through Port A, so frames destined for MAC-SOURCE can be forwarded out of Port A.
2) Look up the MAC address table by MAC-SOURCE for a match and do the following:
   - If an entry is found for the MAC address, update the entry.
   - If no entry is found, add an entry that records the port on which the frame was received.
When the device later receives a frame destined for MAC-SOURCE, it looks up the MAC address table and forwards the frame out of Port A.
To adapt to network changes, MAC address table entries need to be constantly updated. Each dynamically learned MAC address table entry has a lifetime, that is, an aging timer. If an entry has not been updated by the time its aging timer expires, it is deleted. If the entry is updated before the aging timer expires, the aging timer restarts.
With dynamic MAC address learning, a device cannot tell illegitimate frames from legitimate ones, which creates a security hazard. For example, if a hacker sends frames with a forged source MAC address to a port other than the one to which the real MAC address is connected, the device creates an entry for the forged MAC address on that port and forwards frames destined for the legitimate user to the hacker instead.
To enhance the security of a port, you can manually add MAC address entries to the MAC address table of the device to bind specific user devices to the port. Because manually configured entries take priority over dynamically learned ones, this prevents hackers from stealing data using forged MAC addresses.
Types of MAC Address Table Entries
A MAC address table may contain these types of entries:
- Static entries, which are manually configured and never age out.
- Dynamic entries, which can be manually configured or dynamically learned and may age out.
- Blackhole entries, which are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific destination MAC addresses.
Dynamically learned MAC addresses cannot overwrite static or blackhole MAC address entries, but the latter can overwrite the former.
MAC Address Table-Based Frame Forwarding
When forwarding a frame, the device uses one of the following two forwarding modes based on the MAC address table:
- Unicast mode: If an entry is available for the destination MAC address, the device forwards the frame out of the outgoing interface indicated by the entry.
- Broadcast mode: If the destination address of the frame is all ones, or no entry is available for the destination MAC address, the device broadcasts the frame out of all interfaces except the receiving interface.
Figure 1-1 Forward frames using the MAC address table
Configuring MAC Address Table Management
The MAC address table management configuration tasks include:
- Configuring MAC Address Table Entries
- Configuring the Aging Timer for Dynamic MAC Address Entries
- Configuring the MAC Learning Limit
These configuration tasks are all optional and order independent. You can perform them as needed in any order.
Configuring MAC Address Table Entries
Follow these steps to add, modify, or remove entries in the MAC address table globally:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Add/modify a MAC address entry
Use the command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
                 mac-address blackhole mac-address vlan vlan-id
Remarks: Required
Follow these steps to add, modify, or remove entries in the MAC address table on an interface:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter interface view
Use the command: interface interface-type interface-number
Remarks: —

To do: Add/modify MAC address entries under the specified interface view
Use the command: mac-address { dynamic | static } mac-address vlan vlan-id
Remarks: Required
Configuring the Aging Timer for Dynamic MAC Address Entries
The MAC address table on your device has an aging mechanism for dynamic entries to prevent its resources from being exhausted. Set the aging timer appropriately: a long aging interval may cause the MAC address table to retain outdated entries and fail to accommodate the latest network changes; a short interval may cause valid entries to be removed and hence unnecessary broadcasts, which may affect device performance.
Follow these steps to configure the aging timer for dynamic MAC address entries:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Configure the aging timer for dynamic MAC address entries
Use the command: mac-address timer { aging seconds | no-aging }
Remarks: Optional. 300 seconds by default.

The MAC address aging timer takes effect globally, and only on dynamic MAC address entries (learned or administratively configured).
Configuring the MAC Learning Limit
As the MAC address table grows, the forwarding performance of your device may degrade. To prevent the MAC address table from becoming so large that forwarding performance is affected, you can limit the number of MAC addresses that can be learned on a port.
Follow these steps to configure the MAC learning limit on an Ethernet port, Layer 2 aggregate interface, or the Ethernet ports in a port group:

To do: Enter system view
Use the command: system-view
Remarks: —

To do: Enter Ethernet interface view, port group view, or Layer 2 aggregate interface view
Use the command: interface interface-type interface-number (Ethernet interface view)
                 port-group manual port-group-name (port group view)
                 interface bridge-aggregation interface-number (Layer 2 aggregate interface view)
Remarks: Required. Use any of these three commands. The configuration you make in Ethernet interface view or Layer 2 aggregate interface view takes effect on the current interface only; the configuration you make in port group view takes effect on all the member ports in the port group.

To do: Configure the MAC learning limit on the Ethernet port, Layer 2 aggregate interface, or port group, and specify whether frames with unknown source MAC addresses are forwarded when the MAC learning limit is reached
Use the command: mac-address max-mac-count { count | disable-forwarding }
Remarks: Required. By default, no MAC learning limit is configured. When the MAC learning limit is reached, frames with unknown source MAC addresses are forwarded by default.
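The learning, aging, entry-precedence and forwarding rules described in the overview, together with the per-port learning limit configured above, as a small Python model. This is an added example and not the switch's code or the vendor's implementation: the port names, MAC addresses (other than the host from the configuration example) and timings are constructed, and the `max_count` and `disable_forwarding` parameters mirror the behaviour of `mac-address max-mac-count { count | disable-forwarding }` only as the text describes it.

```python
from dataclasses import dataclass
from typing import Optional

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    port: Optional[str]   # outgoing port; None for blackhole entries
    kind: str             # "dynamic", "static" or "blackhole"
    last_seen: int        # time (seconds) the entry was created or last refreshed


class MacTable:
    """Toy MAC address table keyed by (MAC, VLAN); not the device's implementation."""

    def __init__(self, ports, aging=300, max_count=None, disable_forwarding=False):
        self.ports = list(ports)
        self.aging = aging                            # None models "mac-address timer no-aging"
        self.max_count = max_count                    # per-port limit, like max-mac-count count
        self.disable_forwarding = disable_forwarding  # like max-mac-count disable-forwarding
        self.table = {}                               # (mac, vlan) -> Entry

    def _dynamic_count(self, port):
        return sum(1 for e in self.table.values() if e.kind == "dynamic" and e.port == port)

    def add_static(self, mac, vlan, port, now=0):
        # Manually configured entries overwrite dynamic ones and never age out.
        self.table[(mac, vlan)] = Entry(port, "static", now)

    def add_blackhole(self, mac, vlan, now=0):
        # Blackhole entries drop frames destined for the address.
        self.table[(mac, vlan)] = Entry(None, "blackhole", now)

    def learn(self, src, vlan, in_port, now):
        """Source-address learning. Returns False if the frame must be dropped."""
        entry = self.table.get((src, vlan))
        if entry is not None and entry.kind != "dynamic":
            return True                           # static/blackhole entries are never overwritten
        if entry is not None:
            entry.port = in_port                  # known address: refresh (and possibly move) it
            entry.last_seen = now                 # refreshing restarts the aging timer
            return True
        if self.max_count is not None and self._dynamic_count(in_port) >= self.max_count:
            return not self.disable_forwarding    # limit reached: no new entry; forward or drop
        self.table[(src, vlan)] = Entry(in_port, "dynamic", now)
        return True

    def age(self, now):
        """Delete dynamic entries whose aging timer has expired."""
        if self.aging is None:
            return
        for key in [k for k, e in self.table.items()
                    if e.kind == "dynamic" and now - e.last_seen >= self.aging]:
            del self.table[key]

    def forward(self, src, dst, vlan, in_port, now):
        """Return the ports the frame is sent out of ([] means it is dropped)."""
        self.age(now)
        if not self.learn(src, vlan, in_port, now):
            return []
        entry = self.table.get((dst, vlan))
        if dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood
        if entry.kind == "blackhole":
            return []
        return [entry.port]


HOST = "000f-e235-dc71"   # the host from the configuration example, on GE1/0/1
PEER = "0000-5e00-5301"   # constructed: another host in VLAN 1


def spoof_scenarios():
    """Where does traffic for HOST go after a forged source appears on another port?"""
    results = {}
    for label, static in (("dynamic_only", False), ("static_binding", True)):
        t = MacTable(["GE1/0/1", "GE1/0/2", "GE1/0/3"])
        if static:
            t.add_static(HOST, 1, "GE1/0/1")
        t.forward(HOST, PEER, 1, "GE1/0/1", 0)    # the real host sends first
        t.forward(HOST, PEER, 1, "GE1/0/2", 5)    # a frame forging HOST arrives on GE1/0/2
        results[label] = t.forward(PEER, HOST, 1, "GE1/0/3", 6)
    return results


if __name__ == "__main__":
    print(spoof_scenarios())
```

With dynamic learning only, the forged frame moves the entry for the host to GE1/0/2 and the peer's reply is delivered there; with the static binding in place the entry is not overwritten and the reply still leaves GE1/0/1, which is the hazard and the mitigation the overview describes.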
Displaying and Maintaining MAC Address Table Management

To do: Display MAC address table information
Use the command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ]
Remarks: Available in any view

To do: Display the aging timer for dynamic MAC address entries
Use the command: display mac-address aging-time
Remarks: Available in any view

To do: Display MAC address statistics
Use the command: display mac-address statistics
Remarks: Available in any view
MAC Address Table Management Configuration Example
A host with MAC address 000f-e235-dc71, belonging to VLAN 1, is connected to GigabitEthernet1/0/1 of the device. To prevent MAC address spoofing, add a static entry to the MAC address table of the device for the host, and set the aging timer for dynamic MAC address entries to 500 seconds.
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet1/0/1 vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet1/0/1.
[Sysname] display mac-address interface gigabitethernet1/0/1
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet1/0/1     NOAGED
---  1 mac address(es) found  ---
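A check a practitioner would run after configuring such bindings: parse `display mac-address` output in the layout shown above and compare each entry against an inventory of expected (MAC, VLAN, port) bindings, reporting hosts seen on the wrong port or without a static entry. This is an added example, not part of the original page or of the device vendor's tooling. The sample output below is constructed in the same layout as the output above: the first row is the page's own entry, while the `Learned` state and the two other addresses are assumed for the example, and the `EXPECTED` inventory is hypothetical.

```python
import re

# Constructed sample in the layout of the "display mac-address" output above.
# The first row is the page's entry; the "Learned" state and the other two
# addresses are assumed for this example, not captured from a device.
SAMPLE_OUTPUT = """\
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet1/0/1     NOAGED
000f-e235-dc72   1        Learned        GigabitEthernet1/0/2     AGING
000f-e235-dc73   1        Learned        GigabitEthernet1/0/7     AGING
---  3 mac address(es) found  ---
"""

# Hypothetical inventory of where each host should be connected: (mac, vlan) -> port.
EXPECTED = {
    ("000f-e235-dc71", 1): "GigabitEthernet1/0/1",
    ("000f-e235-dc72", 1): "GigabitEthernet1/0/2",
    ("000f-e235-dc73", 1): "GigabitEthernet1/0/3",
}

# MAC, VLAN, a STATE that may contain single spaces ("Config static"), PORT, AGING.
# Columns are separated by at least two spaces, which is how STATE is delimited.
ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(.+?)\s{2,}(\S+)\s+(\S+)$"
)


def parse_mac_table(text):
    """Return one dict per table row; the header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, state, port, aging = m.groups()
            rows.append({"mac": mac, "vlan": int(vlan), "state": state,
                         "port": port, "aging": aging})
    return rows


def audit(rows, expected):
    """Flag inventoried hosts seen on the wrong port or without a static entry."""
    findings = []
    for r in rows:
        want = expected.get((r["mac"], r["vlan"]))
        if want is None:
            continue                      # not in the inventory; not checked here
        if r["port"] != want:
            findings.append(f"{r['mac']} vlan {r['vlan']}: seen on {r['port']}, expected {want}")
        elif "static" not in r["state"].lower():
            findings.append(f"{r['mac']} vlan {r['vlan']}: no static entry (state {r['state']})")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(SAMPLE_OUTPUT), EXPECTED):
        print(finding)
```

Run against the sample, the audit reports the second host as still relying on a dynamic entry and the third as appearing on GigabitEthernet1/0/7 instead of its inventoried port; a MAC that has moved away from its inventoried port is exactly the symptom the static binding above is meant to prevent.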