Layer 2 - LAN Switching Configuration Guide

04-MAC Address Table Configuration

• The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

• Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.

• The interface types and the number of interfaces vary by AP model.

 

This chapter includes these sections:

• Overview

• Configuring a MAC Address Table

• Displaying and Maintaining MAC Address Tables

• MAC Address Table Configuration Example

 

• In this document, MAC address table configuration applies to Layer 2 Ethernet interfaces only.

• This document covers only the configuration of static, dynamic, and blackhole unicast MAC address table entries.

 

Overview

An AP maintains a MAC address table for frame forwarding. Each entry in this table indicates the MAC address of a connected network device, to which interface this device is connected, and to which VLAN the interface belongs. When forwarding a frame, the AP first looks up the MAC address table based on the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast. Thus, broadcasts are reduced.

How a MAC Address Table Entry Is Created

A MAC address table entry can be dynamically learned or manually configured.

Dynamically learning MAC address entries

Usually, an AP can populate its MAC address table automatically by learning the source MAC addresses of received frames.

The following is how an AP learns a MAC address when it receives a frame from a port, Port A for example:

1)        Check the source MAC address (MAC-SOURCE for example) of the frame. Assume that frames with the source MAC address MAC-SOURCE can be forwarded through Port A.

2)        Look up the MAC address table by the MAC address for a match and do the following:

• If an entry is found for the MAC address, update the entry.

• If no entry is found, add an entry for the MAC address to indicate from which port the frame is received.

When receiving a frame destined for MAC-SOURCE, the AP looks up the MAC address table and forwards it from Port A.

To adapt to network changes, MAC address table entries need to be constantly updated. Each dynamically learned MAC address table entry has a lifetime, that is, an aging timer. If an entry has not been updated when its aging timer expires, it is deleted. If it is updated before the aging timer expires, the aging timer restarts.

Manually configuring MAC address entries

With dynamic MAC address learning, the AP does not tell illegitimate frames from legitimate ones. This brings security hazards. For example, if a hacker sends frames with a forged source MAC address to a port other than the one the real MAC address is connected to, the AP will create an entry for the forged MAC address and forward frames destined for the legal user to the hacker instead.

To enhance the security of a port, you can manually add MAC address entries into the MAC address table of the AP to bind specific user devices to the port. Because manually configured entries have higher priority than dynamically learned ones, you can thus prevent hackers from stealing data using forged MAC addresses.

Types of MAC Address Table Entries

A MAC address table may contain these types of entries:

• Static entries, which are manually configured and never age out.

• Dynamic entries, which can be manually configured or dynamically learned and may age out.

• Blackhole entries, which are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole destination MAC address entry.

 

Dynamically-learned MAC addresses cannot overwrite static or blackhole MAC address entries, but the latter can overwrite the former.

 

MAC Address Table-Based Frame Forwarding

When forwarding a frame, the AP uses the following two forwarding modes based on the MAC address table:

• Unicast mode: If an entry is available for the destination MAC address, the AP forwards the frame directly from the hardware.

• Broadcast mode: If the AP receives a frame with the destination address being all Fs, or no entry is available for the destination MAC address, the AP broadcasts the frame to all the interfaces except the receiving interface.

Figure 1-1 Forward frames using the MAC address table
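The following is an added example, not code from the H3C guide: a small Python model of the table behaviour this overview describes (source MAC learning, static and blackhole entries taking precedence over learned ones, aging, and unicast versus broadcast forwarding), extended to the per-port learning limit that mac-address max-mac-count configures later in this chapter. Port names and MAC addresses are constructed sample values.

```python
from typing import Optional
from dataclasses import dataclass

BROADCAST = "ffff-ffff-ffff"   # destination address of all Fs

@dataclass
class Entry:
    kind: str              # "static", "dynamic" or "blackhole"
    port: Optional[str]    # None for blackhole entries (PORT INDEX N/A)
    age: int = 0           # seconds since the last refresh; dynamic entries only

class MacTable:
    """Toy model of the table rules above, keyed by (mac, vlan). aging=None models
    'timer no-aging'; max_mac_count/disable_forwarding model 'max-mac-count'."""
    def __init__(self, aging=300, max_mac_count=None, disable_forwarding=False):
        self.entries, self.aging = {}, aging
        self.max_mac_count, self.disable_forwarding = max_mac_count, disable_forwarding
    def add_static(self, mac, vlan, port):
        self.entries[(mac, vlan)] = Entry("static", port)
    def add_blackhole(self, mac, vlan):
        self.entries[(mac, vlan)] = Entry("blackhole", None)
    def learn(self, mac, vlan, port):
        """Step 1: learn the source MAC. False only if unknown and the port limit is hit."""
        e = self.entries.get((mac, vlan))
        if e is not None and e.kind != "dynamic":
            return True                      # manual entries are never overwritten by learning
        learned = sum(1 for x in self.entries.values() if x.kind == "dynamic" and x.port == port)
        if e is None and self.max_mac_count is not None and learned >= self.max_mac_count:
            return False
        if e is None:
            self.entries[(mac, vlan)] = Entry("dynamic", port)
        else:
            e.port, e.age = port, 0          # refresh: the entry follows the frame, timer restarts
        return True
    def forward(self, src, dst, vlan, in_port, ports):
        """Step 2: look up the destination and return the list of egress ports."""
        if self.entries.get((src, vlan), Entry("", None)).kind == "blackhole":
            return []                        # source-MAC blackhole filter
        if not self.learn(src, vlan, in_port) and self.disable_forwarding:
            return []                        # limit reached and unknown-source forwarding disabled
        e = self.entries.get((dst, vlan))
        if dst == BROADCAST or e is None:
            return [p for p in ports if p != in_port]        # broadcast mode
        return [] if e.kind == "blackhole" else [e.port]   # blackhole drop or unicast mode
    def tick(self, seconds):
        """Advance the aging timer; static and blackhole entries never age out."""
        for key, e in list(self.entries.items()):
            if e.kind == "dynamic" and self.aging is not None:
                e.age += seconds
                if e.age >= self.aging:
                    del self.entries[key]
```

With a static entry bound to Ethernet1/0/1, a frame carrying that source MAC on another port leaves the entry untouched, which is the spoofing case the text describes; a dynamic entry in the same situation would simply move to the new port.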

 

Configuring a MAC Address Table

This section covers these topics:

• Configuring MAC Address Entries

• Disabling MAC Address Learning

• Configuring the Aging Timer for Dynamic MAC Address Entries

• Configuring the MAC Learning Limit on a Port

These configuration tasks are all optional and can be performed in any order.

Configuring MAC Address Entries

Usually, an AP can populate its MAC address table automatically by learning the source MAC addresses of incoming frames.

To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, thus fending off MAC address spoofing attacks.

In addition, you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

Follow these steps to add, modify, or remove entries in the MAC address table globally:

1) Enter system view.
   Command: system-view

2) Add or modify a MAC address entry (required).
   Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
   Command: mac-address blackhole mac-address vlan vlan-id

 

Follow these steps to add, modify, or remove entries in the MAC address table in interface view:

1) Enter system view.
   Command: system-view

2) Enter interface view.
   Command: interface interface-type interface-number

3) Add or modify MAC address entries under the specified interface view (required).
   Command: mac-address { dynamic | static } mac-address vlan vlan-id

 

When using the mac-address command to add a MAC address entry, the interface specified by the interface keyword must belong to the VLAN specified by the vlan keyword, and the VLAN must already exist. Otherwise, you will fail to add this MAC address entry.

 

Disabling MAC Address Learning

You may sometimes need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your AP is being attacked with a large number of packets carrying different source MAC addresses.

Disabling MAC address learning globally

Disabling MAC address learning globally disables the learning function on all ports.

Follow these steps to disable MAC address learning globally:

1) Enter system view.
   Command: system-view

2) Disable global MAC address learning (required; learning is enabled by default).
   Command: mac-address mac-learning disable

 

Disabling MAC address learning on a port

After enabling global MAC address learning, you may disable the function on individual ports as needed.

Follow these steps to disable MAC address learning on a port:

1) Enter system view.
   Command: system-view

2) Enable MAC address learning globally (optional; enabled by default).
   Command: undo mac-address mac-learning disable

3) Enter Ethernet interface view or WLAN-BSS interface view (required).
   Command: interface interface-type interface-number

4) Disable MAC address learning on the port (required; learning is enabled by default).
   Command: mac-address mac-learning disable

 

Configuring the Aging Timer for Dynamic MAC Address Entries

The MAC address table on your AP has an aging mechanism for dynamic entries. Dynamic MAC address entries that are not updated within their aging time are deleted to make room for new entries, so the MAC address table is updated in a timely manner to reflect the latest network changes.

Set the aging timer appropriately: a long aging interval may cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and thus fail to update its entries to accommodate the latest network changes; a short interval may result in the removal of valid entries and hence unnecessary broadcasts, which may affect the performance of your AP.

Follow these steps to configure the aging timer for dynamic MAC address entries:

1) Enter system view.
   Command: system-view

2) Configure the aging timer for dynamic MAC address entries (optional).
   Command: mac-address timer { aging seconds | no-aging }

 

• The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or administratively configured) only.

• In a stable network, when there has been no traffic activity for a long time, all the dynamic entries in the MAC address table maintained by the AP will be deleted. When this happens, the AP broadcasts a large amount of data packets, which may be listened to by unwanted users, resulting in security hazards. In this case, you can configure mac-address timer no-aging for dynamic MAC address entries, that is, not age out dynamic MAC address entries, thus reducing broadcasts and ensuring the stability and security of the network.

 

Configuring the MAC Learning Limit on a Port

As the MAC address table grows, the forwarding performance of your AP may degrade. To prevent a MAC address table from getting so large that it may degrade forwarding performance, you may restrict the number of MAC addresses that can be learned on a port, that is, configure the MAC learning limit on it.

Follow these steps to configure the MAC learning limit on a port:

1) Enter system view.
   Command: system-view

2) Enter Ethernet interface view or WLAN-BSS interface view (required).
   Command: interface interface-type interface-number

3) Configure the MAC learning limit on the port, and specify whether frames with unknown source MAC addresses can be forwarded after the MAC learning limit is reached (required).
   Command: mac-address max-mac-count { count | disable-forwarding }
   By default, after the MAC learning limit is reached, frames with unknown source MAC addresses are not forwarded.

 

Displaying and Maintaining MAC Address Tables

• Display MAC address table information (available in any view).
  Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ]

• Display the aging timer for dynamic MAC address entries (available in any view).
  Command: display mac-address aging-time

• Display the system or interface MAC address learning state (available in any view).
  Command: display mac-address mac-learning [ interface-type interface-number ]

 

MAC Address Table Configuration Example

Network requirements

• The MAC address of one host is 000f-e235-dc71 and belongs to VLAN 1. It is connected to Ethernet 1/0/1 of the AP. To prevent MAC address spoofing, add a static entry into the MAC address table of the AP for the host.

• The MAC address of another host is 000f-e235-abcd and belongs to VLAN 1. Because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the MAC address to drop all packets destined for the host, for the sake of security.

• Set the aging timer for dynamic MAC address entries to 500 seconds.

Configuration procedure

# Add a static MAC address entry.

<Sysname> system-view

[Sysname] mac-address static 000f-e235-dc71 interface ethernet 1/0/1 vlan 1

# Add a destination blackhole MAC address entry.

[Sysname] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer for dynamic MAC address entries to 500 seconds.

[Sysname] mac-address timer aging 500

# Display the MAC address entry for port Ethernet 1/0/1.

[Sysname] display mac-address interface ethernet 1/0/1

MAC ADDR         VLAN ID  STATE              PORT INDEX       AGING TIME

000f-e235-DC71   1        Config static      Ethernet 1/0/1   NOAGED

# Display information about the destination blackhole MAC address table.

[Sysname] display mac-address blackhole

MAC ADDR        VLAN ID    STATE            PORT INDEX         AGING TIME

000f-e235-abcd  1          Blackhole        N/A                NOAGED

  ---  1 mac address(es) found  ---

# View the aging time of dynamic MAC address entries.

[Sysname] display mac-address aging-time

Mac address aging time: 500s
