Layer 2 - LAN Switching Configuration Guide
01-MAC address table configuration
Contents
Configuring the MAC address table
How a MAC address entry is created
MAC address table-based frame forwarding
Configuring the MAC address table
Configuring MAC address entries
Adding or modifying a blackhole MAC address entry
Adding or modifying a multiport unicast MAC address entry
Disabling MAC address learning
Configuring the aging timer for dynamic MAC address entries
Configuring the MAC learning limit
Configuring the frame forwarding rule after the upper limit is reached
Displaying and maintaining the MAC address table
Overview
An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast. This table describes from which interfaces a MAC address (or host) can be reached. When forwarding a frame, the device first looks up the MAC address of the frame in the MAC address table for a match. If an entry is found, the device forwards the frame out of the outgoing interface. If no entry is found, the device broadcasts the frame out of all but the incoming interface.
How a MAC address entry is created
The entries in the MAC address table come from two sources: automatically learned by the device and manually added by the administrator.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each interface.
When a frame arrives at an interface, for example, Port A, the device performs the following tasks:
1. Checks the source MAC address (MAC-SOURCE for example) of the frame.
2. Looks up the source MAC address in the MAC address table.
   · If an entry is found, the device updates the entry.
   · If no entry is found, the device adds an entry for MAC-SOURCE and Port A.
3. When the device receives a frame destined for MAC-SOURCE after learning this source MAC address, the device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.
The device performs the learning process each time it receives a frame from an unknown source MAC address until the MAC address table is fully populated.
Manually configuring MAC address entries
With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames, which can invite security hazards. For example, when an illegal user sends frames with a forged source MAC address to an interface different from the one where the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legal user to the illegal user instead.
To improve interface security and prevent illegal users from stealing data, you can manually add MAC address entries to the MAC address table of the device to bind specific user devices to the interface.
Types of MAC address entries
A MAC address table can contain the following types of entries:
· Static entries—Static entries are manually added in order to forward frames with a specific destination MAC address out of their associated interfaces and never age out. A static entry has higher priority than a dynamically learned one.
· Dynamic entries—Dynamic entries can be manually configured or dynamically learned in order to forward frames with a specific destination MAC address out of their associated interfaces and might age out. A manually configured dynamic entry has higher priority than a dynamically learned one.
· Blackhole entries—Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering out frames with a specific source or destination MAC address. For example, to block all frames destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
· Multiport unicast entries—Multiport unicast entries are manually added in order to repeat frames with a specific unicast destination MAC address out of multiple ports and never age out. A multiport unicast entry has higher priority than a dynamically learned one.
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
To adapt to network topology changes and prevent inactive entries from occupying table space, the system uses an aging mechanism for dynamic MAC address entries. Each time a dynamic MAC address entry is learned or created, an aging timer starts. If the entry has not been updated when the aging timer expires, the device deletes the entry. If the entry is updated before the aging timer expires, the aging timer restarts.
This document covers only unicast MAC address entries, including static, dynamic, blackhole, and multiport unicast MAC address entries. For information about static multicast MAC address entries, see IP Multicast Configuration Guide. For information about MAC address entries in VPLS, see MPLS Configuration Guide.
MAC address table-based frame forwarding
When forwarding a frame, the device adopts one of the following forwarding modes based on the MAC address table:
· Unicast mode—If an entry is available for the destination MAC address, the device forwards the frame out of the outgoing interface indicated by the MAC address entry.
· Broadcast mode—If the device receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the device broadcasts the frame to all the interfaces belonging to the corresponding VLAN except the receiving interface.
Configuring the MAC address table
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
The MAC address table can contain only Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
Configuring MAC address entries
Configuration guidelines
· When you configure a dynamic MAC address entry, if an automatically learned MAC address entry with the same MAC address but a different outgoing interface already exists in the MAC address table, the manually configured one does not take effect.
· The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive a reboot if you do not save the configuration. The manually configured dynamic MAC address entries, however, are lost upon reboot whether or not you save the configuration.
A frame whose source MAC address matches a MAC address entry is processed differently depending on the entry type:
Type | Description |
---|---|
Static MAC address entry | Discards the frame if it arrives on an interface other than the one in the entry. Forwards the frame if it arrives on the interface in the entry. |
Multiport unicast MAC address entry | Discards the frame. |
Dynamic MAC address entry | If the frame arrives on an interface other than the one in the entry, learns the MAC address on the new interface and overwrites the original entry. If the frame arrives on the interface in the entry, forwards the frame and updates the aging timer for the entry. |
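The learning process, the entry priorities, the two forwarding modes and the source-MAC rules in the table above, as an added Python model that is not part of the H3C guide. VLAN membership, port names and MAC addresses are constructed; the aging timer and the learning limit are left out of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Entry types. A static, blackhole or multiport entry may overwrite a dynamic
# entry, but a dynamic entry never overwrites one of the other three.
STATIC, DYNAMIC, BLACKHOLE, MULTIPORT = "static", "dynamic", "blackhole", "multiport"
BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    kind: str
    ports: Set[str] = field(default_factory=set)  # several ports only for multiport


class MacTable:
    def __init__(self, vlan_ports: Dict[int, Set[str]]):
        self.vlan_ports = vlan_ports                      # VLAN id -> member ports (constructed)
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (vlan, mac) -> entry

    def add(self, kind: str, mac: str, vlan: int, ports=()) -> bool:
        """Manually add an entry; returns False if the priority rule rejects it."""
        cur = self.entries.get((vlan, mac))
        if kind == DYNAMIC and cur is not None and cur.kind != DYNAMIC:
            return False
        self.entries[(vlan, mac)] = Entry(kind, set(ports))
        return True

    def handle_frame(self, src: str, dst: str, vlan: int, in_port: str) -> List[str]:
        """Return the ports the frame is forwarded out of; [] means discarded."""
        # Source MAC processing, following the entry-type table.
        cur = self.entries.get((vlan, src))
        if cur is None:
            self.entries[(vlan, src)] = Entry(DYNAMIC, {in_port})   # learn src on in_port
        elif cur.kind == DYNAMIC:
            cur.ports = {in_port}   # same port: timer refresh; other port: overwrite
        elif cur.kind == STATIC and in_port not in cur.ports:
            return []               # source bound elsewhere by a static entry: discard
        elif cur.kind in (MULTIPORT, BLACKHOLE):
            return []               # multiport source, or blackhole filtering on source
        # Destination lookup: unicast, multiport repeat, blackhole, or flood.
        target = self.entries.get((vlan, dst))
        if dst == BROADCAST or target is None:
            return sorted(self.vlan_ports[vlan] - {in_port})   # broadcast mode
        if target.kind == BLACKHOLE:
            return []
        return sorted(target.ports - {in_port})                # unicast mode


if __name__ == "__main__":
    t = MacTable({1: {"GE1", "GE2", "GE3", "GE4"}})
    t.add(STATIC, "000f-e235-dc71", 1, ["GE1"])     # Host A pinned to GE1
    t.add(BLACKHOLE, "000f-e235-abcd", 1)          # Host B blackholed
    print(t.handle_frame("000f-e235-dc71", BROADCAST, 1, "GE2"))  # spoofed source: []
```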
Configuration procedure
To add or modify a static or dynamic MAC address entry globally:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add or modify a static or dynamic MAC address entry. | mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id | By default, no MAC address entry is configured globally. Make sure you have created the VLAN and assigned the interface to the VLAN. |
To add or modify a static or dynamic MAC address entry on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet or aggregate interface view. | interface interface-type interface-number | N/A |
3. Add or modify a static or dynamic MAC address entry. | mac-address { dynamic | static } mac-address vlan vlan-id | By default, no MAC address entry is configured on an interface. Make sure you have created the VLAN and assigned the interface to the VLAN. |
Adding or modifying a blackhole MAC address entry
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add or modify a blackhole MAC address entry. | mac-address blackhole mac-address vlan vlan-id | By default, no blackhole MAC address entry is configured. Make sure you have created the VLAN. |
Adding or modifying a multiport unicast MAC address entry
You can configure a multiport unicast MAC address entry to associate a unicast destination MAC address with multiple ports, so that the frame with a destination MAC address matching the entry is repeated out of multiple ports. For example, when a group of servers are processing a request from a client, the client is not concerned with the details of these servers and believes that only one server is responding. In this case, you can configure a multiport unicast MAC address entry on the device connected to the group of servers. In this manner, the device forwards the frame destined for the server group (the one server from the perspective of the client) to every server.
You can configure a multiport unicast MAC address entry globally or on an interface.
To configure a multiport unicast MAC address entry globally:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add or modify a multiport unicast MAC address entry. | mac-address multiport mac-address interface interface-list vlan vlan-id | By default, no multiport unicast MAC address entry is configured globally. Make sure you have created the VLAN and assigned the interfaces to the VLAN. |
To configure a multiport unicast MAC address entry on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet or aggregate interface view. | interface interface-type interface-number | N/A |
3. Add or modify a multiport unicast MAC address entry. | mac-address multiport mac-address vlan vlan-id | By default, no multiport unicast MAC address entry is configured on an interface. Make sure you have created the VLAN and assigned the interface to the VLAN. |
In IRF mode, to avoid conflicts, the MAC address you specify in the mac-address multiport command for a multiport unicast MAC address entry cannot be the same as the MAC address specified in the ipv6 neighbor command for a static neighbor entry. For more information about static neighbor entries, see Layer 3—IP Services.
The multiport unicast MAC address entries on an Ethernet interface may not take effect after the Ethernet interface joins an aggregate group. Therefore, H3C recommends that you configure multiport unicast MAC address entries on aggregate interfaces in Layer 2 aggregate interface view.
Disabling MAC address learning
MAC address learning is enabled by default. To prevent the MAC address table from being saturated while the device is under attack, disable MAC address learning. For example, you can disable MAC address learning to protect the device against a flood of frames with different source MAC addresses, each of which would otherwise consume a table entry.
The learned MAC addresses age out normally after the MAC address learning is disabled.
Disabling MAC address learning on interfaces
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet or aggregate interface view. | interface interface-type interface-number | N/A |
3. Disable MAC address learning on the interface. | undo mac-address mac-learning enable | By default, MAC address learning on the interface is enabled. |
Disabling MAC address learning on a VLAN
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Disable MAC address learning on the VLAN. | undo mac-address mac-learning enable | By default, MAC address learning on the VLAN is enabled. |
Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries, both for security and for efficient use of table space. If a dynamic MAC address entry has not been updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table is promptly updated to reflect the latest network topology changes.
Set the aging timer appropriately. A stable network calls for a longer aging interval and an unstable network for a shorter one. An aging interval that is too long may cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to reflect the latest network changes. An interval that is too short may remove valid entries, causing unnecessary broadcasts that increase the load on the network.
You can reduce broadcasts on a stable network by setting a long aging timer or disabling the aging timer to prevent dynamic entries from unnecessarily aging out. By reducing broadcasts, you improve not only network performance, but also security, because the chances for a data frame to reach unintended destinations are reduced.
To configure the aging timer for dynamic MAC address entries:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the aging timer for dynamic MAC address entries. | mac-address timer { aging seconds | no-aging } | By default, the aging timer is 300 seconds. The no-aging keyword disables the aging timer. |
Configuring the MAC learning limit
Configuring the MAC learning limit on interfaces
As the MAC address table grows, the forwarding performance of your device may degrade. To prevent the MAC address table from becoming so large that forwarding performance is affected, limit the number of MAC addresses that can be learned on an interface.
To configure the MAC learning limit on an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | · Enter Layer 2 Ethernet interface view. · Enter Layer 2 aggregate interface view. | N/A |
3. Configure the MAC learning limit on the interface. | mac-address max-mac-count count | The default setting varies with cards. |
Configuring the MAC learning limit on a VLAN
You can also limit the number of MAC addresses that can be learned on a per-VLAN basis.
To configure the MAC learning limit on a VLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Configure the MAC learning limit on the VLAN. | mac-address max-mac-count count | The default setting varies with cards. |
Configuring the frame forwarding rule after the upper limit is reached
You can determine whether to allow the device to forward frames with unknown source MAC addresses after the upper limit is reached.
To enable the interface to forward frames with unknown source MAC addresses after the upper limit is reached:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | · Enter Layer 2 Ethernet interface view. · Enter Layer 2 aggregate interface view. | N/A |
3. Enable the device to forward frames with unknown source MAC addresses after the upper limit is reached. | mac-address max-mac-count enable-forwarding | By default, the interface forwards frames with unknown source MAC addresses after the upper limit is reached. |
To enable a VLAN to forward frames with unknown source MAC addresses after the upper limit is reached:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable the device to forward frames with unknown source MAC addresses after the upper limit is reached. | mac-address max-mac-count enable-forwarding | By default, the device forwards frames with unknown source MAC addresses after the upper limit is reached. |
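The aging timer (mac-address timer) and the learning limit with its enable-forwarding rule (mac-address max-mac-count), modelled for the dynamic entries of one interface as an added example that is not part of the H3C guide. Times are in seconds and the addresses are constructed; the model tracks only dynamic entries, so static, blackhole and multiport entries are out of scope here.

```python
from typing import Dict, List, Optional


class DynamicLearning:
    """Dynamic MAC entries on one interface with an aging timer and a learning limit."""

    def __init__(self, aging: Optional[float] = 300.0,
                 max_mac_count: Optional[int] = None,
                 enable_forwarding: bool = True):
        self.aging = aging                    # None models 'mac-address timer no-aging'
        self.max_mac_count = max_mac_count    # None models no learning limit configured
        self.enable_forwarding = enable_forwarding
        self.entries: Dict[str, float] = {}   # mac -> time of the last update

    def expire(self, now: float) -> List[str]:
        """Delete entries not refreshed within the aging time; return them."""
        if self.aging is None:
            return []
        stale = [m for m, t in self.entries.items() if now - t >= self.aging]
        for m in stale:
            del self.entries[m]
        return stale

    def receive(self, src: str, now: float) -> bool:
        """Process a frame with source MAC src; return whether it is forwarded."""
        self.expire(now)
        if src in self.entries:
            self.entries[src] = now           # an update restarts the aging timer
            return True
        if self.max_mac_count is not None and len(self.entries) >= self.max_mac_count:
            # Limit reached: the address is not learned, and whether the frame
            # is still forwarded depends on max-mac-count enable-forwarding.
            return self.enable_forwarding
        self.entries[src] = now               # learn the new address
        return True
```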
Displaying and maintaining the MAC address table
Execute display commands in any view.
Task | Command |
---|---|
Display MAC address table information. | display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole | multiport ] [ vlan vlan-id ] [ count ] ] |
Display the aging timer for dynamic MAC address entries. | display mac-address aging-time |
Display the system or interface MAC address learning state. | display mac-address mac-learning [ interface interface-type interface-number ] |
MAC address table configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
Host A (000f-e235-dc71) is connected to interface GigabitEthernet 3/0/1 of Device and belongs to VLAN 1. To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of Device.
Host B (000f-e235-abcd), which once behaved suspiciously on the network, also belongs to VLAN 1. For security, add a blackhole MAC address entry for Host B, so that all frames destined for the host will be dropped.
Set the aging timer for dynamic MAC address entries to 500 seconds.
Configuration procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on GigabitEthernet 3/0/1 that belongs to VLAN 1.
<Device> system-view
[Device] mac-address static 000f-e235-dc71 interface GigabitEthernet 3/0/1 vlan 1
# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Device] mac-address timer aging 500
Verifying the configurations
# Display the MAC address static entry for interface GigabitEthernet 3/0/1.
[Device] display mac-address static interface GigabitEthernet 3/0/1
MAC Address VLAN ID State Port/NickName Aging
000f-e235-dc71 1 Static GE3/0/1 N
# Display information about the blackhole MAC address entries.
[Device] display mac-address blackhole
MAC Address VLAN ID State Port/NickName Aging
000f-e235-abcd 1 Blackhole N/A N
# View the aging time of dynamic MAC address entries.
[Device] display mac-address aging-time
MAC address aging time: 500s.