04-Layer 2 - LAN Switching Configuration Guide

02-MAC Address Table Configuration

MAC address table configuration applies to Layer 2 Ethernet ports and Layer 2 aggregate interfaces only.

This document covers only the configuration of static, dynamic, blackhole, and multiport unicast MAC address table entries. For the configuration of static multicast MAC address table entries, see IP Multicast Configuration Guide.

Overview

A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following information:

·     The MAC address of a connected network device.

·     The interface to which the device is connected.

·     The VLAN to which the interface belongs.

When forwarding a frame, the switch first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast, so broadcasts are reduced.

How a MAC address table entry is created

A MAC address table entry can be dynamically learned or manually configured.

Dynamically generate MAC address table entries

Usually, a switch can populate its MAC address table automatically by learning the source MAC addresses of incoming frames on each port.

When a frame arrives at a port, Port A for example, the switch performs the following tasks:

1.     Checks the source MAC address (MAC-SOURCE for example) of the frame.

2.     Looks up the source MAC address in the MAC address table.

¡     If an entry is found, the switch updates the entry.

¡     If no entry is found, the switch adds an entry for MAC-SOURCE and Port A.

3.     After learning this source MAC address, when the switch receives a frame destined for MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.

The switch performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.

To adapt to network changes, MAC address table entries must be constantly updated. Each dynamically learned MAC address table entry has an aging timer. If an entry is not updated before the aging timer expires, it is deleted. If the entry is updated before the aging timer expires, the aging timer restarts.

Manually configure MAC address table entries

With dynamic MAC address learning, a switch does not distinguish illegitimate frames from legitimate frames, which creates security hazards. For example, if an attacker sends frames with a forged source MAC address to a port different from the one where the real MAC address is connected, the switch creates an entry for the forged MAC address on that port and forwards frames destined for the legitimate user to the attacker instead.

To enhance the security of a port, you can manually add MAC address entries to the MAC address table of the switch to bind specific user devices to the port. Because manually configured entries take priority over dynamically learned ones, this prevents attackers from stealing data by using forged MAC addresses.

Types of MAC address table entries

A MAC address table can contain these types of entries:

·     Static entries—Manually added and never age out.

·     Dynamic entries—Manually added or dynamically learned, and might age out.

·     Blackhole entries—Manually configured and never age out. Blackhole entries include source blackhole MAC address entries and destination blackhole MAC address entries. They filter out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security reasons, configure the MAC address of this user as a destination blackhole MAC address entry.

·     Multiport unicast entries—Manually added to forward frames with a specific destination MAC address out of multiple ports, and never age out.

 

 

NOTE:

A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

 

MAC address table-based frame forwarding

When forwarding a frame, the switch adopts the following two forwarding modes based on the MAC address table:

·     Unicast mode—If an entry is available for the destination MAC address, the switch forwards the frame directly from the hardware.

·     Broadcast mode—If the switch receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the switch broadcasts the frame to all the interfaces except the receiving interface.
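To make the learning, entry-priority, aging and forwarding rules described above concrete, here is an added Python model of a MAC address table (example code written for this page, not H3C's implementation). The port names, the aging timer default of 300 seconds taken from the text, and the use of None to model mac-address timer no-aging are assumptions.

```python
from dataclasses import dataclass, field
# Constructed model of the behaviour described above: source learning, aging,
# manual-entry priority, and unicast/broadcast forwarding (assumed port names).
STATIC, DYNAMIC, BLACKHOLE, MULTIPORT = "static", "dynamic", "blackhole", "multiport"
BROADCAST = "ffff-ffff-ffff"

@dataclass
class Entry:
    kind: str
    ports: list            # one port; several for multiport; none for blackhole
    last_seen: float = 0.0 # time of last refresh (dynamic entries only)

@dataclass
class MacTable:
    aging: "float | None" = 300.0   # default 300 s; None models "no-aging"
    entries: dict = field(default_factory=dict)   # (mac, vlan) -> Entry

    def add_manual(self, kind, mac, vlan, ports=()):
        """static/blackhole/multiport: overwrites a dynamic entry, never ages out."""
        self.entries[(mac, vlan)] = Entry(kind, list(ports))

    def learn(self, src, vlan, in_port, now):
        """Source learning on arrival; returns False if a manual entry blocks it."""
        e = self.entries.get((src, vlan))
        if e is not None and e.kind != DYNAMIC:
            return False                       # dynamic never overwrites manual
        self.entries[(src, vlan)] = Entry(DYNAMIC, [in_port], now)  # add or refresh
        return True

    def age(self, now):
        """Delete dynamic entries whose aging timer expired; returns the count."""
        if self.aging is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e.kind == DYNAMIC and now - e.last_seen >= self.aging]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def forward(self, dst, vlan, in_port, all_ports):
        """Outgoing ports: drop (blackhole), flood (unknown/broadcast), or unicast."""
        e = self.entries.get((dst, vlan))
        if e is not None and e.kind == BLACKHOLE:
            return []
        if dst == BROADCAST or e is None:
            return [p for p in all_ports if p != in_port]   # broadcast mode
        return list(e.ports)                               # unicast/multiport mode

    def receive(self, src, dst, vlan, in_port, now, all_ports):
        """Process one frame: source blackhole filter, then learn, then forward."""
        s = self.entries.get((src, vlan))
        if s is not None and s.kind == BLACKHOLE:
            return []
        self.learn(src, vlan, in_port, now)
        return self.forward(dst, vlan, in_port, all_ports)
```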

Configuring static, dynamic, and blackhole MAC address table entries

Usually, a switch can populate its MAC address table automatically by learning the source MAC addresses of incoming frames.

To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks.

In addition, you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.

Adding or modifying a static, dynamic, or blackhole MAC address table entry in system view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Add or modify a dynamic or static MAC address entry.
Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
Remarks: Use either step 2 or step 3.

3.     Add or modify a blackhole MAC address entry.
Command: mac-address blackhole mac-address vlan vlan-id
Remarks: Use either step 2 or step 3.

 

Adding or modifying a static or dynamic MAC address table entry in interface view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
Command: interface interface-type interface-number
Remarks: N/A

3.     Add or modify a static or dynamic MAC address entry.
Command: mac-address { dynamic | static } mac-address vlan vlan-id
Remarks: Make sure that you have created the VLAN and assigned the interface to the VLAN.

 

Configuring a multiport unicast MAC address table entry

Multiport unicast MAC address entries enable you to deliver a single-destination frame out of multiple ports. For example, when a group of servers is processing requests from a client, the client is not concerned with the individual servers and believes that only one server is responding. In this case, you can configure a multiport unicast MAC address entry on the device connected to the server group, so that the device forwards each frame destined for the server group, which the client sees as a single server, to every server.

Configuring a multiport unicast MAC address table entry in system view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Configure a multiport unicast MAC address table entry.
Command: mac-address multiport mac-address interface interface-list vlan vlan-id
Remarks: No multiport unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interfaces to the VLAN.

 

Configuring a multiport unicast MAC address table entry in interface view

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter interface view or port group view.
Command (use either):
·     Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
·     Enter port group view: port-group manual port-group-name
Remarks: Settings in Layer 2 Ethernet interface view or Layer 2 aggregate interface view take effect on the current interface only. Settings in port group view take effect on all member ports in the port group.

3.     Configure a multiport unicast MAC address table entry.
Command: mac-address multiport mac-address vlan vlan-id
Remarks: No multiport unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interface or interfaces to the VLAN.

 

On a switch operating in IRF mode, do not specify the same MAC address for both a multiport unicast MAC address table entry and a static neighbor table entry. Otherwise, a conflict will occur. For more information about static neighbor entries, see Layer 3—IP Services Configuration Guide.

To associate a unicast MAC address with an Ethernet interface that belongs to an aggregation group, configure the multiport unicast MAC address table entry in Layer 2 aggregate interface view, instead of Layer 2 Ethernet interface view.

Configuring the aging timer for dynamic MAC address entries

The MAC address table on your switch uses an aging mechanism for dynamic entries: a dynamic MAC address entry that is not updated within its aging time is deleted to make room for new entries, so the table promptly reflects the latest network changes.

Configuration restrictions and guidelines

Set the aging timer appropriately. Too long an aging interval might cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval might result in removal of valid entries, causing unnecessary broadcasts, which might affect switch performance.

The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or administratively configured) only.

In a stable network with no traffic activity for a long time, all dynamic entries in the MAC address table maintained by the switch are deleted. The switch then broadcasts a large number of data packets, which unauthorized users might sniff, creating a security hazard. To avoid this, you can configure mac-address timer no-aging so that dynamic MAC address entries are not aged out. This reduces broadcasts and improves the stability and security of the network.

Configuration procedure

To configure the aging timer for dynamic MAC address entries:

 

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Configure the aging timer for dynamic MAC address entries.
Command: mac-address timer { aging seconds | no-aging }
Remarks: Optional. The default setting is 300 seconds.

 

Configuring the MAC learning limit

Configuring the MAC learning limit on ports

To prevent the MAC address table from getting so large that the forwarding performance of the switch degrades, you can limit the number of MAC addresses that can be learned on a port.

To configure the MAC learning limit on an Ethernet port, the Ethernet ports in a port group, or a Layer 2 aggregate interface:

 

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter Ethernet interface, port group, or Layer 2 aggregate interface view.
Command (use any one):
·     Enter Ethernet interface view: interface interface-type interface-number
·     Enter port group view: port-group manual port-group-name
·     Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
Remarks: Settings in Ethernet interface view or Layer 2 aggregate interface view take effect on the current port only. Settings in port group view take effect on all the member ports in the port group.

3.     Configure the MAC learning limit on an interface, and configure whether frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached.
Command: mac-address max-mac-count { count | disable-forwarding }
Remarks: By default, the maximum number of MAC addresses that can be learned on an interface is not specified, and frames with unknown source MAC addresses are forwarded when the MAC learning limit is reached.

 

Configuring the MAC learning limit on a VLAN

You can also limit the number of MAC addresses that can be learned on a per-VLAN basis.

To configure the MAC learning limit on a VLAN:

 

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enter VLAN view.
Command: vlan vlan-id
Remarks: N/A

3.     Configure the MAC learning limit on a VLAN, and configure whether frames with unknown source MAC addresses can be forwarded in the VLAN when the upper limit is reached.
Command: mac-address max-mac-count { count | disable-forwarding }
Remarks: By default, the maximum number of MAC addresses that can be learned on a VLAN is not specified, and frames with unknown source MAC addresses are forwarded when the MAC learning limit is reached.
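As an added example (not H3C code), this Python model shows how the per-port (or per-VLAN) learning limit decides whether an unknown source is learned and whether its frame is forwarded, with and without disable-forwarding. The MAC values are constructed, and treating count and disable-forwarding as independently configured settings is an assumption drawn from the two forms of the command.

```python
# Constructed model of mac-address max-mac-count on one port (the same rule
# applies per VLAN). Assumption: "count" and "disable-forwarding" are tracked
# independently, as the two forms of the command are configured separately.
class LearningLimit:
    def __init__(self, max_count=None, disable_forwarding=False):
        self.max_count = max_count                  # None: limit not specified
        self.disable_forwarding = disable_forwarding
        self.learned = set()                        # source MACs learned here

    def frame(self, src_mac):
        """Handle one frame; returns (learned_now, forwarded)."""
        if src_mac in self.learned:
            return False, True                      # known source: forwarded as usual
        if self.max_count is None or len(self.learned) < self.max_count:
            self.learned.add(src_mac)
            return True, True
        # Limit reached: the unknown source is not learned, and with
        # disable-forwarding its frame is dropped instead of forwarded.
        return False, not self.disable_forwarding

def run(limit, sources):
    """Feed a sequence of source MACs; returns (learned, forwarded, dropped)."""
    learned = forwarded = dropped = 0
    for mac in sources:
        l, f = limit.frame(mac)
        learned += l
        forwarded += f
        dropped += not f
    return learned, forwarded, dropped

# Constructed burst: five distinct sources, then a repeat of the first one
SOURCES = ["000f-e235-0001", "000f-e235-0002", "000f-e235-0003",
           "000f-e235-0004", "000f-e235-0005", "000f-e235-0001"]
```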

 

Enabling MAC address migration log notifying

To discover and locate Layer 2 loops, you can enable MAC address migration log notifying.

MAC address migration refers to the following process: a device learns a MAC address from an interface, Port A for example, and later learns the same MAC address from another interface, Port B for example. If Port A and Port B belong to the same VLAN, the outgoing interface in the entry for the MAC address changes from Port A to Port B, which means that the MAC address has migrated from Port A to Port B.

If a MAC address migrates between two specific interfaces frequently, a Layer 2 loop probably exists in the network. Cabling errors and misconfiguration commonly create such loops. Layer 2 loops cause devices to repeatedly forward the same packet, which can exhaust network resources and even bring down the network.

To enable MAC address migration log notifying:

 

1.     Enter system view.
Command: system-view
Remarks: N/A

2.     Enable MAC address migration log notifying.
Command: mac-flapping notification enable
Remarks: By default, MAC address migration log notifying is disabled.

 

Every minute, the device outputs the MAC address migration logs of the previous minute.

You can use the display mac-flapping information command to view the MAC address migration records kept since the device started up.
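As an added example (not the switch's own logic), the following Python model reads constructed MAC-learning events, records every port change for a (MAC, VLAN) pair as a migration, and flags a pair of ports between which the same MAC migrates repeatedly within one 60-second window as a probable Layer 2 loop. The event format, the one-minute window and the threshold of three migrations are assumptions.

```python
from collections import defaultdict

# Constructed migration detector modelling what mac-flapping notification
# reports: learning events are (time_s, mac, vlan, port); a port change for
# the same (mac, vlan) is one migration; records are grouped per 60 s window.
WINDOW = 60

def migrations(events):
    """Yield (time, mac, vlan, from_port, to_port) for every port change."""
    current = {}                       # (mac, vlan) -> port currently learned
    for t, mac, vlan, port in sorted(events):
        prev = current.get((mac, vlan))
        if prev is not None and prev != port:
            yield (t, mac, vlan, prev, port)
        current[(mac, vlan)] = port

def flapping_report(events, threshold=3):
    """Per 60 s window, count migrations per (mac, vlan, port pair) and keep
    only those reaching threshold: the pattern of a probable Layer 2 loop."""
    counts = defaultdict(int)
    for t, mac, vlan, a, b in migrations(events):
        pair = tuple(sorted((a, b)))   # A->B and B->A are the same port pair
        counts[(t // WINDOW, mac, vlan, pair)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

# Constructed sample: one MAC flaps between GE3/0/1 and GE3/0/2 within the
# first minute; another MAC moves once, which a legitimate host may do.
EVENTS = [
    (1, "000f-e235-dc71", 1, "GE3/0/1"), (5, "000f-e235-dc71", 1, "GE3/0/2"),
    (9, "000f-e235-dc71", 1, "GE3/0/1"), (14, "000f-e235-dc71", 1, "GE3/0/2"),
    (20, "000f-e235-abcd", 1, "GE3/0/3"), (70, "000f-e235-abcd", 1, "GE3/0/4"),
]
```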

Displaying and maintaining the MAC address table

All of the following display commands are available in any view.

Display MAC address table information:
display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]

Display the multiport unicast MAC address table entries:
display mac-address multiport [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

Display the aging timer for dynamic MAC address entries:
display mac-address aging-time [ | { begin | exclude | include } regular-expression ]

Display the MAC address migration record (in standalone mode):
display mac-flapping information [ slot slot-number ]

Display the MAC address migration record (in IRF mode):
display mac-flapping information [ chassis chassis-number [ slot slot-number ] ]

 

MAC address table configuration example

By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these interfaces, use the undo shutdown command to bring them up.

Network requirements

As shown in Figure 1:

·     The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 3/0/1 of the switch. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the switch.

·     The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so all packets destined for the host will be dropped.

·     Set the aging timer for dynamic MAC address entries to 500 seconds.

Figure 1 Network diagram

 

Configuration procedure

# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface Gigabitethernet 3/0/1 vlan 1

# Add a destination blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500

# Display the MAC address entry for port GigabitEthernet 3/0/1.
[Sysname] display mac-address interface Gigabitethernet 3/0/1
MAC ADDR          VLAN ID  STATE            PORT INDEX             AGING TIME(s)
000f-e235-dc71       1     Config static    GigabitEthernet3/0/1       NOAGED

  ---  1 mac address(es) found on port GigabitEthernet3/0/1 ---

# Display information about destination blackhole MAC addresses.
[Sysname] display mac-address blackhole
MAC ADDR        VLAN ID   STATE            PORT INDEX              AGING TIME(s)
000f-e235-abcd     1      Blackhole        N/A                          NOAGED

  ---  1 mac address(es) found  ---

# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s
