02-Layer 2 Configuration Guide
03-MAC Address Table Configuration
This chapter includes these sections:
· Overview
· Configuring the MAC address table
· Configuring static multicast MAC address entries
· Displaying and maintaining MAC address tables
· MAC address table configuration example
NOTE:
· The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.
· The WX3000E series comprises WX3024E and WX3010E wireless switches.
· The port numbers in this chapter are for illustration only.
· The port-related MAC address table configurations are supported only on Layer 2 ports, such as Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
Overview
An Ethernet device uses a MAC address table so that it can forward frames as unicast instead of flooding them. Each entry records the port through which a MAC address (that is, a host) can be reached. When forwarding a frame, the device looks up the frame's destination MAC address in the table. If an entry is found, the device forwards the frame out of the outgoing port in the entry. If no entry is found, the device floods the frame out of all ports in the frame's VLAN except the incoming port.
How a MAC address table entry is created
The entries in the MAC address table come from two sources: automatically learned by the device and manually added by the administrator.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each port.
When a frame arrives at a port (Port A, for example), the device performs the following tasks:
1. Reads the source MAC address of the frame (MAC-SOURCE, for example).
2. Looks up MAC-SOURCE in the MAC address table.
· If an entry is found, the device updates the entry (refreshing its aging time and, if the frame arrived on a different port, changing the port to Port A).
· If no entry is found, the device adds an entry that maps MAC-SOURCE to Port A.
3. From then on, when the device receives a frame destined for MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.
The device performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between legitimate and illegitimate frames, which creates a security hazard. For example, if an attacker sends frames with a forged source MAC address from a port other than the one the real host is connected to, the device moves the entry for that MAC address to the attacker's port and forwards frames destined for the legitimate host to the attacker instead.
You can manually add MAC address entries to bind specific user devices to specific ports. Because a manually configured entry takes priority over a dynamically learned one and is not overwritten by learning, an attacker can no longer redirect the legitimate host's traffic by forging its MAC address.
Types of MAC address table entries
A MAC address table can contain the following types of entries:
· Static entries, which are manually added and never age out.
· Dynamic entries, which can be manually added or dynamically learned and may age out.
· Blackhole entries, which are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole MAC address entry.
NOTE: A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the device adopts the following forwarding modes based on the MAC address table:
· Unicast mode: If an entry is available for the destination MAC address, the device forwards the frame out the outgoing interface indicated by the MAC address table entry.
· Broadcast mode: If the device receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the device floods the frame out of all interfaces in the frame's VLAN except the receiving interface.
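The learning, forwarding and entry-precedence rules above, as an added example in Python (not code from the WX3000E manual or from Comware): a toy single-VLAN learning switch. It shows how a forged source MAC moves a dynamic entry to the attacker's port, how a static binding resists that, how blackhole entries drop frames in both directions, and how the aging timer turns a stale entry back into a flood. Port names, MAC addresses and the simulated timestamps passed as `now` are constructed for the illustration; a real device keeps one table per VLAN and applies the same rules within each VLAN.

```python
"""Toy learning switch modelling the MAC address table rules described above.

Added example; not code from the WX3000E manual or from Comware. A single
VLAN is modelled, and "now" is a simulated timestamp supplied by the caller
instead of a real clock. Port names and MAC addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Entry:
    port: Optional[str]     # None for blackhole entries (no outgoing port)
    kind: str               # "static", "dynamic" or "blackhole"
    last_seen: float = 0.0  # refreshed on every frame; used for aging only


class LearningSwitch:
    def __init__(self, ports: List[str], aging_seconds: Optional[int] = 300):
        self.ports = list(ports)
        self.aging = aging_seconds       # None models "mac-address timer no-aging"
        self.table: Dict[str, Entry] = {}

    # Manual configuration: "mac-address static ..." and "mac-address blackhole ..."
    def add_static(self, mac: str, port: str) -> None:
        self.table[mac] = Entry(port, "static")      # overwrites a dynamic entry

    def add_blackhole(self, mac: str) -> None:
        self.table[mac] = Entry(None, "blackhole")

    def learn(self, src: str, in_port: str, now: float) -> None:
        cur = self.table.get(src)
        if cur is None:
            self.table[src] = Entry(in_port, "dynamic", now)
        elif cur.kind == "dynamic":
            # Refresh the entry; a frame from another port moves it there,
            # which is exactly what a forged source MAC exploits.
            cur.port, cur.last_seen = in_port, now
        # A static or blackhole entry is never overwritten by learning.

    def age(self, now: float) -> None:
        if self.aging is None:
            return
        expired = [m for m, e in self.table.items()
                   if e.kind == "dynamic" and now - e.last_seen > self.aging]
        for mac in expired:
            del self.table[mac]

    def forward(self, src: str, dst: str, in_port: str, now: float = 0.0) -> List[str]:
        """Process one frame and return the list of egress ports."""
        self.age(now)
        src_entry = self.table.get(src)
        if src_entry is not None and src_entry.kind == "blackhole":
            return []                                   # source blackhole: drop
        self.learn(src, in_port, now)
        dst_entry = self.table.get(dst)
        if dst == BROADCAST or dst_entry is None:
            return [p for p in self.ports if p != in_port]   # flood
        if dst_entry.kind == "blackhole":
            return []                                   # destination blackhole: drop
        return [] if dst_entry.port == in_port else [dst_entry.port]


def spoof_scenario(bind_static: bool) -> List[str]:
    """Host A (000f-e235-dc71) sits on GE1/0/1; an attacker on GE1/0/3 sends a
    frame with Host A's MAC as source. Returns where a frame for Host A is
    delivered afterwards."""
    sw = LearningSwitch(["GE1/0/1", "GE1/0/2", "GE1/0/3"])
    host_a = "000f-e235-dc71"
    if bind_static:
        sw.add_static(host_a, "GE1/0/1")
    sw.forward(host_a, BROADCAST, "GE1/0/1", now=0)      # legitimate traffic from A
    sw.forward(host_a, BROADCAST, "GE1/0/3", now=1)      # forged source MAC
    return sw.forward("000f-e235-0002", host_a, "GE1/0/2", now=2)


def aging_scenario(aging_seconds: Optional[int]) -> List[str]:
    """A host is learned at t=0; where a frame for it goes at t=301."""
    sw = LearningSwitch(["p1", "p2", "p3"], aging_seconds=aging_seconds)
    sw.forward("000f-e235-0001", BROADCAST, "p1", now=0)
    return sw.forward("000f-e235-0002", "000f-e235-0001", "p2", now=301)


def blackhole_scenario():
    """Frames to and from a blackholed MAC (Host B in the configuration example)."""
    sw = LearningSwitch(["p1", "p2", "p3"])
    sw.add_blackhole("000f-e235-abcd")
    to_b = sw.forward("000f-e235-0001", "000f-e235-abcd", "p1")
    from_b = sw.forward("000f-e235-abcd", BROADCAST, "p2")
    return to_b, from_b


if __name__ == "__main__":
    print("dynamic only, after spoof:", spoof_scenario(False))   # ['GE1/0/3']
    print("static binding, after spoof:", spoof_scenario(True))  # ['GE1/0/1']
    print("aging 300 s:", aging_scenario(300), " no-aging:", aging_scenario(None))
    print("blackhole:", blackhole_scenario())
```

The spoof scenario is the point of the static-entry recommendation: with only dynamic learning, the attacker's forged frame moves Host A's entry to GE1/0/3 and traffic for Host A is delivered there; with `add_static` (the equivalent of `mac-address static ... interface ... vlan ...`) the entry stays on GE1/0/1. The aging scenario shows the trade-off behind the timer: with a 300-second timer the stale entry is gone at t=301 and the frame is flooded to every other port, while with aging disabled it is still delivered to p1.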
Configuring the MAC address table
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
Configuring static, dynamic, and blackhole MAC address table entries
To fence off MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses.
You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
Follow these steps to add or modify a static, dynamic, or blackhole MAC address table entry in system view:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Add or modify a dynamic or static MAC address entry | `mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id` | Required. Use either command. Make sure the VLAN has been created and the interface assigned to it.
Add or modify a blackhole MAC address entry | `mac-address blackhole mac-address vlan vlan-id` | Required. Use either command. Make sure the VLAN has been created.
Follow these steps to add or modify a static or dynamic MAC address table entry in interface view:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Enter Layer 2 Ethernet/VE/aggregate interface view | `interface interface-type interface-number` | —
Add or modify a static or dynamic MAC address entry | `mac-address { dynamic \| static } mac-address vlan vlan-id` | Required. Make sure the VLAN has been created and the interface assigned to it.
Configuring the aging timer for dynamic MAC address entries
The MAC address table applies an aging timer to dynamic MAC address entries, both for security and to use table space efficiently. If a dynamic entry is not refreshed by a frame from its MAC address before the aging timer expires, the device deletes the entry. This aging mechanism lets the table track network changes promptly.
Set the aging timer appropriately. Too long an aging interval lets the table retain outdated entries, exhaust table resources, and lag behind the latest network changes. Too short an interval removes valid entries, causing unnecessary flooding that can affect device performance.
Follow these steps to configure the aging timer for dynamic MAC address entries:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Configure the aging timer for dynamic MAC address entries | `mac-address timer { aging seconds \| no-aging }` | Optional. 300 seconds by default. The no-aging keyword disables the aging timer.

On a stable network you can reduce flooding by disabling the aging timer, so that dynamic entries do not age out unnecessarily. Fewer flooded frames improve not only performance but also security, because fewer frames reach ports they were not addressed to. Disable aging only where the topology does not change: with aging disabled, a dynamic entry for a host that has moved to another port is corrected only when the host sends a frame from the new port, and entries for hosts that have left the network are no longer removed by aging.
Configuring the MAC learning limit
Configuring the MAC learning limit on ports
As the MAC address table grows, the forwarding performance of the device can degrade. To keep the table from growing to a size that affects forwarding, you can limit the number of MAC addresses that a port can learn. Because a full table means that new source addresses are not learned and frames to them are flooded (see the Overview), a per-port limit also bounds how much of the table a single port, and any host behind it that sends frames with many forged source addresses, can consume.
Follow these steps to configure the MAC learning limit on a Layer 2 Ethernet interface, Layer 2 VE interface, Layer 2 aggregate interface, or all ports in a port group:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Enter Layer 2 Ethernet/aggregate interface view | `interface interface-type interface-number` | Required. Use either command. Settings in Layer 2 Ethernet/aggregate interface view take effect on the current interface only.
Enter port group view | `port-group manual port-group-name` | Required. Use either command. Settings in port group view take effect on all member ports in the port group.
Configure the MAC learning limit on the interface | `mac-address max-mac-count count` | Required. No MAC learning limit is configured by default.
Configuring static multicast MAC address entries
In Layer-2 multicast, a Layer 2 multicast protocol (such as IGMP snooping) can dynamically add multicast MAC address entries. Or, you can manually configure multicast MAC address entries.
Configuring a static multicast MAC address entry in system view
Follow these steps to configure a static multicast MAC address entry in system view:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Configure a static multicast MAC address entry | `mac-address multicast mac-address interface interface-list vlan vlan-id` | Required. No static multicast MAC address entries exist by default.
Configuring a static multicast MAC address entry in interface view
Follow these steps to configure static multicast MAC address entries in interface view:

To do… | Use the command… | Remarks
---|---|---
Enter system view | `system-view` | —
Enter Ethernet interface/Layer 2 aggregate interface view | `interface interface-type interface-number` | Required. Use either command. In Ethernet interface view or Layer 2 aggregate interface view, the configuration is effective only on the current interface.
Enter port group view | `port-group manual port-group-name` | Required. Use either command. In port group view, the configuration is effective on all ports in the port group.
Configure a static multicast MAC address entry | `mac-address multicast mac-address vlan vlan-id` | Required. No static multicast MAC address entries exist by default.
NOTE:
· When you configure a static multicast MAC address entry in system view, the configuration is effective for the specified interfaces. When you configure a static multicast MAC address entry in interface view or port group view, the configuration is effective only for the current interface or for the interfaces in the current port group.
· Any legal multicast MAC address except 0100-5Exx-xxxx (where x represents a hexadecimal digit from 0 to F) can be manually added to the multicast MAC address table. A multicast MAC address is one whose most significant octet has its least significant bit (the I/G bit) set to 1.
Displaying and maintaining MAC address tables
To do… | Use the command… | Remarks
---|---|---
Display MAC address table information | `display mac-address [ mac-address [ vlan vlan-id ] \| [ [ dynamic \| static ] [ interface interface-type interface-number ] \| blackhole ] [ vlan vlan-id ] [ count ] ] [ \| { begin \| exclude \| include } regular-expression ]` | Available in any view
Display the aging timer for dynamic MAC address entries | `display mac-address aging-time [ \| { begin \| exclude \| include } regular-expression ]` | Available in any view
Display the multi-port unicast MAC address table entries | `display mac-address multiport [ vlan vlan-id ] [ count ] [ \| { begin \| exclude \| include } regular-expression ]` | Available in any view
Display MAC address statistics | `display mac-address statistics [ \| { begin \| exclude \| include } regular-expression ]` | Available in any view
MAC address table configuration example
Network requirements
· The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device.
· The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so that all packets destined for the host will be dropped.
· Set the aging timer for dynamic MAC address entries to 500 seconds.
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1
# Add a destination blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 1/0/1.
[Sysname] display mac-address interface gigabitethernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
000f-e235-dc71 1 Config static GigabitEthernet 1/0/1 NOAGED
--- 1 mac address(es) found ---
# Display information about the destination blackhole MAC address table.
[Sysname] display mac-address blackhole
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
000f-e235-abcd 1 Blackhole N/A NOAGED
--- 1 mac address(es) found ---
# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s