04-Layer 2—LAN Switching Configuration Guide

01-MAC address table configuration

Configuring the MAC address table

About the MAC address table

An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table.

·     The device forwards the frame out of the outgoing interface in the matching entry if a match is found.

·     The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries manually added.

MAC address learning

The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each interface.

The device performs the following operations to learn the source MAC address of an incoming frame:

1.     Checks the source MAC address (for example, MAC-SOURCE) of the frame.

2.     Looks up the source MAC address in the MAC address table.

¡     The device updates the entry if an entry is found.

¡     The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.

When the device receives a frame destined for MAC-SOURCE after learning this source MAC address, the device performs the following operations:

1.     Finds the MAC-SOURCE entry in the MAC address table.

2.     Forwards the frame out of the port in the entry.

The device performs the learning process for each incoming frame with an unknown source MAC address until the table is fully populated.

Manually configuring MAC address entries

Dynamic MAC address learning does not distinguish between legitimate and illegitimate frames, which creates a security risk. When Host A is connected to Port A, the device learns a MAC address entry for the MAC address of Host A (for example, MAC A). When an unauthorized user sends frames with MAC A as the source MAC address to Port B, the device performs the following operations:

1.     Learns a new MAC address entry with Port B as the outgoing interface and overwrites the old entry for MAC A.

2.     Forwards frames destined for MAC A out of Port B to the unauthorized user.

As a result, the unauthorized user obtains the data of Host A. To improve the security for Host A, manually configure a static entry to bind Host A to Port A. Then, the frames destined for Host A are always sent out of Port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

·     Static entries—A static entry is manually added to forward frames with a specific destination MAC address out of the associated interface, and it never ages out. A static entry has higher priority than a dynamically learned one.

·     Dynamic entries—A dynamic entry can be manually configured or dynamically learned to forward frames with a specific destination MAC address out of the associated interface. A dynamic entry might age out. A manually configured dynamic entry has the same priority as a dynamically learned one.

·     Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole entry is configured for filtering out frames with a specific source or destination MAC address. For example, to block all frames destined for or sourced from a user, you can configure the MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher priority than a dynamically learned one.

A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa. A static entry and a blackhole entry cannot overwrite each other.

This document does not cover the configuration of static multicast MAC address entries. For more information about configuring static multicast MAC address entries, see IGMP snooping in IP Multicast Configuration Guide.

Feature and hardware compatibility

The following matrix shows the compatibility of hardware and the MAC address table:

 

Hardware

Remarks

·     Fixed Layer 2 Ethernet ports on the following routers:

¡     MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK

¡     MSR810-LMS, MSR810-LUS

¡     MSR810-LMS-EA, MSR810-LME

¡     MSR1004S-5G

¡     MSR2600-6-X1, MSR2600-10-X1, MSR2600-15-X1

¡     MSR3600-28, MSR3600-51, MSR3600-28-SI, MSR3600-51-SI

¡     MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP

¡     MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG

¡     MSR810-W-WiNet, MSR810-LM-WiNet

¡     MSR830-4LM-WiNet

¡     MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet

¡     MSR830-6BHI-WiNet, MSR830-10BHI-WiNet

¡     MSR2600-6-WiNet, MSR2600-10-X1-WiNet

¡     MSR3600-28-WiNet

¡     MSR3600-28-XS

¡     MSR3610-I-XS

¡     MSR3610-IE-XS

¡     MSR810-LM-GL, MSR810-W-LM-GL, MSR830-6EI-GL, MSR830-10EI-GL, MSR830-6HI-GL, MSR830-10HI-GL, MSR1004S-5G-GL, MSR2600-6-X1-GL, MSR3600-28-SI-GL

·     Layer 2 interface modules installed on routers.

For information about the support of the routers for Layer 2 interface modules, see H3C MSR Router Series Comware 7 Interface Module Guide.

 

MAC address table tasks at a glance

All MAC address table configuration tasks are optional.

To configure the MAC address table, perform the following tasks:

·     Configuring MAC address entries

¡     Adding or modifying a static or dynamic MAC address entry

¡     Adding or modifying a blackhole MAC address entry

·     Setting the aging timer for dynamic MAC address entries

·     Configuring MAC address learning

¡     Disabling MAC address learning

Configuring MAC address entries

About MAC address entry-based frame forwarding

A frame whose source MAC address matches different types of MAC address entries is processed differently.

 

Processing by the type of entry that the source MAC address matches:

·     Static MAC address entry: Forwards the frame according to the destination MAC address regardless of whether the frame's ingress interface is the same as that in the entry.

·     Blackhole MAC address entry: Drops the frame.

·     Dynamic MAC address entry:

¡     Learns the MAC address of the frames received on a different interface from that in the entry and overwrites the original entry.

¡     Forwards the frame received on the same interface as that in the entry and updates the aging timer for the entry.
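The rules above (learning, the overwrite by a forged source MAC address, static and blackhole priority, and aging) can be checked with a small model. This is an added example, not H3C code: the MacTable class, its method names, the port labels and the third host address 0000-5e00-5301 are hypothetical, and only static and blackhole entries can be added manually in the model.

```python
# Added illustration: a toy model of the entry rules on this page, not H3C code.
STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"

class MacTable:
    def __init__(self, aging=300, learning=True):
        self.aging = aging          # seconds; None models "no-aging"
        self.learning = learning
        self.entries = {}           # (vlan, mac) -> [kind, port, last_seen]

    def add(self, kind, mac, vlan, port=None):
        """Manually add a static or blackhole entry; return False if refused."""
        old = self.entries.get((vlan, mac))
        # Static and blackhole overwrite dynamic entries but not each other.
        if old and old[0] != DYNAMIC and old[0] != kind:
            return False
        self.entries[(vlan, mac)] = [kind, port, None]
        return True

    def expire(self, now):
        """Delete dynamic entries not refreshed within the aging time."""
        for key, (kind, _, seen) in list(self.entries.items()):
            if kind == DYNAMIC and self.aging is not None and now - seen >= self.aging:
                del self.entries[key]

    def receive(self, src, dst, vlan, port, now=0):
        """Process one frame and return 'drop', 'flood' or 'forward:<port>'."""
        self.expire(now)
        s = self.entries.get((vlan, src))
        d = self.entries.get((vlan, dst))
        if (s and s[0] == BLACKHOLE) or (d and d[0] == BLACKHOLE):
            return "drop"
        # Learn, move or refresh only where no manual entry owns the source MAC.
        if self.learning and (s is None or s[0] == DYNAMIC):
            self.entries[(vlan, src)] = [DYNAMIC, port, now]
        return f"forward:{d[1]}" if d else "flood"

# Host A and Host B use the page's addresses; Host C is a constructed address.
HOST_A, HOST_B, HOST_C = "000f-e235-dc71", "000f-e235-abcd", "0000-5e00-5301"

def demo():
    t, out = MacTable(aging=300), []
    out.append(t.receive(HOST_A, HOST_C, 1, "PortA", now=0))  # A learned on Port A
    t.receive(HOST_A, HOST_C, 1, "PortB", now=1)              # forged source moves it
    out.append(t.receive(HOST_C, HOST_A, 1, "PortC", now=2))  # A's frames go to Port B
    t.add(STATIC, HOST_A, 1, "PortA")                         # bind Host A to Port A
    t.receive(HOST_A, HOST_C, 1, "PortB", now=3)              # forged source ignored
    out.append(t.receive(HOST_C, HOST_A, 1, "PortC", now=4))  # back to Port A
    t.add(BLACKHOLE, HOST_B, 1)
    out.append(t.receive(HOST_B, HOST_A, 1, "PortC", now=5))  # blackhole source
    return out
```

demo() returns the decisions for the first frame, the hijacked frame, the frame after the static binding, and the frame from the blackholed host, in that order.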

 

Restrictions and guidelines for MAC address entry configuration

You cannot add a dynamic MAC address entry if a learned entry already exists with a different outgoing interface for the MAC address.

The manually configured static and blackhole MAC address entries cannot survive a reboot if you do not save the configuration. The manually configured dynamic MAC address entries are lost upon reboot whether or not you save the configuration.

Do not configure the following MAC addresses as static, dynamic, or blackhole MAC addresses:

·     Reserved MAC addresses of the device.

·     MAC addresses of Layer 3 Ethernet interfaces or subinterfaces.

·     MAC addresses of Layer 3 aggregate interfaces or subinterfaces.

Prerequisites for MAC address entry configuration

Before manually configuring a MAC address entry for an interface, make sure the VLAN in the entry has been created.

Adding or modifying a static or dynamic MAC address entry

Adding or modifying a static or dynamic MAC address entry globally

1.     Enter system view.

system-view

2.     Add or modify a static or dynamic MAC address entry.

mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id

By default, no MAC address entry is configured globally.

Make sure you have assigned the interface to the VLAN.

Adding or modifying a static or dynamic MAC address entry on an interface

1.     Enter system view.

system-view

2.     Enter interface view.

¡     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Add or modify a static or dynamic MAC address entry.

mac-address { dynamic | static } mac-address vlan vlan-id

By default, no MAC address entry is configured on an interface.

Make sure you have assigned the interface to the VLAN.

Adding or modifying a blackhole MAC address entry

1.     Enter system view.

system-view

2.     Add or modify a blackhole MAC address entry.

mac-address blackhole mac-address vlan vlan-id

By default, no blackhole MAC address entry is configured.

Setting the aging timer for dynamic MAC address entries

About this task

For security and efficient use of table space, the MAC address table uses an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can promptly update to accommodate the latest network topology changes.

A stable network requires a longer aging interval, and an unstable network requires a shorter aging interval.

An aging interval that is too long might cause the MAC address table to retain outdated entries. As a result, the MAC address table resources might be exhausted, and the MAC address table might fail to update its entries to accommodate the latest network changes.

An interval that is too short might result in removal of valid entries, which would cause unnecessary floods and possibly affect the device performance.

To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations.

Procedure

1.     Enter system view.

system-view

2.     Set the aging timer for dynamic MAC address entries.

mac-address timer { aging seconds | no-aging }

The default setting is 300 seconds.

Disabling MAC address learning

About disabling MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated when the device is experiencing attacks, disable MAC address learning. For example, you can disable MAC address learning to protect the device from attacks that send a large number of frames with different source MAC addresses.

After MAC address learning is disabled, existing dynamic MAC address entries can age out.

Disabling MAC address learning on an interface

About this task

When global MAC address learning is enabled, you can disable MAC address learning on a single interface.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

¡     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Disable MAC address learning on the interface.

undo mac-address mac-learning enable

By default, MAC address learning is enabled on an interface.

Enabling SNMP notifications for the MAC address table

About this task

To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC address table. For MAC address move event notifications to be sent correctly, you must also configure SNMP on the device.

When SNMP notifications are disabled for the MAC address table, the device sends the generated logs to the information center. To display the logs, configure the log destination and output rule in the information center.

For more information about SNMP and information center configuration, see the network management and monitoring configuration guide for the device.

Procedure

1.     Enter system view.

system-view

2.     Enable SNMP notifications for the MAC address table.

snmp-agent trap enable mac-address

By default, SNMP notifications are enabled for the MAC address table.

When SNMP notifications are disabled for the MAC address table, syslog messages are sent to report important events on the MAC address table module.

Display and maintenance commands for MAC address table

Execute display commands in any view.

 

 

·     Display MAC address table information.

display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ]

·     Display the aging timer for dynamic MAC address entries.

display mac-address aging-time

·     Display the system or interface MAC address learning state.

display mac-address mac-learning [ interface interface-type interface-number ]

MAC address table configuration examples

Example: Configuring the MAC address table

Network configuration

As shown in Figure 1:

·     Host A at MAC address 000f-e235-dc71 is connected to GigabitEthernet 1/0/1 of Device and belongs to VLAN 1.

·     Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also belongs to VLAN 1.

Configure the MAC address table as follows:

·     To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of Device.

·     To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.

·     Set the aging timer to 500 seconds for dynamic MAC address entries.

Figure 1 Network diagram

Procedure

# Add a static MAC address entry for MAC address 000f-e235-dc71 on GigabitEthernet 1/0/1 that belongs to VLAN 1.

<Device> system-view

[Device] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.

[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.

[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for GigabitEthernet 1/0/1.

[Device] display mac-address static interface gigabitethernet 1/0/1

MAC Address      VLAN ID    State            Port/Nickname            Aging

000f-e235-dc71   1          Static           GE1/0/1                  N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole

MAC Address      VLAN ID    State            Port/Nickname            Aging

000f-e235-abcd   1          Blackhole        N/A                      N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time

MAC address aging time: 500s.
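Where the display output is collected periodically, two captures can be compared to spot MAC address moves and to confirm that a required static binding is still in place. This is an added example, not H3C code: parse, audit and expected_static are hypothetical names, both captures are constructed in the column layout shown above, and the State value Learned for dynamic entries and the host 0000-5e00-5301 are assumptions.

```python
# Added illustration, not H3C code: diff two `display mac-address` captures.
import re

ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+(\S+)\s+([YN])$", re.I)

# Constructed captures; "Learned" as the state of dynamic entries is assumed.
BEFORE = """\
MAC Address      VLAN ID    State            Port/Nickname            Aging
000f-e235-dc71   1          Static           GE1/0/1                  N
000f-e235-abcd   1          Blackhole        N/A                      N
0000-5e00-5301   1          Learned          GE1/0/2                  Y
"""
AFTER = """\
MAC Address      VLAN ID    State            Port/Nickname            Aging
000f-e235-dc71   1          Learned          GE1/0/4                  Y
000f-e235-abcd   1          Blackhole        N/A                      N
0000-5e00-5301   1          Learned          GE1/0/3                  Y
"""

def parse(text):
    """Return {(mac, vlan): (state, port)}; header and other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, state, port, _ = m.groups()
            table[(mac.lower(), int(vlan))] = (state, port)
    return table

def audit(before, after, expected_static):
    """Report entries that changed port and static bindings that are absent."""
    old, new = parse(before), parse(after)
    findings = []
    for key, (_, port) in sorted(new.items()):
        if key in old and old[key][1] != port:
            findings.append(("moved", key[0], old[key][1], port))
    for (mac, vlan), port in sorted(expected_static.items()):
        seen = new.get((mac, vlan), (None, None))
        if seen != ("Static", port):
            findings.append(("binding-missing", mac, port, seen[1]))
    return findings
```

Calling audit(BEFORE, AFTER, {("000f-e235-dc71", 1): "GE1/0/1"}) reports both moves and the missing static binding for Host A.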

 

 
