MAC


Introduction

An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table.

Types of MAC address entries

A MAC address table can contain the following types of entries:

Aging timer for dynamic MAC address entries

For security and efficient use of table space, the MAC address table uses an aging timer for dynamic entries learned on all interfaces. If a dynamic MAC address entry is not updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table is updated promptly to reflect the latest network topology changes.

A stable network requires a longer aging interval, and an unstable network requires a shorter aging interval.

To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out. Reducing floods improves network performance. It also improves security because it reduces the chances for a data frame to reach unintended destinations.

MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated when the device is experiencing attacks, disable MAC address learning. For example, you can disable MAC address learning to protect the device against a large number of frames with different source MAC addresses.

When global MAC address learning is enabled, you can disable MAC address learning on a single interface.

You can also configure the MAC learning limit on an interface to limit the MAC address table size. A large MAC address table will degrade forwarding performance. When the limit is reached, the interface stops learning any MAC addresses. You can also configure whether to forward frames whose source MAC address is not in the MAC address table.
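The learning limit and aging behaviour described above, modelled as an added example (not the vendor's code or configuration). The interface names, MAC addresses and traffic are constructed, and the order of checks is an assumption about how such a device behaves.

```python
from dataclasses import dataclass, field

@dataclass
class MacTable:
    """Toy model of dynamic MAC learning (not device code; names are assumptions)."""
    aging: float = 300.0               # seconds an entry survives without refresh
    limit: dict = field(default_factory=dict)    # interface -> max learned MACs
    forward_unknown_src: bool = True   # forward frames whose source was not learned
    entries: dict = field(default_factory=dict)  # (vlan, mac) -> (interface, last_seen)

    def learned_on(self, ifname):
        return sum(1 for port, _ in self.entries.values() if port == ifname)

    def receive(self, now, ifname, vlan, src, dst):
        """Process one frame; return 'drop', 'flood', or the egress interface."""
        # Age out dynamic entries that were not refreshed within the aging timer.
        self.entries = {k: v for k, v in self.entries.items() if now - v[1] < self.aging}
        cur = self.entries.get((vlan, src))
        refresh = cur is not None and cur[0] == ifname
        room = self.learned_on(ifname) < self.limit.get(ifname, float("inf"))
        if refresh or room:
            self.entries[(vlan, src)] = (ifname, now)   # learn or refresh
        elif not self.forward_unknown_src:
            return "drop"                               # limit reached, unknown source
        hit = self.entries.get((vlan, dst))
        return hit[0] if hit else "flood"               # unknown destination floods

def simulate(limit=None, forward_unknown_src=True, frames=1000):
    """Constructed traffic: two hosts, then many distinct sources on 'port3'."""
    t = MacTable(limit={"port3": limit} if limit else {},
                 forward_unknown_src=forward_unknown_src)
    t.receive(0, "port1", 10, "0011-2233-0001", "ffff-ffff-ffff")
    t.receive(0, "port2", 10, "0011-2233-0002", "0011-2233-0001")
    results = [t.receive(1, "port3", 10, f"0200-0000-{i:04x}", "0011-2233-0001")
               for i in range(frames)]
    return len(t.entries), results.count("drop")

if __name__ == "__main__":
    print("no limit:          ", simulate())
    print("limit 8, forward:  ", simulate(limit=8))
    print("limit 8, drop:     ", simulate(limit=8, forward_unknown_src=False))
```

Each result is (table size, frames dropped): without a limit the table grows by one entry per distinct source, while a limit of 8 on the receiving interface caps what that interface can add regardless of the forwarding choice.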

VLAN ID check

This feature enables the device to check the VLAN ID of each packet that matches a session entry during Layer 2 forwarding.

On a hot backup system, you must disable VLAN ID check if the interfaces that receive the traffic on the primary and secondary devices belong to different VLANs. If you enable VLAN ID check, traffic cannot match session entries correctly after a primary/secondary device switchover occurs or when asymmetric-path traffic exists.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Restrictions and guidelines

When you configure MAC address entries, follow these restrictions and guidelines:

Configure MAC address entries

A MAC address entry records the interface and VLAN to which a MAC address belongs. Supported MAC address entry types include Dynamic, Static, and Blackhole. When the device forwards a packet, it looks up a forwarding path in the MAC address table. If no match is found, the packet is broadcast. To enhance data security, you can enable the VLAN ID check service on the Advanced Settings page.

  1. Click the Network tab.

  2. In the navigation pane, select Links > MAC > MAC Address Entries.

  3. Click Create.

    Figure-1 Creating a MAC address entry

  4. Configure parameters for the MAC address entry.

    Table-1 MAC address entry configuration items

    Item         Description
    Type         Select the type of the MAC address entry. Options include Dynamic, Static, and Blackhole.
    MAC address  Specify a MAC address in the format of H-H-H. You cannot specify a multicast MAC address, an all-zero MAC address, or an all-F MAC address.
    VLAN         Specify the VLAN ID.
    Interface    Specify the egress port in the VLAN.

  5. Click OK.

  6. (Optional.) Select Advanced Settings, and then enable or disable VLAN ID Check.

    Figure-2 Advanced settings