Layer 2 - LAN Switching Configuration Guide
02-MAC Address Table Configuration
Contents
Configuring the MAC address table
How a MAC address table entry is created
Types of MAC address table entries
MAC address table-based frame forwarding
Configuring the MAC address table
Configuring static, dynamic, and blackhole MAC address table entries
Configuring a multi-port unicast MAC address table entry
Configuring the aging timer for dynamic MAC address entries
Configuring the MAC learning limit
Displaying and maintaining the MAC address table
MAC address table configuration example
NOTE:
· At present, MAC address table configuration applies to Layer 2 Ethernet ports and Layer 2 aggregate interfaces only.
· This document covers only the configuration of static, dynamic, blackhole, and multi-port unicast MAC address table entries. For the configuration of static multicast MAC address table entries, see IP Multicast Configuration Guide.
· The switch operates in IRF or standalone (the default) mode. For more information about the IRF mode, see IRF Configuration Guide.
Overview
A MAC address table is maintained for frame forwarding. Each entry in this table indicates the following information:
· The MAC address of a connected network device
· The interface to which the device is connected
· The VLAN to which the interface belongs
When forwarding a frame, the switch first looks up the MAC address table by the destination MAC address of the frame for the outgoing port. If the outgoing port is found, the frame is forwarded rather than broadcast, so broadcasts are reduced.
How a MAC address table entry is created
A MAC address table entry can be dynamically learned or manually configured.
Dynamically generate MAC address table entries
Usually, a switch can populate its MAC address table automatically by learning the source MAC addresses of incoming frames on each port.
When a frame arrives at a port, Port A for example, the switch performs the following tasks:
1. Checks the source MAC address (MAC-SOURCE for example) of the frame.
2. Looks up the source MAC address in the MAC address table.
  · If an entry is found, the switch updates the entry.
  · If no entry is found, the switch adds an entry for MAC-SOURCE and Port A.
3. After learning this source MAC address, when the switch receives a frame destined for MAC-SOURCE, it finds the MAC-SOURCE entry in the MAC address table and forwards the frame out Port A.
The switch performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.
To adapt to network changes, MAC address table entries must be constantly updated. Each dynamically learned MAC address table entry has an aging timer. If an entry is not updated when the aging timer expires, it is deleted. If it updates before the aging timer expires, the aging timer restarts.
Manually configure MAC address table entries
With dynamic MAC address learning, a switch does not distinguish illegitimate frames from legitimate frames, which creates a security hazard. For example, if an attacker sends frames with a forged source MAC address to a port different from the one where the real MAC address is connected, the switch creates an entry for the forged MAC address on that port and forwards frames destined for the legitimate user to the attacker instead.
To enhance the security of a port, you can manually add MAC address entries to the MAC address table of the switch to bind specific user devices to the port. Because manually configured entries have higher priority than dynamically learned ones, a forged source MAC address cannot overwrite the binding, which prevents attackers from stealing data using forged MAC addresses.
Types of MAC address table entries
A MAC address table may contain these types of entries:
· Static entries—Static entries are manually configured and never age out.
· Dynamic entries—Dynamic entries can be manually configured or dynamically learned and may age out.
· Blackhole entries—Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering frames with specific MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole entry.
· Multi-port unicast entries—Multi-port unicast entries are manually added and never age out.
NOTE: A static, blackhole, or multi-port unicast MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the switch adopts the following two forwarding modes based on the MAC address table:
· Unicast mode—If an entry is available for the destination MAC address, the switch forwards the frame directly from the hardware.
· Broadcast mode—If the switch receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the switch broadcasts the frame to all the interfaces except the receiving interface.
Configuring the MAC address table
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
Configuring static, dynamic, and blackhole MAC address table entries
Usually, a switch can populate its MAC address table automatically by learning the source MAC addresses of incoming frames.
To improve port security, you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses, fending off MAC address spoofing attacks.
In addition, you can configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
To add or modify a static, dynamic, or blackhole MAC address table entry in system view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Add or modify a dynamic or static MAC address entry. | mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id | Use either command. |
3. Add or modify a blackhole MAC address entry. | mac-address blackhole mac-address vlan vlan-id | Use either command. |
To add or modify a static or dynamic MAC address table entry in interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Add or modify a static or dynamic MAC address entry. | mac-address { dynamic \| static } mac-address vlan vlan-id | Make sure that you have created the VLAN and assigned the interface to the VLAN. |
Configuring a multi-port unicast MAC address table entry
You can configure a multi-port unicast MAC address table entry to associate a unicast MAC address with multiple ports, so that packets matching the entry are delivered to multiple destination ports.
To configure a multi-port unicast MAC address table entry in system view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure a multi-port unicast MAC address table entry. | mac-address multiport mac-address interface interface-list vlan vlan-id | No multi-port unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interfaces to the VLAN. |
To configure a multi-port unicast MAC address table entry in interface view:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view or port group view. | · Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view · Enter port group view | Use either command. Settings in Layer 2 Ethernet interface view or Layer 2 aggregate interface view take effect on the current interface only. Settings in port group view take effect on all member ports in the port group. |
3. Configure a multi-port unicast MAC address table entry. | mac-address multiport mac-address vlan vlan-id | No multi-port unicast MAC address table entries exist by default. Make sure that you have created the VLAN and assigned the interface or interfaces to the VLAN. |
NOTE:
· On a switch operating in IRF mode, do not specify the same MAC address for both a multi-port unicast MAC address table entry and a static neighbor table entry. Otherwise, a conflict will occur. For more information about static neighbor entries, see Layer 3—IP Services Configuration Guide.
· To associate a unicast MAC address with an Ethernet interface that belongs to an aggregation group, configure the multi-port unicast MAC address table entry in Layer 2 aggregate interface view, instead of Layer 2 Ethernet interface view.
Configuring the aging timer for dynamic MAC address entries
The MAC address table on your switch uses an aging mechanism for dynamic entries, so dynamic MAC address entries that are not updated within their aging time are deleted to make room for new entries, and the MAC address table is promptly updated to accommodate the latest network changes.
Set the aging timer appropriately. Too long an aging interval may cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval may result in removal of valid entries, causing unnecessary broadcasts, which may affect switch performance.
To configure the aging timer for dynamic MAC address entries:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the aging timer for dynamic MAC address entries. | mac-address timer { aging seconds \| no-aging } | Optional. The value range of the aging timer is 10 to 3600 seconds and the default value is 300 seconds. |
NOTE:
· The MAC address aging timer takes effect globally on dynamic MAC address entries (learned or administratively configured) only.
· In a stable network, when there has been no traffic activity for a long time, all dynamic entries in the MAC address table maintained by the switch are deleted, and the switch broadcasts a large amount of data packets, which may be listened to by unwanted users, resulting in security hazards. To avoid this, you can configure mac-address timer no-aging for dynamic MAC address entries, so that dynamic MAC address entries will not be aged out. This can reduce broadcasts and improve the stability and security of the network.
Configuring the MAC learning limit
Configuring the MAC learning limit on ports
To prevent the MAC address table from getting so large that the forwarding performance of the switch degrades, you can limit the number of MAC addresses that can be learned on a port.
To configure the MAC learning limit on an Ethernet port, the Ethernet ports in a port group, or a Layer 2 aggregate interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Ethernet interface, port group, or Layer 2 aggregate interface view. | · Enter Ethernet interface view · Enter port group view · Enter Layer 2 aggregate interface view | Use any command. Settings in Ethernet interface view or Layer 2 aggregate interface view take effect on the current port only. Settings in port group view take effect on all the member ports in the port group. |
3. Configure the MAC learning limit on an interface, and configure whether frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached. | mac-address max-mac-count { count \| disable-forwarding } | By default, the maximum number of MAC addresses that can be learned on an interface is not specified. |
Configuring the MAC learning limit on a VLAN
You may also limit the number of MAC addresses that can be learned on a per-VLAN basis.
To configure the MAC learning limit on a VLAN:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Configure the MAC learning limit on a VLAN, and configure whether or not frames with unknown source MAC addresses can be forwarded in the VLAN when the upper limit is reached. | mac-address max-mac-count { count \| disable-forwarding } | By default, the maximum number of MAC addresses that can be learned on a VLAN is not specified. |
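The learning, aging, manual-entry precedence and forwarding rules from the overview, together with the learning limit configured in this section, as a Python model that is added here and is not the switch's own code. It assumes a single VLAN, treats the learning limit as a count over the whole table, and borrows the Host A and Host B MAC addresses from the configuration example below; spoofing_demo shows the point made in the overview, that a forged source frame can move a dynamic entry but not a static one.

```python
from dataclasses import dataclass

BROADCAST = "ffff-ffff-ffff"

@dataclass
class Entry:
    port: "str | None"   # outgoing port; None for blackhole entries
    kind: str            # "dynamic", "static" or "blackhole"
    last_seen: float     # time of the last update; only dynamic entries age out

class MacTable:  # single-VLAN model of the behaviour described above (illustrative, not switch code)
    def __init__(self, aging=300, max_mac_count=None, disable_forwarding=False):
        self.aging = aging                      # seconds; None models 'mac-address timer no-aging'
        self.max_mac_count = max_mac_count      # models 'mac-address max-mac-count count'
        self.disable_forwarding = disable_forwarding
        self.entries = {}

    def add_static(self, mac, port):            # manual entry: overwrites a dynamic one, never ages out
        self.entries[mac] = Entry(port, "static", 0.0)

    def add_blackhole(self, mac):               # frames destined for this MAC are dropped
        self.entries[mac] = Entry(None, "blackhole", 0.0)

    def receive(self, src, dst, in_port, now, all_ports):
        """Age the table, learn src, and return the set of ports the frame goes out of (empty = dropped)."""
        if self.aging is not None:              # delete dynamic entries not refreshed within the aging time
            self.entries = {m: e for m, e in self.entries.items()
                            if e.kind != "dynamic" or now - e.last_seen < self.aging}
        e = self.entries.get(src)
        n_dynamic = sum(x.kind == "dynamic" for x in self.entries.values())
        if e is None and self.max_mac_count is not None and n_dynamic >= self.max_mac_count:
            if self.disable_forwarding:
                return set()                    # learning limit reached: unknown source is not forwarded
        elif e is None or e.kind == "dynamic":  # static and blackhole source entries are never relearned
            self.entries[src] = Entry(in_port, "dynamic", now)   # add, refresh or move the entry
        d = self.entries.get(dst)
        if d is not None and d.kind == "blackhole":
            return set()                        # destination blackhole entry
        if dst == BROADCAST or d is None:
            return set(all_ports) - {in_port}   # broadcast mode: flood out of all other ports
        return {d.port}                         # unicast mode

def spoofing_demo(static_binding):  # which port traffic for Host A reaches after a forged frame on GE2
    t, ports, host_a, host_b = MacTable(), ["GE1", "GE2", "GE3"], "000f-e235-dc71", "000f-e235-abcd"
    if static_binding:
        t.add_static(host_a, "GE1")
    t.receive(host_a, BROADCAST, "GE1", 0, ports)       # Host A really is on GE1
    t.receive(host_a, host_b, "GE2", 1, ports)          # forged source MAC of Host A arrives on GE2
    return t.receive(host_b, host_a, "GE3", 2, ports)   # with no static entry, the answer is {"GE2"}
```

With the static entry in place the same call returns {"GE1"}; the limit-reached and no-aging cases can be exercised by constructing MacTable with the corresponding arguments.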
Displaying and maintaining the MAC address table
Task | Command | Remarks |
---|---|---|
Display MAC address table information. | display mac-address [ mac-address [ vlan vlan-id ] \| [ [ dynamic \| static ] [ interface interface-type interface-number ] \| blackhole ] [ vlan vlan-id ] [ count ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the multi-port unicast MAC address table entries. | display mac-address multiport [ vlan vlan-id ] [ count ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
Display the aging timer for dynamic MAC address entries. | display mac-address aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view |
MAC address table configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are in DOWN state. Before configuring these interfaces, use the undo shutdown command to bring them up.
Network requirements
As shown in Figure 1:
· The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 3/0/1 of the switch. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the switch.
· The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so all packets destined for the host will be dropped.
· Set the aging timer for dynamic MAC address entries to 500 seconds.
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface Gigabitethernet 3/0/1 vlan 1
# Add a destination blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 3/0/1.
[Sysname] display mac-address interface Gigabitethernet 3/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-dc71 1 Config static Gigabitethernet 3/0/1 NOAGED
--- 1 mac address(es) found on port GigabitEthernet3/0/1 ---
# Display information about destination blackhole MAC addresses.
[Sysname] display mac-address blackhole
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-abcd 1 Blackhole N/A NOAGED
--- 1 mac address(es) found ---
# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s
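A check a practitioner can run on the display mac-address output above, added here as example code that is not part of the guide: it parses the table rows and compares them with the static and blackhole entries the procedure was meant to create, so a binding that has gone missing or that has silently become a learned entry is reported. The sample output is constructed in the format shown above; its Learned/AGING row is an assumed dynamic entry, not output taken from the page.

```python
import re

# Constructed sample in the format of the 'display mac-address' output shown above
# (the Learned/AGING row is an assumed dynamic entry, not taken from the page).
SAMPLE_OUTPUT = """\
MAC ADDR         VLAN ID  STATE          PORT INDEX               AGING TIME(s)
000f-e235-dc71   1        Config static  Gigabitethernet 3/0/1    NOAGED
000f-e235-abcd   1        Blackhole      N/A                      NOAGED
0000-5e00-0101   1        Learned        Gigabitethernet 3/0/5    AGING
--- 3 mac address(es) found ---
"""

# mac, vlan, state (may contain a space), port (may contain a space, or N/A), aging column
ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(.+?)\s+"
                 r"(N/A|\S+(?: ?\d+(?:/\d+)+)?)\s+(NOAGED|AGING)\s*$")

def parse_mac_table(text):
    """Return {(mac, vlan): (state, port)} for every entry row; header and footer lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, state, port, _aging = m.groups()
            table[(mac, int(vlan))] = (state, port.replace(" ", ""))  # normalise 'Gigabitethernet 3/0/1'
    return table

def audit_bindings(text, expected_static, expected_blackhole):
    """Compare the displayed table with the intended configuration and return a list of findings."""
    table = parse_mac_table(text)
    findings = []
    for (mac, vlan), port in expected_static.items():
        entry = table.get((mac, vlan))
        if entry is None:
            findings.append(f"{mac} vlan {vlan}: no entry, static binding missing")
        elif entry[0] != "Config static" or entry[1].lower() != port.replace(" ", "").lower():
            findings.append(f"{mac} vlan {vlan}: expected static on {port}, found {entry[0]} on {entry[1]}")
    for (mac, vlan) in expected_blackhole:
        if table.get((mac, vlan), ("", ""))[0] != "Blackhole":
            findings.append(f"{mac} vlan {vlan}: blackhole entry missing")
    return findings
```

For the configuration example above, audit_bindings(SAMPLE_OUTPUT, {("000f-e235-dc71", 1): "GigabitEthernet 3/0/1"}, [("000f-e235-abcd", 1)]) returns an empty list.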