04-MAC address table configuration (Layer 2-LAN Switching Configuration Guide)
Table of Contents
- Configuring the MAC address table
- How a MAC address entry is created
- MAC address table-based frame forwarding
- Configuring static, dynamic, and blackhole MAC address entries
- Disabling MAC address learning on a VLAN
- Configuring the aging timer for dynamic MAC address entries
- Configuring the MAC learning limit on a port
- Displaying and maintaining MAC address tables
- MAC address table configuration example
- Configuration restrictions and guidelines
- Enabling MAC Information globally
- Enabling MAC Information on an interface
- Configuring MAC Information mode
- Configuring the interval for sending syslog or trap messages
- Configuring the MAC Information cache queue length
- MAC Information configuration example
This chapter describes how to configure the MAC address table.
Overview
An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast. This table describes from which port a MAC address (or host) can be reached. When forwarding a frame, the device first looks up the destination MAC address of the frame in the MAC address table for a match. If the device finds an entry, it forwards the frame out of the outgoing port in the entry. If the device does not find an entry, it broadcasts the frame out of all but the incoming port.
To view MAC address table information, use the display mac-address command as follows:
<Sysname> display mac-address
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e201-0101 1 Learned GigabitEthernet1/0/1 AGING
--- 1 mac address(es) found ---
How a MAC address entry is created
The entries in the MAC address table originate from two sources: automatically learned by the device and manually added by the administrator.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each port.
When a frame arrives at a port, Port A for example, the device performs the following tasks:
1. Verifies the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
3. Updates an entry if it finds one. If the device does not find an entry, it adds an entry for MAC-SOURCE and Port A.
The device performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.
After learning this source MAC address, when the device receives a frame destined for MAC-SOURCE, the device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.
Manually configuring MAC address entries
With dynamic MAC address learning, a device does not distinguish between legitimate and illegitimate frames, which can invite security hazards. For example, when an attacker sends frames with a forged source MAC address to a port other than the one the real MAC address is connected to, the device creates an entry for the forged MAC address and forwards frames destined for the legitimate user to the attacker instead.
To improve port security and prevent attackers from stealing data by using forged MAC addresses, you can bind specific user devices to the port by manually adding MAC address entries to the MAC address table of the device.
Types of MAC address entries
A MAC address table can contain the following types of entries:
· Static entries—Static entries are manually added in order to forward frames with specific destination MAC addresses out of their associated ports and never age out.
· Dynamic entries—Dynamic entries can be manually added or dynamically learned in order to forward frames with specific destination MAC addresses out of their associated ports and might age out.
· Blackhole entries—Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.
To adapt to network changes and prevent inactive entries from occupying table space, an aging mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is learned or created, an aging timer starts. If the entry has not been updated when the aging timer expires, the device deletes the entry. If the entry is updated before the aging timer expires, the aging timer restarts.
A static or blackhole unicast MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the device adopts the following forwarding modes based on the MAC address table:
· Unicast mode—If an entry is available for the destination MAC address, the device forwards the frame out of the outgoing port indicated by the MAC address entry.
· Broadcast mode—If the device receives a frame whose destination address is all ones, or if no entry is available for the destination MAC address, the device broadcasts the frame to all interfaces except the receiving interface.
Configuration procedure
The configuration tasks discussed in the following sections are all optional and can be performed in any order.
MAC address entries can be bound only to Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
This document covers the configuration of unicast MAC address entries, including static, dynamic, and blackhole MAC address entries. For information about configuring static multicast MAC address entries, see IP Multicast Configuration Guide.
Configuring static, dynamic, and blackhole MAC address entries
To help prevent MAC address spoofing attacks and improve port security, you can manually add MAC address entries to bind ports with MAC addresses. You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
Adding or modifying a static or dynamic MAC address entry globally
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Add or modify a dynamic or static MAC address entry. | mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id | By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.
Adding or modifying a static or dynamic MAC address entry on an interface
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter Layer 2 Ethernet or aggregate interface view. | interface interface-type interface-number | N/A
3. Add or modify a static or dynamic MAC address entry. | mac-address { dynamic \| static } mac-address vlan vlan-id | By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN. When you configure a static MAC address entry on an interface that belongs to a specific isolate-user-VLAN, you only need to specify the isolate-user-VLAN, instead of any secondary VLANs associated with the isolate-user-VLAN. For more information about isolate-user-VLANs, see "Configuring isolate-user-VLANs."
Configuring a blackhole MAC address entry
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Add or modify a blackhole MAC address entry. | mac-address blackhole mac-address vlan vlan-id | By default, no MAC address entry is configured. Make sure you have created the VLAN.
Disabling MAC address learning on a VLAN
Sometimes you might need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your device is being attacked with a large number of packets carrying different source MAC addresses.
When MAC address learning is disabled, the learned MAC addresses remain valid until they age out.
You may disable MAC address learning on a per-VLAN basis.
To disable MAC address learning on a VLAN:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter VLAN view. | vlan vlan-id | N/A
3. Disable MAC address learning on the VLAN. | mac-address mac-learning disable | By default, MAC address learning is enabled on each VLAN. To disable MAC address learning for an isolate-user-VLAN, you must also disable MAC address learning for the secondary VLANs associated with the isolate-user-VLAN. For more information about isolate-user-VLANs, see "Configuring isolate-user-VLANs."
Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry has not been updated before the aging timer expires, the device deletes the entry. This aging mechanism makes sure the MAC address table is promptly updated to reflect the most recent network changes.
Set the aging timer appropriately. An aging interval that is too long might cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to reflect the most recent network changes. An interval that is too short might remove valid entries and consequently cause unnecessary broadcasts, which might affect device performance.
You can reduce broadcasts on a stable network by disabling the aging timer to prevent dynamic entries from unnecessarily aging out. By reducing broadcasts, you improve not only network performance, but also security, because the chances for a data packet to reach unintended destinations are reduced.
To configure the aging timer for dynamic MAC address entries:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Configure the aging timer for dynamic MAC address entries. | mac-address timer { aging seconds \| no-aging } | Optional. By default, the aging timer is 300 seconds. The no-aging keyword disables the aging timer.
Configuring the MAC learning limit on a port
To prevent a large MAC address table from degrading forwarding performance, limit the number of MAC addresses that a port can learn. Do not configure the MAC learning limit on any member port of an aggregation group; otherwise, the member ports cannot be selected.
To configure the MAC learning limit on a Layer 2 Ethernet interface or all ports in a port group:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter interface view or port group view. | · Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter port group view: | Use either command. Settings in interface view take effect on the interface only. Settings in port group view take effect on all member ports in the port group.
3. Configure the MAC learning limit on the interface or port group. | mac-address max-mac-count count | By default, no limit is configured. Layer 2 aggregate interfaces do not support the mac-address max-mac-count command.
Displaying and maintaining MAC address tables
Task | Command | Remarks
---|---|---
Display MAC address table information. | display mac-address [ mac-address [ vlan vlan-id ] \| [ [ dynamic \| static ] [ interface interface-type interface-number ] \| blackhole ] [ vlan vlan-id ] [ count ] ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display the aging timer for dynamic MAC address entries. | display mac-address aging-time [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display the system or interface MAC address learning state. | display mac-address mac-learning [ interface-type interface-number ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
Display MAC address statistics. | display mac-address statistics [ \| { begin \| exclude \| include } regular-expression ] | Available in any view.
MAC address table configuration example
Network requirements
As shown in Figure 1:
· The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 1/0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device.
· The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a blackhole MAC address entry for the host MAC address, so that all packets destined for the host will be dropped.
· Set the aging timer for dynamic MAC address entries to 500 seconds.
Configuration procedure
# Add a static MAC address entry.
<Sysname> system-view
[Sysname] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1
# Add a blackhole MAC address entry.
[Sysname] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Sysname] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 1/0/1.
[Sysname] display mac-address interface gigabitethernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-dc71 1 Config static GigabitEthernet 1/0/1 NOAGED
--- 1 mac address(es) found ---
# Display information about the blackhole MAC address table.
[Sysname] display mac-address blackhole
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-abcd 1 Blackhole N/A NOAGED
--- 1 mac address(es) found ---
# View the aging time of dynamic MAC address entries.
[Sysname] display mac-address aging-time
Mac address aging time: 500s
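The display mac-address output shown above is the evidence an operator checks after configuring bindings, so here is an added Python example (not from the guide or the vendor) that parses output in that format and compares it with the static bindings the administrator intended. It flags a pinned MAC that is missing, that appears as Learned rather than Config static, or that is bound to a different port, and it flags ports that have accumulated many dynamically learned entries. The sample output, the expected-binding map and the threshold are constructed for the example; the port name is normalised so that both "GigabitEthernet1/0/1" and "GigabitEthernet 1/0/1" parse.

```python
"""Parse `display mac-address` output and audit it against intended bindings.

Added example; not part of the configuration guide or the vendor's software.
The sample output below is constructed in the format the guide shows.
"""
import re
from collections import Counter

# Constructed sample output (port names with and without a space both occur in extracted docs).
SAMPLE_OUTPUT = """\
MAC ADDR         VLAN ID  STATE          PORT INDEX             AGING TIME(s)
000f-e235-dc71   1        Config static  GigabitEthernet1/0/1   NOAGED
000f-e235-abcd   1        Blackhole      N/A                    NOAGED
000f-e201-0101   1        Learned        GigabitEthernet1/0/2   AGING
000f-e201-0102   1        Learned        GigabitEthernet1/0/1   AGING
0000-0000-0001   1        Learned        GigabitEthernet 1/0/3  AGING
0000-0000-0002   1        Learned        GigabitEthernet1/0/3   AGING
0000-0000-0003   1        Learned        GigabitEthernet1/0/3   AGING
--- 7 mac address(es) found ---
"""

ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<state>Learned|Config static|Config dynamic|Blackhole)\s+"
    r"(?P<port>.+?)\s+"          # lazy: port may contain a space
    r"(?P<aging>AGING|NOAGED)\s*$"
)


def parse_mac_table(text):
    """Return one dict per entry line; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["vlan"] = int(d["vlan"])
            d["port"] = d["port"].replace(" ", "")   # "GigabitEthernet 1/0/1" -> "GigabitEthernet1/0/1"
            entries.append(d)
    return entries


def audit(entries, expected_static, flood_threshold=3):
    """Compare the parsed table with the bindings the administrator intended.

    expected_static maps (mac, vlan) -> port for hosts that should be pinned by
    static entries.  Returns a list of (severity, message) findings for:
      - a pinned MAC that is missing, learned dynamically, or on another port;
      - a port holding >= flood_threshold dynamic entries (possible MAC flooding).
    """
    findings = []
    by_key = {(e["mac"], e["vlan"]): e for e in entries}
    for (mac, vlan), port in expected_static.items():
        e = by_key.get((mac, vlan))
        if e is None:
            findings.append(("high", f"{mac} vlan {vlan}: no entry, static binding missing"))
        elif e["state"] != "Config static":
            findings.append(("high", f"{mac} vlan {vlan}: expected static, table shows "
                                     f"{e['state']} on {e['port']}"))
        elif e["port"] != port:
            findings.append(("high", f"{mac} vlan {vlan}: bound to {e['port']}, expected {port}"))
    learned_per_port = Counter(e["port"] for e in entries if e["state"] == "Learned")
    for port, n in sorted(learned_per_port.items()):
        if n >= flood_threshold:
            findings.append(("medium", f"{port}: {n} dynamically learned MACs "
                                       f"(threshold {flood_threshold})"))
    return findings
```

Run periodically against captured output, this gives a simple drift check: an intended static binding that shows up as Learned means the entry was never configured (or was lost), and a port whose dynamic count climbs quickly is a candidate for the learning limit or for disabling learning on the VLAN.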
Configuring MAC Information
Overview
To monitor a network, you must monitor users who are joining and leaving the network. Because a MAC address uniquely identifies a network user, you can monitor users who are joining and leaving a network by monitoring their MAC addresses.
With the MAC Information function, Layer 2 Ethernet interfaces send syslog or trap messages to the monitor end in the network when they learn or delete MAC addresses. By analyzing these messages, the monitor end can monitor users who are accessing the network.
How MAC Information works
When a new MAC address is learned or an existing MAC address is deleted on a device, the device writes related information about the MAC address to the buffer area used to store user information. When the timer set for sending MAC address monitoring syslog or trap messages expires, the device sends the syslog or trap messages to the monitor end.
The device writes information and sends messages only for the following MAC addresses: automatically learned source MAC addresses, MAC addresses that pass MAC authentication, MAC addresses that pass 802.1X authentication, MAC addresses matching OUI addresses in the voice VLAN feature, and secure MAC addresses. The device does not write information or send messages for blackhole MAC addresses, static MAC addresses, dynamic MAC addresses that are manually configured, multicast MAC addresses, or local MAC addresses.
For more information about MAC authentication, 802.1X, and secure MAC addresses in port security, see Security Configuration Guide. For more information about voice VLAN and OUI addresses, see "Configuring voice VLANs."
Configuration procedure
This section describes how to configure MAC Information.
Configuration restrictions and guidelines
To enable MAC Information on an Ethernet interface, first enable MAC Information globally.
Enabling MAC Information globally
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enable MAC Information globally. | mac-address information enable | By default, MAC Information is disabled globally.
Enabling MAC Information on an interface
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A
3. Enable MAC Information on the interface. | mac-address information enable { added \| deleted } | By default, MAC Information is disabled on each interface.
Configuring MAC Information mode
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. (Optional) Configure MAC Information mode. | mac-address information mode { syslog \| trap } | The default setting is trap.
Configuring the interval for sending syslog or trap messages
To prevent syslog or trap messages from being sent too frequently, you can set the interval for sending syslog or trap messages.
To set the interval for sending syslog or trap messages:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. (Optional) Set the interval for sending syslog or trap messages. | mac-address information interval interval-time | The default setting is one second.
Configuring the MAC Information cache queue length
The device processes MAC address changes differently depending on whether the MAC Information cache queue length is 0:
· If it is 0, the device sends a syslog or trap message immediately after learning or deleting a MAC address.
· If it is not 0, the device stores MAC address changes in the cache queue:
¡ If the timer set for sending syslog or trap messages has not yet expired and the cache queue is full, the device overwrites the last entry in the cache queue with the new MAC address change.
¡ When the timer set for sending syslog or trap messages expires, the device sends syslog or trap messages for the queued changes regardless of whether the cache queue is full.
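The cache-queue behaviour described in the two cases above, as an added Python model (not code from the guide or the vendor). It shows the difference between a queue length of 0 (every change is sent immediately) and a non-zero length (changes are buffered, the newest change overwrites the last queued one when the queue is full before the timer expires, and the whole queue is sent when the timer expires). The class and method names, the message format and the event tuples are invented for the example; time is an integer number of seconds supplied by the caller.

```python
"""Model of the MAC Information cache queue and send timer described above.

Added, constructed example; it is not H3C/Comware code.  Defaults follow the
guide (queue length 50, interval 1 second, mode trap).
"""


class MacInfoQueue:
    def __init__(self, queue_length=50, interval=1, mode="trap", now=0):
        self.queue_length = queue_length
        self.interval = interval
        self.mode = mode            # "syslog" or "trap"
        self.queue = []             # buffered (port, action, mac, vlan) events
        self.next_send = now + interval
        self.sent = []              # messages delivered to the monitor end
        self.overwritten = 0        # events lost because the full queue was overwritten

    def _message(self, event):
        port, action, mac, vlan = event
        return f"{self.mode}: {port} {action} {mac} vlan {vlan}"

    def record(self, port, action, mac, vlan, now):
        """Record a MAC address change ('added' or 'deleted') that happened at time now."""
        event = (port, action, mac, vlan)
        if self.queue_length == 0:
            self.sent.append(self._message(event))   # queue length 0: send immediately
            return
        self.tick(now)                               # flush first if the timer already expired
        if len(self.queue) >= self.queue_length:
            self.queue[-1] = event                   # queue full, timer running: overwrite last
            self.overwritten += 1
        else:
            self.queue.append(event)

    def tick(self, now):
        """Advance time; when the send timer expires, send everything buffered.

        Returns the number of messages sent by this call.
        """
        if now < self.next_send:
            return 0
        for ev in self.queue:
            self.sent.append(self._message(ev))
        flushed = len(self.queue)
        self.queue = []
        while self.next_send <= now:                 # move to the next interval boundary
            self.next_send += self.interval
        return flushed
```

The overwritten counter is the figure worth watching: if it climbs, a monitoring pipeline is losing MAC changes between timer expiries, which is the case for a longer queue or a shorter interval rather than for a quieter network.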
To configure the MAC Information cache queue length:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. (Optional) Configure the MAC Information cache queue length. | mac-address information queue-length value | The default setting is 50.
MAC Information configuration example
Network requirements
As shown in Figure 2:
· Host A is connected to a remote server (Server) through Device.
· Enable MAC Information on GigabitEthernet 1/0/1 on Device. Device sends MAC address changes in syslog messages to Host B through GigabitEthernet 1/0/3. Host B analyzes and displays the syslog messages.
Configuration procedure
1. Configure Device to send syslog messages to Host B.
For more information, see Network Management and Monitoring Configuration Guide.
2. Enable MAC Information:
# Enable MAC Information globally.
<Device> system-view
[Device] mac-address information enable
# Configure MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-address information enable added
[Device-GigabitEthernet1/0/1] mac-address information enable deleted
[Device-GigabitEthernet1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the interval for sending syslog or trap messages to 20 seconds.
[Device] mac-address information interval 20