03-Layer 2 Configuration Guide

H3C WA Series Access Points Configuration Guides (R1507P09)-6W101
03-MAC Address Table Configuration

This document covers only the configuration of MAC address entries, including static, dynamic, and destination blackhole MAC address entries.

The MAC address table configuration tasks can be performed in any order.

Overview

To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames. This table describes from which port a MAC address (or host) can be reached. When forwarding a single-destination frame, the device first looks up the destination MAC address of the frame in the MAC address table for a match. If the device finds an entry, it forwards the frame out of the outgoing port in the entry. If the device does not find an entry, it floods the frame out of all but the incoming port.

To view MAC address table information, use the display mac-address command, as follows:

<Sysname> display mac-address
MAC ADDR        VLAN ID   STATE            PORT INDEX              AGING TIME(s)
000f-e201-0101  1         Learned          GigabitEthernet1/0/1    AGING

  ---  1 mac address(es) found  ---

How a MAC address entry is created

The device automatically learns entries in the MAC address table, or you can add them manually.

MAC address learning

The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each port.

When a frame arrives at a port, Port A, for example, the device performs the following tasks:

1. Reads the source MAC address of the frame (MAC-SOURCE, for example).

2. Looks up MAC-SOURCE in the MAC address table.

3. Updates the entry if one is found. If no entry is found, the device adds an entry that maps MAC-SOURCE to Port A.

The device performs this learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.

After learning a source MAC address, when the device receives a frame destined for MAC-SOURCE, the device finds the MAC-SOURCE entry in the MAC address table and forwards the frame out of Port A.

Manually configuring MAC address entries

With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames. For example, if an attacker sends frames with a forged source MAC address into a port other than the one the real owner of that address is connected to, the device moves the entry for that MAC address to the attacker's port and forwards frames destined for the legitimate user to the attacker instead.

To improve port security, you can bind specific user devices to a port by manually adding MAC address entries to the MAC address table. A static entry pins where frames destined for that MAC address are delivered and cannot be moved by learning; it does not by itself stop another port from accepting frames that carry the forged source address.

Types of MAC address entries

A MAC address table can contain the following types of entries:

·          Static entries: Manually added and never age out.

·          Dynamic entries: Manually added or dynamically learned, and might age out.

·          Destination blackhole entries: Manually configured and never age out. Destination blackhole entries are configured for filtering out frames with specific destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole MAC address entry.

A static or destination blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

To adapt to network changes and prevent inactive entries from occupying table space, an aging mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is learned or created, an aging timer starts. If the entry has not updated when the aging timer expires, the device deletes the entry. If the entry has updated before the aging timer expires, the aging timer restarts.

Configuring static, dynamic, and destination blackhole MAC address entries

To prevent MAC address spoofing attacks and improve port security, manually add MAC address entries to bind ports with MAC addresses. You can also configure destination blackhole MAC address entries to filter out packets with certain destination MAC addresses.

The MAC address table configuration is supported only on Layer 2 Ethernet ports, WLAN-BSS interfaces, and Layer 2 aggregate interfaces.

Adding or modifying a static or dynamic MAC address entry in system view

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Add or modify a dynamic or static MAC address entry.
        Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
        Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Adding or modifying a static or dynamic MAC address entry in interface view

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enter Layer 2 Ethernet, WLAN-BSS, or Layer 2 aggregate interface view.
        Command: interface interface-type interface-number
        Remarks: N/A

Step 3. Add or modify a static or dynamic MAC address entry.
        Command: mac-address { dynamic | static } mac-address vlan vlan-id
        Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Configuring a destination blackhole MAC address entry

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Add or modify a destination blackhole MAC address entry.
        Command: mac-address blackhole mac-address vlan vlan-id
        Remarks: By default, no destination blackhole MAC address entry is configured. Make sure you have created the VLAN.

Disabling MAC address learning

Sometimes you might need to disable MAC address learning to prevent the MAC address table from being saturated, for example, when your device is being attacked by a large volume of frames with different source MAC addresses. Keep in mind that while learning is disabled the device cannot learn new hosts, so frames destined for any host that is not already in the table are flooded. Treat this as a response to an ongoing attack rather than a steady-state setting, or pin the known hosts with static entries first.

You can disable MAC address learning globally or on interfaces.

Disabling global MAC address learning

Disabling global MAC address learning disables the learning function on all ports.

To disable global MAC address learning:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Disable global MAC address learning.
        Command: mac-address mac-learning disable
        Remarks: By default, global MAC address learning is enabled.

Disabling MAC address learning on ports

You can disable MAC address learning on a single port, or on all ports in a port group.

To disable MAC address learning on an interface or a port group:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enable global MAC address learning.
        Command: undo mac-address mac-learning disable
        Remarks: Optional. By default, global MAC address learning is enabled. Because disabling learning globally disables it on every port, a per-port setting is only meaningful while global learning is enabled.

Step 3. Enter interface view or port group view.
        Command (use either):
          interface interface-type interface-number   (Layer 2 Ethernet, WLAN-BSS, or Layer 2 aggregate interface view)
          port-group manual port-group-name           (port group view)
        Remarks: Settings in interface view take effect only on the current interface. Settings in port group view take effect on all member ports in the port group. For more information about port groups, see "Configuring Ethernet interfaces."

Step 4. Disable MAC address learning.
        Command: mac-address mac-learning disable
        Remarks: By default, MAC address learning is enabled on each port.

Configuring the aging timer for dynamic MAC address entries

The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry has failed to update before the aging timer expires, the device deletes that entry. This aging mechanism makes sure the MAC address table can promptly update to accommodate the latest network changes.

Set the aging timer appropriately. Too long an aging interval might cause the MAC address table to retain outdated entries, exhaust the MAC address table resources, and fail to update its entries to accommodate the latest network changes. Too short an interval might result in removal of valid entries, causing unnecessary floods, which could affect device performance.

To configure the aging timer for dynamic MAC address entries:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Configure the aging timer for dynamic MAC address entries.
        Command: mac-address timer { aging seconds | no-aging }
        Remarks: Optional. The default setting is 300 seconds. The no-aging keyword disables the aging timer.

On a stable network, you can reduce floods by disabling the aging timer so that dynamic entries do not age out unnecessarily. Reducing floods improves not only network performance but also security, because fewer frames reach unintended destinations. The trade-off is that entries for hosts that have left the network are never removed automatically and keep occupying table space, so use the no-aging keyword only where the set of attached hosts rarely changes.

Configuring the MAC learning limit on ports

As the MAC address table grows, the forwarding performance of your device might degrade. To prevent the table from growing so large that forwarding performance suffers, you can limit the number of MAC addresses a port can learn. The limit also caps how many entries a single port can contribute during the source-MAC flooding attack described in "Disabling MAC address learning". With the disable-forwarding keyword, frames from additional unknown source MAC addresses arriving on that port are not forwarded once the limit is reached, while hosts already learned on the port are unaffected.

To configure the MAC learning limit on a Layer 2 Ethernet interface, WLAN-BSS interface, Layer 2 aggregate interface, or all ports in a port group:

Step 1. Enter system view.
        Command: system-view
        Remarks: N/A

Step 2. Enter interface view or port group view.
        Command (use either):
          interface interface-type interface-number   (Layer 2 Ethernet, WLAN-BSS, or Layer 2 aggregate interface view)
          port-group manual port-group-name           (port group view)
        Remarks: Settings in interface view take effect only on the specific interface. Settings in port group view take effect on all member ports in the port group.

Step 3. Configure the MAC learning limit on the interface or port group, and configure whether frames with unknown source MAC addresses can be forwarded when the MAC learning limit is reached.
        Command: mac-address max-mac-count { count | disable-forwarding }
        Remarks: The default MAC learning limit is 255. By default, frames with unknown source MAC addresses are forwarded when the MAC learning limit is reached.
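The following is an added example, not part of this guide and not H3C code. It models in Python the rules described in "MAC address learning", "Types of MAC address entries", "Configuring the aging timer for dynamic MAC address entries" and this section, so that the spoofing scenario, static and blackhole precedence over dynamic entries, aging, no-aging and the learning limit with disable-forwarding can be run end to end. Port names such as GE1/0/1, the MAC addresses and the frame sequences are constructed sample data, and time is passed in as an explicit clock rather than read from the system.

```python
"""Model of the MAC address table rules in this guide (added example, not H3C code).

It implements learning, destination lookup/flooding, aging, static/blackhole
precedence and the per-port learning limit so that the spoofing scenario and
each setting can be run end to end. 'now' is an explicit clock; port names
and MAC addresses are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass

STATIC, DYNAMIC, BLACKHOLE, DROP = "static", "dynamic", "blackhole", "drop"


@dataclass
class Entry:
    kind: str          # STATIC | DYNAMIC | BLACKHOLE
    port: str | None   # None for blackhole entries
    updated: float     # last learn/refresh time; only dynamic entries age


class MacTable:
    def __init__(self, ports, aging=300.0, max_mac_count=None, disable_forwarding=False):
        self.ports = list(ports)
        self.aging = aging                    # None models 'mac-address timer no-aging'
        self.max_mac_count = max_mac_count    # 'mac-address max-mac-count count'
        self.disable_forwarding = disable_forwarding  # '... disable-forwarding'
        self.learning = {p: True for p in ports}      # False models 'mac-learning disable'
        self.table = {}                       # (mac, vlan) -> Entry

    # Manual entries replace any dynamic entry for the same (mac, vlan) and never age.
    def add_static(self, mac, vlan, port):
        self.table[(mac, vlan)] = Entry(STATIC, port, 0.0)

    def add_blackhole(self, mac, vlan):
        self.table[(mac, vlan)] = Entry(BLACKHOLE, None, 0.0)

    def learned_on(self, port):
        return sum(1 for e in self.table.values() if e.kind == DYNAMIC and e.port == port)

    def age(self, now):
        """Delete dynamic entries not refreshed within the aging timer."""
        if self.aging is None:
            return
        for key in [k for k, e in self.table.items()
                    if e.kind == DYNAMIC and now - e.updated >= self.aging]:
            del self.table[key]

    def receive(self, in_port, src, dst, vlan, now):
        """Learn from one frame, then return its egress port list or DROP."""
        self.age(now)
        cur = self.table.get((src, vlan))
        if cur is not None and cur.kind != DYNAMIC:
            pass  # learning never overwrites a static or blackhole entry
        elif self.learning[in_port]:
            if cur is not None and cur.port == in_port:
                cur.updated = now  # refresh restarts the aging timer
            elif self.max_mac_count is None or self.learned_on(in_port) < self.max_mac_count:
                self.table[(src, vlan)] = Entry(DYNAMIC, in_port, now)  # learn, or move port
            elif self.disable_forwarding:
                return DROP  # limit reached: frame from an unknown source is not forwarded
        dest = self.table.get((dst, vlan))
        if dest is None:
            return [p for p in self.ports if p != in_port]  # unknown unicast: flood
        return DROP if dest.kind == BLACKHOLE else [dest.port]


def spoofing_demo():
    """A forged source MAC on another port hijacks the victim's traffic until a static entry pins it."""
    t = MacTable(["GE1/0/1", "GE1/0/2", "GE1/0/3"])
    victim, gw = "000f-e201-0101", "000f-e201-0303"
    t.receive("GE1/0/1", victim, gw, 1, now=0)             # victim learned on GE1/0/1
    before = t.receive("GE1/0/3", gw, victim, 1, now=1)    # -> ['GE1/0/1']
    t.receive("GE1/0/2", victim, gw, 1, now=2)             # attacker forges victim's MAC
    hijacked = t.receive("GE1/0/3", gw, victim, 1, now=3)  # -> ['GE1/0/2']
    t.add_static(victim, 1, "GE1/0/1")                     # mac-address static ... vlan 1
    t.receive("GE1/0/2", victim, gw, 1, now=4)             # forged frame no longer moves it
    pinned = t.receive("GE1/0/3", gw, victim, 1, now=5)    # -> ['GE1/0/1']
    return before, hijacked, pinned


def blackhole_and_aging_demo():
    """Blackhole drops frames to a MAC; a silent host ages out unless aging is disabled."""
    ports = ["GE1/0/1", "GE1/0/2", "GE1/0/3"]
    host, blocked, peer = "000f-e201-0101", "000f-e201-0404", "000f-e201-0505"
    t = MacTable(ports, aging=300)
    t.add_blackhole(blocked, 1)
    dropped = t.receive("GE1/0/1", host, blocked, 1, now=0)  # host learned, frame dropped
    known = t.receive("GE1/0/2", peer, host, 1, now=100)     # -> ['GE1/0/1']
    flooded = t.receive("GE1/0/2", peer, host, 1, now=400)   # host aged out: flood
    forever = MacTable(ports, aging=None)                     # 'no-aging'
    forever.receive("GE1/0/1", host, peer, 1, now=0)
    kept = forever.receive("GE1/0/2", peer, host, 1, now=4000)  # -> ['GE1/0/1']
    return dropped, known, flooded, kept


def learning_limit_demo():
    """'max-mac-count 2 disable-forwarding' on GE1/0/1 under a burst of new source MACs."""
    t = MacTable(["GE1/0/1", "GE1/0/2"], max_mac_count=2, disable_forwarding=True)
    burst = [t.receive("GE1/0/1", f"0000-0000-{i:04x}", "000f-e201-0202", 1, now=i)
             for i in range(5)]                              # 2 learned, 3 dropped
    still_ok = t.receive("GE1/0/1", "0000-0000-0000", "000f-e201-0202", 1, now=9)
    return t.learned_on("GE1/0/1"), burst, still_ok
```

Two points worth noticing when running this. In spoofing_demo the attacker's frames are still forwarded after the static entry exists; the binding only stops the victim's inbound traffic from being redirected, which is why a static entry is a complement to, not a replacement for, disabling learning or limiting it on untrusted ports. In learning_limit_demo the host that was learned before the limit was reached keeps working while every new source address on that port is dropped, so a flooding attacker saturates only its own port rather than the whole table.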

 

Displaying and maintaining MAC address tables

Task: Display MAC address table information.
        Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.

Task: Display the aging timer for dynamic MAC address entries.
        Command: display mac-address aging-time [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.

Task: Display the system or interface MAC address learning state.
        Command: display mac-address mac-learning [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
        Remarks: Available in any view.
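As an added example that is not from this guide or from H3C, the following Python script parses display mac-address output in the column layout shown under "Overview" and audits it against a list of the static bindings an administrator expects to be in place. It reports a binding that has no entry at all, a MAC address bound to a port other than the expected one, and a MAC address that is still a Learned (dynamic) entry and could therefore be moved by a forged source address; it also compares the entry count in the footer with the number of lines parsed to catch truncated output. The sample output and the binding list are constructed. Only the Learned/AGING values appear on this page; the "Config static", "Blackhole" and "NOAGED" strings in the sample are assumed Comware V5 values and should be checked against your own device output before relying on the state check.

```python
"""Audit 'display mac-address' output against expected static bindings.

Added example, not H3C code. The parser follows the column layout shown on
this page. 'Config static', 'Blackhole' and 'NOAGED' are assumed Comware V5
state strings (only 'Learned'/'AGING' appear on the page); verify them on
your device. SAMPLE_OUTPUT and EXPECTED_BINDINGS are constructed data.
"""
import re

# Constructed sample output in the layout of the display mac-address example above.
SAMPLE_OUTPUT = """\
<Sysname> display mac-address
MAC ADDR        VLAN ID   STATE            PORT INDEX              AGING TIME(s)
000f-e201-0101  1         Config static    GigabitEthernet1/0/1    NOAGED
000f-e201-0202  1         Learned          GigabitEthernet1/0/2    AGING
000f-e201-0303  1         Config static    GigabitEthernet1/0/5    NOAGED
000f-e201-0404  1         Blackhole        N/A                     NOAGED

  ---  4 mac address(es) found  ---
"""

# (MAC, VLAN) -> port the host must be statically bound to. Constructed.
EXPECTED_BINDINGS = {
    ("000f-e201-0101", 1): "GigabitEthernet1/0/1",
    ("000f-e201-0202", 1): "GigabitEthernet1/0/2",
    ("000f-e201-0303", 1): "GigabitEthernet1/0/3",
    ("000f-e201-0505", 1): "GigabitEthernet1/0/4",
}

# MAC  VLAN  STATE (may contain a space)  PORT  AGING
ENTRY_RE = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(.+?)\s+(\S+)\s+(\S+)\s*$"
)
COUNT_RE = re.compile(r"(\d+) mac address\(es\) found")


def parse_mac_table(text):
    """Return ({(mac, vlan): (state, port, aging)}, count reported in the footer)."""
    entries, reported = {}, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac, vlan, state, port, aging = m.groups()
            entries[(mac, int(vlan))] = (state, port, aging)
            continue
        c = COUNT_RE.search(line)
        if c:
            reported = int(c.group(1))
    return entries, reported


def audit(text, expected):
    """List (mac, vlan, problem) for bindings that are missing, dynamic, or on the wrong port."""
    entries, reported = parse_mac_table(text)
    findings = []
    if reported is not None and reported != len(entries):
        findings.append(("*", 0, f"parsed {len(entries)} entries, device reports {reported}"))
    for (mac, vlan), port in sorted(expected.items()):
        got = entries.get((mac, vlan))
        if got is None:
            findings.append((mac, vlan, "no entry: binding not configured"))
            continue
        state, got_port, _ = got
        if got_port != port:
            findings.append((mac, vlan, f"bound to {got_port}, expected {port}"))
        if state == "Learned":
            findings.append((mac, vlan, "dynamic entry: a forged source MAC can move it"))
    return findings


if __name__ == "__main__":
    for mac, vlan, problem in audit(SAMPLE_OUTPUT, EXPECTED_BINDINGS):
        print(f"{mac} vlan {vlan}: {problem}")
```

In practice you would feed the script the saved output of display mac-address (or display mac-address static for a shorter list) collected from the device and keep EXPECTED_BINDINGS alongside the rest of the device's intended configuration; a non-empty findings list is the signal that a static entry was never applied, was applied to the wrong interface, or was lost.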

 
