to block all packets destined for a specific user for security concerns, you can configure the MAC
address of this user as a blackhole MAC address entry.
To adapt to network changes and prevent inactive entries from occupying table space, an aging
mechanism is adopted for dynamic MAC address entries. Each time a dynamic MAC address entry is
learned or created, an aging timer starts. If the entry has not been updated when the aging timer expires,
the switch deletes the entry. If the entry is updated before the aging timer expires, the aging timer restarts.
A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the switch adopts the following forwarding modes based on the MAC
address table:
• Unicast mode: If an entry is available for the destination MAC address, the switch forwards the
frame out the outgoing interface indicated by the MAC address table entry.
• Broadcast mode: If the switch receives a frame with the destination address being all ones, or no
entry is available for the destination MAC address, the switch broadcasts the frame to all interfaces
except the receiving interface.
Configuring the MAC address table
These configuration tasks are all optional and can be performed in any order.
The MAC address table can contain only Layer 2 Ethernet ports and Layer 2 aggregate interfaces.
This chapter covers only configuring static, dynamic, and blackhole unicast MAC address table entries.
For more information about static multicast MAC address table entries, see the IP Multicast Configuration
Guide.
Manually configuring MAC address table entries
To defend against MAC address spoofing attacks and improve port security, you can manually add MAC
address table entries to bind MAC addresses to ports.
You can also configure blackhole MAC address entries to filter out packets with certain source or
destination MAC addresses.
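The table behavior described above (aging of dynamic entries, static and blackhole entries taking precedence over dynamic learning, unicast versus broadcast forwarding, and blackhole filtering on source or destination) can be traced with a small model. This is an added illustration, not switch code or vendor code; the class and method names, the 300-second aging time, and the MAC addresses and port numbers are all assumptions made for the example.

```python
BROADCAST = "ffff-ffff-ffff"   # destination address of all ones

class MacTable:
    """Toy model of the table semantics described above (assumed names, not switch code)."""
    def __init__(self, ports, aging=300):          # aging time in seconds (assumed value)
        self.ports, self.aging = set(ports), aging
        self.entries = {}                          # (vlan, mac) -> (kind, port, last_update)
    def configure(self, kind, mac, vlan, port=None):
        """Manual static/blackhole entry; overwrites a dynamic entry for the same MAC."""
        self.entries[(vlan, mac)] = (kind, port, None)
    def learn(self, mac, vlan, port, now):
        """Dynamic learning; refused when a static or blackhole entry already exists."""
        cur = self.entries.get((vlan, mac))
        if cur and cur[0] != "dynamic":
            return False
        self.entries[(vlan, mac)] = ("dynamic", port, now)   # (re)start the aging timer
        return True
    def expire(self, now):
        """Delete dynamic entries that were not updated within the aging time."""
        for key, (kind, _, seen) in list(self.entries.items()):
            if kind == "dynamic" and now - seen >= self.aging:
                del self.entries[key]
    def forward(self, src, dst, vlan, in_port, now):
        """Return the egress ports for one frame; an empty set means it was dropped."""
        self.expire(now)
        for mac in (src, dst):                     # blackhole matches source or destination
            if self.entries.get((vlan, mac), ("",))[0] == "blackhole":
                return set()
        self.learn(src, vlan, in_port, now)
        hit = self.entries.get((vlan, dst))
        if dst == BROADCAST or hit is None:        # broadcast mode
            return self.ports - {in_port}
        return {hit[1]}                            # unicast mode

def demo():
    """Constructed scenario: ports 1-3, VLAN 1, sample MAC addresses."""
    t = MacTable(ports=[1, 2, 3])
    server, client, blocked = "000f-e235-dc71", "000f-e235-abcd", "000f-e235-0bad"
    t.configure("static", server, vlan=1, port=1)
    t.configure("blackhole", blocked, vlan=1)
    return {
        "unknown_dst": t.forward(server, client, 1, in_port=1, now=0),
        "learned": t.forward(client, server, 1, in_port=2, now=10),
        "spoofed_src": t.forward(server, client, 1, in_port=3, now=20),
        "binding_port": t.entries[(1, server)][1],   # still port 1 after the spoofed frame
        "blackhole": t.forward(client, blocked, 1, in_port=2, now=30),
        "aged_out": t.forward(server, client, 1, in_port=1, now=310),
    }
```

The model only shows that a static binding is not re-learned from another port; whether a given switch also drops such a frame is outside what this section states.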
To add, modify, or remove entries in the MAC address table in system view:
| To do… | Use the command… | Remarks |
|---|---|---|
| 1. Enter system view | system-view | — |
| 2. Configure MAC address table entries: configure static or dynamic MAC address table entries | mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id | Required. Use either command. Make sure that you have created the VLAN and assigned the interface to the VLAN. |
| 2. Configure MAC address table entries: configure blackhole MAC address table entries | mac-address blackhole mac-address vlan vlan-id | |
To add or modify a MAC address table entry in interface view: