Typical MAC Configuration
Example for Configuring Static MAC Address Entries
Overview
MAC address entries are automatically generated when the switch learns the source MAC addresses of packets. Static MAC address entries are manually configured.
A network administrator manually adds MAC address entries of authorized users to the MAC address table. Static MAC address entries are often used to prevent unauthorized users from intercepting the data of authorized users: a static entry is not overwritten by address learning, so a host on another interface that spoofs an authorized MAC address cannot redirect that user's traffic to itself.
If a large number of static MAC address entries are manually configured, network maintenance can be difficult. You can enable port security to dynamically bind MAC addresses to interfaces.
Networking Requirements
In Figure 3-70, the server connects to the switch through GE1/0/2. A switch floods packets with an unknown destination MAC address to every interface in the VLAN. To prevent this for packets destined for the server, configure a static MAC address entry for the server on the switch, so that the switch unicasts those packets only through GE1/0/2. The MAC address of the PC is statically bound to GE1/0/1 in the same way to ensure secure communication between the PC and the server.
Configuration Roadmap
The configuration roadmap is as follows:
Create a VLAN on the switch and add an interface to the VLAN to implement Layer 2 forwarding.
Configure the static MAC address entry of the server on the switch.
Configure the static MAC address entry of the PC on the switch.
Procedure
- Create VLAN 2 on the switch and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 //Create VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The interface connected to the PC must be an access interface. The default link type of an interface is not access, so the access type must be configured manually.
[Switch-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to that of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2
[Switch-GigabitEthernet1/0/2] quit
- Configure the static MAC address entry of the server on the switch.
[Switch] mac-address static xxxx-xxxx-xxx4 gigabitethernet 1/0/2 vlan 2
- Configure the static MAC address entry of the PC on the switch.
[Switch] mac-address static xxxx-xxxx-xxx2 gigabitethernet 1/0/1 vlan 2
- Verify the configuration.
# Run the display mac-address static vlan 2 command in any view to check whether static MAC address entries were successfully added to the MAC address table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx2 2/-                               GE1/0/1             static
xxxx-xxxx-xxx4 2/-                               GE1/0/2             static
-------------------------------------------------------------------------------
Total items displayed = 2
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 2
#
mac-address static xxxx-xxxx-xxx2 GigabitEthernet1/0/1 vlan 2
mac-address static xxxx-xxxx-xxx4 GigabitEthernet1/0/2 vlan 2
#
return
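Static bindings only protect the users whose entries are actually on the switch, so after the configuration above it is worth checking the live table against the intended list. The following Python script is an added example, not part of this page or of Huawei's software: it parses the column layout of the display mac-address static output shown in the verification step and reports bindings that are missing, sit on the wrong interface, or were never approved. The sample output, the MAC addresses and the EXPECTED_BINDINGS map are constructed for the demonstration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class MacEntry(NamedTuple):
    mac: str          # normalized to lowercase xxxx-xxxx-xxxx
    vlan: int
    interface: str    # Learned-From column, e.g. GE1/0/1
    kind: str         # Type column: static, dynamic, blackhole, ...


# One table row: MAC, VLAN/VSI, Learned-From, Type (the page's column order).
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\d+)/(?P<vsi>\S+)\s+"
    r"(?P<intf>\S+)\s+"
    r"(?P<kind>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample in the format of 'display mac-address static vlan 2';
# the addresses are illustrative, not from the page.
SAMPLE_OUTPUT = """\
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0001-0001-0002 2/-                               GE1/0/1             static
0001-0001-0004 2/-                               GE1/0/3             static
0001-0001-0009 2/-                               GE1/0/5             static
-------------------------------------------------------------------------------
Total items displayed = 3
"""

# Constructed intent: (mac, vlan) -> interface the host is supposed to sit behind.
EXPECTED_BINDINGS = {
    ("0001-0001-0002", 2): "GE1/0/1",
    ("0001-0001-0004", 2): "GE1/0/2",
    ("0001-0001-0007", 2): "GE1/0/3",
}


def parse_mac_table(text: str) -> List[MacEntry]:
    """Parse 'display mac-address ...' output; prompt, separator and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(MacEntry(m["mac"].lower(), int(m["vlan"]), m["intf"], m["kind"].lower()))
    return entries


def audit_static_bindings(text: str, expected: Dict[Tuple[str, int], str]) -> Dict[str, list]:
    """Compare the switch's static entries with the intended (mac, vlan) -> interface map.

    missing:    intended bindings the switch lacks (traffic to that host is flooded)
    moved:      bindings present but on a different interface than intended
    unexpected: static entries nobody approved (stale or unauthorized binding)
    """
    actual = {(e.mac, e.vlan): e.interface for e in parse_mac_table(text) if e.kind == "static"}
    missing, moved, unexpected = [], [], []
    for key, intf in sorted(expected.items()):
        if key not in actual:
            missing.append(key)
        elif actual[key] != intf:
            moved.append((key, intf, actual[key]))
    for key in sorted(actual):
        if key not in expected:
            unexpected.append((key, actual[key]))
    return {"missing": missing, "moved": moved, "unexpected": unexpected}


if __name__ == "__main__":
    for category, items in audit_static_bindings(SAMPLE_OUTPUT, EXPECTED_BINDINGS).items():
        print(category, items)
```

In practice the text would come from the switch over SSH or from a saved session log; the parser only depends on the row format, so the same function works for display mac-address blackhole output as well.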
Example for Configuring Blackhole MAC Address Entries
Overview
Blackhole MAC address entries can be used to prevent attacks from unauthorized users. The switch discards packets from or destined to blackhole MAC addresses.
Networking Requirements
As shown in Figure 3-71, the switch receives a packet from an unauthorized PC whose MAC address is 0005-0005-0005 and belongs to VLAN 3. This MAC address can be configured as a blackhole MAC address to filter packets from the unauthorized user.
Configuration Roadmap
The configuration roadmap is as follows:
Create a VLAN to implement Layer 2 forwarding.
Configure a blackhole MAC address to block packets from this MAC address.
Procedure
- Configure a blackhole MAC address entry.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3 //Create VLAN 3.
[Switch-vlan3] quit
[Switch] mac-address blackhole xxxx-xxxx-xxx5 vlan 3 //Configure MAC address 0005-0005-0005 as a blackhole MAC address in VLAN 3.
- Verify the configuration.
# Run the display mac-address blackhole command in any view to check whether the blackhole MAC address entry was successfully added to the MAC address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx5 3/-                               -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
Example for Configuring MAC Address Limiting in a VLAN
Overview
The switch limits the number of MAC address entries based on VLANs or interfaces. In offices where clients seldom change, you can configure MAC address limiting to control user access. This also protects against certain attacks. For example, if an attacker forges a large number of packets with different source MAC addresses and sends them to the device, the finite MAC address table of the device may be exhausted. When the MAC address table is full, the device cannot learn the source MAC addresses of valid packets. As a result, the device floods the valid packets to all interfaces in the VLAN, which wastes bandwidth and also delivers them to the attacker's interface.
MAC address limiting in a VLAN can limit the number of MAC address entries on multiple interfaces in a VLAN.
Configuration Notes
- After the port-security enable command is configured on an interface, MAC address limiting cannot take effect on the interface. Do not configure port security and MAC address limiting on the same interface simultaneously.
- This example applies to all versions of all S series switches.
- After the number of learned MAC address entries reaches the limit, SA series and F series cards of chassis switches, and fixed switches (excluding the S5720-EI), cannot discard packets whose source MAC addresses are not in the MAC address table.
Networking Requirements
In Figure 3-72, user network 1 is connected to GE1/0/1 of the switch through LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and GE1/0/1 and GE1/0/2 belong to VLAN 2. To control the number of access users, configure MAC address limiting in VLAN 2.
Configuration Roadmap
The configuration roadmap is as follows:
Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
Configure MAC address limiting in a VLAN to prevent MAC address attacks and control the number of access users.
Procedure
- Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to that of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch-GigabitEthernet1/0/2] quit
- Configure the following MAC address limiting rule in VLAN 2: a maximum of 100 MAC addresses can be learned. When the number of learned MAC address entries reaches the limit, the device forwards packets with new source MAC addresses without learning them and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action differs between software versions, so specify the action explicitly. Among fixed switches, the action parameter can be set in the VLAN view only on the S5720-EI; other fixed switches use the forward action in the VLAN view by default, and the parameter does not need to be set. The alarm function is enabled by default and does not need to be configured.
[Switch-vlan2] quit
- Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT        VLAN/VSI        SLOT   Maximum  Rate(ms)  Action   Alarm
----------------------------------------------------------------------------
-           2               -      100      -         forward  enable
Example for Configuring MAC Address Limiting on an Interface
Overview
The switch limits the number of MAC address entries based on VLANs or interfaces. In offices where clients seldom change, you can configure MAC address limiting to control user access. This also protects against certain attacks. For example, if an attacker forges a large number of packets with different source MAC addresses and sends them to the device, the finite MAC address table of the device may be exhausted. When the MAC address table is full, the device cannot learn the source MAC addresses of valid packets. As a result, the device floods the valid packets to all interfaces in the VLAN, which wastes bandwidth and also delivers them to the attacker's interface.
MAC address limiting on an interface can be used in scenarios where users connected to an interface in small and medium-sized enterprises are fixed and seldom change.
Configuration Notes
- After port-security enable is configured on an interface, MAC address limiting cannot be configured on the interface.
- This example applies to all versions of all S series switches.
Networking Requirements
In Figure 3-73, user network 1 and user network 2 connect to the switch through the LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC address limiting can be configured on GE1/0/1 to control the number of access users.
Configuration Roadmap
The configuration roadmap is as follows:
Create VLANs and add interfaces to the VLANs to implement Layer 2 forwarding.
Configure MAC address limiting on an interface to control the number of access users.
Procedure
- Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
- Configure the switch to learn a maximum of 100 MAC address entries on GE1/0/1. When the number of learned MAC address entries reaches the limit, the switch discards packets with new source MAC addresses and generates an alarm.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The default action differs between software versions, so specify the action explicitly. The alarm function is enabled by default and does not need to be configured.
[Switch-GigabitEthernet1/0/1] quit
- Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT        VLAN/VSI        SLOT   Maximum  Rate(ms)  Action   Alarm
----------------------------------------------------------------------------
GE1/0/1     -               -      100      -         discard  enable
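The four examples on this page (static entries, blackhole entries, and MAC address limiting in a VLAN and on an interface) all act on the same MAC address table, and the reason each one matters is easiest to see in a small model of that table. The following Python model is an added example, not part of this page or of Huawei's VRP software. It implements the behaviour the page describes: dynamic learning into a table of bounded size, static entries that learning does not overwrite, blackhole entries that drop frames from or to the address, and a per-interface mac-limit with the forward and discard actions and the alarm. The table size (8 entries), the port numbers, the MAC addresses and the 20 forged source addresses are constructed for the demonstration; VLANs and aging are left out, and when a spoofed source matching a static entry arrives on another interface the model only keeps the binding in place, since this page does not say what the switch does with that frame.

```python
FLOOD = "flood"


class SwitchModel:
    """Toy Layer 2 forwarding model: a bounded MAC table holding dynamic, static and
    blackhole entries, plus a per-interface mac-limit. Sizes are tiny on purpose."""

    def __init__(self, capacity):
        self.capacity = capacity   # entries the whole table can hold (constructed, not a real size)
        self.table = {}            # mac -> (port, kind); kind is dynamic, static or blackhole
        self.limit = {}            # port -> (maximum, action)
        self.alarms = []           # (port, mac) recorded each time a limit is hit

    # Configuration, mirroring the page's commands (the VLAN argument is omitted here)
    def mac_address_static(self, mac, port):
        self.table[mac] = (port, "static")

    def mac_address_blackhole(self, mac):
        self.table[mac] = (None, "blackhole")

    def mac_limit(self, port, maximum, action):
        assert action in ("forward", "discard")
        self.limit[port] = (maximum, action)

    def _kind(self, mac):
        return self.table.get(mac, (None, None))[1]

    def _dynamic_count(self, port):
        return sum(1 for p, k in self.table.values() if p == port and k == "dynamic")

    def receive(self, in_port, src, dst):
        """Handle one frame; returns (verdict, egress) with egress a port number or FLOOD."""
        if "blackhole" in (self._kind(src), self._kind(dst)):
            return ("discard", None)           # frames from or to a blackhole MAC are dropped
        entry = self.table.get(src)
        if entry is None:
            maximum, action = self.limit.get(in_port, (None, "forward"))
            if maximum is not None and self._dynamic_count(in_port) >= maximum:
                self.alarms.append((in_port, src))   # alarm is enabled by default on the page
                if action == "discard":
                    return ("discard", None)
                # action forward: the frame passes but the address is not learned
            elif len(self.table) < self.capacity:
                self.table[src] = (in_port, "dynamic")
            # else: table full, a valid source cannot be learned (the page's exhaustion case)
        elif entry[1] == "dynamic" and entry[0] != in_port:
            self.table[src] = (in_port, "dynamic")   # dynamic entries follow the source
        # Static entries are never rewritten by learning, so a spoofed source on another
        # interface cannot move the authorized host's binding.
        dentry = self.table.get(dst)
        return ("forward", FLOOD if dentry is None else dentry[0])


def run_scenarios():
    """Constructed scenarios: PC on port 1, server on port 2, attacker on port 3."""
    PC, SERVER, ATTACKER = "0001-0001-0002", "0001-0001-0004", "0bad-0bad-ffff"
    forged = ["0bad-0bad-%04x" % i for i in range(20)]   # attacker's forged source MACs
    r = {}

    # 1. No protection: forged sources fill the table before the PC is learned, so the
    #    server's reply to the PC is flooded and reaches the attacker's interface too.
    sw = SwitchModel(capacity=8)
    for m in forged:
        sw.receive(3, m, SERVER)
    sw.receive(1, PC, SERVER)
    r["unprotected_server_to_pc"] = sw.receive(2, SERVER, PC)[1]

    # 2. mac-limit maximum 2 action discard on the attacker's interface.
    sw = SwitchModel(capacity=8)
    sw.mac_limit(3, maximum=2, action="discard")
    verdicts = [sw.receive(3, m, SERVER)[0] for m in forged]
    sw.receive(1, PC, SERVER)
    r["limited_discards"] = verdicts.count("discard")
    r["limited_alarms"] = len(sw.alarms)
    r["limited_server_to_pc"] = sw.receive(2, SERVER, PC)[1]

    # 3. Same limit with action forward: excess frames pass but are not learned.
    sw = SwitchModel(capacity=8)
    sw.mac_limit(3, maximum=2, action="forward")
    verdicts = [sw.receive(3, m, SERVER)[0] for m in forged]
    r["forward_discards"] = verdicts.count("discard")
    r["forward_table_size"] = len(sw.table)

    # 4. A static binding survives a spoofed source; a blackhole entry drops the attacker.
    sw = SwitchModel(capacity=8)
    sw.mac_address_static(SERVER, 2)
    sw.mac_address_blackhole(ATTACKER)
    sw.receive(3, SERVER, PC)                       # attacker claims the server's MAC
    r["static_port_after_spoof"] = sw.table[SERVER][0]
    r["blackhole_verdict"] = sw.receive(3, ATTACKER, PC)[0]
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print("%-26s %s" % (k, v))
```

Scenario 2 and scenario 3 together show the practical difference between the two actions configured on this page: both keep the forged addresses out of the table so the PC can still be learned and the server's reply stays unicast, but only action discard stops the attacker's frames themselves.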