Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring the MAC Address Table

This section describes the MAC address table configuration.

Configuring the MAC Address Table

This section describes the procedures to configure static, blackhole, and dynamic MAC address entries, prevent an interface from learning MAC addresses, and limit the number of learned MAC addresses.

Configuring a Static MAC Address Entry

Context

To ensure communication security, you can configure MAC addresses of trusted upstream devices or users as static MAC address entries.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address static mac-address interface-type interface-number vlan vlan-id

    A static MAC address entry is configured.

    NOTE:

    A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packets with configured static MAC addresses that have been learned by other interfaces.

    If a physical interface is removed from a VLAN after static MAC address entries are configured, all static MAC address entries mapping the "physical interface + VLAN" will be automatically deleted.

Configuring a Blackhole MAC Address Entry

Context

To save MAC address table space and protect user devices or network devices from MAC address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses. Packets whose source or destination MAC address matches a blackhole MAC address entry are discarded.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address blackhole mac-address [ vlan vlan-id ]

    A blackhole MAC address entry is configured.

Setting the Aging Time of Dynamic MAC Address Entries

Context

When the network topology changes frequently, the access point learns many MAC addresses. After the aging time of dynamic MAC address entries is set, the device can delete unneeded MAC address entries to prevent a sharp increase in the number of MAC address entries. A shorter aging time is applicable to networks where the topology changes frequently, and a longer aging time is applicable to stable networks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address aging-time aging-time

    The aging time of a dynamic MAC address entry is set.

Disabling MAC Address Learning

Context

When an access point with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the access point forwards the frames through the outbound interface according to the MAC address entry. The MAC address learning function reduces broadcast packets on a network. After MAC address learning is disabled on an interface, the access point does not learn source MAC addresses of packets received by the interface.

Configuration Process
  • Disabling MAC address learning in the interface view
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      mac-address learning disable [ action { discard | forward } ]

      MAC address learning is disabled on the interface.

      By default, MAC address learning is enabled on an interface.

      By default, the access point performs the forward action after MAC address learning is disabled. That is, the access point forwards packets according to the MAC address table. When the action is configured to discard, the access point matches the source MAC addresses of packets against the MAC address entries. If the inbound interface and source MAC address of a packet match a MAC address entry, the access point forwards the packet. Otherwise, the access point discards the packet.

  • Disabling MAC address learning in the VLAN view
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-address learning disable

      MAC address learning is disabled in the VLAN.

      By default, MAC address learning is enabled in a VLAN.

Limiting the Number of Learned MAC Addresses

Context

A network with weak security is vulnerable to MAC address attacks. The capacity of a MAC address table is limited. Therefore, when an attacker forges a large quantity of packets with different source MAC addresses and sends them to the access point, the MAC address table of the access point may reach its full capacity. When the MAC address table is full, the access point cannot learn the source MAC addresses of valid packets.

You can limit the number of MAC addresses learned on the access point. When the number of learned MAC address entries reaches the limit, the access point does not learn new MAC addresses. You can also configure the action to take and enable the device to send traps to the NMS when the number of MAC addresses reaches the limit. This prevents MAC address attacks and improves network security.

Procedure

  • Limiting the number of MAC addresses learned by an interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      mac-limit maximum max-num

      The maximum number of MAC addresses learned on the interface is set.

      By default, the number of MAC addresses learned on an interface is not limited.

    4. Run:

      mac-limit action { discard | forward }

      The action to be taken on packets with unknown source MAC addresses when the number of learned MAC addresses reaches the limit is configured.

      By default, packets with unknown source MAC addresses are discarded after the number of learned MAC addresses reaches the limit.

    5. Run:

      mac-limit alarm { disable | enable }

      The access point is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit.

      By default, the access point sends a trap to the NMS when the number of learned MAC addresses reaches the limit.

  • Limiting the number of MAC addresses learned in a VLAN
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-limit maximum max-num

      The maximum number of MAC addresses learned in the VLAN is set.

      By default, the number of MAC addresses learned in a VLAN is not limited.

    4. Run:

      mac-limit alarm { disable | enable }

      The access point is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit.

      By default, the access point sends a trap to the NMS when the number of learned MAC addresses reaches the limit.

Checking the Configuration

Procedure

  • Run the display mac-address command to view all MAC address entries.
  • Run the display mac-address static command to view static MAC address entries.
  • Run the display mac-address dynamic command to view dynamic MAC address entries.
  • Run the display mac-address blackhole command to view blackhole MAC address entries.
  • Run the display mac-address aging-time command to view the aging time of dynamic MAC address entries.
  • Run the display mac-address summary command to view statistics on all the MAC address entries.
  • Run the display mac-address total-number command to view the number of MAC address entries.
  • Run the display mac-limit command to view the limit of the number of learned MAC addresses.
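The procedures above combined into one configuration session on the access point. This is an added example, not a session from the Huawei guide; the device name AP, the interface names GigabitEthernet0/0/0 (uplink) and GigabitEthernet0/0/1 (user access), VLAN 10, and the MAC addresses are constructed values, the aging-time unit is assumed to be seconds, and lines beginning with # are annotations rather than commands.

```vrp
# Added example (not from the guide). Assumed: GigabitEthernet0/0/0 is the uplink,
# GigabitEthernet0/0/1 is a user access interface, user VLAN is 10, and the MAC
# addresses 00e0-fc12-3456 (trusted gateway) and 00e0-fc99-0001 (untrusted host)
# are constructed.
<AP> system-view
# Pin the trusted upstream gateway. A static entry overrides any dynamic entry,
# so frames carrying this source MAC on any other interface are discarded.
[AP] mac-address static 00e0-fc12-3456 GigabitEthernet0/0/0 vlan 10
# Drop every frame to or from a MAC address already identified as untrusted.
[AP] mac-address blackhole 00e0-fc99-0001 vlan 10
# Shorter aging (assumed seconds) for a topology that changes often.
[AP] mac-address aging-time 120
# On the uplink, stop learning and discard any frame whose inbound interface and
# source MAC do not match an existing entry: only the pinned gateway gets through.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] mac-address learning disable action discard
[AP-GigabitEthernet0/0/0] quit
# On the user interface, cap the number of learned addresses, discard frames with
# unknown source MACs once the cap is reached (the default), and keep the NMS trap.
[AP] interface GigabitEthernet0/0/1
[AP-GigabitEthernet0/0/1] mac-limit maximum 64
[AP-GigabitEthernet0/0/1] mac-limit action discard
[AP-GigabitEthernet0/0/1] mac-limit alarm enable
[AP-GigabitEthernet0/0/1] quit
# Verify each setting with the display commands listed above.
[AP] display mac-address static
[AP] display mac-address blackhole
[AP] display mac-address aging-time
[AP] display mac-limit
```

Test the discard action on the uplink in a maintenance window: any upstream device other than the pinned gateway that sends frames into GigabitEthernet0/0/0 will be dropped until it has a static entry of its own.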

Configuring MAC Address Anti-flapping

You can configure MAC address anti-flapping to ensure that the device learns MAC addresses on the correct interfaces, preventing unauthorized users from accessing the device.

Configuring the MAC Address Learning Priority of an Interface

Context

To prevent MAC address flapping, configure different MAC address learning priorities for interfaces. When interfaces learn the same MAC address, the MAC address entry learned by the interface with the highest priority overrides the MAC address entries learned by the other interfaces.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    mac-learning priority priority-id

    The MAC address learning priority of an interface is set.

    By default, the MAC address learning priority of an interface is 0. A greater priority value indicates a higher MAC address learning priority.

Forbidding MAC Address Flapping Between Interfaces with the Same Priority

Context

You can configure the device to forbid MAC address flapping between interfaces with the same priority to improve network security.

If the access point is configured to forbid MAC address flapping between interfaces with the same priority and a device (such as a server) connected to the access point goes offline, another interface on the access point may learn the same MAC address as that device. The access point then cannot learn the correct MAC address when the device powers on again.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    undo mac-learning priority priority-id allow-flapping

    MAC address flapping between interfaces with the same priority is forbidden.

    By default, MAC address flapping between interfaces with the same priority is allowed.

Checking the Configuration

Procedure

  • Run the display current-configuration command to view the MAC address learning priorities of interfaces.
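The two anti-flapping procedures above as one session. This is an added example, not from the Huawei guide; the device name AP, the interface names GigabitEthernet0/0/0 (uplink toward the server) and GigabitEthernet0/0/1 (user access), and the priority value 2 are assumptions, and lines beginning with # are annotations rather than commands.

```vrp
# Added example (not from the guide). Assumed: GigabitEthernet0/0/0 is the uplink
# that faces the server, GigabitEthernet0/0/1 faces users; priority value 2 is
# chosen arbitrarily (higher value = higher learning priority, default is 0).
<AP> system-view
# Raise the learning priority of the uplink. If a user interface later sees a frame
# with the server's source MAC, the uplink's entry (higher priority) is kept and the
# user interface's entry does not override it.
[AP] interface GigabitEthernet0/0/0
[AP-GigabitEthernet0/0/0] mac-learning priority 2
[AP-GigabitEthernet0/0/0] quit
# User interfaces stay at the default priority 0. Forbid flapping between interfaces
# that share priority 0 so a MAC learned on one user interface cannot move to another.
# Caveat from the section above: a host that goes offline and whose MAC is then seen on
# another priority-0 interface will not be re-learned correctly when it returns.
[AP] undo mac-learning priority 0 allow-flapping
# Verify the priorities and the flapping setting.
[AP] display current-configuration
```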
Updated: 2019-01-11

Document ID: EDOC1000176006