No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Principles

Principles

This section describes principles of MAC address table.

MAC Address Table

Each device maintains a MAC address table. A MAC address table records the MAC address, VLAN ID and outbound interfaces learned from other devices. When forwarding a data frame, the device searches the MAC table for the outbound interface according to the destination MAC address and VLAN ID in the frame. This helps the device reduce broadcasting.

Packet Forwarding Based on the MAC Address Table

The device forwards packets based on the MAC address table in either of the following modes:

  • Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the device forwards the packet through the outbound interface specified in the matching entry.
  • Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC address cannot be found in the MAC address table, the device broadcasts the packet to all the interfaces in the VLAN except the inbound interface.
Categories of MAC Address Entries

The MAC address entry can be classified into the dynamic entry, the static entry and the blackhole entry.

  • The dynamic entry is created by learning the source MAC address. It has aging time.

  • The static entry is set by users and is delivered to each SIC. It does not age.

  • The blackhole entry is used to discard the frame with the specified source MAC address or destination MAC address. Users manually set the blackhole entries and send them to each SIC. Blackhole entries have no aging time.

The dynamic entry will be lost after the system is reset or the interface board is hot swapped or reset. The static entry and the blackhole entry, however, will not be lost.

Generation of a MAC address entry

MAC address entries are generated automatically or configured manually.

  • Automatically Generated MAC Address Entries

    MAC address entries are learned by the system automatically. For example, SwitchA and HostB are connected. When SwitchB sends a frame to SwitchA, SwitchA obtains the source MAC address (the MAC address of HostB) from the frame and adds the source MAC address and the interface number to the MAC address table. When SwitchA receives a frame sent to HostB again, SwitchA can search the MAC address table to find the correct outbound interface.

    The entries in the MAC table will not be valid all the time. Each entry has its own lifetime. If the entry has not been refreshed at the expiration of its lifetime, the device will delete that entry from the MAC table. That lifetime is called aging time. If the entry is refreshed before its lifetime expires, the device resets the aging time for it.

  • Manually Configured MAC Address Entries

    When creating MAC address entries by itself, the device cannot identify whether the packets are from the legal users or the hackers. This threatens the network safety.

    Hackers can fake the source MAC address in attack packets. The packet with a forged address enters the device from the other port. Then the device learns a fault MAC table entry. That is why the packets sent to the legal users are forwarded to the hackers.

    For security, the network administrator can add static entries to the MAC table manually to bind the user's device and the port of the device. In this way, the device can stop the illegal users from stealing data.

    By configuring blackhole MAC address entries, you can configure the specified user traffic not to pass through a switch to prevent attacks from unauthorized users.

    The priority of MAC entries set up by users is higher than that generated by the device itself.

Aging Time of MAC Addresses

To adapt to the changes of networks, the MAC table needs to be updated constantly. The dynamic entries automatically created in a MAC address table are not always valid. Each entry has a life cycle. The entry that has never been updated till its life cycle ends will be deleted. This life cycle is called aging time. If the entry is updated before its life cycle ends, the aging time of the entry is recalculated.

Figure 7-11  Aging of MAC addresses

As shown in the preceding figure, the aging time of MAC addresses is set to T. At t1, packets with the source MAC address 00e0-fc00-0001 and VLAN ID 1 reach an interface. Assume that the interface is added to VLAN 1. If no entry with the MAC address as 00e0-fc00-0001 and the VLAN ID as 1 exists in the MAC address table, the MAC address is added to the MAC address table as a dynamic MAC address entry and the flag of the matching entry is set to 1.

The switch checks all learned dynamic MAC address entries at an interval of T. For example, at t2, if the switch discovers that the flag of the matching dynamic MAC address entry with the MAC address as 00e0-fc00-0001 and the VLAN ID as 1 is 1, the flag of the matching MAC address entry is set to 0 and the MAC address entry is not deleted. If packets with the source MAC address as 00e0-fc00-0001 and the VLAN ID as 1 enter the switch between t2 and t3, the flag of the matching MAC address entry is set to 1 again. If no packet with the source MAC address as 00e0-fc00-0001 and the VLAN ID as 1 enters the switch between t2 and t3, the flag of the matching MAC address entry is always 0. At t3, after discovering that the flag of the matching MAC address entry is 0, the switch assumes that the aging time of the MAC address entry expires and deletes the MAC address entry.

As stated above, the minimum holdtime of a dynamic MAC address entry in the MAC address table ranges from the aging time T to 2 T configured on the switch through automatic aging.

The aging time of MAC addresses is configurable. By setting the aging time of MAC addresses, you can flexibly control the holdtime of learned dynamic MAC address entries in the MAC address table.

Disabling MAC Address Learning and Limiting the Number of MAC Addresses

The capacity of a MAC address table is limited. Therefore, when hackers forge a large quantity of packets with different source MAC addresses and send the packets to a device, the MAC address table of the device may reach its full capacity. When the MAC address table is full, the device cannot learn source MAC addresses of valid packets.

A device limits the number of learned MAC addresses in one of the following modes:
  • Disabling MAC address learning on an interface or a VLAN

  • Limiting the number of MAC addresses on an interface or a VLAN

After MAC address learning is disabled on an interface or a VLAN, no MAC address entry can be learned on the interface or VLAN. The system deletes the previously learned dynamic MAC entries after the aging time expires. You can also manually delete these entries.

You can limit the maximum number of dynamic MAC address entries on a specified VLAN or interface. After the number of MAC address entries learned by the VLAN or interface reaches the limit, no MAC address entry can be learned on the VLAN or interface until the previously learned MAC address entries age out.

In most cases, attack packets sent by a hacker enter a switch through the same interface. Therefore, you can set the limit on the number of MAC address entries or disable MAC address learning on an interface to prevent attack packets from exhausting the MAC address table.

Translation
Download
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 118852

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next