Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 2-10, the MAC address of the user host PC1 is 0002-0002-0002 and that of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through the LSW. The LSW is connected to 10GE1/0/1 of the Switch, which belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected to 10GE1/0/2 of the Switch. 10GE1/0/2 belongs to VLAN 2.
To prevent hackers from using MAC addresses to attack the network, configure two static MAC address entries on the Switch, one for each user host.
To prevent hackers from stealing user information by forging the MAC address of the server, configure a static MAC address entry on the Switch for the server.
This example applies to the scenario where there are few users. When there are many users, perform dynamic binding according to Example for Configuring Port Security.
Configuration Roadmap
The configuration roadmap is as follows:
- Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
- Configure static MAC address entries to prevent MAC address attacks.
- Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
- Configure static MAC address entries.
# Create VLAN 2 and add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch-vlan2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 2
[*Switch-10GE1/0/2] quit
[*Switch] commit
# Configure the static MAC address entries.
[~Switch] mac-address static 2-2-2 10GE 1/0/1 vlan 2
[*Switch] mac-address static 3-3-3 10GE 1/0/1 vlan 2
[*Switch] mac-address static 4-4-4 10GE 1/0/2 vlan 2
[*Switch] commit
- Set the aging time of a dynamic MAC address entry.
[~Switch] mac-address aging-time 500
[*Switch] commit
- Verify the configuration.
# Run the display mac-address static command in any view to check whether the static MAC address entries are successfully added to the MAC address table.
[~Switch] display mac-address static vlan 2
Flags: * - Backup
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/-         10GE1/0/1           static
0003-0003-0003 2/-/-         10GE1/0/1           static
0004-0004-0004 2/-/-         10GE1/0/2           static
-------------------------------------------------------------------------------
Total items: 3
# Run the display mac-address aging-time command in any view to check whether the aging time of dynamic entries is set successfully.
[~Switch] display mac-address aging-time
Aging time: 500 second(s)
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
mac-address static 0002-0002-0002 10GE1/0/1 vlan 2
mac-address static 0003-0003-0003 10GE1/0/1 vlan 2
mac-address static 0004-0004-0004 10GE1/0/2 vlan 2
#
return