Summary of MAC Address Table Configuration Tasks
| Scenario | Description | Task |
|---|---|---|
| MAC addresses and interfaces need to be bound statically. | Configure static MAC address entries to bind MAC addresses to interfaces. A static entry is never aged out and cannot be overwritten by a dynamically learned entry, so an attacker cannot redirect an authorized user's traffic by forging that user's source MAC address on another interface. | |
| Attack packets from unauthorized users need to be filtered out. | Configure blackhole MAC address entries. Packets whose source or destination MAC address matches a blackhole entry are discarded, so traffic from a known unauthorized host is dropped before it reaches the system. | |
| Aging of dynamic MAC address entries needs to be flexibly controlled. | Set the aging time to suit the network. On a stable network, set a long aging time or 0 (dynamic entries are not aged); in other situations, set a short aging time so that entries of hosts that have moved or gone offline are removed promptly. | |
| MAC address learning needs to be controlled. | An unauthorized user can exhaust the MAC address table by sending frames with many forged source MAC addresses. To prevent this, disable MAC address learning on interfaces or VLANs that do not need it, or limit the number of MAC address entries an interface or VLAN may learn and discard frames from sources beyond the limit. | |
| MAC address flapping needs to be prevented. | MAC address flapping occurs when the network has a loop or is under attack. You can use the following methods to prevent MAC address flapping: | |
| MAC address flapping needs to be detected. | MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the entry learned later overrides the earlier one. MAC address flapping detection lets the switch check whether any MAC address flaps between interfaces and so determine whether a loop exists. When flapping occurs, the switch sends an alarm to the NMS, and maintenance personnel can locate the loop from the alarm and the historical flapping records, which greatly improves maintainability. If the network connected to the switch does not support loop-prevention protocols, configure the switch to shut down the interfaces on which flapping occurs to limit the impact on the network. | |
| The switch needs to discard packets whose destination MAC addresses do not match the MAC address table. | After a DHCP user goes offline, the user's MAC address entry ages out. If packets are still destined for that user, the switch finds no matching entry and floods them to all interfaces in the VLAN, so every user in the VLAN receives them, which is a security risk. After the switch is configured to discard packets that do not match any MAC address entry, such packets are dropped instead of flooded. This reduces load on the switch and improves security. | Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry |
| The outbound interfaces in ARP entries need to be updated quickly. | Configure MAC address-triggered ARP entry update. When the outbound interface in a MAC address entry changes, the device updates the outbound interface in the corresponding ARP entry immediately, without waiting for ARP probing. This shortens the service interruption time. | |
| An interface needs to forward packets whose source and destination MAC addresses are both learned on that interface. | By default, an interface does not forward a packet whose source and destination MAC addresses were both learned on that interface; it discards the packet as invalid. After the port bridge function is enabled, the interface forwards such packets. This applies to a switch that connects to devices incapable of Layer 2 forwarding, or that acts as an access device in a data center. | |
By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet. After the port bridge function is enabled on the interface, the interface forwards such packets. This function applies to a switch that connects to devices incapable of Layer 2 forwarding or functions as an access device in a data center. |