Article directory
- foreword
- 1. MAC address table security
- 2. Types and functions of MAC address table
- 3. MAC table entry related commands (from Huawei official)
-
- 1. Configure static MAC entries
- 2. Configure the black hole MAC entry
- 3. Configure the aging time of dynamic MAC entries
- 4. Disable the VLAN-based MAC address learning function
- 5. Configure to limit the number of MAC address learning based on the interface
- 6. Configure the action to be taken on the message when the number of MAC addresses reaches the limit
- 7. Configure whether to alarm when the number of MAC addresses reaches the limit
- 8. Configure to limit the number of MAC address learning based on VLAN
- 9. Disable the interface-based mac address learning function
foreword
There is no example configuration explanation this time, and a comprehensive example of Ethernet security will be introduced later.
1. MAC address table security
There are three main types静态mac地址表、动态mac地址表、黑洞mac地址表
- Static mac address table: The
小型网络administrator configures手工the mac address in the table信任, the port and the mac address绑定, the table entry不会老化(including hot swap), other interfaces will directly choose to discard the packets whose source mac is the bound mac . - Dynamic mac address table: learn addresses
自动for packets passing through the port ,源mac表项会老化。 - Black hole mac address table: administrator
手工配置,不可老化, after matching the target black hole mac address直接丢弃, it is like being thrown into a black hole, hence the name.
2. Types and functions of MAC address table
Don't talk nonsense anymore, go directly to the mind map, which is easier to understand than text,
3. MAC table entry related commands (from Huawei official)
There will be no example explanation here, and a piece of Ethernet switching technology integration exercise will be published later.
1. Configure static MAC entries
# 指定的VLAN必须已经创建并且已经加入绑定的端口;指定的MAC地址,必须是单播MAC地址,不能是组播和广播MAC地址
[Huawei] mac-address static mac-address interface-type interface-number vlan vlan-id
2. Configure the black hole MAC entry
#当设备收到目的MAC或源MAC地址为黑洞MAC地址的报文,直接丢弃。
[Huawei] mac-address blackhole mac-address [ vlan vlan-id ]
3. Configure the aging time of dynamic MAC entries
[Huawei] mac-address aging-time aging-time
4. Disable the VLAN-based MAC address learning function
#缺省情况下,VLAN的MAC地址学习功能是使能的。
当同时配置基于接口和基于VLAN的禁止MAC地址学习功能时,基于VLAN的优先级要高于基于接口的优先级配置
Huawei-vlan2] mac-address learning disable。
5. Configure to limit the number of MAC address learning based on the interface
#缺省情况下,不限制MAC地址学习数
[Huawei-GigabitEthernet0/0/1] mac-limit maximum max-num
6. Configure the action to be taken on the message when the number of MAC addresses reaches the limit
#缺省情况下,对超过MAC地址学习数限制的报文采取丢弃动作
Huawei-GigabitEthernet0/0/1] mac-limit action {
discard | forward
7. Configure whether to alarm when the number of MAC addresses reaches the limit
#缺省情况下,对超过MAC地址学习数限制的报文进行告警
[Huawei-GigabitEthernet0/0/1] mac-limit alarm {
disable | enable }
8. Configure to limit the number of MAC address learning based on VLAN
#缺省情况下,不限制MAC地址学习数
[Huawei-vlan2] mac-limit maximum max-num
9. Disable the interface-based mac address learning function
#关闭MAC地址学习功能的缺省动作为forward,即对报文进行转发。
当配置动作为discard时,会对报文的源MAC地址进行匹配,当接口和MAC地址与MAC地址表项匹配时,则对该报文进行转发。当接口和MAC地址与MAC地址表项不匹配时,则丢弃该报文
Huawei-GigabitEthernet0/0/1] mac-address learning disable [ action {
discard | forward } ]
Note: The idea is original, the order cannot be original, it is all from Huawei official! ! !