LAN technology--MAC address table, port security

  • MAC address table composition
  • Port security
  • MAC address flapping

1. The composition of the MAC address table

There are three types of MAC address entries:

1. Dynamic entries: learned by an interface from the source MAC address of received frames; the aging time is 300 s.
   The entry disappears after the system is reset or the interface board is hot-swapped.

2. Static entries: configured manually and delivered to each interface board; the entries do not age.
   The entry does not disappear after the system is reset or the interface board is hot-swapped.

3. Blackhole entries: configured manually and delivered to each interface board; the entries do not age.
   Once a blackhole MAC address is configured, packets whose source or destination MAC address matches it are discarded.

The composition of a MAC address entry: it mainly consists of the MAC address, the VLAN tag, the outbound interface (port), and the entry type.

Configure MAC address entries:

1. Static MAC address: mac-address static 0011-2233-4455 g0/0/1 vlan 1
2. Blackhole MAC address: mac-address blackhole 0011-2233-4455
3. Dynamic MAC address aging time: mac-address aging-time 40 (the unit is seconds; the default is 300 s)

2. Port Security

Overview: Port Security converts the dynamic MAC addresses learned on an interface into secure MAC addresses (secure dynamic MAC, secure static MAC, and sticky MAC) so that unauthorized users cannot communicate with the switch through that interface, which improves the security of the device.

There are three types of secure MAC addresses:

1. Secure dynamic MAC addresses: dynamic MAC addresses converted when the port security function is enabled.
   They are lost after a restart, they age, and they can only be learned dynamically.

2. Secure static MAC addresses: static MAC addresses configured manually after the port security function is enabled.
   They are not lost after a restart, they do not age, and they can only be configured manually.

3. Sticky MAC addresses: MAC addresses learned after both the port security function and the sticky MAC function are enabled.
   They are not lost after a restart, they do not age, and they can also be configured manually.

Configure the secure MAC function:

1. Enable port security in the interface view: port-security enable
2. Configure the port security protection action: port-security protect-action shutdown

   // There are three actions: protect, restrict and shutdown; the default is shutdown.
   // protect discards the packets but does not send an alarm log;
   // restrict discards the packets and sends an alarm log;
   // shutdown also sends log information.

3. Configure the number of dynamic MAC addresses the port may learn: port-security max-mac-num 5
4. Configure the aging time of the port's dynamic MAC addresses: port-security aging-time 1000

Configure the sticky MAC function:

1. port-security enable                // enable port security on the interface
2. port-security mac-address sticky    // enable the sticky MAC function
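To make the three protection actions and the three secure MAC types concrete, here is an added simulation of the port security behaviour described above. It is illustration code written for these notes, not Huawei's implementation; the port name, the returned action strings and the demo traffic are assumptions of the example.

```python
from dataclasses import dataclass, field

# Constructed model of the port-security behaviour in the notes above (added
# illustration, not Huawei's implementation); port name, action strings and
# demo traffic are assumptions of this example.

@dataclass
class SecurePort:
    name: str
    protect_action: str                  # protect | restrict | shutdown
    max_mac_num: int = 1                 # port-security max-mac-num
    sticky: bool = False                 # port-security mac-address sticky
    is_shutdown: bool = False
    secure_macs: dict = field(default_factory=dict)  # mac -> entry type
    alarms: list = field(default_factory=list)

    def add_static(self, mac):
        """Secure static MAC: configured manually, never ages, survives a restart."""
        self.secure_macs[mac] = "secure-static"

    def receive(self, mac):
        """Handle a frame with source MAC `mac`; return the action taken."""
        if self.is_shutdown:
            return "drop:port-shutdown"
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.max_mac_num:
            # below the limit: the learned address becomes secure dynamic, or sticky if enabled
            self.secure_macs[mac] = "sticky" if self.sticky else "secure-dynamic"
            return "forward:learned"
        # limit reached and the source MAC is unknown: apply the protection action
        if self.protect_action == "protect":
            return "drop"                   # dropped silently, no alarm log
        self.alarms.append(f"{self.name}: unauthorized source MAC {mac}")
        if self.protect_action == "shutdown":
            self.is_shutdown = True         # interface is shut down
            return "drop:shutdown"
        return "drop:restrict"

    def restart(self):
        """System reset: secure dynamic entries are lost, static and sticky entries stay."""
        self.secure_macs = {m: t for m, t in self.secure_macs.items()
                            if t != "secure-dynamic"}

def demo(action):
    """Same traffic against a port with max-mac-num 2 and the given protect action."""
    p = SecurePort("GigabitEthernet0/0/1", action, max_mac_num=2)
    p.add_static("0011-2233-4455")
    frames = ["aaaa-bbbb-0001", "aaaa-bbbb-0002", "0011-2233-4455", "aaaa-bbbb-0002"]
    return [p.receive(m) for m in frames], len(p.alarms), p.is_shutdown
```

Running demo("protect"), demo("restrict") and demo("shutdown") on the same four frames shows the difference: protect drops the second unknown host without an alarm, restrict drops it and logs every attempt, and shutdown logs once and then blocks even the secure static host until the interface is recovered.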

3. MAC address flapping

Overview: MAC address flapping is the phenomenon in which two ports of the same VLAN on a device learn the same MAC address, so that the entry learned later overwrites the original MAC address entry.

Anti-flapping mechanisms:

1. Raise the MAC address learning priority of the interface;
2. Do not allow MAC address entries to be overwritten between interfaces with the same priority.

MAC address flapping detection: detects whether MAC address flapping has occurred by watching for the outbound interface of a MAC address entry jumping between ports.

MAC address anti-flapping configuration:

Configure the MAC address learning priority of an interface:
[Huawei-GigabitEthernet0/0/2]mac-learning priority 3
// Sets the interface's MAC address learning priority to 3; the default is 0, and a larger value means a higher priority

Disallow MAC address flapping between interfaces with the same priority:
[Huawei]undo mac-learning priority 3 allow-flapping
// Interfaces with the same priority are not allowed to flap MAC addresses between them

Configure global MAC address flapping detection:
[Huawei]mac-address flapping detection
// Enables the MAC address flapping detection function globally

Configure VLAN-based MAC address flapping detection:
[Huawei]vlan 2
[Huawei-vlan2]loop-detect eth-loop block-time 100 retry-times 3
// Configures the MAC address flapping detection function for this VLAN

Source: blog.csdn.net/qq_50929489/article/details/127457448