4.1 Introduction
A MAC (Media Access Control) address is also known as a physical address or hardware address. On the Internet an IP address cannot reliably identify a user, because anyone can change it, whereas the MAC address is written into the network card by the manufacturer of the network equipment at the time of manufacture and can uniquely identify a user. A MAC address is 48 bits long and is written as 12 hexadecimal digits. Counting from left to right, bits 0 to 23 are a code that the vendor applies for from the IETF and other bodies and that identifies the vendor; bits 24 to 47 are assigned by the vendor itself.
In addition to physical MAC addresses, there are also broadcast MAC addresses (all bits set to 1) and multicast MAC addresses (bit 8 is 1).
4.2 MAC Address Table
The MAC address table records MAC addresses together with the interface and the VLAN to which the interface belongs. When the device forwards a packet, it looks up the packet's destination MAC in the MAC table. If the table contains an entry for that destination MAC, the packet is forwarded directly through the egress interface in the entry; if it does not, the packet is broadcast on all interfaces in the corresponding VLAN except the one it was received on.
4.2.1 Generation of MAC Address Table Entries
MAC table entries can be generated in two ways: automatically and manually.
- Automatic generation
In general, the MAC table is built automatically through source MAC learning.
When interface A of the device receives a data frame, it examines the frame's source MAC. If that MAC is already in the MAC address table, the existing entry is updated; if it is not, the new MAC address is added to the table as a new entry that maps it to interface A.
To adapt to changes in the network topology, the MAC table needs to be updated constantly. Automatically generated entries are not valid forever: each entry has a lifetime, and any entry that is not refreshed before its lifetime expires is deleted. This lifetime is called the aging time. If an entry is refreshed before its lifetime expires, its aging time is restarted.
- Manual configuration
When the device builds the MAC table automatically through source MAC learning, it cannot distinguish packets from legitimate users from those of illegal users, which poses a security risk. If an illegal user sets the source MAC of attack packets to the MAC of a legitimate user and sends them in through another interface of the device, the device learns a wrong MAC table entry and forwards packets that should have gone to the legitimate user to the illegal user instead. To improve security, specific entries can therefore be added to the MAC table manually, binding the user device to its interface and preventing illegal users from obtaining data by spoofing.
4.2.2 Classification of MAC Address Table Entries
MAC address table entries are classified as static MAC, dynamic MAC and black hole MAC.
- Static MAC
Manually configured by the user. Entries do not age. Static MAC entries have higher priority than automatically generated ones. Entries are not lost after a reboot (save the configuration first).
- Dynamic MAC
Automatically generated by source MAC learning. Entries age out. Dynamic entries are lost after a system reboot.
- Black Hole MAC
Manually configured by the user to discard packets whose source MAC or destination MAC matches the specified MAC, for example to prohibit a user from sending or receiving packets. Blackhole MAC entries do not age and are not lost after a reboot (save the configuration first).
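As an added example that is not part of this manual, the following Python model ties together the behaviour described in 4.2.1 and 4.2.2: dynamic learning with aging, a static entry that learning cannot override, and a black-hole entry that discards frames by source or destination MAC. Port names, the server MAC and the timestamps are constructed for the example.

```python
from dataclasses import dataclass
FLOOD = "flood"   # no entry for dst: flood to all other ports in the VLAN (4.2)
DROP = "drop"     # black-hole entry matched: frame discarded (4.2.2)

@dataclass
class Entry:
    port: object       # egress port name, or None for a black hole
    kind: str          # "static", "dynamic" or "blackhole"
    last_seen: float   # time of the last refresh; only dynamic entries use it

class MacTable:
    def __init__(self, aging_time=1800):    # 1800 s is the default from 4.3.1
        self.aging_time = aging_time
        self.entries = {}                   # (vlan, mac) -> Entry

    def add_manual(self, vlan, mac, port=None):
        # Operator-configured entry: static when a port is given, black hole otherwise.
        kind = "static" if port is not None else "blackhole"
        self.entries[(vlan, mac)] = Entry(port, kind, 0.0)

    def age(self, now):   # only dynamic entries age; a refresh restarts the timer (4.2.1)
        self.entries = {k: e for k, e in self.entries.items()
                        if e.kind != "dynamic" or now - e.last_seen < self.aging_time}

    def forward(self, vlan, src, dst, in_port, now):   # returns a port, FLOOD or DROP
        self.age(now)
        s = self.entries.get((vlan, src))
        if s is None:                           # unknown source: learn it on in_port
            self.entries[(vlan, src)] = Entry(in_port, "dynamic", now)
        elif s.kind == "dynamic":               # known source: refresh or move it
            s.port, s.last_seen = in_port, now
        elif s.kind == "blackhole":             # black hole also matches the source MAC
            return DROP
        # A static entry is left untouched: learning never overrides the manual binding.
        d = self.entries.get((vlan, dst))
        if d is None:
            return FLOOD
        return DROP if d.kind == "blackhole" else d.port

def spoofing_scenario(protect, aging_time=720):
    # Constructed scenario: a host on 0/7 spoofs the legitimate MAC from 4.5.1; the
    # server MAC 00:00:5E:00:53:01 is made up for this example.
    legit, server = "E2:8C:56:85:4A:11", "00:00:5E:00:53:01"
    t = MacTable(aging_time)
    if protect:
        t.add_manual(100, legit, "0/0")         # the static binding from 4.5.2
    t.forward(100, legit, server, "0/0", 0)     # legitimate host sends from 0/0
    t.forward(100, legit, server, "0/7", 1)     # spoofed source MAC arrives on 0/7
    reply = t.forward(100, server, legit, "0/3", 2)              # server replies
    aged = t.forward(100, server, legit, "0/3", 2 + aging_time)  # after aging time
    return reply, aged   # unprotected: ("0/7", "flood"); protected: ("0/0", "0/0")
```

Without the static binding the server's reply follows the spoofed learning to port 0/7 and, once the 720 s aging time has passed without traffic, is flooded; with the binding it stays on port 0/0 in both cases.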
4.3 MAC Configuration
4.3.1 MAC Default Setting
The default setting of MAC is shown in the table below.
Parameters | Default value |
---|---|
Dynamic MAC table entry aging time | 1800 seconds |
MAC address learning | Enabled |
MAC drift detection function | Enabled |
NOTE:
The default aging time for Dynamic ARP is 1/6 of the MAC aging time.
4.3.2 Configure Static MAC
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Configure a static MAC. | mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id interface-type interface-name | Interface type can be ethernet or link-aggregation |
Remove the static MAC. | no mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id | Interface type can be ethernet or link-aggregation |
NOTE:
- Static MAC table entries are retained across a reboot once the configuration has been saved, so they can only be deleted manually.
- The specified VLAN must have been created and a member port must exist.
- The specified MAC address must be a unicast MAC address that is not the switch's own; it cannot be a multicast or broadcast MAC address.
- Static MAC entries have higher priority than dynamic MAC entries.
4.3.3 Configure a Black Hole MAC
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Configure a black hole MAC. | mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id blackhole | - |
Delete the black hole MAC. | no mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id | - |
4.3.4 Set the Aging Time of Dynamic MAC
The MAC table entry aging time is a parameter that affects the switch's MAC self-learning. Dynamic MAC table entries that have exceeded the aging time are deleted automatically, and the device then performs MAC learning again to build new entries. Static MAC table entries are not affected by the aging time.
An aging time that is too long or too short can affect device performance. If it is too long, the switch may keep many obsolete MAC table entries and run out of memory, so that the MAC table can no longer be updated; if it is too short, the switch may delete valid MAC table entries too quickly, producing a large number of broadcast packets and increasing the load on the network.
Users can configure it according to the actual situation. If the network topology is relatively stable, the aging time can be set longer or aging can be disabled; otherwise it can be set shorter. For example, in a relatively stable network, if there is no traffic for a long time, all dynamic MAC address table entries are deleted, which may cause the device to suddenly broadcast a large number of packets and create a security risk. Setting a longer aging time for dynamic MAC address table entries, or disabling aging, reduces broadcast packets and improves network stability and security.
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Set dynamic MAC aging time. | mac-address timer aging seconds | The default value is 1800s. |
Configure dynamic MAC not to age. | mac-address timer no-aging | - |
4.3.5 Disable MAC Address Learning
When the device receives a large number of forged packets with different source MAC addresses, the capacity of the MAC address table may be exceeded. Once the table is full, no further MAC learning is possible, and the resulting broadcast flooding in the network consumes bandwidth. Disabling the MAC address learning function effectively prevents this attack.
4.3.5.1 Disable Interface-based MAC Address Learning
Because the MAC learning disable function applies only to Layer 2 ports, the port being configured must belong to a VLAN.
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Enter interface view | interface interface-type interface-name | Interface type can be ethernet or link-aggregation; sub-interfaces are not supported at this time |
Disable MAC Learning | no mac-address learning | - |
Enable MAC Learning | mac-address learning | - |
4.3.5.2 Disable VLAN-based MAC Address Learning
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Enter VLAN view | vlan vlan-id | - |
Disable MAC Learning | no mac-address learning | - |
Enable MAC Learning | mac-address learning | - |
4.3.6 Configure MAC Table Entry Limit
Only CX308P-48Y-NF and CX532P-N-V2 devices support this feature.
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Enter interface view | interface interface-type interface-name | Interface type can be ethernet or vlan |
Configure MAC table entry limit for an interface | mac-limit number | number: the number of MAC table entries allowed to be learnt, in the range [1,131072]. |
Remove the MAC table entry limit for an interface | no mac-limit | - |
4.3.7 Configure the MAC Address of Layer 3 Interface
By default, the interface MAC of an RIF (Router Interface) is either dynamically assigned by the system or the same as the device MAC. This product series allows users to reconfigure the MAC of physical interfaces, VLAN interfaces and link aggregation interfaces.
Operation | Commands | Description |
---|---|---|
Enter global configuration view. | configure terminal | - |
Enter interface view | interface interface-type interface-name[. subinterface-number] | Interface type can be ethernet, VLAN, link-aggregation |
Configure the MAC address of the interface | mac-address HH:HH:HH:HH:HH:HH | - |
Restore the MAC address of the interface to its default value | no mac-address | - |
4.4 Display and Maintenance
4.4.1 Display the MAC Table
Execute the following command to display the MAC table details.
Operation | Commands | Description |
---|---|---|
View MAC table | show mac-address [interface-type interface-name] | Interface type can be ethernet, VLAN, link-aggregation |
4.4.2 Clear MAC Table
For daily maintenance, the following command can be executed to clear the MAC table.
Operation | Commands | Description |
---|---|---|
Clear MAC table | clear mac-address [ethernet|link-aggregation interface-name] [vlan id] {static|dynamic} | - |
4.5 Typical Configuration Example
4.5.1 Network requirements
- A user host with MAC address E2:8C:56:85:4A:11 belongs to VLAN100 and connects to device port Ethernet0. To prevent illegal users from fraudulently obtaining data by impersonating this host, a static entry for this user must be added to the device's MAC table.
- Another user host, with MAC address A0:1B:5E:47:C9:08 and also in VLAN 100, has been blacklisted for illegal operations on the device's network; a blackhole MAC table entry is to be added to the device so that this host cannot receive packets.
- Set the dynamic MAC table entry aging time to 720s.
4.5.2 Configuration steps
- Configuring a static MAC

```
sonic# configure terminal
sonic(config)# mac-address static E2:8C:56:85:4A:11 ethernet 0/0 vlan 100
```

- Configuring the black hole MAC

```
sonic(config)# mac-address blackhole A0:1B:5E:47:C9:08 vlan 100
```

- Configuring the aging time

```
sonic(config)# mac-address timer aging 720
```
4.5.3 Validation
```
sonic# show mac-address
No.  Vlan  MacAddress          Port  Type
----------------------------------------
1    100   E2:8C:56:85:4A:11   0/0   Static
2    100   A0:1B:5E:47:C9:08   None  BlackHole
Total number of entries 2
```