# MAC Configuration Guide
## Introduction

A MAC (Media Access Control) address is also known as a physical address or hardware address. On the Internet an IP address cannot definitively identify a user, because anyone can change it, whereas the MAC address is written into the network card by the manufacturer of the network equipment at the time of manufacture and can uniquely identify a user.

A MAC address is 48 bits long, written as 12 hexadecimal digits. Counting from left to right, bits 0 to 23 are a code that the vendor applies for from the IETF and other bodies to identify the vendor, and bits 24 to 47 are assigned by the vendor itself. In addition to physical MAC addresses there are broadcast MAC addresses (all bits 1) and multicast MAC addresses (bit 8 is 1).

## MAC Address Table

The MAC address table records the MAC address, the interface, the VLAN to which the interface belongs, and so on. When the switch forwards a packet, it looks up the destination MAC of the packet in the MAC table. If the table contains an entry for that destination MAC, the packet is forwarded directly through the egress interface of that entry; if it does not, the packet is broadcast on all interfaces in the corresponding VLAN except the receiving interface.

### Generation of MAC Address Table Entries

MAC table entries can be generated in two ways: automatically and manually.

#### Automatic Generation

In general, the MAC table is generated automatically by source MAC learning. When interface A on the switch receives a data frame, it examines the source MAC of the frame. If that MAC is already in the MAC address table, the entry is updated; if it is not, the new MAC address is added to the MAC table as a new entry that maps the MAC to interface A.

To adapt to changes in the network topology, the MAC table must be updated constantly. Automatically generated entries are not valid forever: each entry has a life cycle, and any entry that is not refreshed before the end of its life cycle is deleted. This life cycle is called the aging time. If an entry is refreshed before its life cycle ends, the aging time of that entry is recalculated.

#### Manual Configuration

When the switch builds the MAC table automatically through source MAC learning, it cannot distinguish packets from legitimate users from those of illegal users, which poses a security risk. If an illegal user disguises the source MAC of attack packets as the MAC of a legitimate user and sends them in through another interface of the switch, the switch learns a wrong MAC address table entry and forwards packets that should have gone to the legitimate user to the illegal user. To improve security, specific entries can therefore be added to the MAC table manually to bind a user device to an interface, preventing illegal users from spoofing the data.

### Classification of MAC Address Table Entries

MAC address table entries are classified as static MAC, dynamic MAC and black hole MAC.

**Static MAC**
- Configured manually by the user.
- Entries do not age.
- Static MAC entries have higher priority than automatically generated MAC entries.
- Entries are not lost after a reboot (save the configuration first).

**Dynamic MAC**
- Generated automatically by source MAC learning.
- Entries can age.
- Dynamic entries are lost after a system reboot.

**Black hole MAC**
- Configured manually by the user to discard packets whose source MAC or destination MAC equals the specified MAC, for example to prohibit a user from sending or receiving packets.
- Black hole MAC entries do not age.
- Entries are not lost after a reboot (save the configuration first).
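The following is an added example, not code from this guide or the switch vendor: a small model of the MAC table behaviour described above (source MAC learning, aging, static entries that learning cannot overwrite, black hole entries that discard on source or destination, and a per-port learning limit that also models learning being disabled). The clock is injected so that aging can be exercised without waiting; the port names and MAC values used in the checks are constructed.

```python
import time

FLOOD = "flood"   # unknown destination: all ports in the VLAN except the ingress port
DROP = "drop"     # a black hole entry matched the source or destination MAC

class MacTable:
    def __init__(self, aging_time=1800, clock=time.time):
        self.aging_time = aging_time  # seconds; None models "no aging"
        self.clock = clock            # injectable clock, so tests need not sleep
        self.entries = {}             # (vlan, mac) -> {"port", "type", "seen"}
        self.limits = {}              # port -> max dynamic entries (0 = learning disabled)

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = {"port": port, "type": "static", "seen": None}

    def add_blackhole(self, vlan, mac):
        self.entries[(vlan, mac)] = {"port": None, "type": "blackhole", "seen": None}

    def age_out(self):
        """Delete dynamic entries that were not refreshed within the aging time."""
        if self.aging_time is None:
            return
        now = self.clock()
        for key, e in list(self.entries.items()):
            if e["type"] == "dynamic" and now - e["seen"] > self.aging_time:
                del self.entries[key]

    def _can_learn(self, port):
        limit = self.limits.get(port)
        used = sum(1 for e in self.entries.values() if e["type"] == "dynamic" and e["port"] == port)
        return limit is None or used < limit

    def handle_frame(self, vlan, in_port, src, dst):
        """Learn src on in_port where the rules allow it, then decide where dst goes."""
        self.age_out()
        src_entry = self.entries.get((vlan, src))
        if src_entry and src_entry["type"] == "blackhole":
            return DROP
        if src_entry is not None and src_entry["type"] == "dynamic":
            src_entry.update(port=in_port, seen=self.clock())   # refresh: aging restarts
        elif src_entry is None and self._can_learn(in_port):
            self.entries[(vlan, src)] = {"port": in_port, "type": "dynamic", "seen": self.clock()}
        # A static entry is never overwritten, so a frame that spoofs a bound MAC from
        # another port cannot redirect the legitimate user's traffic.
        dst_entry = self.entries.get((vlan, dst))
        if dst_entry is None:
            return FLOOD
        if dst_entry["type"] == "blackhole":
            return DROP
        return dst_entry["port"]
```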
## MAC Configuration

### MAC Default Setting

The default MAC settings are shown in the table below.

Table 1 MAC default setting

| Parameters | Default value |
|---|---|
| Dynamic MAC table entry aging time | 1800 seconds |
| MAC address learning | Open (enabled) |
| MAC drift detection function | Open (enabled) |

Note: the default aging time for dynamic ARP is 1/6 of the MAC aging time.

### Configure Static MAC

Table 2 Configure static MAC

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Configure a static MAC | `mac-address static HH:HH:HH:HH:HH:HH vlan <vlan-id> [<interface-type> <interface-name>]` | interface-type is optional: ethernet, link-aggregation |

Notes:
- A static MAC table entry is not lost after the configuration is saved and the device reboots; it can only be deleted manually.
- The specified VLAN must already exist and must have a member port.
- The specified MAC address must be a unicast MAC that is not the MAC of this switch; it cannot be a multicast or broadcast MAC address.
- Static MAC entries have higher priority than dynamic MAC entries.

### Configure a Black Hole MAC

Table 3 Configure a black hole MAC

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Configure a black hole MAC | `mac-address static HH:HH:HH:HH:HH:HH vlan <vlan-id> blackhole` | |

### Set the Aging Time of Dynamic MAC

The MAC table entry aging time is a parameter that affects the switch's MAC self-learning. Dynamic MAC entries that have exceeded the aging time are deleted automatically, and the switch performs MAC learning again to build new entries. Static MAC entries are not affected by the aging time.

An aging time that is too long or too short can affect device performance. If the aging time is too long, the switch may keep many obsolete MAC entries and run out of memory, so that the MAC table is no longer updated; if it is too short, the switch may delete valid entries too quickly, resulting in a large number of broadcast packets and a higher network load. Configure it according to the actual situation: if the network topology is relatively stable, the aging time can be set longer or set to no aging; otherwise it can be set shorter. For example, in a relatively stable network, if there is no traffic for a long time all dynamic MAC entries are deleted, which may cause the switch to suddenly broadcast a large number of packets and create a security risk. The aging time of dynamic MAC entries can therefore be set longer, or to no aging, to reduce broadcast packets and improve network stability and security.

Table 4 Set the aging time of dynamic MAC table entries

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Set dynamic MAC aging time | `mac-address timer aging <seconds>` | The default value is 1800 s. The value range is 300 to 7200 seconds. |
| Configure dynamic MAC not to age | `mac-address timer no-aging` | |

### Disable MAC Address Learning

When the switch receives a large number of forged packets with different source MAC addresses, the capacity of the MAC address table may be exceeded. Once the table is over capacity, MAC learning is no longer possible, resulting in a large number of broadcast floods in the network and consuming bandwidth. Disabling the MAC address learning function can effectively prevent this attack.

#### Disable Interface-based MAC Address Learning

As the MAC learning disable function applies only to layer 2 ports, the port being operated on must be in a VLAN.

Table 5 Disable interface-based MAC address learning

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet <interface-name> \| link-aggregation <lag-id> }` | Sub-interfaces are not supported currently. |
| Disable MAC learning | `no mac-address learning` | |

#### Disable VLAN-based MAC Address Learning

Table 6 Disable VLAN-based MAC address learning

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter VLAN view | `vlan <vlan-id>` | |
| Disable MAC learning | `no mac-address learning` | |

### Configure MAC Table Entry Limit

Only the 48-port 25G data center switch (SONiC Enterprise, Marvell Falcon; https://cloudswit.ch/product/48-port-25g-data-center-switch-sonic-enterprise-marvell-falcon/) and CX532P-N V2 devices support this feature.

Table 7 Configure MAC table entry limit

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet <interface-name> \| vlan <vlan-id> }` | |
| Configure the MAC table entry limit for an interface | `mac-limit number <number>` | Number of MAC table entries allowed to be learnt, in the range [1, 131072]. |

### Configure the MAC Address of a Layer 3 Interface

By default, the interface MAC of an RIF (router interface) is either a MAC address dynamically assigned by the system or the same as the switch MAC. This product series allows users to reconfigure the MAC of physical interfaces, VLAN interfaces and link-aggregation interfaces.

Table 8 Configure the MAC address of a layer 3 interface

| Purpose | Commands | Description |
|---|---|---|
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface { ethernet <interface-name> [<subinterface-number>] \| link-aggregation <lag-id> [<subinterface-number>] \| vlan <vlan-id> }` | |
| Configure the MAC address of the interface | `mac-address HH:HH:HH:HH:HH:HH` | |

## Display and Maintenance

### Display the MAC Table

Execute the following command to display the MAC table details.

Table 9 Display the MAC table

| Purpose | Commands | Description |
|---|---|---|
| Check MAC table | `show mac-address [ ethernet \| link-aggregation <interface-name> \| all ]` | The parameter `all` displays the MAC addresses synchronized between local and remote VXLANs. |

### Clear the MAC Table

For daily maintenance, the following command can be executed to clear the MAC table.

Table 10 Clear the MAC table

| Purpose | Commands | Description |
|---|---|---|
| Clear MAC table | `clear mac-address [ ethernet \| link-aggregation <interface-name> ] [ <vlan-id> ] { static \| dynamic }` | |

## Typical Configuration Example

### Networking Requirements

A user host with MAC address e2:8c:56:85:4a:11 belongs to VLAN 100 and connects to the switch port Ethernet0. To prevent illegal users from fraudulently obtaining data by impersonating this host, you are required to add a static entry for this user to the MAC table of the switch.

Another user host, with MAC address a0:1b:5e:47:c9:08 and also in VLAN 100, has been blacklisted for having accessed the switch's network for illegal operations, and a black hole MAC entry must be added to the switch so that this host cannot receive packets.

Set the dynamic MAC table entry aging time to 720 s.

### Topology

### Procedure

```
# Configure the static MAC
sonic# configure terminal
sonic(config)# mac-address static e2:8c:56:85:4a:11 ethernet 0/0 vlan 100

# Configure the black hole MAC
sonic(config)# mac-address static a0:1b:5e:47:c9:08 vlan 100 blackhole

# Configure the aging time
sonic(config)# mac-address timer aging 720
```

### Verify the Configuration

```
# Check the MAC table
sonic# show mac-address
No.  VLAN  MacAddress          Port   Type
1    100   e2:8c:56:85:4a:11   0/0    static
2    100   a0:1b:5e:47:c9:08   None   blackhole
Total number of entries: 2
```
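As an added example, not part of the guide or the vendor's tooling, the following parses the `show mac-address` output shown in the verification step and checks that the protective entries from the requirements (the static binding on its expected port and the black hole entry) are actually installed, which is the check an operator would want to repeat after a reboot or a configuration change. The column layout is taken from the example output above; the sample text and the expected-binding dictionary are constructed.

```python
import re

# Constructed sample, laid out like the verification output in the guide.
SAMPLE = """\
No.  VLAN  MacAddress          Port   Type
1    100   e2:8c:56:85:4a:11   0/0    static
2    100   a0:1b:5e:47:c9:08   None   blackhole
Total number of entries: 2
"""

# One data row: index, VLAN, MAC, port (or None), entry type.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\w+)\s*$", re.I)

def parse_mac_table(text):
    """Return one dict per table row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"vlan": int(m.group(2)),
                         "mac": m.group(3).lower(),
                         "port": None if m.group(4).lower() == "none" else m.group(4),
                         "type": m.group(5).lower()})
    return rows

def total_matches(text, rows):
    """True if the 'Total number of entries' line agrees with the rows parsed."""
    m = re.search(r"Total number of entries:\s*(\d+)", text)
    return m is not None and int(m.group(1)) == len(rows)

def check_bindings(rows, expected):
    """expected: {(vlan, mac): (type, port)}; return a list of violations (empty = ok)."""
    index = {(r["vlan"], r["mac"]): (r["type"], r["port"]) for r in rows}
    problems = []
    for key, want in expected.items():
        got = index.get(key)
        if got is None:
            problems.append(f"missing {key}")
        elif got != want:
            problems.append(f"{key}: expected {want}, found {got}")
    return problems
```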
