# MAC Address Table Configuration
## Introduction

The MAC address table records MAC addresses, interfaces, and the associated VLAN information. When the device forwards a packet, it consults the MAC table. If the destination MAC address of the packet is found in the table, the device forwards the packet through the outbound interface specified in the table entry. If the destination MAC address is not in the table, the device broadcasts the packet within the corresponding VLAN, so that all interfaces except the receiving one receive the packet.

## Generation of MAC Address Table Entries

There are two methods for generating MAC address table entries: automatic generation and static configuration.

### Automatic Generation

In general, the MAC table is generated automatically by learning the source MAC addresses of received frames. When interface A on a device receives a data frame, it analyzes the source MAC address of that frame. If the MAC address table already contains that MAC address, the corresponding entry is updated. If the MAC address is not in the table, a new entry is added to the MAC table, associating the new MAC address with interface A.

To adapt to changes in the network topology, the MAC table needs constant updating. Automatically generated entries in the MAC table are not valid forever; each entry has a lifespan referred to as the aging time. Entries that are not refreshed before reaching their aging time are removed. If an entry is refreshed before reaching its aging time, the aging time for that entry is restarted.

### Static Configuration

When the device builds the MAC table by learning source MAC addresses, it cannot distinguish between packets from legitimate and illegitimate users. This introduces a security risk: if an illegitimate user disguises the source MAC of an attack packet as a legitimate user's MAC and sends it in through another interface of the device, the device learns an incorrect MAC table entry and forwards packets intended for the legitimate user to the illegitimate user.

To enhance security, specific entries can be added to the MAC table manually through static configuration. This binds user devices to interfaces and prevents illegitimate users from diverting data transmission through such deception.

## Classification of MAC Address Table Entries

MAC address table entries are categorized as static MAC, dynamic MAC, and black hole MAC entries.

- Static MAC: configured manually by users. These entries do not age. Static MAC entries take precedence over dynamically generated MAC entries. The entries are retained after the configuration is saved and the system reboots.
- Dynamic MAC: generated automatically by learning source MAC addresses. These entries age. Dynamic entries are lost after a system reboot.
- Black hole MAC: configured manually by users to discard packets whose source or destination MAC address matches the specified MAC. For example, this can be used to prohibit a specific user from sending or receiving packets. Black hole MAC entries do not age. The entries are retained after the configuration is saved and the system reboots.

## Configuring MAC Addresses

### Default Settings for MAC Address Entries

| Parameter | Default value |
|---|---|
| Aging time of a dynamic MAC entry | 300 seconds |
| MAC address learning on an interface or in a VLAN | Enabled |
| Limit on the number of MAC addresses learned on an interface or in a VLAN | Unlimited |
| MAC address flapping detection | Disabled |

### Configuring Static MAC Entries

Static MAC addresses have the following characteristics:

- Static MAC table entries are retained after the configuration is saved and the system reboots; they can only be deleted manually.
- The specified VLAN must already have been created and have member ports.
- The MAC address provided must be a unicast MAC address; it cannot be a multicast or broadcast MAC address.
- Static MAC table entries take precedence over dynamic MAC entries.

| Operation | Command | Description |
|---|---|---|
| Enter the system configuration view | `configure` | |
| Configure a static MAC address | `mac address static HH:HH:HH:HH:HH:HH vlan <vlan-id> <interface-type> <interface-name>` | The interface type can be either "ethernet" or "link aggregation" |
| Delete a static MAC address | `no mac address static HH:HH:HH:HH:HH:HH vlan <vlan-id>` | |

### Configuring Black Hole MAC Address Entries

To prevent known network attacks, you can configure the MAC addresses of untrusted users as black hole MAC addresses. When the device receives a packet whose destination MAC or source MAC matches a black hole MAC address and whose VLAN ID matches the VLAN ID in the table entry, the packet is discarded.

| Operation | Command |
|---|---|
| Enter the system configuration view | `configure` |
| Configure a black hole MAC address | `mac address blackhole HH:HH:HH:HH:HH:HH vlan <vlan-id>` |
| Delete a black hole MAC address | `no mac address blackhole HH:HH:HH:HH:HH:HH vlan <vlan-id>` |

### Configuring the Aging Time for Dynamic MAC Entries

The aging time of dynamic MAC entries is a crucial parameter that affects the self-learning behavior of the switch's MAC table. Dynamic MAC entries that exceed the aging time are deleted automatically, prompting the device to re-learn MAC addresses and build a new MAC table. Unlike dynamic entries, static MAC entries are unaffected by the aging time.

Setting the aging time too long or too short can impact device performance. An excessively long aging time can cause the switch to retain many outdated MAC entries, consuming memory and preventing the MAC table from refreshing. Conversely, an overly short aging time can cause valid MAC entries to be removed too quickly, resulting in a large amount of broadcast traffic and increased network load. Users should configure the aging time based on their specific circumstances: in a stable network topology, a longer aging time, or even no aging at all, can be set; in a less stable network, a shorter aging time may be preferable.

For example, in a highly stable network with infrequent traffic, dynamic MAC entries may all be deleted over time, which can cause the switch to suddenly broadcast a large volume of packets. To mitigate this security risk, users can extend the aging time or set it to unlimited for dynamic MAC entries, reducing broadcast traffic and enhancing network stability and security.

| Operation | Command |
|---|---|
| Enter the system configuration view | `configure` |
| Configure the aging time for dynamic MAC entries | `mac address timer aging <seconds>` |
| Configure dynamic MAC entries not to age | `mac address timer no aging` |

### Disabling MAC Address Learning

To prevent situations where the device receives a large number of forged packets with different source MAC addresses, which could exceed the capacity of the MAC address table and prevent MAC learning, you can disable the MAC address learning feature. This effectively mitigates flooding attacks in the network that would otherwise consume bandwidth and cause broadcast storms.

| Operation | Command |
|---|---|
| Enter the system configuration view | `configure` |
| Enter the interface configuration view | `interface <interface-type> <interface-name>` |
| Disable MAC address learning on the interface | `mac learning disable` |
| Enable MAC address learning on the interface | `no mac learning disable` |
| Enter the VLAN configuration view | `vlan <vlan-id>` |
| Disable MAC address learning in the VLAN | `mac learning disable` |
| Enable MAC address learning in the VLAN | `no mac learning disable` |

## Display and Maintenance

| Operation | Command |
|---|---|
| View the MAC table | `show mac address [ <interface-type> <interface-name> ]` |
| Clear MAC table entries | `clear mac address [ ethernet \| link aggregation <interface-id> ] [ <vlan-id> ] { static \| dynamic }` |
| Clear the whole MAC table | `clear mac address all` |

## Configuration Examples

### Network Requirements

- User host A, with MAC address e2:8c:56:85:4a:11, belongs to VLAN 100 and connects to device port Ethernet1. To prevent illegal users from fraudulently obtaining data by impersonating its identity, add a static table entry for this user to the MAC table of the device.
- User host B, with MAC address 00:1b:5e:47:c9:08, belongs to VLAN 100 and connects to device port Ethernet2. It has been blacklisted for illegal operations on the device network, so a black hole MAC table entry is to be added on the device so that this host cannot receive messages.
- User host C, with MAC address 00:21:4e:56:c9:84, belongs to VLAN 100 and connects to device port Ethernet3.
- Configure the aging time of the device's dynamic MAC table entries to 720 s.

### Procedure

1. Create VLAN 100 and add interfaces Ethernet1, Ethernet2 and Ethernet3 to VLAN 100.

```
sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 100
sonic(config)# interface ethernet 2
sonic(config-if-2)# switchport access vlan 100
sonic(config)# interface ethernet 3
sonic(config-if-3)# switchport access vlan 100
```

2. Configure the static MAC entry.

```
sonic(config)# mac address static e2:8c:56:85:4a:11 vlan 100 ethernet 1
```

3. Configure the black hole MAC entry.

```
sonic(config)# mac address blackhole a0:1b:5e:47:c9:08 vlan 100
```

4. Configure the dynamic MAC aging time to 720 s.

```
sonic(config)# mac address timer aging 720
```

### Verify the Configuration

Suppose A and C belong to the same network segment; then A can ping C. Ping the IP address of PC B from PC A; the ping operation succeeds.

View the MAC table:

```
sonic# show mac address
No.  VLAN  MAC address         Port       Type
1    100   e2:8c:56:85:4a:11   Ethernet1  static
2    100   a0:1b:5e:47:c9:08   none       blackhole
3    100   00:21:4e:56:c9:84   Ethernet3  dynamic
Total number of entries: 3
```
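The learning, aging, static-precedence, black hole and learning-disable rules described in the sections above, as an added Python model written for this page. It is not the switch's own implementation: the `MacTable` class, its method names, the `FLOOD` marker and the port labels are this model's assumptions, while the MAC addresses are those of the configuration example. The scenarios show why a static binding prevents a forged source MAC on another port from redirecting a host's traffic, how aging decides between a table hit and a VLAN flood, and that disabling learning keeps a burst of unknown source addresses from filling the table.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Entry types named in the guide; FLOOD is this model's name for
# "broadcast within the VLAN on every port except the receiving one".
STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
FLOOD = "flood"

# Sample addresses taken from the configuration example above.
HOST_A = "e2:8c:56:85:4a:11"   # Ethernet1, to be bound statically
HOST_B = "00:1b:5e:47:c9:08"   # Ethernet2, to be black-holed
HOST_C = "00:21:4e:56:c9:84"   # Ethernet3, learned dynamically


@dataclass
class Entry:
    port: Optional[str]        # None for black hole entries (no outbound port)
    kind: str
    last_seen: float = 0.0     # last refresh; only consulted for dynamic entries


@dataclass
class MacTable:
    aging_time: Optional[float] = 300.0   # None models "mac address timer no aging"
    learning_enabled: bool = True         # False models "mac learning disable"
    entries: Dict[Tuple[int, str], Entry] = field(default_factory=dict)

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # The guide requires a unicast address: the I/G bit (LSB of the first
        # octet) must be clear, which also rejects ff:ff:ff:ff:ff:ff.
        if int(mac.split(":")[0], 16) & 1:
            raise ValueError("static entries must be unicast MAC addresses")
        self.entries[(vlan, mac)] = Entry(port, STATIC)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(vlan, mac)] = Entry(None, BLACKHOLE)

    def age(self, now: float) -> None:
        """Drop dynamic entries that were not refreshed within the aging time."""
        if self.aging_time is None:
            return
        expired = [k for k, e in self.entries.items()
                   if e.kind == DYNAMIC and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.entries[k]

    def _learn(self, src: str, vlan: int, in_port: str, now: float) -> None:
        if not self.learning_enabled:
            return
        cur = self.entries.get((vlan, src))
        if cur is not None and cur.kind != DYNAMIC:
            return   # static and black hole entries are never overwritten by learning
        self.entries[(vlan, src)] = Entry(in_port, DYNAMIC, now)   # add or refresh

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> Optional[str]:
        """Return the egress port, FLOOD, or None when the frame is discarded."""
        self.age(now)
        for mac in (src, dst):
            e = self.entries.get((vlan, mac))
            if e is not None and e.kind == BLACKHOLE:
                return None            # black hole matches source or destination
        self._learn(src, vlan, in_port, now)
        e = self.entries.get((vlan, dst))
        return FLOOD if e is None else e.port


def spoofing_scenario(bind_statically: bool) -> Optional[str]:
    """A frame carrying host A's source MAC arrives on Ethernet2 (the deception
    case in 'Static Configuration'); returns where a later reply to A is sent."""
    t = MacTable(aging_time=720)
    if bind_statically:
        t.add_static(HOST_A, 100, "Ethernet1")
    t.forward(HOST_A, HOST_C, 100, "Ethernet1", now=0)   # A genuinely on Ethernet1
    t.forward(HOST_A, HOST_C, 100, "Ethernet2", now=1)   # forged source MAC on Ethernet2
    return t.forward(HOST_C, HOST_A, 100, "Ethernet3", now=2)   # C replies to A


def aging_scenario(aging_time: Optional[float], elapsed: float) -> Optional[str]:
    """Learn C on Ethernet3, then look C up `elapsed` seconds later."""
    t = MacTable(aging_time=aging_time)
    t.forward(HOST_C, HOST_A, 100, "Ethernet3", now=0)
    return t.forward(HOST_A, HOST_C, 100, "Ethernet1", now=elapsed)


def blackhole_scenario() -> Tuple[Optional[str], Optional[str]]:
    """Frames from and to black-holed host B are both discarded."""
    t = MacTable()
    t.add_blackhole(HOST_B, 100)
    sent = t.forward(HOST_B, HOST_A, 100, "Ethernet2", now=0)
    received = t.forward(HOST_A, HOST_B, 100, "Ethernet1", now=1)
    return sent, received


def learning_disabled_scenario() -> int:
    """With learning disabled, a burst of unknown source MACs adds no entries."""
    t = MacTable(learning_enabled=False)
    for i in range(1000):   # constructed burst of distinct locally administered addresses
        t.forward(f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", HOST_A, 100, "Ethernet3", now=i)
    return len(t.entries)
```

Without the static entry, `spoofing_scenario(False)` returns `Ethernet2`: the forged frame overwrote the dynamic entry for host A, so C's reply goes to the wrong port. With `bind_statically=True` it returns `Ethernet1`, because learning never replaces a static entry. `aging_scenario(300, 300)` returns `FLOOD` while `aging_scenario(None, 10**6)` still returns `Ethernet3`, which is the trade-off the aging-time section describes.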
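For the verification step, an added Python helper (written for this page, not part of the guide or the device software) that parses a `show mac address` listing and checks it against the bindings from the network requirements. The sample text is constructed to follow the layout of the output shown above; the column headings and the `Total number of entries` line are taken from that example, and the `audit` function and its expectation format are this helper's assumptions. Its value for an operator is catching drift: a host that was supposed to be bound statically but shows up as a dynamic entry, or on a different port, is exactly the situation the static-configuration section warns about.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modeled on the `show mac address` output in the
# configuration example; not captured from a real device.
SAMPLE_OUTPUT = """\
sonic# show mac address
No.  VLAN  MAC address         Port       Type
1    100   e2:8c:56:85:4a:11   Ethernet1  static
2    100   a0:1b:5e:47:c9:08   none       blackhole
3    100   00:21:4e:56:c9:84   Ethernet3  dynamic
Total number of entries: 3
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+"
    r"(static|dynamic|blackhole)\s*$")
TOTAL_RE = re.compile(r"^\s*Total number of entries:\s*(\d+)")


@dataclass(frozen=True)
class MacEntry:
    vlan: int
    mac: str
    port: Optional[str]    # None when the device prints "none" (black hole entry)
    kind: str


def parse_show_mac(text: str) -> List[MacEntry]:
    """Parse the table rows and cross-check them against the device's own count."""
    entries: List[MacEntry] = []
    total: Optional[int] = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _, vlan, mac, port, kind = m.groups()
            entries.append(MacEntry(int(vlan), mac.lower(),
                                    None if port.lower() == "none" else port, kind))
            continue
        t = TOTAL_RE.match(line)
        if t:
            total = int(t.group(1))
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows but the device reports {total}")
    return entries


# Expected bindings: (vlan, mac) -> (entry type, port); port is None for black holes.
Expectation = Dict[Tuple[int, str], Tuple[str, Optional[str]]]


def audit(entries: List[MacEntry], expected: Expectation) -> List[str]:
    """Report every expected binding that is missing, has the wrong entry type
    (e.g. dynamic where static was configured) or sits on an unexpected port."""
    findings: List[str] = []
    seen = {(e.vlan, e.mac): e for e in entries}
    for (vlan, mac), (kind, port) in expected.items():
        e = seen.get((vlan, mac.lower()))
        if e is None:
            findings.append(f"{mac} vlan {vlan}: no entry, expected {kind}")
        elif e.kind != kind:
            findings.append(f"{mac} vlan {vlan}: type {e.kind}, expected {kind}")
        elif e.port != port:
            findings.append(f"{mac} vlan {vlan}: on port {e.port}, expected {port}")
    return findings


# Bindings from the network requirements, using the addresses as they appear
# in the example's command lines and show output.
EXPECTED: Expectation = {
    (100, "e2:8c:56:85:4a:11"): ("static", "Ethernet1"),
    (100, "a0:1b:5e:47:c9:08"): ("blackhole", None),
}

if __name__ == "__main__":
    for line in audit(parse_show_mac(SAMPLE_OUTPUT), EXPECTED) or ["no deviations"]:
        print(line)
```

Run against the sample listing the audit is clean; if host A were instead shown as a dynamic entry on Ethernet2, the audit reports the type mismatch first, since a dynamic entry means the static binding is no longer in effect regardless of which port it currently points to.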
