# MAC Address Table Configuration
## Introduction

The MAC address table records MAC addresses, interfaces, and the associated VLAN information. When the device forwards packets, it consults the MAC table. If the destination MAC address of the packet is found in the table, the device forwards the packet through the outbound interface specified in the matching entry. If the destination MAC address is not in the table, the device broadcasts the packet within the corresponding VLAN, so that all interfaces except the receiving one receive the packet.

## Generation of MAC Address Table Entries

There are two methods for generating MAC address table entries: automatic generation and static configuration.

### Automatic Generation

In general, the MAC table is generated automatically by learning the source MAC addresses of received frames. When interface A on a device receives a data frame, it analyzes the source MAC address of that frame. If the MAC address table already contains that MAC address, the corresponding entry is updated; if not, a new entry is added that associates the new MAC address with interface A.

To adapt to changes in the network topology, the MAC table needs constant updates. Automatically generated entries are not valid forever; each entry has a lifespan, referred to as the aging time. Entries that are not refreshed before reaching their aging time are removed. If an entry is refreshed before reaching its aging time, its aging time is recalculated.

### Static Configuration

When the device generates the MAC table by learning source MAC addresses, it cannot distinguish between packets from legitimate and illegitimate users. This introduces a security risk: if an illegitimate user disguises the source MAC of an attack packet as a legitimate user's MAC and enters through another interface of the device, the device
learns incorrect MAC table entries and forwards packets intended for the legitimate user to the illegitimate user. To enhance security, specific entries can be added to the MAC table manually through static configuration. This binds user devices to interfaces and prevents illegitimate users from hijacking data transmission.

## Classification of MAC Address Table Entries

MAC address table entries are categorized as static MAC, dynamic MAC, and black hole MAC entries.

- Static MAC: configured manually by users. These entries do not age. Static MAC entries take precedence over dynamically generated MAC entries. Entries are retained after the configuration is saved and the system reboots.
- Dynamic MAC: generated automatically by learning source MAC addresses. These entries can age, and they are lost after a system reboot.
- Black hole MAC: configured manually by users to discard packets whose source or destination MAC address matches the specified MAC. For example, this can be used to prohibit a specific user from sending or receiving packets. Black hole MAC entries do not age, and they are retained after the configuration is saved and the system reboots.

## Configuring MAC Address

### Default Settings for MAC Address Entries

| Parameter | Default value |
| --- | --- |
| Aging time of a dynamic MAC entry | 600 seconds |
| MAC address learning on an interface or in a VLAN | Enabled |
| Limit on the number of MAC addresses learned on an interface or in a VLAN | Unlimited |
| MAC address flapping detection | Disabled |

### Configuring Static MAC Entries

Static MAC addresses have the following characteristics:

- Static MAC table entries are retained after the configuration is saved and the system reboots; they can only be deleted manually.
- The specified VLAN must already have been created and have member ports.
- The provided MAC address must be a unicast MAC
address and cannot be a multicast or broadcast MAC address.
- Static MAC table entries take precedence over dynamic MAC entries.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the system configuration view | `configure` | |
| Configure a static MAC address | `mac-address static <hh-hh-hh-hh-hh-hh> vlan <vlan-id> <interface-type> <interface-name>` | The interface type can be either `ethernet` or `link-aggregation`. |
| Delete a static MAC address | `no mac-address static <hh-hh-hh-hh-hh-hh> vlan <vlan-id>` | |

### Configuring Blackhole MAC Address Entries

To prevent known network attacks, you can configure the MAC addresses of untrusted users as blackhole MAC addresses. When the device receives a packet whose destination MAC or source MAC matches a blackhole MAC address and whose VLAN ID matches the VLAN ID in the table entry, the packet is discarded.

| Operation | Command |
| --- | --- |
| Enter the system configuration view | `configure` |
| Configure a blackhole MAC address | `mac-address blackhole <hh-hh-hh-hh-hh-hh> vlan <vlan-id>` |
| Delete a blackhole MAC address | `no mac-address blackhole <hh-hh-hh-hh-hh-hh> vlan <vlan-id>` |

### Configuring the Aging Time for Dynamic MAC Entries

The aging time for dynamic MAC entries is a crucial parameter that affects the self-learning behavior of a switch's MAC table. Dynamic MAC entries that exceed the aging time are automatically deleted, prompting the device to re-learn MAC addresses and build a new MAC table. Unlike dynamic entries, static MAC entries are unaffected by the aging time.

Setting the aging time too long or too short can impact device performance. An excessively long aging time might cause the switch to retain numerous outdated MAC entries, consuming memory and preventing the MAC table from refreshing. Conversely, an overly short aging time might lead to the rapid removal of valid MAC entries, resulting in an abundance of broadcast traffic and increased network load. Users should configure the
aging time based on their specific circumstances. In a stable network topology, a longer aging time, or even no aging at all, can be set; in a less stable network, a shorter aging time may be preferable. For example, in a highly stable network with infrequent traffic, dynamic MAC entries could be deleted entirely over time, potentially causing the switch to suddenly broadcast a large volume of data packets. To mitigate this security risk, users can extend the aging time or set dynamic MAC entries to never age, reducing broadcast traffic and enhancing network stability and security.

| Operation | Command |
| --- | --- |
| Enter the system configuration view | `configure` |
| Configure the aging time for dynamic MAC entries | `mac-address timer aging <seconds>` |
| Configure dynamic MAC entries not to age | `mac-address timer no-aging` |

### Disabling MAC Address Learning

To prevent a situation where the device receives a large number of forged packets with different source MAC addresses, which could exceed the capacity of the MAC address table and hinder MAC learning, you can disable the MAC address learning feature. This can effectively mitigate flooding attacks in the network that consume bandwidth and cause broadcast storms.

| Operation | Command |
| --- | --- |
| Enter the system configuration view | `configure` |
| Enter the interface configuration view | `interface <interface-type> <interface-name>` |
| Disable MAC address learning on an interface | `mac-learning disable` |
| Enable MAC address learning on an interface | `no mac-learning disable` |
| Enter the VLAN configuration view | `vlan <vlan-id>` |
| Disable MAC address learning in a VLAN | `mac-learning disable` |
| Enable MAC address learning in a VLAN | `no mac-learning disable` |

### Configuring a MAC Address Learning Limit

To control the number of accessing users or to prevent attacks on the MAC address table, the number of MAC addresses that a switch is allowed to learn can be limited. This helps control the number
of accessing users and improves network security.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the global configuration view | `configure terminal` | |
| Enter the interface view or the VLAN view | `interface <interface-type> <interface-name>` or `vlan <vlan-id>` | MAC address learning limits are configured in the interface view or in the VLAN view. The options are `ethernet`, `link-aggregation`, and `vlan`. |
| Configure the MAC address learning limit | `mac-limit <value>` | Value range: 1 to 32000. |
| Remove the MAC address learning limit | `no mac-limit` | |

### Configuring MAC Flapping Detection

MAC address flapping means that a MAC address learned on one interface of a device is also learned on another interface in the same VLAN, and the newly learned MAC address entry overwrites the original one. MAC address flapping may be caused by the following:

- There are loops in the network.
- There are malicious attacks by illegal users in the network.

#### Enabling MAC Flapping Detection

| Operation | Command |
| --- | --- |
| Enter the VLAN view | `vlan <vlan-id>` |
| Enable MAC flapping detection | `mac-flapping detect enable` |
| Disable MAC flapping detection | `no mac-flapping detect enable` |

#### Configuring the MAC Flapping Detection Time

This defines a time window. Within this window, if the number of times the same MAC address moves between different interfaces exceeds the threshold set by `detect level`, the system determines that real MAC flapping has occurred and triggers the corresponding action.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the VLAN view | `vlan <vlan-id>` | |
| Configure the MAC flapping detection time | `mac-flapping detect aging <value>` | Value range: 10 to 7200, in seconds. |

#### Configuring the Number of MAC Flapping Detections

In some unstable networks there is turbulence and MAC addresses migrate, but this is not necessarily flapping. Users determine that flapping has occurred only when MAC migration happens a specified number of times, based on the
network status and the configured number of MAC flapping detections.

| Operation | Command | Description |
| --- | --- | --- |
| Enter the VLAN view | `vlan <vlan-id>` | |
| Configure the number of MAC flapping detections | `mac-flapping detect level <level>` | Value range: 5 to 500. |

#### Configuring MAC Flapping Handling Actions

After a VLAN is configured with a MAC address flapping handling action, if the system detects that the number of times a MAC address flaps within the time configured by the `mac-flapping detect aging` command exceeds the number configured by the `mac-flapping detect level` command, it forces the shutdown of the interface on which the MAC address was last learned.

| Operation | Command |
| --- | --- |
| Enter the VLAN view | `vlan <vlan-id>` |
| Shut down the interface after MAC flapping occurs on it | `mac-flapping detect action error-down` |
| Disable shutting down the interface after MAC flapping occurs on it | `no mac-flapping detect action error-down` |

Note: by default, once the interface is shut down, it does not recover automatically. It must be restored manually by the administrator by executing the `shutdown` command first and then the `no shutdown` command.

## Display and Maintenance

| Operation | Command | Description |
| --- | --- | --- |
| View the MAC table | `show mac-address [ <interface-type> <interface-name> ]` | |
| Check the configured limit on the number of MAC address learning entries | `show mac-limit [ { port <interface-name> \| vlan <vlan-id> } ]` | The interface type can be `ethernet`, `vlan`, or `link-aggregation`; if no interface is specified, all limits are shown. |
| Check the configuration of the MAC address flapping detection function | `show mac-flapping config` | |
| Check the records of MAC address flapping | `show mac-flapping status` | |

Fields in the output of `show mac-flapping status`:

- `vlan`: the VLAN where the migration occurred.
- `mac`: the MAC address that migrated.
- `times`: the number of times the MAC address migrated within the detection period; the count restarts from 0 every detect-aging interval.
- `lastupdate`: the interface where the MAC address was
last migrated.
- `errordown`: whether `lastupdate` was forced to shut down because the number of MAC address migrations reached the upper limit.

| Operation | Command |
| --- | --- |
| Clear the MAC table | `clear mac-address [ ethernet \| link-aggregation <interface-id> ] [ vlan <vlan-id> ] { static \| dynamic }` |
| Clear the entire MAC table | `clear mac-address all` |

## Configuration Examples

### Network Requirements

- User host A, with MAC address e2-8c-56-85-4a-11, belongs to VLAN 100 and connects to device port ethernet1. To prevent illegal users from fraudulently obtaining data by impersonating this host, add a static entry for this user to the MAC table of the device.
- User host B, with MAC address 00-1b-5e-47-c9-08, belongs to VLAN 100 and connects to device port ethernet2. It has been blacklisted for performing illegal operations on the device's network, and a blackhole MAC table entry is to be added on the device so that this host cannot receive messages.
- User host C, with MAC address 00-21-4e-56-c9-84, belongs to VLAN 100 and connects to device port ethernet3.
- Configure the aging time of the device's dynamic MAC table entries to 720 s.

### Procedure

Create VLAN 100 and add interfaces ethernet1, ethernet2 and ethernet3 to VLAN 100:

```
sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 100
sonic(config)# interface ethernet 2
sonic(config-if-2)# switchport access vlan 100
sonic(config)# interface ethernet 3
sonic(config-if-3)# switchport access vlan 100
```

Configure the static MAC entry:

```
sonic(config)# mac-address static e2-8c-56-85-4a-11 vlan 100 ethernet 1
```

Configure the blackhole MAC entry:

```
sonic(config)# mac-address blackhole a0-1b-5e-47-c9-08 vlan 100
```

Configure the dynamic MAC aging time to 720 s:

```
sonic(config)# mac-address timer aging 720
```

### Verify Configuration

Suppose A and C belong to the same network segment; then A can ping C. Ping the IP address of PC B from PC A; the ping operation succeeds.

View the MAC table:

```
sonic# show mac-address
```
```
No  VLAN  MacAddress         Port       Type
1   100   e2-8c-56-85-4a-11  ethernet1  static
2   100   a0-1b-5e-47-c9-08  none       blackhole
3   100   00-21-4e-56-c9-84  ethernet3  dynamic
Total number of entries: 3
```
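The learning, aging, static-precedence, blackhole and flapping-detection rules described in the sections above, as an added Python model written for this page (it is not the switch's own implementation). The `MacTable` class, its method names, the sliding-window approximation of the detect-aging counter, and the sample MAC addresses and timestamps used with it are assumptions.

```python
from collections import defaultdict, deque


class MacTable:
    # Added illustrative model of the MAC table rules on this page, not switch code.
    def __init__(self, aging=600, detect_aging=300, detect_level=5):
        self.aging = aging                # dynamic-entry aging time in seconds; None = no aging
        self.detect_aging = detect_aging  # mac-flapping detect aging window in seconds
        self.detect_level = detect_level  # moves tolerated within the window before it is flapping
        self.entries = {}                 # (vlan, mac) -> {"port", "type", "ts"}
        self.moves = defaultdict(deque)   # (vlan, mac) -> timestamps of interface moves
        self.error_down = set()           # interfaces shut down by the error-down action

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac)] = {"port": port, "type": "static", "ts": None}

    def add_blackhole(self, vlan, mac):
        self.entries[(vlan, mac)] = {"port": None, "type": "blackhole", "ts": None}

    def _age(self, now):
        # Only dynamic entries age; static and blackhole entries are never removed here.
        if self.aging is None:
            return
        for key in [k for k, e in self.entries.items()
                    if e["type"] == "dynamic" and now - e["ts"] > self.aging]:
            del self.entries[key]

    def _learn(self, vlan, mac, port, now):
        e = self.entries.get((vlan, mac))
        if e and e["type"] != "dynamic":
            return                        # static and blackhole entries take precedence
        if e and e["port"] != port:       # same MAC now seen on another interface: a move
            q = self.moves[(vlan, mac)]
            q.append(now)
            while q and now - q[0] > self.detect_aging:
                q.popleft()               # sliding window standing in for the detect-aging reset
            if len(q) > self.detect_level:
                self.error_down.add(port) # shut the interface that learned the MAC last
        self.entries[(vlan, mac)] = {"port": port, "type": "dynamic", "ts": now}

    def forward(self, vlan, src, dst, in_port, now):
        self._age(now)
        if in_port in self.error_down:
            return ("drop", None)         # an error-down interface stays down until re-enabled
        if any(self.entries.get((vlan, m), {}).get("type") == "blackhole" for m in (src, dst)):
            return ("discard", None)      # blackhole matches source or destination MAC
        self._learn(vlan, src, in_port, now)
        e = self.entries.get((vlan, dst))
        if e is None:
            return ("flood", None)        # unknown destination: flood within the VLAN
        return ("forward", e["port"])
```

`forward()` returns the action taken for one frame and, as a side effect, learns the source MAC the way the page describes; call it with the hosts from the configuration example to see a spoofed static MAC ignored, a blackhole MAC discarded, and a flapping MAC driving its last-learned interface to error-down.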
