MAC Configuration Guide

There are two methods for generating MAC address tables: automatic generation and static configuration.

Automatic Generation

In general, the MAC table is automatically generated through MAC address learning from source MAC addresses.

When interface A on a device receives a data frame, it analyzes the source MAC address of that frame. If the MAC address table already contains the MAC address, the corresponding table entry is updated. If the MAC address is not in the table, a new entry is added to the MAC table with the new MAC address associated with interface A.

To adapt to changes in the network topology, the MAC table needs constant updates. Automatically generated entries in the MAC table are not always valid; each entry has a lifespan referred to as the aging time. Entries that are not refreshed before reaching their aging time will be removed. If an entry is refreshed before reaching its aging time, the aging time for that entry is recalculated.

Static Configuration

When the device builds the MAC table through source MAC address learning, it cannot distinguish legitimate from illegitimate user packets, which introduces a security risk. If an illegitimate user sets the source MAC of an attack packet to a legitimate user's MAC and sends it through another interface of the device, the device learns an incorrect MAC table entry and forwards packets intended for the legitimate user to the illegitimate user. To enhance security, specific entries can be added to the MAC table manually through static configuration. This binds user devices to interfaces and prevents illegitimate users from hijacking traffic by spoofing source MAC addresses.

Classification of MAC Address Table Entries

MAC address table entries can be categorized as static MAC, dynamic MAC, and black hole MAC.

Static MAC

Configured manually by users. These entries do not age. Static MAC entries take precedence over dynamically generated MAC entries. Entries are retained even after configuration saves and system reboots.

Dynamic MAC

Automatically generated through MAC address learning from source MAC addresses. These entries can age. Dynamic entries are lost after a system reboot.

Black Hole MAC

Configured manually by users for discarding packets with source or destination MAC addresses matching a specified MAC. For example, this can be used to prohibit a specific user from sending or receiving packets. Black hole MAC entries do not age. Entries are retained even after configuration saves and system reboots.
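As an added illustration (not part of the original guide or the vendor's code), the following Python model implements the table behaviour described above: source-MAC learning, aging of dynamic entries, static entries that learning cannot overwrite, and blackhole entries that discard frames whose source or destination MAC matches. The VLAN, ports and MAC addresses used in the test are the constructed ones from this guide's example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries (shown as "None" in the table output)
    kind: str             # "dynamic", "static" or "blackhole"
    last_seen: float      # last refresh time; only meaningful for dynamic entries

class MacTable:
    def __init__(self, aging_time: Optional[float] = None):
        self.aging_time = aging_time  # None = no aging (the default listed in this guide)
        self.entries: Dict[Tuple[int, str], Entry] = {}  # (vlan, mac) -> Entry

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.entries[(vlan, mac)] = Entry(port, "static", 0.0)

    def add_blackhole(self, vlan: int, mac: str) -> None:
        self.entries[(vlan, mac)] = Entry(None, "blackhole", 0.0)

    def age(self, now: float) -> None:
        """Drop dynamic entries that were not refreshed within the aging time."""
        if self.aging_time is None:
            return
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen > self.aging_time]
        for key in expired:
            del self.entries[key]

    def receive(self, vlan: int, src: str, dst: str, in_port: str, now: float) -> str:
        """Handle one frame: age, apply blackhole, learn the source, look up the destination."""
        self.age(now)
        # Blackhole entries discard frames whose source or destination MAC matches.
        for mac in (src, dst):
            e = self.entries.get((vlan, mac))
            if e is not None and e.kind == "blackhole":
                return "discard"
        # Source learning. A static entry is never overwritten, so a frame that
        # spoofs a statically bound MAC from another port cannot move the binding.
        e = self.entries.get((vlan, src))
        if e is None:
            self.entries[(vlan, src)] = Entry(in_port, "dynamic", now)
        elif e.kind == "dynamic":
            e.port, e.last_seen = in_port, now
        # Destination lookup: known unicast is forwarded, unknown is flooded.
        d = self.entries.get((vlan, dst))
        return f"forward {d.port}" if d is not None else "flood"
```

Without the static entry, the spoofed frame in the test would move host A's binding to the attacker's port; with it, the binding stays on Ethernet1.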

Parameter                                                             Default value
--------------------------------------------------------------------  -------------
Aging time of a dynamic MAC entry                                     No aging
MAC address learning on an interface or in a VLAN                     Enable
Limit on the number of MAC addresses learned on an interface or VLAN  Unlimited
MAC address flapping detection                                        Disable

Static MAC addresses have the following characteristics:

  • Static MAC table entries are retained even after configuration saves and system reboots; they can only be manually deleted.
  • The specified VLAN must have been created and have member ports.
  • The provided MAC address must be a unicast MAC address and cannot be a multicast or broadcast MAC address.
  • Static MAC table entries take precedence over dynamic MAC entries.
Operation                            Command                                                                          Description
-----------------------------------  -------------------------------------------------------------------------------  ------------------------------------------------------------------
Enter the system configuration view  configure                                                                        -
Configure a static MAC address       mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id interface-type interface-name  The interface type can be either "ethernet" or "link-aggregation".
Delete a static MAC address          no mac-address static HH:HH:HH:HH:HH:HH vlan vlan-id                             -

To prevent known network attacks, you can configure MAC addresses of untrusted users as blackhole MAC addresses. When the device receives a packet with a destination MAC or source MAC matching a blackhole MAC address, and the VLAN ID matches the VLAN ID in the table entry, the packet will be discarded.

Operation                            Command                                                Description
-----------------------------------  -----------------------------------------------------  -----------
Enter the system configuration view  configure                                              -
Configure a blackhole MAC address    mac-address blackhole HH:HH:HH:HH:HH:HH vlan vlan-id     -
Delete a blackhole MAC address       no mac-address blackhole HH:HH:HH:HH:HH:HH vlan vlan-id  -

Configuring Aging Time for Dynamic MAC Entries

The aging time for dynamic MAC entries is a crucial parameter that governs the self-learning behaviour of a device's MAC table. Dynamic MAC entries that exceed the aging time are automatically deleted, prompting the device to re-learn MAC addresses and rebuild the MAC table. Static MAC entries are not affected by the aging time.

Setting the aging time too long or too short can impact device performance. An excessively long aging time might cause the device to retain numerous outdated MAC entries, consuming memory and preventing the MAC table from refreshing. Conversely, an overly short aging time might lead to the rapid removal of valid MAC entries, resulting in an abundance of broadcast traffic and increased network load.

Users should configure the aging time based on their specific circumstances. In a stable network topology, a longer aging time or even no aging at all could be set. In a less stable network, a shorter aging time might be preferable. For example, in a highly stable network with infrequent traffic, dynamic MAC entries could be entirely deleted over time, potentially causing the device to broadcast a large volume of data packets suddenly. To mitigate this security risk, users can extend the aging time or set it to unlimited for dynamic MAC entries, reducing broadcast traffic, and enhancing network stability and security.

Operation                                         Command                          Description
------------------------------------------------  -------------------------------  -----------
Enter the system configuration view               configure                        -
Configure the aging time for dynamic MAC entries  mac-address timer aging seconds  -
Configure dynamic MAC entries to never age        mac-address timer no-aging       -

Operation            Command                                                                             Description
-------------------  ----------------------------------------------------------------------------------  -----------
View the MAC table   show mac-address [interface-type interface-name]                                    -
Clear the MAC table  clear mac-address [{ethernet|link-aggregation} interface-id | vlan vlan-id] dynamic  -

Network requirements

  • User host A, with MAC address E2:8C:56:85:4A:11, belongs to VLAN 100 and connects to device port Ethernet1. To prevent illegal users from fraudulently obtaining data by impersonating host A, add a static entry for this host to the device's MAC table.
  • User host B, with MAC address A0:1B:5E:47:C9:08, belongs to VLAN 100 and connects to device port Ethernet2. It has been blacklisted for performing illegal operations on the network, so a blackhole MAC entry is to be added on the device so that this host cannot receive packets.
  • User host C, with MAC address 00:21:4E:56:C9:84, belongs to VLAN 100 and connects to device port Ethernet3.
  • Configure the dynamic MAC table entry aging time of the device to 720s.

Procedure

1. Create VLAN 100 and add interfaces Ethernet1, Ethernet2 and Ethernet3 to it.

sonic(config)# vlan 100
sonic(config)# interface ethernet 1
sonic(config-if-1)# switchport access vlan 100
sonic(config-if-1)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# switchport access vlan 100
sonic(config-if-2)# exit
sonic(config)# interface ethernet 3
sonic(config-if-3)# switchport access vlan 100

2. Configure the static MAC address.

sonic(config)# mac-address static E2:8C:56:85:4A:11 vlan 100 ethernet 1

3. Configure the blackhole MAC address.

sonic(config)# mac-address blackhole A0:1B:5E:47:C9:08 vlan 100

4. Configure the dynamic MAC aging time to 720s.

sonic(config)# mac-address timer aging 720

Verify configuration

1. Suppose hosts A and C belong to the same network segment; A can then ping C.

2. Ping the IP address of host B from host A. The ping fails: frames whose source or destination MAC is B's address match the blackhole entry and are discarded.

3. View the MAC table.

sonic# show mac-address
No. Vlan MacAddress Port Type
----- ------ ----------------- --------- ---------
1 100 E2:8C:56:85:4A:11 Ethernet1 Static
2 100 A0:1B:5E:47:C9:08 None BlackHole
3 100 00:21:4E:56:C9:84 Ethernet3 Dynamic
Total number of entries 3
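The following check, added here and not part of the original guide, parses the show mac-address output above and confirms that each host has the entry type and port the configuration should produce. The output text is a constructed copy of the one shown in the verification step, and the expected bindings come from the network requirements.

```python
import re
from typing import Dict, List, Tuple
# Constructed copy of the `show mac-address` output from the verification step.
SHOW_OUTPUT = """\
No. Vlan MacAddress Port Type
----- ------ ----------------- --------- ---------
1 100 E2:8C:56:85:4A:11 Ethernet1 Static
2 100 A0:1B:5E:47:C9:08 None BlackHole
3 100 00:21:4E:56:C9:84 Ethernet3 Dynamic
Total number of entries 3
"""
ROW = re.compile(r"^\s*\d+\s+(\d+)\s+([0-9A-Fa-f:]{17})\s+(\S+)\s+(\w+)\s*$")
TOTAL = re.compile(r"^Total number of entries\s+(\d+)")

def parse_mac_table(text: str) -> Tuple[List[dict], int]:
    """Return the parsed rows and the reported total (-1 if the total line is absent)."""
    rows, total = [], -1
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"vlan": int(m.group(1)), "mac": m.group(2).upper(),
                         "port": m.group(3), "type": m.group(4)})
            continue
        t = TOTAL.match(line)
        if t:
            total = int(t.group(1))
    return rows, total

def check_mac_table(text: str, expected: Dict[Tuple[int, str], Tuple[str, str]]) -> List[str]:
    """Compare the table with expected (vlan, mac) -> (port, type) bindings.
    Returns the list of problems found; an empty list means the configuration took effect."""
    rows, total = parse_mac_table(text)
    problems = []
    if total != len(rows):
        problems.append(f"parsed {len(rows)} rows but the device reports {total}")
    index = {(r["vlan"], r["mac"]): r for r in rows}
    for (vlan, mac), (port, kind) in expected.items():
        r = index.get((vlan, mac))
        if r is None:
            problems.append(f"missing entry for {mac} in VLAN {vlan}")
        elif (r["port"], r["type"]) != (port, kind):
            problems.append(f"{mac}: found {r['port']}/{r['type']}, expected {port}/{kind}")
    return problems

# Expected bindings taken from the network requirements above.
EXPECTED = {
    (100, "E2:8C:56:85:4A:11"): ("Ethernet1", "Static"),   # host A, static binding
    (100, "A0:1B:5E:47:C9:08"): ("None", "BlackHole"),     # host B, blackhole entry
    (100, "00:21:4E:56:C9:84"): ("Ethernet3", "Dynamic"),  # host C, learned dynamically
}
```

A Static entry for host A that shows up on a different port, or as Dynamic, means the static binding was not applied and the device is relying on learning for that address.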