Scenario | Description | Task
---|---|---
MAC addresses and interfaces need to be bound statically. | Configure static MAC address entries to bind MAC addresses to interfaces, improving the security of authorized users. |
Attack packets from unauthorized users need to be filtered out. | Configure blackhole MAC address entries to filter out packets from unauthorized users, thereby protecting the system against attacks. |
Aging of dynamic MAC address entries needs to be flexibly controlled. | Set the aging time of dynamic MAC address entries according to your needs. On a stable network, set the aging time to a large value or to 0 (so that dynamic MAC address entries never age); in other situations, set a short aging time. |
MAC address learning needs to be controlled. | Disable MAC address learning or limit the number of learned MAC address entries to prevent attacks from exhausting the MAC address table. |
The MAC address table needs to be monitored. | Configure one or more of the following trap functions to monitor the usage of MAC address entries: |
The outbound interfaces in ARP entries need to be updated quickly. | Enable the MAC address-triggered ARP entry update function to minimize the service interruption caused when the outbound interface in a MAC address entry changes. |
MAC address flapping needs to be prevented. | Use the following methods to prevent MAC address flapping: |
MAC address flapping needs to be detected. | Configure MAC address flapping detection so that the switch can check whether MAC addresses flap between interfaces and determine whether loops occur. If MAC address flapping occurs, the switch sends an alarm to the NMS. Network maintenance personnel can locate the loop based on the alarm information and the MAC address flapping history, which greatly improves network maintainability. If the network connected to the switch does not support loop prevention protocols, configure the switch to shut down the interfaces on which MAC address flapping occurs, reducing the impact of flapping on the network. MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one. |
The switch needs to discard packets with an all-0 source or destination MAC address. | Configure the switch to discard packets with an all-0 source or destination MAC address and send an alarm to the NMS. Such packets may be sent by a faulty host or device. | Configuring the Switch to Discard Packets with an All-0 MAC Address
An interface needs to forward packets whose source and destination MAC addresses are both learned on the interface. | Enable the port bridge function on an interface to allow it to forward packets whose source and destination MAC addresses are both learned on that interface. By default, an interface regards such a packet as invalid and discards it. This function applies to a switch that connects to devices incapable of Layer 2 forwarding, or that functions as an access device in a data center. |
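The table above describes several entry types and behaviours in prose. As an added illustration (a constructed toy model, not vendor code from the switch or its documentation), the following Python class models how static, blackhole and dynamic entries interact with aging, a per-interface learning limit, the all-0 MAC check, and flapping detection as defined in the table; the rule that a static binding drops the same MAC arriving on any other interface is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

ALL_ZERO = "0000-0000-0000"   # all-0 MAC address, treated as invalid

@dataclass
class MacTable:
    aging_time: int = 300                 # seconds; 0 = dynamic entries never age
    learn_limit: Optional[int] = None     # max dynamic entries per interface; 0 = learning disabled
    static: dict = field(default_factory=dict)    # (vlan, mac) -> interface
    blackhole: set = field(default_factory=set)   # {(vlan, mac)}
    dynamic: dict = field(default_factory=dict)   # (vlan, mac) -> (interface, learned_at)
    flaps: list = field(default_factory=list)     # (vlan, mac, old_iface, new_iface, time)

    def add_static(self, vlan, mac, iface):
        self.static[(vlan, mac)] = iface
        self.dynamic.pop((vlan, mac), None)       # a static entry replaces any dynamic one

    def add_blackhole(self, vlan, mac):
        self.blackhole.add((vlan, mac))

    def dynamic_count(self, iface):
        return sum(1 for i, _ in self.dynamic.values() if i == iface)

    def age(self, now):
        # Drop dynamic entries older than aging_time; aging_time 0 keeps them forever.
        if self.aging_time:
            for k in [k for k, (_, t) in self.dynamic.items() if now - t >= self.aging_time]:
                del self.dynamic[k]

    def receive(self, vlan, src, dst, iface, now):
        """Handle one frame: update the table and return 'drop' or 'forward'."""
        self.age(now)
        if ALL_ZERO in (src, dst):
            return "drop"                         # all-0 MAC: discard and alarm the NMS
        if (vlan, src) in self.blackhole or (vlan, dst) in self.blackhole:
            return "drop"                         # blackhole entry: unauthorized station
        key = (vlan, src)
        if key in self.static:
            # assumption of this model: a static binding rejects the MAC on any other interface
            return "forward" if self.static[key] == iface else "drop"
        prev = self.dynamic.get(key)
        if prev is not None and prev[0] != iface:
            # same MAC in the same VLAN now seen on another interface: a flap
            self.flaps.append((vlan, src, prev[0], iface, now))
        if prev is None and self.learn_limit is not None \
                and self.dynamic_count(iface) >= self.learn_limit:
            return "forward"                      # not learned (limit hit or learning disabled)
        self.dynamic[key] = (iface, now)
        return "forward"
```

Feeding the model a sequence of constructed frames (VLAN, source MAC, destination MAC, ingress interface, time) shows which frames are dropped, which MACs are learned, and which moves are recorded in `flaps`.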