(Optional) Configuring a Static MAC Address Entry
Context
When the device creates a MAC address table by learning source MAC addresses, the device cannot distinguish packets from authorized and unauthorized users. This threatens network security. If an unauthorized user uses the MAC address of an authorized user as the source MAC address of attack packets and connects to another interface of the device, the device learns an incorrect MAC address entry. The device incorrectly forwards the packets to the unauthorized user. Actually, the packets should be forwarded to the authorized user. You can manually add a static MAC address entry to the MAC address tables on the VXLAN access side and tunnel side. The static MAC address entry binds the MAC address to a specified interface, which prevents unauthorized users from intercepting data of authorized users. In addition, a manually configured static MAC address entry improves the unicast packet forwarding efficiency and saves bandwidth.
Procedure
- Configure a static MAC address entry on a VXLAN access-side interface.
- Run mac-address static mac-address interface-type interface-number.subnum bridge-domain bd-id { default | untag | vid vlan-id1 [ cevid vlan-id2 ] }
A static MAC address entry is configured on a Layer 2 sub-interface on a VXLAN access-side interface.
Alternatively, run mac-address static mac-address interface-type interface-number bridge-domain bd-id vid vlan-id3
A VLAN-based static MAC address entry is configured on a VXLAN access-side interface.
Before you configure a static MAC address entry on a VXLAN access-side interface, the interface must be connected to the VXLAN network first. Parameters here must be the same as those configured to connect to the interface to the VXLAN network.
- Run mac-address static mac-address interface-type interface-number.subnum bridge-domain bd-id { default | untag | vid vlan-id1 [ cevid vlan-id2 ] }
- Configure a static MAC address entry on a VXLAN tunnel-side interface.
- Run mac-address static mac-address bridge-domain bd-id source-ipv6-ipv6-address1 peer-ipv6 ipv6-address2 vni vni-id
A static MAC address entry is configured on a VXLAN tunnel-side interface.
Before you configure a static MAC address entry on a VXLAN tunnel-side interface, a VXLAN tunnel must have been created. Parameters here must be the same as those configured to create a VXLAN tunnel.
- Run mac-address static mac-address bridge-domain bd-id source-ipv6-ipv6-address1 peer-ipv6 ipv6-address2 vni vni-id