
mac-address blackhole

Function

The mac-address blackhole command configures a blackhole MAC address entry.

The undo mac-address blackhole command deletes a blackhole MAC address entry.

By default, no blackhole MAC address entry is configured.

Format

mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]

undo mac-address blackhole [ mac-address ] [ vlan vlan-id | vsi vsi-name ]

Parameters

Parameter: mac-address
Description: Specifies the MAC address in a blackhole MAC address entry.
Value: The value is in H-H-H format. Each H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

Parameter: vlan vlan-id
Description: Specifies the VLAN ID in a blackhole MAC address entry.
Value: The value is an integer that ranges from 1 to 4094.

Parameter: vsi vsi-name
Description: Specifies the name of a VSI in a blackhole MAC address entry. The VSI must have been created.
NOTE: Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730S-H, and S6730-H support this parameter.
Value: -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To protect a device or network against MAC address attacks, configure the MAC addresses of untrusted users as blackhole MAC addresses. The device then discards any received packet whose source or destination MAC address matches a blackhole MAC address entry.

Prerequisites

The network administrator must be familiar with the MAC addresses of all devices on the network. If the MAC address of an authorized user is configured as a blackhole MAC address, that user's communications will be interrupted.

Configuration Impact

If the source or destination MAC address of a packet matches a blackhole MAC address entry, the packet is discarded. Once configured and saved, blackhole MAC address entries are retained across a system restart.

Precautions

  • Blackhole MAC address entries can be added or deleted, and they are never aged out.

    Unlike a static MAC address entry, a blackhole MAC address entry is configured without specifying an outbound interface.

  • If the specified VLAN is the control VLAN for Rapid Ring Protection Protocol (RRPP), the mac-address blackhole command cannot be run.

  • Blackhole MAC address entries are either global or VLAN- or VSI-based. A global blackhole MAC address entry is configured by running the mac-address blackhole command with only a MAC address specified. Global entries do not occupy MAC address table space.
  • If you configure a VLAN- or VSI-based blackhole MAC address entry when the MAC address table is full, the device processes the entry as follows:
    • If a dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry replaces that dynamic entry.
    • If no dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists, the system deletes one dynamic MAC address entry to free space and adds the blackhole MAC address entry to the MAC address table.
  • You can run the mac-address blackhole command multiple times to configure multiple blackhole MAC address entries.
  • On the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI switches, if both a traffic policy-based redirection action and a VLAN-based blackhole MAC address entry are configured, a packet whose source or destination MAC address is a blackhole MAC address is not discarded when it also matches the redirection policy. Check redirection policies when verifying that a blackhole entry is actually dropping traffic on these models. On other models, the switch discards the packet.
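The following Python helper is an added example and is not part of the Huawei documentation or product. It applies the value constraints from the Parameters section (H-H-H notation with 1 to 4 hex digits per group; no broadcast, all-zero, or multicast address; VLAN ID 1 to 4094) to a deny list and renders the global, VLAN-based, and VSI-based forms of the command, so that a misformatted or multicast address is rejected before it reaches the switch. The input list, the function names, and the canonical lowercase HHHH-HHHH-HHHH output form are assumptions of this example.

```python
import re

# H-H-H notation as the Parameters section defines it: three groups of
# 1 to 4 hex digits separated by hyphens, so "4-4-4" and "0004-0004-0004"
# name the same address.
_HHH = re.compile(r"^([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})$")


def normalize_mac(mac):
    """Return the address in canonical HHHH-HHHH-HHHH form (lowercase, an
    assumption of this example) or raise ValueError if it is not H-H-H."""
    m = _HHH.match(mac.strip())
    if not m:
        raise ValueError(f"{mac!r} is not in H-H-H format")
    groups = [int(g, 16) for g in m.groups()]
    return "-".join(f"{g:04x}" for g in groups)


def is_multicast(mac):
    """True if the I/G bit (least significant bit of the first octet) is
    set, i.e. the address is a group address and cannot be blackholed."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x01)


def validate_blackhole_mac(mac):
    """Apply the three exclusions from the Parameters section and return
    the canonical address; raise ValueError otherwise."""
    n = normalize_mac(mac)
    if n == "ffff-ffff-ffff":
        raise ValueError("the broadcast address cannot be a blackhole MAC")
    if n == "0000-0000-0000":
        raise ValueError("the all-zero address cannot be a blackhole MAC")
    if is_multicast(n):
        raise ValueError(f"{n} is a multicast address and cannot be a blackhole MAC")
    return n


def is_valid_blackhole_mac(mac):
    """Boolean wrapper around validate_blackhole_mac for quick checks."""
    try:
        validate_blackhole_mac(mac)
        return True
    except ValueError:
        return False


def blackhole_commands(entries, undo=False):
    """Render system-view command lines from (mac, scope) tuples.

    scope is None for a global entry (uses no MAC table space),
    ("vlan", <id>) for a VLAN-based entry or ("vsi", <name>) for a
    VSI-based entry. With undo=True the matching undo commands are
    produced instead.
    """
    lines = []
    for mac, scope in entries:
        n = validate_blackhole_mac(mac)
        cmd = ("undo " if undo else "") + f"mac-address blackhole {n}"
        if scope is None:
            pass
        elif scope[0] == "vlan":
            vid = int(scope[1])
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1-4094")
            cmd += f" vlan {vid}"
        elif scope[0] == "vsi":
            cmd += f" vsi {scope[1]}"
        else:
            raise ValueError(f"unknown scope {scope!r}")
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    # Constructed deny list mirroring the page's three examples.
    deny_list = [
        ("4-4-4", ("vlan", 5)),            # short H-H-H form, VLAN-based
        ("0005-0005-0005", None),          # global entry
        ("0011-2233-4455", ("vsi", "a2")), # VSI-based entry
    ]
    for line in blackhole_commands(deny_list):
        print(line)
```

The rendered lines are pasted into system view; for a VLAN-based entry the VLAN must already exist, and for a VSI-based entry the VSI must already be created, as the examples below show. Addresses such as 0100-5e00-0001 (multicast) or FFFF-FFFF-FFFF are rejected by the helper for the same reason the switch rejects them.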

Example

# Add a blackhole MAC address entry to the MAC address table. In the blackhole MAC address entry, the MAC address is 0004-0004-0004 and the VLAN ID is VLAN 5.

<HUAWEI> system-view
[HUAWEI] vlan 5
[HUAWEI-vlan5] quit
[HUAWEI] mac-address blackhole 0004-0004-0004 vlan 5

# Configure a global blackhole MAC address entry in which the MAC address is 0005-0005-0005.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0005-0005-0005

# Add a blackhole MAC address entry with the MAC address 0011-2233-4455 to VSI a2. The device then discards any received frame in VSI a2 whose source or destination MAC address is 0011-2233-4455.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0011-2233-4455 vsi a2
Copyright © Huawei Technologies Co., Ltd.