The mac-address static bridge-domain vni command configures a static MAC address entry on a VXLAN tunnel-side interface.
The undo mac-address static bridge-domain vni command deletes a static MAC address entry on a VXLAN tunnel-side interface.
By default, no static MAC address entry is configured on a VXLAN tunnel-side interface.
mac-address static mac-address bridge-domain bd-id { source ip-address1 peer ip-address2 } | { source-ipv6 ipv6-address1 peer-ipv6 ipv6-address2 } vni vni-id
undo mac-address static mac-address bridge-domain bd-id { source ip-address1 peer ip-address2 } | { source-ipv6 ipv6-address1 peer-ipv6 ipv6-address2 } vni vni-id
| Parameter | Description | Value |
|---|---|---|
mac-address |
Specifies the MAC address in the static MAC address entry. |
The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
bd-id |
Specifies the BD to which the outbound interface belongs. |
The value is an integer that ranges from 1 to 16777215. |
source-ip-address1 |
Specifies the source IP address of the VXLAN tunnel. |
The value is in dotted decimal notation. |
peer ip-address2 |
Specifies the remote IP address of the VXLAN tunnel. |
The value is in dotted decimal notation. |
source-ipv6 ipv6-address1 |
Specifies the source IPv6 address of the VXLAN tunnel. |
The value consists of 128 bits, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format of X:X:X:X:X:X:X:X. |
peer-ipv6 ipv6-address2 |
Specifies the remote IPv6 address of the VXLAN tunnel. |
The value consists of 128 bits, which are classified into 8 groups. Each group contains 4 hexadecimal numbers in the format of X:X:X:X:X:X:X:X. |
vni-id |
Specifies the ID of a VXLAN tunnel. |
The value is an integer that ranges from 1 to 16777215. |
Usage Scenario
When the device creates a MAC address table by learning source MAC addresses, the device cannot distinguish packets from authorized and unauthorized users. This threatens network security. If an unauthorized user uses the MAC address of an authorized user as the source MAC address of attack packets and connects to another interface of the device, the device learns an incorrect MAC address entry. The device incorrectly forwards the packets to the unauthorized user. Actually, the packets should be forwarded to the authorized user. You can run the mac-address static bridge-domain vni command to add a static MAC address entry to the MAC address table on the VXLAN tunnel side. The static MAC address entry binds the MAC address to a specified interface, which prevents unauthorized users from intercepting data of authorized users. In addition, a manually configured static MAC address entry improves the unicast packet forwarding efficiency and saves bandwidth.
Precautions
If a static MAC address entry is configured on a VXLAN tunnel-side interface and the VXLAN tunnel is Down, the static MAC address entry is not displayed in the output of the display mac-address command. When the VXLAN tunnel is Up, the static MAC address entry is displayed in the output of the display mac-address command.
# On a VXLAN tunnel-side interface, configure a static MAC address entry with the destination MAC address aaaa-fccc-1212.
<HUAWEI> system-view [HUAWEI] bridge-domain 20 [HUAWEI-bd20] vxlan vni 2000 [HUAWEI-bd20] quit [HUAWEI] interface nve 1 [HUAWEI-Nve1] source 10.1.1.2 [HUAWEI-Nve1] vni 2000 head-end peer-list 10.1.2.2 [HUAWEI-Nve1] quit [HUAWEI] mac-address static aaaa-fccc-1212 bridge-domain 20 source 10.1.1.2 peer 10.1.2.2 vni 2000