The mac-address static vlanif command configures a static MAC address entry. The outgoing interface of this entry is added to the specified VLAN corresponding to the VLANIF interface. The VLANIF interface is bound to a VSI.
The undo mac-address static vlanif command deletes a static MAC address entry.
By default, the system does not configure any static MAC address entry.
mac-address static mac-address interface-type interface-number vlanif interface-number vsi vsi-name
undo mac-address static mac-address interface-type interface-number vlanif interface-number vsi vsi-name
Parameter | Description | Value |
---|---|---|
static | Indicates the static entry that is not aged. When a frame of a specific MAC address is received, the frame is forwarded through the outgoing interface directly. After being configured and saved, the entries are still stored in the table even if the system is reset. | - |
mac-address | Specifies the unicast MAC address in the format of H-H-H. | An H is a hexadecimal number of 1 to 4 bits, such as 00e0 and fc01. If you enter less than four digits, 0s are padded before the input digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be a broadcast MAC address (FFFF-FFFF-FFFF) or a multicast MAC address (the eighth bit is 1). |
interface-type interface-number | Specifies the type and number of an interface. | - |
vlanif interface-number | Specifies the number of the VLANIF interface bound to a VSI. | - |
vsi vsi-name | Specifies the name of a specified VSI. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
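
The parameter rules in the table above can be checked before a binding list is pushed to a device. The following is an added example, not Huawei code: the function names, the lowercase output and the sample inventory are assumptions of the example, and it only renders command text in the syntax shown on this page.

```python
import re

_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")  # one H group: 1 to 4 hex digits

def normalize_mac(text):
    """Return the MAC in zero-padded H-H-H form, or raise ValueError."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not in H-H-H format: {text!r}")
    # Left-pad each group with 0s; lowercase output is this example's choice.
    mac = "-".join(g.lower().zfill(4) for g in groups)
    if mac == "ffff-ffff-ffff":
        raise ValueError("broadcast MAC address not allowed")
    # Multicast: the eighth bit (lowest bit of the first octet) is 1.
    if int(mac[:2], 16) & 0x01:
        raise ValueError(f"multicast MAC address not allowed: {mac}")
    return mac

def format_vsi_name(name):
    """Enforce 1 to 31 characters; quote a name that contains spaces."""
    # Assumption: the length limit applies to the name without the quotes.
    if not 1 <= len(name) <= 31:
        raise ValueError("vsi-name must be 1 to 31 characters")
    return f'"{name}"' if " " in name else name

def static_entry_command(mac, interface, vlanif, vsi):
    """Render one command line in the syntax given on this page."""
    return (f"mac-address static {normalize_mac(mac)} {interface} "
            f"vlanif {vlanif} vsi {format_vsi_name(vsi)}")

def build_commands(bindings):
    """Return (rendered commands, rejected rows with the reason)."""
    commands, rejected = [], []
    for row in bindings:
        try:
            commands.append(static_entry_command(*row))
        except ValueError as err:
            rejected.append((row[0], str(err)))
    return commands, rejected

# Constructed sample inventory: (MAC, interface, VLANIF number, VSI name).
SAMPLE = [
    ("0011-2233-4455", "gigabitethernet 0/0/1", 10, "abc"),
    ("e0-fc01-1", "gigabitethernet 0/0/1", 10, "abc"),
    ("FFFF-FFFF-FFFF", "gigabitethernet 0/0/1", 10, "abc"),
    ("0100-5e00-0001", "gigabitethernet 0/0/1", 10, "abc"),
]

if __name__ == "__main__":
    print(build_commands(SAMPLE))
```
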
Usage Scenario
The VPLS provides reachability through MAC address learning. Each PE maintains a MAC address table.
The device learns source MAC addresses and then creates the MAC address table. However, the device cannot identify whether the packets are from authorized users or hackers, which brings security threats. If a hacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to another interface of the device, the device learns an incorrect MAC address entry. The packets that should be forwarded to the authorized user are forwarded to the hacker.
To improve interface security, the network administrator can manually create MAC address entries to bind MAC addresses of authorized users to specified interfaces using the mac-address static vlanif command. This prevents hackers from intercepting data of authorized users.
Prerequisites
The network administrator is familiar with the MAC addresses of the devices on the network that need to use static MAC address entries for communications; otherwise, the configuration will interrupt authorized users' communications.
In the mac-address static vlanif command, the interface must be a Layer 2 interface that has been added to the VLAN corresponding to the VLANIF interface. The VLANIF interface must be bound to the VSI configured in the command.
Precautions
After being created, the static MAC address entries will not be aged. When receiving a frame of a specific MAC address, the device forwards the frame through the outgoing interface directly. After being configured and saved, the MAC address entries are still stored in the table even if the system is reset.
A physical interface that is associated with a VSI can be bound to several VLANs. The VSI that is bound to a VLANIF interface can be associated with several physical interfaces. Therefore, you need to specify a physical interface and a VLANIF interface when configuring static MAC address entries for VSIs bound to the VLANIF interface.
Manually created MAC address entries take precedence over automatically created MAC address entries. Static MAC address entries and blackhole MAC address entries take precedence over dynamic MAC address entries.
If the user service changes, specify a new VSI bound to the interface. In this way, data of the user is not forwarded through the previously configured static MAC address entries. You need to configure new MAC address entries on the device or enable the device to learn dynamic MAC address entries to forward the data.
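
The learning behaviour described under Usage Scenario and the precedence rule under Precautions can be reproduced with a small table model. This is an added example, not Huawei code and not a description of the device's internals: the class, the shortened interface names and the `violations` list (a hook an auditor might use) are assumptions of the model, which tracks table contents only.

```python
class MacTable:
    """Toy model of one VSI's MAC table: static entries pinned, dynamic learned."""

    def __init__(self):
        self.static = {}      # mac -> interface, configured by the administrator
        self.dynamic = {}     # mac -> interface, learned from source addresses
        self.violations = []  # (mac, interface) frames contradicting a static entry

    def add_static(self, mac, interface):
        self.static[mac] = interface
        self.dynamic.pop(mac, None)  # the manual entry replaces a learned one

    def receive(self, src_mac, interface):
        """Process the source MAC of a frame arriving on `interface`."""
        pinned = self.static.get(src_mac)
        if pinned is not None:
            if pinned != interface:
                self.violations.append((src_mac, interface))
            return  # learning never overwrites a static entry
        self.dynamic[src_mac] = interface  # the most recent frame wins

    def lookup(self, dst_mac):
        """Outgoing interface for a destination, static entries first."""
        return self.static.get(dst_mac, self.dynamic.get(dst_mac))

def replay(frames, static_entries=()):
    """Build a table, apply the static entries, then feed it the frames."""
    table = MacTable()
    for mac, interface in static_entries:
        table.add_static(mac, interface)
    for src_mac, interface in frames:
        table.receive(src_mac, interface)
    return table

# Constructed frames: the user's MAC is seen on GE0/0/1, then on GE0/0/2.
FRAMES = [("0011-2233-4455", "GE0/0/1"), ("0011-2233-4455", "GE0/0/2")]

if __name__ == "__main__":
    learned = replay(FRAMES)
    pinned = replay(FRAMES, [("0011-2233-4455", "GE0/0/1")])
    print(learned.lookup("0011-2233-4455"), pinned.lookup("0011-2233-4455"))
    print(pinned.violations)
```
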
# Bind VLANIF10 to the VSI named abc, and add a MAC address entry with the MAC address being 0011-2233-4455 to the VSI. When a frame that belongs to VLAN 10 and has the destination MAC address 0011-2233-4455 is received, it is forwarded through the outgoing interface GE0/0/1.
```
<HUAWEI> system-view
[HUAWEI] vsi abc static
[HUAWEI-vsi-abc] pwsignal ldp
[HUAWEI-vsi-abc-ldp] vsi-id 1
[HUAWEI-vsi-abc-ldp] quit
[HUAWEI-vsi-abc] quit
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] l2 binding vsi abc
[HUAWEI-Vlanif10] quit
[HUAWEI] mac-address static 0011-2233-4455 gigabitethernet 0/0/1 vlanif 10 vsi abc
```