The mac-address static vsi command configures a static MAC address entry. The outgoing interface in this entry is bound to a specified VSI.
The undo mac-address static vsi command deletes a static MAC address entry.
By default, the system does not configure any static MAC address entry.
mac-address static mac-address interface-type interface-number vsi vsi-name
undo mac-address static mac-address interface-type interface-number vsi vsi-name
undo mac-address static vsi vsi-name
| Parameter | Description | Value |
|---|---|---|
static |
Indicates the static entry that is not aged. When a frame of a specific MAC address is received, the frame is forwarded through the outgoing interface directly. After being configured and saved, the entries are still stored in the table even if the system is reset. |
- |
mac-address |
Specifies the unicast MAC address in the format of H-H-H. |
An H is a hexadecimal number of 1 to 4 bits, such as 00e0 and fc01. If you enter less than four digits, 0s are padded before the input digits. For example, if e0 is entered, 00e0 is displayed. The MAC address cannot be a broadcast MAC address (FFFF-FFFF-FFFF) or a multicast MAC address (the eighth bit is 1). |
interface-type interface-number |
Specifies the type and number of an interface.
|
The interface can be a GE interface, a GE sub-interface, a XGE interface, a XGE sub-interface, a 25GE interface, a 25GE sub-interface, a MultiGE interface, a MultiGE sub-interface, a 40GE interface, a 40GE sub-interface, a 100GE interface, a 100GE sub-interface, an Eth-Trunk interface, or an Eth-Trunk sub-interface. The interface in this command is a Layer 3 interface bound to a VSI. |
vsi vsi-name |
Specifies the name of a specified VSI. |
The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Scenario
The VPLS provides reachability through MAC address learning. Each PE maintains a MAC address table.
The device learns source MAC addresses and then creates the MAC address table. However, the device cannot identify whether the packets are from authorized users or hackers, which brings security threats. If a hacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to another interface of the device, the device learns an incorrect MAC address entry. The packets that should be forwarded to the authorized user are forwarded to the hacker.
To improve interface security, the network administrator can manually create MAC address entries to bind MAC addresses of authorized users to specified interfaces using the mac-address static vlanif command. This prevents hackers from intercepting data of authorized users.
Prerequisites
The network administrator is familiar with the MAC addresses of the devices on the network that need to use static MAC address entries for communications; otherwise, the configuration will interrupt authorized users' communications.
In the mac-address static vsi command, the interface must be a Layer 3 interface bound to a VSI.
Precautions
After being created, the static MAC address entries will not be aged. When receiving a frame of a specific MAC address, the device forwards the frame through the outgoing interface directly. After being configured and saved, the MAC address entries are still stored in the table even if the system is reset.
Manually created MAC address entries take precedence over automatically created MAC address entries. Static MAC address entries and blackhole MAC address entries take precedence over dynamic MAC address entries.
If the user service changes, specify a new VSI bound to the interface. In this way, data of the user is not forwarded through the previously configured static MAC address entries. You need to configure new MAC address entries on the device or enable the device to learn dynamic MAC address entries to forward the data.
# Add a static MAC address entry to the VSI named abc. When the destination MAC address of a received frame is 0011-2233-4455, the frame is forwarded in the VSI named abc.
<HUAWEI> system-view [HUAWEI] vsi abc static [HUAWEI-vsi-abc] pwsignal ldp [HUAWEI-vsi-abc-ldp] vsi-id 1 [HUAWEI-vsi-abc-ldp] quit [HUAWEI-vsi-abc] quit [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] undo portswitch [HUAWEI-GigabitEthernet0/0/1] l2 binding vsi abc [HUAWEI-GigabitEthernet0/0/1] quit [HUAWEI] mac-address static 0011-2233-4455 gigabitethernet 0/0/1 vsi abc