mac-address bridge-domain

Function

The mac-address blackhole bridge-domain command specifies a static blackhole MAC address entry in a BD.

The undo mac-address blackhole bridge-domain command deletes a static blackhole MAC address entry from a BD.

The mac-address static bridge-domain command specifies a static MAC address used to forward packets in a BD.

The undo mac-address static bridge-domain command deletes a static MAC address used to forward packets in a BD.

By default, no static blackhole MAC address entry or static MAC address entry is configured.

Format

mac-address blackhole mac-address bridge-domain bd-id

mac-address static mac-address { interface-type interface-number | interface-name } bridge-domain bd-id { untag | default | vid pe-vid [ ce-vid { ce-vid | default } ] }

undo mac-address blackhole { mac-address bridge-domain bd-id | bridge-domain bd-id }

undo mac-address { mac-address bridge-domain bd-id | bridge-domain bd-id | static { bridge-domain bd-id | mac-address { interface-type interface-number | interface-name } bridge-domain bd-id } }

Parameters

Parameter Description Value
mac-address

Specifies a destination MAC address.

The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. If an H contains fewer than 4 digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0.

bd-id

Specifies the ID of a bridge domain to which an outbound interface belongs.

The value is an integer ranging from 1 to 16777215.

interface-type

Specifies the interface type.

-

interface-number

Specifies the interface number.

-

interface-name

Specifies the interface name.

-

untag

Enables untagged encapsulation on an EVC Layer 2 sub-interface.

-

default

Enables default encapsulation on an EVC Layer 2 sub-interface.

-

vid pe-vid

Specifies the outer tag carried in packets that an outbound interface receives.

The value is an integer ranging from 1 to 4096.

ce-vid ce-vid

Specifies the inner tag carried in packets that an EVC Layer 2 sub-interface receives.

This parameter is configured only when QinQ encapsulation is used on an EVC Layer 2 sub-interface.

The value is an integer ranging from 1 to 4096.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
mac          write

Usage Guidelines

Usage Scenario

A device learns MAC addresses and adds MAC address entries to a MAC address table. The device cannot identify whether packets are from authorized users or hackers, which brings security threats. If hackers set the source MAC addresses of attack packets to the MAC addresses of authorized users and access a device through different interfaces from authorized users' access interfaces, the device learns incorrect MAC address entries. As a result, the packets that should be forwarded to authorized users are forwarded to hackers.

To improve interface security, run the mac-address blackhole bridge-domain command to configure a static blackhole MAC address entry to enable a device to discard packets with a specified destination MAC address. You can also run the mac-address static bridge-domain command to add a specified user MAC address to a MAC address table so that a user device is bound to a local device interface, which prevents hackers from accessing the local device and obtaining data.

Prerequisites

Before running the mac-address blackhole bridge-domain command, ensure that:

  • An administrator has recorded the MAC address of each device on the network, so that an authorized user's MAC address is not configured as a blackhole entry and the user's communication is not interrupted.
  • A bridge domain has been created using the bridge-domain bd-id command in the system view.

Before running the mac-address static bridge-domain command, ensure that:

  • The static MAC addresses of the devices on the network have been obtained.
  • A bridge domain has been created using the bridge-domain bd-id command in the system view.
  • An EVC Layer 2 sub-interface has been created using the interface interface-type interface-number.subnum mode l2 command in the system view.
  • An encapsulation type has been specified using the encapsulation command in the EVC Layer 2 sub-interface view.
  • The EVC Layer 2 sub-interface has been added to the bridge domain using the bridge-domain bd-id command in that EVC Layer 2 sub-interface view.

Configuration Impact

If a device receives packets with a destination MAC address matching a static blackhole MAC address entry, the device discards the packets. The configured static blackhole MAC address entry is not lost even if the device is reset or a board on the device is hot swapped.

A configured static MAC address entry does not age. After a device receives a frame destined for the specified static MAC address, the device forwards the frame through the specified outbound interface. The configured static MAC address entry is not lost even if the device is reset or a board on the device is hot swapped.

Precautions

A static blackhole MAC address entry can be added or deleted but cannot age.

Manually configured MAC address entries take precedence over dynamically generated entries. Static and static blackhole MAC address entries can overwrite dynamic MAC address entries, but cannot be overwritten by dynamic MAC address entries.

Example

# Enable a device to forward packets destined for MAC address 1-1-1 through outbound interface GE0/1/1.1 with qinq encapsulation in bridge domain 10.
<HUAWEI> system-view
[~HUAWEI] bridge-domain 10
[*HUAWEI-bd10] quit
[*HUAWEI] interface GigabitEthernet 0/1/1.1 mode l2
[*HUAWEI-GigabitEthernet 0/1/1.1] bridge-domain 10
[*HUAWEI-GigabitEthernet 0/1/1.1] encapsulation qinq vid 10 ce-vid 100
[*HUAWEI-GigabitEthernet 0/1/1.1] quit
[*HUAWEI] mac-address static 1-1-1 GigabitEthernet 0/1/1.1 bridge-domain 10 vid 10 ce-vid 100
# Add a blackhole entry with MAC address 00e0-fc12-3456 to a bridge domain of ID 10. When packets with destination MAC address 00e0-fc12-3456 belonging to the bridge domain 10 arrive, the packets are discarded.
<HUAWEI> system-view
[~HUAWEI] bridge-domain 10
[*HUAWEI-bd10] quit
[*HUAWEI] mac-address blackhole 00e0-fc12-3456 bridge-domain 10
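The following is an added model, not Huawei code, of how the static and blackhole entries created by this command behave in a bridge-domain MAC table: the H-H-H padding rule from the Parameters section, the precedence rules from Precautions (dynamic learning cannot overwrite static or blackhole entries, and only dynamic entries age), and the Usage Scenario's spoofing case, in which a frame carrying an authorized user's source MAC arrives on a different interface. Interface names, the 2-2-2 and 3-3-3 addresses and the GE0/1/2.1 and GE0/1/3.1 interfaces are assumed for illustration; 1-1-1 and 00e0-fc12-3456 come from the page's examples.

```python
# Added model (not Huawei code) of a bridge-domain MAC table; interfaces and extra MACs are assumed.
from typing import Dict, Optional, Tuple

STATIC, BLACKHOLE, DYNAMIC = "static", "blackhole", "dynamic"

def normalize_mac(mac: str) -> str:
    """Pad each H of an H-H-H address to 4 hex digits, e.g. 1-1-1 -> 0001-0001-0001."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or not all(1 <= len(p) <= 4 and all(c in "0123456789abcdef" for c in p) for p in parts):
        raise ValueError(f"bad MAC format: {mac}")
    return "-".join(p.zfill(4) for p in parts)

class BridgeDomain:
    def __init__(self) -> None:
        self.table: Dict[str, Tuple[str, Optional[str]]] = {}  # mac -> (kind, outbound interface or None)

    def add_static(self, mac: str, interface: str) -> None:
        self.table[normalize_mac(mac)] = (STATIC, interface)  # replaces any dynamic entry for this MAC

    def add_blackhole(self, mac: str) -> None:
        self.table[normalize_mac(mac)] = (BLACKHOLE, None)  # replaces any dynamic entry for this MAC

    def learn(self, src_mac: str, interface: str) -> bool:
        """Dynamic learning; refused when a static or blackhole entry already exists for the MAC."""
        key = normalize_mac(src_mac)
        if key in self.table and self.table[key][0] != DYNAMIC:
            return False
        self.table[key] = (DYNAMIC, interface)
        return True

    def age_out(self) -> None:
        """Only dynamic entries age; static and blackhole entries are kept."""
        self.table = {m: e for m, e in self.table.items() if e[0] != DYNAMIC}

    def forward(self, src_mac: str, dst_mac: str, in_interface: str) -> str:
        """Learn the source MAC, then return 'discard', 'flood' or the outbound interface."""
        self.learn(src_mac, in_interface)
        entry = self.table.get(normalize_mac(dst_mac))
        if entry is None:
            return "flood"
        return "discard" if entry[0] == BLACKHOLE else entry[1]

def spoof_scenario(protected: bool) -> str:
    """Outbound interface for a frame to user 1-1-1 after a frame spoofing 1-1-1 arrived on GE0/1/2.1."""
    bd = BridgeDomain()
    if protected:
        bd.add_static("1-1-1", "GE0/1/1.1")   # as in: mac-address static 1-1-1 ... bridge-domain 10
    bd.forward("1-1-1", "2-2-2", "GE0/1/1.1")  # authorized user first seen on GE0/1/1.1
    bd.forward("1-1-1", "2-2-2", "GE0/1/2.1")  # same source MAC now seen on another interface
    return bd.forward("3-3-3", "1-1-1", "GE0/1/3.1")
```

Without the static entry the table ends up pointing 1-1-1 at GE0/1/2.1; with it, traffic for 1-1-1 keeps leaving through GE0/1/1.1 and the spoofed learning attempt is refused.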
Copyright © Huawei Technologies Co., Ltd.