mac-address vlan (System view)

Function

The mac-address blackhole command configures a static blackhole MAC address entry.

The undo mac-address blackhole command deletes a static blackhole MAC address entry.

The mac-address static vlan command configures static MAC address entries for a VLAN to direct data forwarding.

The undo mac-address command deletes static MAC address entries for a VLAN.

By default, no static blackhole MAC address entry and no static MAC address entry for a VLAN are configured for the system.

Format

mac-address blackhole mac-address vlan vlan-id

mac-address static mac-address { interface-type interface-number | interface-name } { vlan vlan-id } [ ce-vlan ce-vlan-id | ce-default ]

undo mac-address mac-address vlan vlan-id

undo mac-address { { interface-type interface-number | interface-name } vlan vlan-id | vlan vlan-id [ interface-type interface-number | interface-name ] }

undo mac-address blackhole [ mac-address ] vlan vlan-id

undo mac-address static { { mac-address { interface-type interface-number | interface-name } vlan vlan-id } | { { interface-type interface-number | interface-name } vlan vlan-id | vlan vlan-id [ interface-type interface-number | interface-name ] } }

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies a destination MAC address. | The value is in the format of H-H-H. Each H is a 4-digit hexadecimal number, such as 00e0 or fc01. If an H contains fewer than four digits, it is left-padded with 0s. For example, if an H is e0, it is equal to 00e0. A MAC address cannot be FFFF-FFFF-FFFF. |
| vlan vlan-id | Specifies a VLAN to which the outbound interface belongs. | The value is an integer ranging from 1 to 4094. |
| static | Specifies the static MAC address entries. | - |
| interface-type | Specifies the interface type. | - |
| interface-number | Specifies the interface number. | - |
| interface-name | Specifies the interface name. | - |
| ce-vlan ce-vlan-id | Specifies the VLAN ID received during the configuration of VLAN mapping. | The value is an integer ranging from 1 to 4094. |
| ce-default | Specifies that the static MAC address entry is created based on ce-default-vlan. | - |
| blackhole | Specifies a blackhole MAC address entry. | - |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| mac | write |

Usage Guidelines

Usage Scenario

  • MAC address table capacity attack

    The attack source sends packets with different source MAC addresses to a network device, which learns each source MAC address it receives. Because the capacity of a MAC address table is limited, once the number of entries reaches the limit, the source MAC addresses of valid packets can no longer be learned. The packets sent from the attack source are also broadcast in the VLAN, consuming a large amount of network bandwidth. This may also affect the hosts attached to the network device.
  • MAC address entry attack

    When a device learns source MAC addresses and creates a MAC address table, the system cannot identify whether the packets are from authorized users or hackers. This poses a security threat. If hackers send attack packets with forged source MAC addresses and access a device through other interfaces, the device learns incorrect MAC address entries. As a result, packets that should be forwarded to authorized users are forwarded to hackers.

    To improve interface security, a network administrator can run the mac-address static command to add specific MAC address entries to the MAC address table. User devices are bound to interfaces to prevent unauthorized users from obtaining data.

Configuration Impact

After static MAC address entries are configured, when receiving a frame with a specific MAC address, a device directly forwards the frame through the corresponding outbound interface. Static MAC address entries will not be aged and they will not be lost after the system resets or the interface board is hot-swapped.

Precautions

Manually configured MAC address entries take precedence over automatically generated entries. Static and static blackhole MAC address entries that are configured by users will not be overwritten by dynamic MAC address entries. Dynamic MAC address entries, however, can be overwritten by static and blackhole MAC address entries.

The network administrator must be familiar with the MAC addresses of the network devices that need to use static MAC address entries for communication; otherwise, the configuration will interrupt authorized users' communication.

Example

# Configure a static MAC address entry based on a specified interface and VLAN.
<HUAWEI> system-view
[~HUAWEI] vlan 40
[*HUAWEI-vlan40] quit
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] portswitch
[*HUAWEI-GigabitEthernet0/1/1] port link-type trunk
[*HUAWEI-GigabitEthernet0/1/1] port trunk allow-pass vlan 40
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] mac-address static 1-1-1 GigabitEthernet 0/1/1 vlan 40

# Configure a static MAC address entry with the outbound interface belonging to a specified VLAN.
<HUAWEI> system-view
[~HUAWEI] vlan 10
[*HUAWEI-vlan10] quit
[*HUAWEI] vlan 20
[*HUAWEI-vlan20] quit
[*HUAWEI] interface GigabitEthernet 0/1/3
[*HUAWEI-GigabitEthernet0/1/3] portswitch
[*HUAWEI-GigabitEthernet0/1/3] port default vlan 10
[*HUAWEI-GigabitEthernet0/1/3] quit
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] portswitch
[*HUAWEI-GigabitEthernet0/1/1] port link-type trunk
[*HUAWEI-GigabitEthernet0/1/1] port trunk allow-pass vlan 20
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] mac-address static 00e0-fc12-3457 GigabitEthernet 0/1/3 vlan 10
[*HUAWEI] mac-address static 00e0-fc12-3456 GigabitEthernet 0/1/1 vlan 20
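
The parameter rules on this page (H-H-H groups padded to four hex digits, FFFF-FFFF-FFFF not allowed, VLAN IDs from 1 to 4094) can be checked before a list of bindings is turned into mac-address static commands. The following Python is an added example, not Huawei code: the function names, the inventory layout, the acceptance of colon-separated MAC notation and the check that one MAC in one VLAN is listed on only one interface are assumptions made here.

```python
import re

def normalize_mac(text):
    """Return H-H-H with each group left-padded to 4 hex digits (e0 -> 00e0)."""
    text = text.strip().lower()
    if re.fullmatch(r"[0-9a-f]{1,4}(-[0-9a-f]{1,4}){2}", text):
        groups = [g.zfill(4) for g in text.split("-")]
    elif re.fullmatch(r"[0-9a-f]{2}([:-][0-9a-f]{2}){5}", text):
        # Assumption: the inventory may also hold aa:bb:cc:dd:ee:ff notation.
        digits = re.sub(r"[:-]", "", text)
        groups = [digits[i:i + 4] for i in (0, 4, 8)]
    else:
        raise ValueError(f"{text!r}: not a MAC address")
    mac = "-".join(groups)
    if mac == "ffff-ffff-ffff":
        raise ValueError(f"{mac}: FFFF-FFFF-FFFF is not allowed")
    return mac

def check_vlan(vlan_id):
    if type(vlan_id) is not int or not 1 <= vlan_id <= 4094:
        raise ValueError(f"vlan {vlan_id!r}: must be an integer from 1 to 4094")
    return vlan_id

def render_static_entries(bindings):
    """Turn (mac, interface, vlan) rows into commands; return (commands, errors)."""
    commands, errors, seen = [], [], {}
    for mac, interface, vlan_id in bindings:
        try:
            key = (normalize_mac(mac), check_vlan(vlan_id))
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if seen.setdefault(key, interface) != interface:
            errors.append(f"{key[0]} vlan {key[1]}: already bound to {seen[key]}")
            continue
        commands.append(f"mac-address static {key[0]} {interface} vlan {key[1]}")
    return commands, errors

# Constructed inventory; the first two rows reuse values from the examples above.
INVENTORY = [
    ("00e0-fc12-3457", "GigabitEthernet 0/1/3", 10),
    ("00:E0:FC:12:34:56", "GigabitEthernet 0/1/1", 20),
    ("FFFF-FFFF-FFFF", "GigabitEthernet 0/1/1", 10),    # rejected: broadcast
    ("00e0-fc12-3457", "GigabitEthernet 0/1/1", 10),    # rejected: second port
    ("00e0-fc12-3458", "GigabitEthernet 0/1/3", 4095),  # rejected: VLAN range
]

if __name__ == "__main__":
    print(render_static_entries(INVENTORY))
```

Rows that fail a check are reported instead of being rendered, so a typo in the inventory does not become a static entry that interrupts an authorized user's traffic.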
Copyright © Huawei Technologies Co., Ltd.