mac-address vsi

Function

The mac-address static command configures static MAC address entries for a VLAN to direct data forwarding.

The undo mac-address command deletes static MAC address entries for a VLAN.

The mac-address blackhole command configures a static blackhole MAC address entry.

The undo mac-address blackhole command deletes a static blackhole MAC address entry.

By default, no static MAC address entry for a VLAN and no blackhole MAC address entry is configured for the system.

Format

mac-address static mac-address { interface-type interface-number | interface-name } { { vsi vsi-name [ pe-vid pe-vid [ ce-vid { ce-vid | any } ] ] } | { interface-type interface-number | interface-name } vsi vsi-name }

mac-address blackhole mac-address vsi vsi-name

mac-address blackhole mac-address vsi vsi-name vlan vlan-id

mac-address static mac-address { interface-type interface-number | interface-name } vsi vsi-name vlan vlan-id

mac-address static mac-address peer ip-address [ pw-id pw-id ] vsi vsi-name [ vlan vlan-id ]

undo mac-address [ static ] vsi vsi-name

undo mac-address mac-address vsi vsi-name

undo mac-address blackhole [ mac-address ] vsi vsi-name

undo mac-address static mac-address { interface-type interface-number | interface-name } { { vsi vsi-name [ pe-vid pe-vid [ ce-vid { ce-vid | any } ] ] } | { interface-type interface-number | interface-name } vsi vsi-name }

undo mac-address blackhole [ mac-address ] vsi vsi-name vlan vlan-id

undo mac-address [ static [ mac-address { interface-type interface-number | interface-name } ] | mac-address ] vsi vsi-name vlan vlan-id

undo mac-address static mac-address peer ip-address [ pw-id pw-id ] vsi vsi-name [ vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies a destination MAC address. | The value is a 12-digit hexadecimal number, in the format of H-H-H. Each H is 4 digits. If an H contains fewer than 4 digits, the left-most digits are padded with zeros. For example, e0 is displayed as 00e0. A MAC address cannot be FFFF-FFFF-FFFF or a broadcast MAC. |
| interface-type | Specifies the type of a VLANIF interface. | - |
| interface-type | Specifies the interface type. | - |
| interface-number | Specifies the number of a VLANIF interface. | - |
| interface-number | Specifies the interface number. | - |
| interface-name | Specifies the name of a VLANIF interface. | - |
| interface-name | Specifies the interface name. | - |
| vsi vsi-name | Specifies static MAC address entries of a Virtual Switching Instance (VSI). | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| pe-vid pe-vid | Specifies the outer VLAN tag. | The value is a decimal integer ranging from 1 to 4094. |
| ce-vid ce-vid | Specifies an inner VLAN tag. If pe-vid pe-vid or ce-vid ce-vid is configured, the interface must be a sub-interface that is bound to the VSI and configured with QinQ termination. | The value is a decimal integer ranging from 1 to 4094. |
| any | Specifies any VLAN. | - |
| vlan vlan-id | Specifies a VLAN ID. | The value is a decimal integer ranging from 1 to 4094. |
| static | Specifies the static MAC address entries. | - |
| peer ip-address | Specifies an IP address for a remote VTEP. | The value is in dotted decimal notation. |
| pw-id pw-id | Specifies the PW ID of the device on the other end of the PW that corresponds to the static MAC address. Virtual Private LAN Service (VPLS) is a point-to-multipoint L2VPN technology. A VPLS network consists of multiple VSIs connecting PEs. VSIs can map the physical links on a VPLS network to PWs. To correctly delete the MAC addresses learned on a VPLS network, you need to specify peer ip-address and pw-id pw-id. | The value is a decimal integer ranging from 1 to 4294967295. |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
| --- | --- |
| mac | write |

Usage Guidelines

Usage Scenario

  • MAC address table capacity attack

    The attack source sends packets with different source MAC addresses to a network device. After receiving these packets, the network device learns the source MAC addresses. Since the capacity of a MAC address table is limited, when the number of the MAC addresses in the MAC address table reaches the limit, the source MAC addresses of valid packets cannot be learned. These packets sent from the attack source are also broadcast in the VLAN, consuming lots of bandwidth on the network. This may also affect the hosts attached to the network device.
  • MAC address entry attack

    When a device learns source MAC addresses and creates a MAC address table, the system cannot identify whether the packets are from authorized users or hackers. This brings security threats. If hackers send attack packets with forged source MAC addresses and access a device through other interfaces, the device will learn incorrect MAC address entries. As a result, the packets that should be forwarded to authorized users are forwarded to hackers.

    To improve interface security, a network administrator can run the mac-address static command to add specific MAC address entries to the MAC address table. User devices are bound to interfaces to prevent unauthorized users from obtaining data.

Configuration Impact

After static MAC address entries are configured, when receiving a frame with a specific MAC address, a device directly forwards the frame through the corresponding outbound interface. Static MAC address entries will not be aged and they will not be lost after the system resets or the interface board is hot-swapped.

Precautions

Manually configured MAC address entries take precedence over automatically generated entries. Static and static blackhole MAC address entries that are configured by users will not be overwritten by dynamic MAC address entries. Dynamic MAC address entries, however, can be overwritten by static and blackhole MAC address entries.

The network administrator must be familiar with the MAC addresses of the network devices that need to use static MAC address entries for communication; otherwise, the configuration will interrupt authorized users' communication.

Example

# Configure a static MAC address entry based on a specified interface and VLAN.
<HUAWEI> system-view
[~HUAWEI] vlan 40
[*HUAWEI-vlan40] quit
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] portswitch
[*HUAWEI-GigabitEthernet0/1/1] port trunk allow-pass vlan 40
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] mac-address static 1-1-1 GigabitEthernet 0/1/1 vlan 40

# Configure a static MAC address entry with the outbound interface belonging to a specified VLAN.
<HUAWEI> system-view
[~HUAWEI] vlan 10
[*HUAWEI-vlan10] quit
[*HUAWEI] vlan 20
[*HUAWEI-vlan20] quit
[*HUAWEI] interface GigabitEthernet 0/1/3
[*HUAWEI-GigabitEthernet0/1/3] portswitch
[*HUAWEI-GigabitEthernet0/1/3] port default vlan 10
[*HUAWEI-GigabitEthernet0/1/3] quit
[*HUAWEI] interface GigabitEthernet 0/1/1
[*HUAWEI-GigabitEthernet0/1/1] portswitch
[*HUAWEI-GigabitEthernet0/1/1] port trunk allow-pass vlan 20
[*HUAWEI-GigabitEthernet0/1/1] quit
[*HUAWEI] mac-address static 00e0-fc12-3457 GigabitEthernet 0/1/3 vlan 10
[*HUAWEI] mac-address static 00e0-fc12-3456 GigabitEthernet 0/1/1 vlan 20
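
Added example (not part of the Huawei documentation): a pre-change check that applies the value rules from the Parameters section (H-H-H padding, FFFF-FFFF-FFFF rejected, vsi-name length and quoting, VLAN range) to a planned list of static and blackhole entries and renders them in forms listed under Format. The inventory layout, the VSI name vsi1 and the rule that a MAC planned twice in one VSI/VLAN is an error are assumptions of this sketch.

```python
import re

def normalize_mac(text):
    """Pad each group of an H-H-H MAC to 4 hex digits; reject bad or broadcast values."""
    groups = text.strip().lower().split("-")
    if len(groups) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    mac = "-".join(g.zfill(4) for g in groups)
    if mac == "ffff-ffff-ffff":
        raise ValueError("FFFF-FFFF-FFFF cannot be configured")
    return mac

def render(entry):
    """Validate one planned entry and render it in a form listed under Format."""
    if entry["kind"] not in ("static", "blackhole"):
        raise ValueError(f"unknown kind: {entry['kind']!r}")
    mac, vsi, vlan = normalize_mac(entry["mac"]), entry["vsi"], entry.get("vlan")
    if not 1 <= len(vsi) <= 31:
        raise ValueError(f"vsi-name must be 1 to 31 characters: {vsi!r}")
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError(f"vlan-id out of range 1-4094: {vlan}")
    if " " in vsi:
        vsi = f'"{vsi}"'  # spaces are allowed only inside double quotation marks
    suffix = f"vsi {vsi}" + (f" vlan {vlan}" if vlan is not None else "")
    if entry["kind"] == "blackhole":
        return mac, f"mac-address blackhole {mac} {suffix}"
    return mac, f"mac-address static {mac} {entry['interface']} {suffix}"

def plan(entries):
    """Return (commands, errors); a MAC planned twice in one VSI/VLAN is an error."""
    commands, errors, seen = [], [], set()
    for n, entry in enumerate(entries, 1):
        try:
            mac, cmd = render(entry)
            key = (mac, entry["vsi"], entry.get("vlan"))
            if key in seen:
                raise ValueError(f"{mac} is already planned for this VSI/VLAN")
            seen.add(key)
            commands.append(cmd)
        except (ValueError, KeyError) as exc:
            errors.append(f"entry {n}: {exc}")
    return commands, errors

# Constructed sample inventory (not from the page); "vsi1" is a made-up VSI name.
SAMPLE = [
    {"kind": "static", "mac": "e0-fc12-3456", "interface": "GigabitEthernet 0/1/1", "vsi": "vsi1", "vlan": 20},
    {"kind": "blackhole", "mac": "00E0-FC12-3458", "vsi": "vsi1"},
    {"kind": "static", "mac": "00e0-fc12-3456", "interface": "GigabitEthernet 0/1/3", "vsi": "vsi1", "vlan": 20},
    {"kind": "blackhole", "mac": "FFFF-FFFF-FFFF", "vsi": "vsi1"},
]
```

Calling plan(SAMPLE) returns two command lines and two errors: the third entry binds an already planned MAC to a second interface, and the fourth is the broadcast address.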
Copyright © Huawei Technologies Co., Ltd.