Configuring Static MAC Address Entries
After a static MAC address entry is configured, packets with the destination MAC address matching the entry are forwarded from the specified outbound interface. This configuration protects a device from attack packets with forged MAC addresses.
Usage Scenario
If a network has fixed users or a server connects to a switch on the network, static MAC address entries need to be configured on the switch to prevent hackers from attacking the switch or the server. On the network shown in Figure 1, you can configure a static MAC address entry on the switch containing the MAC address of the server so that the switch forwards packets destined for the server through only a specified interface. This configuration prevents hackers from attacking the server using forged MAC addresses and from stealing information from the server, as well as ensures the communication between users and the server.
Pre-configuration Tasks
Before configuring a static MAC address entry, connect interfaces and set their physical parameters to ensure that the physical interface status is Up.
Procedure
- Run system-view
The system view is displayed.
- Use either or both of the following methods to add static MAC address entries.
- Run mac-address static mac-address interface-type interface-number vlan vlan-id
VLAN-based static MAC address entries are added.
- Run mac-address static mac-address interface-type interface-number vsi vsi-name [ pe-vid pe-vid [ ce-vid ce-vid ] ]
VSI-based static MAC address entries are added.
- Run mac-address static mac-address interface-type interface-number vlanif vlan-id vsi vsi-name
Static MAC address entries are configured for VSIs bound to the VLANIF interface.
Static MAC address entries take precedence over dynamic MAC address entries.
- Run mac-address static mac-address interface-type interface-number vlan vlan-id
- Run commit
The configuration is committed.
Verifying the Configuration
Run the following commands to check the previous configurations.
Run the display mac-address [ mac-address ] [ vlan vlan-id | vsi vsi-name ] [ verbose ] command to check detailed information about MAC address entries.
Run the display mac-address static [ vsi vsi-name | { vlan vlan-id | interface-type interface-number } * ] command to check static MAC address entries.