Configuring Parameters for Dynamic MAC Address Entries

Aging time of dynamic MAC address entries

Dynamic MAC address entries are automatically generated on a device. They are not always valid. The system starts an aging timer for each MAC address entry. If a MAC address entry is not updated until its double aging time expires, the MAC address entry is deleted. If the MAC address entry is updated before the double aging time expires, the aging time will be recalculated. The shorter the aging time is, the more sensitive a device is to network changes.

As network topologies change constantly, a device learns more and more MAC addresses. To avoid the explosive growth of MAC address entries, set a proper aging time for dynamic MAC address entries to have invalid MAC address entries deleted regularly.

MAC address learning limit rule

As shown in Figure 1, networks with poor security management, such as community networks, are vulnerable to hackers' MAC address attacks. The capacity of a MAC address table is limited. When hackers forge a large number of packets with different source MAC addresses and send the packets to a device, the MAC address table of the device may be filled to its full capacity. After the MAC address table of the device is filled up, the device cannot learn the source MAC addresses of valid packets it receives.

After a MAC address learning limit rule is configured, the number of access users can be controlled. When the number of learned MAC address entries reaches the maximum number allowed by the system, the system cannot learn any additional MAC addresses. The packet discarding and alarm functions can be configured to prevent MAC address attacks and improve network security.

Figure 1 Networking for configuring a MAC address learning limit rule