(Optional) Configuring Static MAC Address Entries and MAC Address Limiting

Static MAC address entries can be configured for traffic forwarding, and MAC address limiting can be configured to improve VXLAN security.

Context

After the source NVE on a VXLAN tunnel receives broadcast, unknown unicast, and multicast (BUM) packets, the local VTEP sends a copy of the BUM packets to every VTEP in the ingress replication list. Configuring static MAC address entries helps reduce broadcast traffic and prevent unauthorized data access from bogus users.

The maximum number of MAC addresses that a device can learn can be configured to limit the number of access users and to protect the MAC address table against attacks. Once the device has learned the maximum number of MAC addresses allowed, no more addresses are learned. The device can also be configured to discard packets after learning the maximum allowed number of MAC addresses, which further improves network security.

If a Layer 3 VXLAN gateway does not need to learn the MAC addresses of packets in a BD, MAC address learning can be disabled in that BD to conserve MAC address entry resources. MAC address learning can also be disabled once the VXLAN network topology is stable and MAC address entry learning is complete.

Configuring static MAC address entries and MAC address limiting applies to Layer 2 VXLAN gateways; disabling MAC address learning applies to both Layer 2 and Layer 3 VXLAN gateways.

Procedure

  • Configure a static MAC address entry.

    1. Run system-view

      The system view is displayed.

    2. Run mac-address static mac-address bridge-domain bd-id source source-ip-address peer peer-ip vni vni-id

      A static MAC address entry is configured.

    3. Run commit

      The configuration is committed.

  • Configure MAC address limiting.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-limit { action { discard | forward } | maximum max [ rate interval ] } *

      MAC address limiting is configured.

    4. (Optional) Run mac-limit up-threshold up-threshold down-threshold down-threshold

      The upper and lower threshold percentages (relative to the configured maximum) at which a MAC address limit alarm is generated and cleared are configured.

    5. Run commit

      The configuration is committed.

  • Disable MAC address learning.

    1. Run system-view

      The system view is displayed.

    2. Run bridge-domain bd-id

      The BD view is displayed.

    3. Run mac-address learning disable

      MAC address learning is disabled.

    4. Run commit

      The configuration is committed.
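The following worked configuration is an added example, not part of the original page, that applies the three procedures above on one device: BD 10 (VNI 5010) receives a static entry for MAC address 00e0-fc12-3456 behind remote VTEP 10.2.2.2 as seen from local VTEP 10.1.1.1, a limit of 100 learned MAC addresses with excess packets discarded, and alarm thresholds of 80%/70%; BD 20, served by a Layer 3 gateway that does not need MAC entries, has learning disabled. All addresses, IDs and the MAC are constructed values; it assumes BD 10, BD 20, their VNIs and the NVE interface already exist, and the display commands and the # annotation lines are assumptions not taken from this page.

```text
# --- Static MAC entry: forward frames for this host directly to peer VTEP, no BUM flooding
<HUAWEI> system-view
[~HUAWEI] mac-address static 00e0-fc12-3456 bridge-domain 10 source 10.1.1.1 peer 10.2.2.2 vni 5010
[*HUAWEI] commit

# --- MAC limiting in BD 10: at most 100 learned addresses, drop frames from further new sources,
# --- raise an alarm at 80 addresses (80%) and clear it when the count falls to 70 (70%)
[~HUAWEI] bridge-domain 10
[~HUAWEI-bd10] mac-limit maximum 100 action discard
[*HUAWEI-bd10] mac-limit up-threshold 80 down-threshold 70
[*HUAWEI-bd10] commit
[~HUAWEI-bd10] quit

# --- BD 20 is only reached through the Layer 3 gateway: stop learning to save table resources
[~HUAWEI] bridge-domain 20
[~HUAWEI-bd20] mac-address learning disable
[*HUAWEI-bd20] commit
[~HUAWEI-bd20] quit

# --- Verification (assumed display commands): the static entry should be listed for BD 10,
# --- and the limit settings for BD 10 should show maximum 100 / action discard
[~HUAWEI] display mac-address static
[~HUAWEI] display mac-limit bridge-domain 10
```

The `[*…]` prompt marks uncommitted changes on two-stage-commit devices; nothing takes effect until commit is run, so forgetting it leaves the BD without the limit.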

Copyright © Huawei Technologies Co., Ltd.