Manually configure mac address table entries, Types of mac address table entries, Mac address table-based frame forwarding – H3C Technologies H3C S12500 Series Switches User Manual
Manually configure MAC address table entries
With dynamic MAC address learning, a switch does not distinguish illegitimate frames from legitimate
frames, which creates a security hazard. For example, if an attacker sends frames with a forged source MAC
address to a port other than the one where the real MAC address is connected, the switch creates a
dynamic entry for the forged MAC address on the attacker's port and then forwards frames destined for the
legitimate user to the attacker instead.
To enhance the security of a port, you can manually add MAC address entries to the MAC address table
of the switch to bind specific user devices to the port. Because manually configured entries take priority
over dynamically learned ones, dynamic learning cannot overwrite the binding, and this prevents attackers
from stealing data using forged MAC addresses.
Types of MAC address table entries
A MAC address table can contain these types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Blackhole entries—Manually configured and never age out. Blackhole entries include source
blackhole MAC address entries and destination blackhole MAC address entries. They are configured for
filtering out frames with specific source or destination MAC addresses. For example, to block all
packets destined for a specific user for security reasons, you can configure the MAC address of
this user as a destination blackhole MAC address entry.
• Multiport unicast entries—Manually added for forwarding frames with a specific destination MAC
address out of multiple ports, and never age out.
NOTE:
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC
address entry, but not vice versa.
MAC address table-based frame forwarding
When forwarding a frame, the switch adopts the following two forwarding modes based on the MAC
address table:
• Unicast mode—If an entry is available for the destination MAC address, the switch forwards the
frame directly from the hardware out of the port (or ports) recorded in the entry.
• Broadcast mode—If the switch receives a frame with an all-ones destination address, or no entry is
available for the destination MAC address, the switch broadcasts the frame to all the interfaces
except the receiving interface.
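The entry types, the overwrite rule in the note, and the two forwarding modes above can be modelled in a few lines. The following is an added illustration, not H3C code or the switch's actual implementation; the MAC addresses, port numbers, the entry kind names and the DROP sentinel are constructed for the example. It shows that a forged source address can move a dynamic entry between ports but cannot displace a static binding.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
DROP = "drop"  # constructed sentinel: frame filtered by a blackhole entry
KINDS = {"static", "dynamic", "blackhole-src", "blackhole-dst", "multiport"}


@dataclass
class Entry:
    kind: str           # one of KINDS (names are constructed for this model)
    ports: frozenset    # egress ports; empty for blackhole entries


class MacTable:
    """Toy model of a MAC address table with the priority rules of the manual."""

    def __init__(self, port_count):
        self.ports = frozenset(range(1, port_count + 1))
        self.entries = {}

    def add(self, mac, kind, *ports):
        # Manually configured entries (static, blackhole, multiport) replace
        # any existing entry for the address, including a dynamic one.
        assert kind in KINDS
        self.entries[mac] = Entry(kind, frozenset(ports))

    def learn(self, mac, port):
        # Dynamic learning may create or refresh a dynamic entry only; it
        # never overwrites a static, blackhole or multiport entry.
        cur = self.entries.get(mac)
        if cur is None or cur.kind == "dynamic":
            self.entries[mac] = Entry("dynamic", frozenset({port}))

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for a frame, or DROP."""
        s = self.entries.get(src)
        if s is not None and s.kind == "blackhole-src":
            return DROP                      # source blackhole: filtered
        self.learn(src, in_port)
        d = self.entries.get(dst)
        if d is not None and d.kind == "blackhole-dst":
            return DROP                      # destination blackhole: filtered
        if dst == BROADCAST or d is None:
            return self.ports - {in_port}    # broadcast mode: flood
        return d.ports - {in_port}           # unicast mode (one or many ports)


if __name__ == "__main__":
    t = MacTable(4)
    t.add("00:00:00:00:00:01", "static", 1)          # bind user to port 1
    t.forward("00:00:00:00:00:01", BROADCAST, 3)     # forged source on port 3
    print(t.entries["00:00:00:00:00:01"])            # still static on port 1
```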
Configuring static, dynamic, and blackhole MAC address table entries
Usually, a switch can populate its MAC address table automatically by learning the source MAC
addresses of incoming frames.