
Configuring the mac address table, Overview, How a mac address table entry is created – H3C Technologies H3C SecPath F1000-E User Manual


Configuring the MAC address table

NOTE:

The MAC address configuration is supported only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

This document covers only the management of static, dynamic and blackhole unicast MAC address
table entries. The management of multicast MAC address entries is not introduced here.

Overview

An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast. This table describes from which port a MAC address (or host) can be reached. When forwarding a frame, the device first looks up the MAC address of the frame in the MAC address table for a match. If an entry is found, the device forwards the frame out of the outgoing port in the entry. If no entry is found, the device broadcasts the frame out of all but the incoming port.

How a MAC address table entry is created

The entries in the MAC address table come from two sources: automatically learned by the firewall and manually added by the administrator.

MAC address learning

The firewall can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each port.

When a frame arrives at a port, Port A, for example, the firewall performs the following tasks:

1. Checks the source MAC address (MAC-SOURCE for example) of the frame.

2. Looks up the MAC address in the MAC address table.

   - If an entry is found, the firewall updates the entry.

   - If no entry is found, the firewall adds an entry for MAC-SOURCE and Port A.

3. After learning this source MAC address, when the firewall receives a frame destined for MAC-SOURCE, the firewall finds the MAC-SOURCE entry in the MAC address table and forwards the frame out Port A.

The firewall performs the learning process each time it receives a frame from an unknown source MAC address, until the MAC address table is fully populated.

Manually configuring MAC address entries

With dynamic MAC address learning, a network device does not distinguish between illegitimate frames and legitimate frames, which can invite security hazards. For example, if a hacker sends frames with a forged source MAC address to a port different from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address and forwards frames destined for the legal user to the hacker instead.
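The learning steps above and the forged-source-MAC scenario in this section, modelled as an added Python example (this is not H3C code and does not reproduce the SecPath's implementation). The port names and MAC addresses are constructed, and the model assumes that an administrator-configured static entry is never overwritten by dynamic learning.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    kind: str  # "dynamic" (learned) or "static" (configured by the administrator)


class MacTable:
    """Minimal model of a unicast MAC address table (example, not H3C code)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.entries = {}

    def add_static(self, mac, port):
        """Manually configured entry; assumed to take precedence over learning."""
        self.entries[mac] = Entry(port, "static")

    def learn(self, src_mac, in_port):
        """Steps 1 and 2: look up the source MAC; update if found, add if not.
        Returns True when the table changed."""
        existing = self.entries.get(src_mac)
        if existing is not None and existing.kind == "static":
            return False  # static entries are not rewritten by learning (assumption)
        self.entries[src_mac] = Entry(in_port, "dynamic")
        return True

    def forward(self, dst_mac, in_port):
        """Step 3 / Overview: unicast out the learned port, else flood all but ingress."""
        entry = self.entries.get(dst_mac)
        if entry is None:
            return self.ports - {in_port}
        return {entry.port}


def spoofing_scenario(use_static_entry):
    """Legitimate host on GE0/1; a frame with its MAC forged as source arrives on GE0/3.
    Returns the port(s) a frame for the legitimate host is then sent to."""
    table = MacTable(["GE0/1", "GE0/2", "GE0/3"])
    legit_mac = "00:00:00:00:00:0a"  # constructed address
    if use_static_entry:
        table.add_static(legit_mac, "GE0/1")
    table.learn(legit_mac, "GE0/1")  # legitimate host's own frame
    table.learn(legit_mac, "GE0/3")  # forged source MAC on another port
    return table.forward(legit_mac, "GE0/2")
```

With only dynamic learning the forged frame moves the entry to GE0/3; with a static entry the frame for the legitimate user still leaves GE0/1.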