
Manually configuring mac address entries, Types of mac address table entries, Mac address table-based frame forwarding – H3C Technologies H3C SecPath F1000-E User Manual

Page 187


Manually configuring MAC address entries

With dynamic MAC address learning, a device cannot distinguish illegitimate frames from legitimate ones.
This creates a security hazard. For example, if an attacker sends frames with a forged source MAC address
to a port other than the one to which the real MAC address is connected, the device creates an
entry for the forged MAC address and forwards frames destined for the legitimate user to the attacker instead.

To enhance the security of a port, you can manually add MAC address entries to the MAC address
table of the device to bind specific user devices to the port. Because manually configured entries have
higher priority than dynamically learned ones, this prevents attackers from intercepting data using
forged MAC addresses.

Types of MAC Address Table Entries

A MAC address table may contain these types of entries:

Static entries, which are manually configured and never age out.

Dynamic entries, which can be manually configured or dynamically learned and may age out.

Blackhole entries, which are manually configured and never age out. Blackhole entries are
configured to filter out frames with specific source or destination MAC addresses. For example,
to block all packets destined for a specific user for security reasons, you can configure the MAC
address of this user as a blackhole destination MAC address entry.

NOTE:

Dynamically learned MAC addresses cannot overwrite static or blackhole MAC address entries, but the
latter can overwrite the former.

MAC Address Table-Based Frame Forwarding

When forwarding a frame, the device uses one of the following two forwarding modes based on the MAC
address table:

Unicast mode: If an entry matching the destination MAC address exists, the device forwards the
frame directly out of the port recorded in the entry.

Broadcast mode: If the device receives a frame whose destination address is all Fs, or no
entry matches the destination MAC address, the device broadcasts the frame to all ports
except the receiving port.
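The entry priorities from the sections above (dynamic learning never overwrites a static or blackhole entry) and the two forwarding modes, modelled as an added example in Python; this is not code from the manual or from the F1000-E, and the `MacTable` class, port names and MAC addresses are constructed for illustration. `spoofing_scenario` replays the forged-source-MAC case from the first section with and without a static binding.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Entry:
    kind: str         # "static", "dynamic" or "blackhole"
    port: str = ""    # empty for blackhole entries

class MacTable:
    """Toy model of the entry types, their priorities and the two forwarding modes."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}

    def add_static(self, mac, port):
        self.table[mac] = Entry("static", port)    # manual entry: replaces a dynamic one

    def add_blackhole(self, mac):
        self.table[mac] = Entry("blackhole")       # manual entry: replaces a dynamic one

    def learn(self, mac, port):
        """Dynamic learning; returns False if a static/blackhole entry blocks it."""
        cur = self.table.get(mac)
        if cur is not None and cur.kind != "dynamic":
            return False
        self.table[mac] = Entry("dynamic", port)
        return True

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for a frame ([] means dropped)."""
        self.learn(src, in_port)
        for mac in (src, dst):                     # blackhole source/destination filter
            e = self.table.get(mac)
            if e is not None and e.kind == "blackhole":
                return []
        e = self.table.get(dst)
        if dst == BROADCAST or e is None:          # broadcast mode: flood, skip ingress
            return [p for p in self.ports if p != in_port]
        return [e.port]                            # unicast mode

def spoofing_scenario():
    """Constructed case: the user is on p1, an attacker on p3 forges the user's MAC."""
    user, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    unprotected, protected = MacTable(["p1", "p2", "p3"]), MacTable(["p1", "p2", "p3"])
    protected.add_static(user, "p1")               # manual binding of the user to p1
    for t in (unprotected, protected):
        t.forward(user, BROADCAST, "p1")           # legitimate frame learns p1
        t.forward(user, BROADCAST, "p3")           # forged source MAC arrives on p3
    # Frames for the user now go to p3 without the binding, but stay on p1 with it.
    return unprotected.forward(other, user, "p2"), protected.forward(other, user, "p2")
```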
