Mac Address Features Supported By The S7700 - Huawei Quidway S7700 Configuration Manual - Ethernet

Quidway S7700 Smart Routing Switch
Configuration Guide - Ethernet
l
l

7.2 MAC Address Features Supported by the S7700

This section describes the MAC address features supported by the S7700 and provides usage
scenarios of the features to help you complete configuration tasks quickly and accurately.
You can configure the following MAC address features to improve device security and control
the number of entries in the MAC address table:
l
l
l
You can use the following methods to improve security or meet special requirements:
l
l
l
l
l
l
l
l
Issue 01 (2011-07-15)
Unicast mode: If the destination MAC address of a packet can be found in the MAC address
table, the S7700 forwards the packet through the outbound interface specified in the
matching entry.
Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC
address cannot be found in the MAC address table, the S7700 broadcasts the packet to all
the interfaces except the inbound interface of the packet.
Create static MAC address entries for MAC addresses of fixed upstream devices or trusted
user devices to improve communication security.
Configure blackhole MAC address entries to protect the S7700 from attacks.
Set a proper aging time for dynamic MAC addresses to prevent sharp increase of dynamic
MAC address entries.
Disable MAC address learning. This method can be used on a network where the topology
seldom changes or forwarding paths are specified in static MAC address entries. This
method prevents users with unknown MAC addresses from accessing the network, protects
the network from MAC address attacks, and improves network security.
Limit the number of MAC addresses that can be learned. This method can be used on an
insecure network to prevent untrusted users from connecting to the network.
Enable port security. If a network requires high security, port security can be configured
on the interfaces connected to trusted devices. The port security function prevents devices
with untrusted MAC addresses from accessing these interfaces and improves device
security.
Configure MAC address anti-flapping. If an interface is connected to a trusted upstream
device or server, you can set a high MAC address learning priority for the interface. The
MAC address learned by the interface will not be overridden by an entry learned by another
interface. This protects the S7700 from MAC address attacks.
Configure MAC address flapping detection. This function reduces impact of loops on the
S7700.
Discard packets with an all-0 MAC address. A faulty device may send packets with an all-0
source or destination MAC address to the S7700. You can configure the S7700 to discard
such packets and send a trap to the network management system (NMS). You can locate
the faulty device according to the trap message.
Enable MAC address triggered ARP entry update. This function enables the S7700 to
update the corresponding ARP entry when the outbound interface in a MAC address entry
changes.
Enable port bridge. This function enables an interface to process packets in which the source
and destination MAC addresses are the same. It can be configured on an S7700 connected
to a device without Layer 2 forwarding capability or an S7700 functioning as an access
device in a data center.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MAC Address Table Configuration
345