Each switch maintains a MAC address table. The MAC table records learned MAC addresses, VLAN IDs, and outbound interfaces. To forward data, the switch searches the MAC table for the destination MAC address and VLAN ID carried in each packet to determine the outbound interface for that packet. Therefore, broadcast traffic is reduced. You can configure the following MAC address types and functions:
Dynamic entries are obtained when an interface learns the source MAC addresses of received packets. Dynamic entries can be aged.
Static MAC entries are manually configured and never age. For details, see Configuring a static user.
Blackhole MAC entries are used to discard data frames with the specified source or destination MAC addresses. Blackhole MAC entries are manually configured and never age. For details, see Configuring a blackhole MAC address entry.
ARP entry fixing can be configured to defend against ARP address spoofing attacks. For details, see Configuring ARP entry fixing.
Port security converts the MAC addresses learned on an interface into secure MAC addresses, so that only hosts with secure MAC addresses or static MAC addresses can communicate with the switch through that interface, improving switch security. For details, see Configuring port security.
Procedure
Configuring MAC/IP address security
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
You can enable MAC/IP address security to defend against bogus gateway attacks and attacks from ARP packets with invalid MAC addresses.
Querying MAC/IP address entries
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
Set Search item for querying MAC/IP address entries based on the MAC address, IP address, type, outbound interface, and VLAN ID.
Click Search. The search result is displayed.
Click Refresh. The queried entries are updated.
Configuring a static user
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
Click Create Static User. The Create Static User page is displayed.
Set parameters.
Click Confirm.
Creating a static secure MAC address
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
NOTE:
Before creating a static secure MAC address, enable port security by referring to Configuring port security.
After port security is enabled, a green shield identifier next to the interface is displayed.
Click Create Secure MAC. The Create Secure MAC page is displayed.
Set parameters.
Click Confirm.
Deleting MAC address entries
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
Select an entry and click Delete. The system asks you whether to delete the entry.
Click Confirm.
Configuring a blackhole MAC address entry
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
Select an entry and click Convert to Blackhole MAC. The system asks you whether to configure the entry as a blackhole MAC address entry.
Click Confirm.
Configuring ARP entry fixing
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC/IP Address tab. The MAC/IP Address tab page is displayed.
Select interfaces to be queried.
Select an entry and click Fixing. The system asks you whether to fix the MAC address entry.
Click Confirm.
Configuring port security
Choose Configuration > MAC Management in the navigation tree. The MAC Management page is displayed.
Click the MAC Security tab. The MAC Security tab page is displayed.
Select a port.
Table 1 describes parameters on the MAC Security tab page.
Table 1 Configuring port security
| Parameter | Description | Value |
| --- | --- | --- |
| Interface Name | - | - |
| Interface Security | If a network requires high access security, you can configure port security on specified ports. MAC addresses learned by these ports are changed to dynamic secure MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the ports do not learn new MAC addresses. This prevents devices with untrusted MAC addresses from connecting to these ports, improving security of the devices and the network. | The value can be Enable or Disable. |
| MAC Address Limit | Maximum number of MAC addresses that can be learned by a port. | The value ranges from 1 to 4096. |
| Sticky MAC | Sticky MAC addresses will not be aged out and will exist after the device restarts. | |
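
The entry types listed at the top of this page and the Interface Security and MAC Address Limit parameters in Table 1 can be seen working together in the following toy model. It is an added example, not code from the switch or its vendor. The class, method, and interface names are hypothetical, the MAC addresses are constructed samples, and it assumes that all ports are in one VLAN, that aging is not modeled, and that frames refused by port security are discarded.

```python
# Added example: toy model of the MAC table rules described on this page.
# Names are hypothetical; MACs are constructed (documentation range).
from dataclasses import dataclass, field

@dataclass
class Switch:
    ports: set                                        # interface names, all in one VLAN
    secure_limit: dict = field(default_factory=dict)  # port -> MAC Address Limit
    table: dict = field(default_factory=dict)         # (vlan, mac) -> (type, port)

    def add_static(self, vlan, mac, port):
        self.table[(vlan, mac)] = ("static", port)    # manual entry, never aged

    def add_blackhole(self, vlan, mac):
        self.table[(vlan, mac)] = ("blackhole", None)

    def _learn(self, vlan, mac, port):
        """Learn the source MAC; return False if the frame must be discarded."""
        kind, owner = self.table.get((vlan, mac), (None, None))
        if kind == "blackhole":
            return False
        if kind in ("static", "secure"):
            return owner == port      # assumption: pinned MAC seen elsewhere is dropped
        if port in self.secure_limit:                 # port security enabled
            used = sum(1 for k, p in self.table.values() if (k, p) == ("secure", port))
            if used >= self.secure_limit[port]:
                return False          # limit reached: no new MACs are learned
            self.table[(vlan, mac)] = ("secure", port)
        else:
            self.table[(vlan, mac)] = ("dynamic", port)
        return True

    def forward(self, vlan, src, dst, in_port):
        """Return the outbound ports for one frame; an empty set means discarded."""
        if not self._learn(vlan, src, in_port):
            return set()
        kind, out = self.table.get((vlan, dst), (None, None))
        if kind == "blackhole":
            return set()
        if kind is None:
            return self.ports - {in_port}             # unknown destination: flood
        return {out} - {in_port}

def demo():
    a, b, c, srv, bad = (f"00-00-5e-00-53-{x}" for x in ("01", "02", "03", "04", "ff"))
    sw = Switch(ports={"GE1", "GE2", "GE3"}, secure_limit={"GE1": 1})
    sw.add_static(10, srv, "GE3")
    sw.add_blackhole(10, bad)
    frames = [(a, b, "GE1"), (b, a, "GE2"), (c, b, "GE1"), (b, bad, "GE2"), (bad, b, "GE3"), (a, srv, "GE1")]
    return sw, [sw.forward(10, s, d, p) for s, d, p in frames]
```

Calling demo() returns the switch and one forwarding decision per constructed frame: the first frame floods because its destination is unknown, the third is discarded because GE1 has reached its limit of one secure MAC address, and the fourth and fifth are discarded by the blackhole entry.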