R3166-R3206-HP High-End Firewalls Network Management Configuration Guide-6PW101
• Host A has MAC address 000f-e235-dc71 and belongs to VLAN 1. It is connected to
GigabitEthernet 0/1 of the device. To prevent MAC address spoofing, add a static entry for the host
in the MAC address table of the device.
• Host B has MAC address 000f-e235-abcd and belongs to VLAN 1. Because this host once behaved
suspiciously on the network, add a destination blackhole MAC address entry for its MAC address,
so that all packets destined for the host are dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 24 Network diagram for MAC address table configuration
Configuration procedure
# Add a static MAC address entry.
<Firewall> system-view
[Firewall] mac-address static 000f-e235-dc71 interface GigabitEthernet 0/1 vlan 1
# Add a destination blackhole MAC address entry.
[Firewall] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Firewall] mac-address timer aging 500
# Display the MAC address entry for port GigabitEthernet 0/1.
[Firewall] display mac-address interface GigabitEthernet 0/1
MAC ADDR        VLAN ID  STATE          PORT INDEX           AGING TIME(s)
000f-e235-dc71  1        Config static  GigabitEthernet 0/1  NOAGED
--- 1 mac address(es) found ---
# Display information about the destination blackhole MAC address table.
[Firewall] display mac-address blackhole
MAC ADDR        VLAN ID  STATE          PORT INDEX           AGING TIME(s)
000f-e235-abcd  1        Blackhole      N/A                  NOAGED
--- 1 mac address(es) found ---
# View the aging time of dynamic MAC address entries.
[Firewall] display mac-address aging-time
Mac address aging time: 500s
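Added example, not part of the original guide: a Python check that parses captured output of the display commands above and reports any deviation from the three requirements (static entry, blackhole entry, aging timer). The SAMPLE capture is constructed from the output shown in this section, and the names parse, audit and EXPECTED are hypothetical.

```python
import re

# Constructed sample: the display outputs from the procedure, as one capture.
SAMPLE = """\
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-dc71 1 Config static GigabitEthernet 0/1 NOAGED
--- 1 mac address(es) found ---
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000f-e235-abcd 1 Blackhole N/A NOAGED
--- 1 mac address(es) found ---
Mac address aging time: 500s
"""

# STATE may be two words and PORT INDEX contains a space, so anchor on the
# port shape ("N/A" or "<type> <number>") instead of splitting on whitespace.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+(?P<vlan>\d+)\s+(?P<state>.+?)"
    r"\s+(?P<port>N/A|\S+\s+\d+(?:/\d+)*)\s+(?P<aging>\S+)$", re.I)
AGING = re.compile(r"^Mac address aging time:\s*(\d+)s$", re.I)

# Intended policy from the requirements: (MAC, VLAN) -> (STATE, PORT INDEX).
EXPECTED = {
    ("000f-e235-dc71", 1): ("Config static", "GigabitEthernet 0/1"),
    ("000f-e235-abcd", 1): ("Blackhole", "N/A"),
}

def parse(text):
    entries, aging = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := ROW.match(line):
            key = (m["mac"].lower(), int(m["vlan"]))
            entries[key] = (" ".join(m["state"].split()), m["port"], m["aging"])
        elif a := AGING.match(line):
            aging = int(a[1])
    return entries, aging

def audit(text, expected=EXPECTED, aging_expected=500):
    """List deviations between captured output and the intended policy."""
    entries, aging = parse(text)
    findings = []
    for (mac, vlan), want in expected.items():
        got = entries.get((mac, vlan))
        if got is None:
            findings.append(f"{mac} vlan {vlan}: entry missing")
        elif got[:2] != want or got[2] != "NOAGED":
            findings.append(f"{mac} vlan {vlan}: expected {want}, got {got}")
    if aging != aging_expected:
        findings.append(f"aging time is {aging}, expected {aging_expected}")
    return findings
```

An empty list from audit(SAMPLE) means the captured table matches the intended policy; each string in a non-empty list names one entry or timer that has drifted.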