R21xx-HP FlexFabric 11900 Layer 2 LAN Switching Configuration Guide
Step 3. Configure the MAC learning limit on the interface and configure the interface to forward
frames with unknown source MAC addresses when the MAC learning limit is reached.
    Command: mac-address max-mac-count { count | enable-forwarding }
    Remarks: By default, no limit is configured. When the MAC learning limit is reached, frames
    with unknown source MAC addresses are forwarded by default.
Assigning MAC learning priority to interfaces
Any network that performs MAC-based forwarding is exposed to MAC address spoofing attacks. Even in a
hierarchical network, a device might learn the MAC address of an upper layer device (a gateway, for
example) on a downlink interface because of a loop or an attack on that downlink interface.
To avoid this situation, each interface is assigned a MAC learning priority, either low or high.
An interface with high MAC learning priority learns MAC addresses as usual, but an interface with
low MAC learning priority is not allowed to learn MAC addresses already learned on a high-priority
interface.
The MAC learning priority mechanism helps defend your network against MAC address spoofing attacks.
Assign high MAC learning priority to an uplink interface and low MAC learning priority to a
downlink interface. This prevents the downlink interface from learning the MAC address of an upper
layer device.
To assign MAC learning priority to an interface:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command:
      • Enter Layer 2 Ethernet interface view:
        interface interface-type interface-number
      • Enter Layer 2 aggregate interface view:
        interface bridge-aggregation interface-number
      • Enter S-channel interface view:
        interface s-channel interface-number.channel-id
    Remarks: N/A
Step 3. Assign MAC learning priority.
    Command: mac-address mac-learning priority { high | low }
    Remarks: By default, low MAC learning priority is used.
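The following Python model is an added example, not code from this guide or from the switch software. It applies the learning rule described above to a gateway MAC address that later appears on a downlink, first with the default priorities and then with the uplink set to high. The class, the interface names "uplink" and "downlink", and the MAC address are constructed for illustration; VLANs and entry aging are left out.

```python
# Added illustration: simplified model of the MAC learning priority rule.
# All names and values below are constructed for this example.

HIGH, LOW = "high", "low"


class MacTable:
    def __init__(self, priorities):
        # priorities: interface name -> HIGH or LOW. Interfaces that are not
        # listed use the default, which the guide states is low.
        self.priorities = priorities
        self.entries = {}  # MAC address -> interface it was learned on

    def priority(self, interface):
        return self.priorities.get(interface, LOW)

    def learn(self, src_mac, interface):
        """Process a frame's source MAC; return True if the entry is learned."""
        current = self.entries.get(src_mac)
        if (current is not None and current != interface
                and self.priority(current) == HIGH
                and self.priority(interface) == LOW):
            # A low-priority interface may not learn a MAC address that is
            # already learned on a high-priority interface.
            return False
        self.entries[src_mac] = interface
        return True


def gateway_port_after_spoof(priorities):
    """Learn the gateway on the uplink, then see its MAC on a downlink."""
    table = MacTable(priorities)
    gateway_mac = "00e0-fc00-0001"        # constructed value
    table.learn(gateway_mac, "uplink")    # legitimate frame from the gateway
    table.learn(gateway_mac, "downlink")  # spoofed or looped frame
    return table.entries[gateway_mac]


if __name__ == "__main__":
    # Default: every interface is low priority, so the entry moves.
    print("default :", gateway_port_after_spoof({}))
    # Uplink high, downlink low: the entry stays on the uplink.
    print("hardened:", gateway_port_after_spoof({"uplink": HIGH, "downlink": LOW}))
```

With the default priorities the gateway entry ends up on the downlink, which is the situation the section warns about; with the uplink set to high it stays on the uplink.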
Enabling MAC address synchronization
To avoid unnecessary broadcasts and improve forwarding speed, make sure all cards possess the same
MAC address table. After you enable MAC address table synchronization on a device operating in
standalone mode, each card advertises learned MAC address entries to other cards. After you enable
MAC address table synchronization on an IRF fabric, each card advertises learned MAC address entries
to other cards of all the IRF member devices.










