MAC address management is a basic Layer 2 management feature that gives system administrators the functions listed below.
Sub-functions of MAC address management:
Setting the MAC address aging time
Limiting the number of learnable dynamic MAC addresses
Setting the static MAC address
Benefits
Benefits for Carriers
1, The system ages dynamic MAC addresses so that the MAC address table is updated in a timely manner. If the table fills up and is never updated, the system can no longer learn new MAC addresses and therefore cannot forward traffic for new stations correctly.
2, By limiting the number of dynamic MAC addresses that can be learned, the system administrator caps the number of MAC addresses that can be used to enter the network and so reduces the load on network devices.
3, By configuring static MAC addresses (binding a MAC address to a port), the system administrator prevents devices that do not carry the bound address from accessing the system through that port.
Benefits for Subscribers
Improved user security: after the system administrator binds a static MAC address to a service port and sets the port's maximum number of learnable MAC addresses to 0, the port accepts only user data carrying the bound MAC address; frames from any other source MAC address are discarded. Because a MAC address is trivial to forge, this binding restricts which address may be used on the port but does not by itself authenticate the user behind it.
The access node also provides several MAC address security features that protect the network against forged MAC addresses; see 23 MAC Address Security Features.
Address Management Process
MAC address management includes MAC address table establishment and management.
Establishing MAC Address Tables
The system establishes a MAC address table in two ways: by learning source MAC addresses, or from static MAC address entries configured by users.
MAC address learning
− When a Huawei OLT functions as a Layer 2 switching device, it learns MAC addresses in distributed mode: each board learns the source MAC addresses of the frames received on its own ports and then forwards frames according to their destination MAC addresses. Learned entries are stored in the system buffer (the MAC address table), which holds a limited number of entries; once all entries are occupied, no further MAC addresses can be learned.
− Configuration command: mac-address learning vlan
Configuration of static MAC address entries
− A user can manually configure static MAC address entries that bind the MAC addresses of user devices to ports. Afterwards, frames destined for those MAC addresses are always forwarded through the bound ports, and the entries never age out. This improves forwarding efficiency and port security, because a device that attaches with an address not bound to its port is refused access. This way of building MAC address tables is widely used in private networks.
− Configuration command: mac-address static
The following table shows an example of a simplified MAC address table established by configuring static MAC address entries. The table lists the mapping between MAC addresses, ports, and VLAN IDs.
Managing MAC Address Tables
When managing MAC address tables, users can set MAC-related attributes within the limits of system resources and according to the network security policy, so that the table matches the risks and requirements of the live network. These MAC-related attributes are as follows:
Maximum number of MAC addresses learned per service flow
− Once the number of access users on a service flow reaches the limit, no further user MAC addresses are learned on it. This setting suits networks with a fixed set of access users but limited inherent security, such as residential access networks and low-security internal enterprise networks.
Sensing excess MAC addresses (overload awareness)
When the system has learned a very large number of MAC addresses, fault location becomes difficult. When the function of sensing excess MAC addresses is enabled, the board software polls the number of MAC addresses actually in use on the board every 15 minutes and decides from the result whether an alarm must be reported. If the count exceeds the user-configured upper threshold, an excess MAC address alarm is raised; if the count later falls below the user-configured lower threshold, an alarm-clearing alarm is reported. Keeping the two thresholds apart prevents the alarm from flapping when the count hovers around a single value.
Configuration command: overload-aware mac-address
MAC address aging
Generally, the system builds the MAC address table automatically by learning source MAC addresses, and the table must be updated as the network changes. Without aging, however, dynamic MAC address entries are not updated promptly after the network topology changes, and stale entries keep occupying the table. Then the system cannot learn more MAC addresses and user data
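The following Python model is an added example (not Huawei code and not taken from the original page) that ties together the two sections above: table establishment by source-MAC learning and by static entries, and table management through a per-port learning limit, aging of dynamic entries and the overload-aware alarm with separate upper and lower thresholds. Table capacity, aging time, thresholds, MAC addresses and port names are constructed assumptions, and the 15-minute polling period is replaced by explicit calls to the check so it runs offline.

```python
"""Simplified model of a Layer 2 MAC address table: learning, static binding,
learning limit, aging and overload-aware alarm. Constructed example, not Huawei code."""
from dataclasses import dataclass


@dataclass
class Entry:
    port: str
    vlan: int
    static: bool
    last_seen: float  # time of the last frame from this MAC; unused for static entries


class MacTable:
    def __init__(self, capacity=8, aging_time=300.0, alarm_upper=None, alarm_lower=None):
        self.capacity = capacity          # assumed size of the "system buffer"
        self.aging_time = aging_time      # seconds of inactivity before a dynamic entry is removed
        self.alarm_upper = alarm_upper    # overload-aware upper threshold (raise alarm above it)
        self.alarm_lower = alarm_lower    # overload-aware lower threshold (clear alarm below it)
        self.alarm_active = False
        self.entries = {}                 # (mac, vlan) -> Entry
        self.limits = {}                  # port -> max learnable dynamic MACs

    def add_static(self, mac, vlan, port):
        """Bind mac/vlan to port permanently (the static-entry case)."""
        self.entries[(mac, vlan)] = Entry(port, vlan, True, 0.0)

    def set_learn_limit(self, port, n):
        """Cap the dynamic MAC addresses learnable on port (0 = learn nothing)."""
        self.limits[port] = n

    def dynamic_count(self, port=None):
        return sum(1 for e in self.entries.values()
                   if not e.static and (port is None or e.port == port))

    def ingress(self, src_mac, vlan, port, now):
        """Handle a frame with src_mac arriving on port at time now. Returns 'accepted',
        'learned', 'dropped-bound' (MAC statically bound to another port),
        'dropped-limit' (port learning limit reached) or 'dropped-full' (table full)."""
        key = (src_mac, vlan)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.static:
                return "accepted" if entry.port == port else "dropped-bound"
            entry.last_seen = now
            entry.port = port  # station moved to another port: update the dynamic entry
            return "accepted"
        limit = self.limits.get(port)
        if limit is not None and self.dynamic_count(port) >= limit:
            return "dropped-limit"
        if len(self.entries) >= self.capacity:
            return "dropped-full"
        self.entries[key] = Entry(port, vlan, False, now)
        return "learned"

    def age(self, now):
        """Remove dynamic entries idle for at least aging_time; static entries never age."""
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def overload_check(self):
        """One poll of the overload-aware function (the OLT polls every 15 minutes).
        Hysteresis: raise once above alarm_upper, clear once below alarm_lower, else nothing."""
        n = len(self.entries)
        if not self.alarm_active and self.alarm_upper is not None and n > self.alarm_upper:
            self.alarm_active = True
            return "raise"
        if self.alarm_active and self.alarm_lower is not None and n < self.alarm_lower:
            self.alarm_active = False
            return "clear"
        return None


def demo():
    """Walk through the scenarios in the text with constructed MACs and port names."""
    t = MacTable(capacity=6, aging_time=300.0, alarm_upper=4, alarm_lower=2)
    # Subscriber service port: one bound device and a learning limit of 0.
    t.add_static("00:11:22:33:44:55", 100, "0/1/0")
    t.set_learn_limit("0/1/0", 0)
    r1 = t.ingress("00:11:22:33:44:55", 100, "0/1/0", now=0)   # bound device: accepted
    r2 = t.ingress("00:11:22:33:44:66", 100, "0/1/0", now=1)   # other device: dropped-limit
    r3 = t.ingress("00:11:22:33:44:55", 100, "0/1/1", now=2)   # bound MAC on another port: dropped-bound
    # A port without a limit learns four stations, pushing the table past the upper threshold.
    for i in range(4):
        t.ingress(f"00:aa:00:00:00:{i:02x}", 200, "0/2/0", now=10 + i)
    a1 = t.overload_check()   # 5 entries > 4: raise
    a2 = t.overload_check()   # still above: no repeated alarm
    aged = t.age(now=400)     # the 4 dynamic entries are idle >= 300 s; the static one stays
    a3 = t.overload_check()   # 1 entry < 2: clear
    return r1, r2, r3, a1, a2, aged, a3, len(t.entries)
```

Running `demo()` shows the subscriber-port case from the Benefits section (only the bound MAC passes, and the same MAC appearing on another port is refused), a full-table drop when capacity is exhausted, and why the overload alarm uses two thresholds: a single threshold would raise and clear on every poll while the count sits near it.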