Foundry NetIron M2404C and M2404F Metro Access Switches
Switch Administration (Rev. 03)
Managing the MAC Address Table © 2008 Foundry Networks, Inc.
Page 6 of 87
Associating QoS Profiles with a MAC Address Table Entry
QoS can be associated with the MAC address (and VLAN) of a device by creating a permanent MAC address table entry and specifying QoS profiles. To associate a QoS profile with a MAC address table entry, use the qos mac command in Global Configuration mode. For more information, please refer to chapter "Configuring Quality of Service (QoS)".
Filtering MAC Addresses
The application software provides the ability to deny MAC addresses that are known as "dangerous" in the network. The system administrator can filter such MAC addresses once they are detected, thereby denying their access to the device and their passage to other parts of the network.
The filtering of MAC addresses can be done by the mac-address-table filtered command in Global Configuration mode. A filtered entry is identified by the "filtered" flag in the show mac-address-table output.
The MAC Address Table Aging Time
Dynamic addresses are source MAC addresses that the device learns and then drops when they are
not in use. The aging time parameter defines how long the device retains unseen addresses in the
table. This parameter is applied to all VLANs.
If the value assigned to the aging time is too short, addresses may be removed from the table too soon. This would increase the number of packets received by the device with unknown destinations, impairing performance by causing the device to flood such packets to all ports in the VLAN that includes the receiving port. If the value assigned to the aging time is too long, the address table may be loaded with addresses that are no longer in use.
MAC Based DoS-Attack Prevention
A data-link Denial of Service (DoS) attack can target either a host or a network. Data-link DoS attacks are launched to disable the ability of hosts to access the local network even though the hosts are still connected. An example of this would be flooding a non-switched Ethernet network with invalid source MAC addresses. An attacker (or sometimes a malfunctioning NIC) can repeatedly send a packet whose source MAC address is a multicast or broadcast address. The application software blocks data-link DoS attacks and prevents them from propagating to hosts on the network.
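The following Python model is an added illustration written for this section, not code from the Foundry manual or the NetIron software. It shows the three behaviours the text describes, using the 300-second aging default: a frame whose source MAC has the group (I/G) bit set, i.e. a multicast or broadcast source, is dropped as the data-link DoS pattern; a MAC with a "filtered" entry is denied; and dynamic entries age out, after which frames to that destination are flooded. Port names, method names and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass

DEFAULT_AGING_TIME = 300  # seconds; the page's default aging-time value


def is_group_address(mac: str) -> bool:
    """True if the I/G bit (LSB of the first octet) is set, i.e. the address
    is multicast or broadcast. A valid frame never carries one as its source."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


@dataclass
class Entry:
    port: str
    last_seen: float      # time the source was last seen (seconds)
    filtered: bool = False  # static "filtered" entry: traffic is denied


class MacTable:
    def __init__(self, aging_time: int = DEFAULT_AGING_TIME):
        self.aging_time = aging_time
        self.entries = {}  # MAC string -> Entry

    def add_filtered(self, mac: str) -> None:
        """Model of a 'mac-address-table filtered' entry for a dangerous MAC."""
        self.entries[mac] = Entry(port="", last_seen=0.0, filtered=True)

    def process_frame(self, src: str, port: str, now: float) -> str:
        """Decide what happens to an incoming frame based on its source MAC."""
        if is_group_address(src):
            return "drop-group-src"   # data-link DoS pattern from the text
        entry = self.entries.get(src)
        if entry is not None and entry.filtered:
            return "drop-filtered"    # denied access to the device
        self.entries[src] = Entry(port=port, last_seen=now)  # learn / refresh
        return "learned"

    def forward(self, dst: str) -> str:
        """Destination lookup: known unicast -> its port, unknown -> flooded."""
        entry = self.entries.get(dst)
        if entry is None:
            return "flood"
        return "drop-filtered" if entry.filtered else entry.port

    def age_out(self, now: float) -> list:
        """Remove dynamic entries not seen for longer than the aging time."""
        expired = [m for m, e in self.entries.items()
                   if not e.filtered and now - e.last_seen > self.aging_time]
        for mac in expired:
            del self.entries[mac]
        return expired
```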
MAC Address Default Configuration
Table 1 shows the MAC address table default configuration.

Table 1: MAC Address Table Default Configuration
Parameter                 Default Value
MAC Address aging time    300 seconds