Can an S series switch memorize MAC addresses

10

S series switches (except the S1700) cannot memorize MAC addresses.

Other related questions:
Specification of the MAC address table on an S series switch
Hi, I cannot answer this question. For details about product specifications, click http://e.huawei.com/en/service-hotline to look up the contact method of your local customer service engineers.

S series switches' support for MAC address authentication
S series switches (except the S1700) support MAC address authentication as follows: - In V100R006, switches except the S2700SI and S2710SI support MAC address authentication. - In versions later than V100R006, all switches support MAC address authentication.

Configure MAC address bypass authentication on S series switch
On S series switches (except S1700), you can enable MAC address bypass authentication for terminals such as printers on which the 802.1x client software cannot be installed or used to allow these terminals to access the network. For example, if a large number of PCs and a small number of dumb terminals are connected to GE1/0/1 and GE1/0/5, to ensure that the PCs and dumb terminals access the network, you can enable 802.1x authentication and MAC address bypass authentication on GE1/0/1 and GE1/0/5. The following describes the configuration: - Configure multiple interfaces in a batch in the system view. [HUAWEI] dot1x enable [HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5 [HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5 - Configure each interface in the interface view. [HUAWEI] dot1x enable [HUAWEI] interface gigabitethernet 1/0/1 [HUAWEI-GigabitEthernet1/0/1] dot1x enable [HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass [HUAWEI-GigabitEthernet1/0/1] quit [HUAWEI] interface gigabitethernet 1/0/5 [HUAWEI-GigabitEthernet 1/0/5] dot1x enable [HUAWEI-GigabitEthernet 1/0/5] dot1x mac-bypass Precautions: 1. In addition to performing the preceding configuration, you still need to add MAC addresses of terminals on the authentication server. For details, see the configuration guide of the authentication server. 2. In V200R005C00 and later version, S series switches support MAC address bypass authentication only in NAC traditional configuration mode.

How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. Then the interface allows only the packets with the bound MAC address and packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface. For example, to configure Ethernet 0/0/1 to allow only the packets with the source MAC address being 0-02-02 apart from of the packets matching the DHCP snooping binding table, and discard other packets, do as follows: # Enable DHCP snooping globally. [HUAWEI] dhcp snooping enable# Create an ACL that permits only the packets with the source MAC address being 0-02-02. [HUAWEI] acl 4000 [HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff [HUAWEI-acl-L2-4000] rule deny# Create a traffic classifier that matches ACL 4000. [HUAWEI] traffic classifier c1 [HUAWEI-classifier-c1] if-match acl 4000# Create a traffic behavior and a traffic policy. [HUAWEI] traffic behavior b1 [HUAWEI-behavior-b1] permit [HUAWEI] traffic policy p1 [HUAWEI-trafficpolicy-p1] classifier c1 behavior b1# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only the packets with the source MAC address 0-02-02 to pass through apart from of the packets matching the DHCP snooping binding table. In V100R005C00 and later versions, the configuration is as follows: [HUAWEI] interface Ethernet 0/0/1 [HUAWEI-Ethernet0/0/1] port default vlan 4094 [HUAWEI-Ethernet0/0/1] ip source check user-bind enable [HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound

How is an S series switch process the Query message with the destination MAC address as the unicast MAC address
After Layer 2 multicast is enabled on a switch, the switch checks the destination MAC addresses of received IGMP messages. If the destination MAC address of a packet does not match its destination IP address, the switch drops the packet. Therefore, when the switch receives IGMP Query messages with unicast destination MAC addresses, it drops the messages. As a result, user hosts cannot receive the Query messages, and multicast forwarding entries on the switch cannot be updated. Then multicast forwarding is interrupted. When the switch connects to an ME60 and the ME60 performs multicast replication on a per user basis, IGMP Query messages sent from the ME60 uses user MAC addresses as destination MAC addresses. The switch drops these IGMP Query messages. In this case, modify the configuration on the ME60 to ensure that the IGMP Query messages sent from the ME60 use destination MAC addresses mapping their destination IP addresses. Then the switch can generate a router port when receiving the Query messages and forward the Query message to user hosts.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top