What is the purpose of the MAC Pinning feature in ZyXEL Ethernet Switches?
The MAC Pinning feature allows you to prohibit the movement of dynamically learned MAC addresses in the switching table of an Ethernet switch.
When an Ethernet frame is received, the switch adds an entry to its switching table with the port mapping to which this frame was received with the connected device's MAC address and writes the VLAN number to which the host belongs. The switching table is then used by the switch to decide on the forwarding of Ethernet frames. Dynamically learned MAC addresses have a specific lifetime.
When the switch receives an Ethernet frame with the source MAC address of a previously learned host in the same VLAN to its other port, the switch immediately updates its switch table, deleting the old entry and adding a new MAC-VLAN binding to the new port.
The MAC Pinning feature allows you to explicitly specify the port(s) that prioritise learning MAC addresses. This means that on those ports where MAC Pinning is enabled, the host’s MAC address addresses (and their VLAN-IDs) learned by the switch cannot be transferred (learned) on any other switch port until the dynamic recording in the MAC table.
The MAC-Pinning function helps to increase security. Consider an example:
Clients working with the server are connected to the switch. The attacker (A) wants to impersonate a server (B) to intercept user messages. To do this, the attacker starts sending messages to the hosts, replacing his MAC address (MAC spoofing) with the server's MAC address, trying to impersonate the server and forcing the switch to update the MAC table entry. If the MAC Pinning function is enabled on the switch port to which the server is connected, the switch will not update its MAC table, and clients will send data to the source server, and the attacker’s attempt to impersonate the server will fail.
The MAC Pinning feature is configured via the device’s web configurator from the Advanced Application -> MAC Pinning section.
Configurable via CLI:
sysname(config)# interface port-channel 1
sysname# show mac-pinning
The MAC Pinning function works “one way” - to prohibit movement of the learned MAC-VLAN from the port where the function is enabled to any other. Enabling the MAC Pinning feature on a port does not prohibit the appearance on it of a MAC-VLAN, previously studied on other ports where this feature is disabled.
Attention! The MAC Pinning and Port Security features cannot be used simultaneously on the same port.
Please sign in to leave a comment.