Layer 2 ring network technology is used more and more frequently in the networking solutions of Metropolitan Area Networks and enterprise networks. In a layer 2 ring network, a switch forwards a message as follows: it searches for a MAC entry according to the destination MAC address of the message, obtains the outgoing interface for the message from the MAC entry, and sends the message from that outgoing interface. The MAC entries of the switch are learnt from the received data stream. For example, when receiving a data message from a certain interface, the switch may learn a MAC entry according to the source MAC address of the message. The MAC entry includes the source MAC address and the outgoing interface, and the outgoing interface is the interface from which the switch received the message.
If a MAC address in the switch is attacked, the outgoing interface in the MAC entry is learnt as a wrong interface, so a message having that MAC address as its destination address may be forwarded to the wrong interface. FIG. 1a is a schematic diagram of an attack by counterfeiting the MAC address in an existing layer 2 ring network. When user equipment A attacks by counterfeiting the MAC address of a router, it constructs a message having the MAC address of router R as the source MAC address and sends the message to the layer 2 ring network. Through MAC address learning, the outgoing interface corresponding to the MAC address of router R in the MAC entry of each switch in the layer 2 ring network is modified to an interface towards user equipment A. A message sent from other users with router R as the destination address will then be forwarded to user equipment A, so the network to router R is interrupted and the information of other users is illegally obtained.
Similarly, when user equipment A counterfeits the MAC address of user equipment B to construct a message, a message sent from router R to user equipment B will be forwarded to user equipment A. The network from user equipment B to router R is thus interrupted, and the information of user equipment B is stolen by user equipment A. Here, D is a ring network blocking point.
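The learning behaviour described above can be reproduced with a small simulation, added here as an illustration and not taken from the original document. The ring layout, the attachment points of R, A and B, and the MAC values are assumptions, since FIG. 1a is not reproduced; the third value returned by `spoof` lists the switches whose entry moved, which is the signal a defender can monitor.

```python
from collections import deque

# Constructed topology (assumption: FIG. 1a is not reproduced on the page).
LINKS = {("switch_1", "switch_2"), ("switch_1", "switch_3"),
         ("switch_2", "switch_4"), ("switch_3", "switch_5"),
         ("switch_4", "switch_5")}
BLOCKED = {("switch_4", "switch_5")}          # ring network blocking point D
HOSTS = {"R": "switch_1", "A": "switch_4", "B": "switch_5"}  # attachment assumed
MAC = {"R": "00:00:5e:00:53:01", "B": "00:00:5e:00:53:0b"}   # documentation MACs

def neighbours(sw):
    """Switches reachable from sw over links that are not blocked."""
    return [b if a == sw else a for a, b in LINKS - BLOCKED if sw in (a, b)]

def flood(tables, sender, src_mac):
    """Flood one frame from host `sender`; each switch learns src_mac on the
    interface the frame arrived on (interfaces are named after the neighbour)."""
    first = HOSTS[sender]
    tables[first][src_mac] = sender
    queue, seen = deque([first]), {first}
    while queue:
        sw = queue.popleft()
        for nxt in neighbours(sw):
            if nxt not in seen:
                seen.add(nxt)
                tables[nxt][src_mac] = sw
                queue.append(nxt)

def deliver(tables, sender, dst_mac):
    """Follow the learnt entries hop by hop; return the host that gets the frame."""
    hop = HOSTS[sender]
    while hop in tables:
        hop = tables[hop][dst_mac]
    return hop

def spoof(victim, talker, attacker="A"):
    """Return (receiver before, receiver after, switches whose entry moved)."""
    tables = {sw: {} for pair in LINKS for sw in pair}
    flood(tables, victim, MAC[victim])            # legitimate learning
    before = deliver(tables, talker, MAC[victim])
    old = {sw: t[MAC[victim]] for sw, t in tables.items()}
    flood(tables, attacker, MAC[victim])          # frame with counterfeit source MAC
    after = deliver(tables, talker, MAC[victim])
    moved = sorted(sw for sw in tables if tables[sw][MAC[victim]] != old[sw])
    return before, after, moved

if __name__ == "__main__":
    print(spoof("R", "B"))   # B's traffic for router R
    print(spoof("B", "R"))   # R's traffic for user equipment B
```
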
To prevent MAC addresses from being attacked by a user, the MAC addresses of the router and of all users under the layer 2 ring network may be configured as static MAC addresses on the respective switches in the layer 2 ring network. Since a switch does not need to learn a static MAC address, the static MAC address will not be attacked. However, the static configuration method requires each switch in the layer 2 ring network to configure the MAC addresses of the router and of the users under other switches as static MAC addresses, and the configuration process is complicated.
To reduce the complexity of the static configuration, the interface security feature may be activated on the ring network interface of the switch, so that the switch automatically converts each learnt MAC address into a static MAC address and thereby prevents the MAC address from being attacked. This method avoids the complicated configuration process of static MAC addresses. However, whether a static configuration is performed or a MAC address is securely learnt through a ring network interface and converted into a static MAC address, a traffic interruption will always be caused when the ring network topology of the layer 2 ring network changes.
FIG. 1b is a network schematic diagram of protecting the MAC address of the router using a static configuration. In the initial situation, all the links of the layer 2 ring network are normal, and each switch configures the MAC address of router R as a static MAC address, wherein D is a ring network blocking point. The outgoing interfaces corresponding to the MAC address of router R configured on the respective switches are as follows:
switch_2: an interface connected to switch_1;
switch_3: an interface connected to switch_1;
switch_4: an interface connected to switch_2;
switch_5: an interface connected to switch_3.
FIG. 1c is a network schematic diagram of a failure when protecting the MAC address of the router using a static configuration, in a case where the ring network topology of the layer 2 ring network has changed. When the link between switch_1 and switch_2 fails, the ring network enables the link between switch_4 and switch_5, i.e., cancels the ring network blocking point between switch_4 and switch_5, and a ring network blocking point D may be set between switch_1 and switch_2. However, the outgoing interface on switch_4 corresponding to the MAC address of router R is still the interface connected to switch_2, so a message sent from user equipment A to router R is still forwarded by switch_4 to switch_2. Because of the link failure between switch_2 and switch_1, switch_2 cannot forward the message to router R through switch_1, which interrupts the traffic from user equipment A to router R.
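The failure case can be traced with the static entries listed for FIG. 1b. The following sketch is an added illustration, not part of the original document; it assumes router R attaches directly to switch_1 and user equipment A to switch_4, and the `RELEARNT` table is constructed by hand to show what dynamic learning would converge to after the failover.

```python
# Static entries for router R's MAC, as listed on the page for FIG. 1b.
STATIC = {"switch_2": "switch_1", "switch_3": "switch_1",
          "switch_4": "switch_2", "switch_5": "switch_3",
          "switch_1": "R"}        # assumption: R attaches directly to switch_1
# Entries dynamic learning would converge to after the failover in FIG. 1c
# (constructed by hand for comparison; not stated on the page).
RELEARNT = dict(STATIC, switch_4="switch_5", switch_2="switch_4")
# The failed link between switch_1 and switch_2.
FAILED = {frozenset(("switch_1", "switch_2"))}

def trace(table, start, failed=frozenset()):
    """Follow `table` from switch `start` towards R; return (path, outcome)."""
    path, hop = [start], start
    while hop != "R":
        nxt = table[hop]
        if frozenset((hop, nxt)) in failed:
            return path, "dropped at " + hop   # egress interface faces a dead link
        if nxt in path:
            return path, "loop"
        path.append(nxt)
        hop = nxt
    return path, "delivered"

def stranded(table, failed):
    """Switches whose entry for R leads into a failed link (traffic interrupted)."""
    return sorted(sw for sw in table if trace(table, sw, failed)[1] != "delivered")

if __name__ == "__main__":
    # User equipment A is assumed to sit behind switch_4.
    print(trace(STATIC, "switch_4"))             # all links normal
    print(trace(STATIC, "switch_4", FAILED))     # after the link failure
    print(stranded(STATIC, FAILED))              # switches cut off from R
    print(trace(RELEARNT, "switch_4", FAILED))   # path a relearnt table would use
```
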
In summary, when the network topology of the layer 2 ring network is changed, the current solution for preventing an attack on the MAC address will easily cause an interruption of the network traffic.