An edge device (e.g., a bridge or a router) is a network device that connects nodes in one network to nodes in another network. The edge device maintains a media access control (MAC) forwarding table that stores entries mapping the MAC addresses of network nodes to the ports of the edge device. When an ingress packet is received at a port, the edge device performs a forwarding phase lookup of the destination MAC address in the received packet and a learning phase lookup of the source MAC address in the received packet.
In the forwarding phase lookup mode of operation, the edge device looks for the destination address in the received ingress packet in the MAC forwarding table. If an entry containing the destination address is found, the edge device forwards the packet to the port listed in the entry; otherwise, the edge device may “flood” the packet on all output ports of the edge device except the port on which the packet was received.
In the learning phase mode of operation, the edge device looks up the source address of the received ingress packet in the MAC forwarding table. If no entry containing the source address is found, the edge device adds a new entry to the MAC forwarding table that maps the source address to the port on which the packet was received. If an entry containing the source address is found, the edge device determines whether the entry associates the source address with the current port on which the packet was received or with a different port. If the current port is the same as the port listed in the identified forwarding table entry, the learning phase ends. If the current port is different from the port listed in the identified forwarding table entry, the edge device determines that the source address has moved (i.e., that a MAC move has occurred) and updates the MAC forwarding table to reflect the new MAC-address-to-port mapping.
Some edge devices are configured to implement one or more security mechanisms. For example, an edge device may be restricted to a maximum number of source MAC addresses that can be learned for each VLAN (virtual local area network). In another example, the edge device may be configured to lock down the MAC forwarding table in response to receipt of a MAC lock down command. Under these approaches, after the maximum number of source MAC addresses has been learned or the MAC lock down command has been received, the edge device discards packets whose source MAC addresses are not listed in the current MAC forwarding table. In another example, the number of moves of a MAC address over time is tracked in order to detect and prevent bridge forwarding loops. If the number of MAC moves of a particular source MAC address over a given period exceeds a threshold number, the edge device may block all packets associated with that source MAC address and issue a loop detection warning.
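The following Python model ties together the learning phase, the forwarding phase and the three security checks described above (per-VLAN learning limit, MAC lock down, and a MAC move rate threshold with loop warning). It is an added illustration written for this page, not code from any edge device or from the patent; the class and method names, the port numbers, the VLAN ids, the thresholds and the MAC strings in the scenario are all constructed.

```python
"""Toy edge-device model: MAC learning, forwarding, and the security checks
(per-VLAN learn limit, lock down, MAC move threshold). Added example; all
names, ports, VLAN ids, thresholds and MAC strings below are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set, Tuple

Key = Tuple[int, str]  # (vlan, mac address)


@dataclass
class TableEntry:
    port: int
    # timestamps (seconds) of recent MAC moves, used for loop detection
    moves: Deque[float] = field(default_factory=deque)


class SecureBridge:
    def __init__(self, ports: List[int], max_macs_per_vlan: Optional[int] = None,
                 move_threshold: int = 3, move_window: float = 1.0) -> None:
        self.ports = list(ports)
        self.table: Dict[Key, TableEntry] = {}
        self.locked = False                      # set by the lock down command
        self.max_macs_per_vlan = max_macs_per_vlan
        self.move_threshold = move_threshold     # moves allowed within move_window
        self.move_window = move_window           # seconds
        self.blocked: Set[Key] = set()           # sources blocked after a suspected loop
        self.warnings: List[str] = []            # loop detection warnings issued

    def lock_down(self) -> None:
        """Freeze the table: packets from unknown sources are discarded from now on."""
        self.locked = True

    def _learned_in_vlan(self, vlan: int) -> int:
        return sum(1 for (v, _) in self.table if v == vlan)

    def _learn(self, vlan: int, src: str, in_port: int, now: float) -> Optional[str]:
        """Learning phase. Returns a drop reason, or None if the packet may proceed."""
        key = (vlan, src)
        entry = self.table.get(key)
        if entry is None:
            if self.locked:
                return "drop: table locked, unknown source"
            if (self.max_macs_per_vlan is not None
                    and self._learned_in_vlan(vlan) >= self.max_macs_per_vlan):
                return "drop: per-VLAN MAC limit reached"
            self.table[key] = TableEntry(in_port)
            return None
        if entry.port == in_port:
            return None                          # same port: learning phase ends
        # Different port: a MAC move. Update the mapping and count the move.
        entry.port = in_port
        entry.moves.append(now)
        while entry.moves and now - entry.moves[0] > self.move_window:
            entry.moves.popleft()                # forget moves outside the window
        if len(entry.moves) > self.move_threshold:
            self.blocked.add(key)
            self.warnings.append(
                f"loop warning: vlan {vlan} {src} moved {len(entry.moves)} times "
                f"within {self.move_window}s")
            return "drop: MAC move threshold exceeded"
        return None

    def process(self, vlan: int, src: str, dst: str, in_port: int,
                now: float) -> Tuple[str, List[int]]:
        """Handle one ingress packet; returns (action, egress ports)."""
        if (vlan, src) in self.blocked:
            return ("drop: source blocked", [])
        reason = self._learn(vlan, src, in_port, now)
        if reason:
            return (reason, [])
        # Forwarding phase: known destination -> its port, otherwise flood.
        dentry = self.table.get((vlan, dst))
        if dentry is not None:
            return ("forward", [dentry.port])
        return ("flood", [p for p in self.ports if p != in_port])


def demo() -> List[Tuple[str, List[int]]]:
    """Constructed scenario exercising each check; returns the per-packet results."""
    br = SecureBridge(ports=[1, 2, 3], max_macs_per_vlan=2,
                      move_threshold=2, move_window=1.0)
    a, b, c, d = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", \
                 "aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"
    out = [
        br.process(10, a, b, 1, 0.0),  # a learned on port 1; b unknown -> flood [2, 3]
        br.process(10, b, a, 2, 0.1),  # b learned on port 2; a known -> forward [1]
        br.process(10, c, a, 3, 0.2),  # third MAC in VLAN 10 -> per-VLAN limit drop
        br.process(10, a, b, 3, 0.3),  # a moved to port 3 (move 1) -> forward [2]
        br.process(10, a, b, 1, 0.4),  # a moved back (move 2, at threshold) -> forward [2]
        br.process(10, a, b, 3, 0.5),  # move 3 in 1s window -> blocked, loop warning
        br.process(10, a, b, 1, 0.6),  # a is now blocked -> drop
    ]
    br.lock_down()
    out.append(br.process(20, d, a, 2, 0.7))  # VLAN 20 is empty, but table locked -> drop
    return out


if __name__ == "__main__":
    for action, ports in demo():
        print(action, ports)
```

The forwarding phase follows the text literally and sends a known destination to the port in its entry; a production bridge would additionally discard a frame whose destination entry points back at the ingress port, since source and destination are then on the same segment. The move counter keeps only timestamps inside `move_window`, so a host that legitimately migrates once is not blocked, while a loop that makes the same source flap between ports several times within the window trips the threshold.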
Systems and methods of managing MAC moves with secure port groups are described herein.