Manually configuring MAC address entries

With dynamic MAC address learning, a router does not distinguish illegitimate frames from legitimate frames. This causes security hazards. For example, if a hacker sends frames with a forged source MAC address to a port different from the one where the real MAC address is connected, the router will create an entry for the forged MAC address, and will forward frames destined for the legal user to the hacker instead.

To enhance the security of a port, you can manually add MAC address entries in the MAC address table of the router to bind specific user devices to the port. Because manually configured entries have higher priority than the dynamically learned ones, this prevents hackers from stealing data using forged MAC addresses.

Types of MAC address table entries

A MAC address table may contain these types of entries:

• Static entries—Static entries are manually configured and never age out.
• Dynamic entries—Dynamic entries can be manually configured or dynamically learned and may age out.
• Blackhole entries—Blackhole entries are manually configured and never age out. Blackhole entries are configured for filtering out frames with specific source or destination MAC addresses. For example, to block all packets destined for a specific user for security concerns, you can configure the MAC address of this user as a destination blackhole MAC address entry.

NOTE:
A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

MAC address table-based frame forwarding

When forwarding a frame, the router adopts the following two forwarding modes based on the MAC address table:

• Unicast mode—If an entry is available for the destination MAC address, the router forwards the frame out the outgoing interface indicated by the MAC address table entry.
• Broadcast mode—If the router receives a frame with an all-ones destination address, or no entry is available for the destination MAC address, the router broadcasts the frame to all the interfaces except the receiving interface.

Configuring the MAC address table

The configuration tasks discussed in the following sections are all optional and can be performed in any order.

Configuring MAC address table entries

To fence off MAC address spoofing attacks and improve port security, you can manually add MAC address table entries to bind ports with MAC addresses.

You can also configure blackhole MAC address entries to filter out packets with certain source or destination MAC addresses.
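
The table behaviour described above can be modelled in a few lines of Python. This is an added example, not code from the manual or from the router software: the class and function names are hypothetical, and the MAC addresses and port numbers are constructed sample values. It shows a dynamic entry being moved by a frame with a forged source MAC address, a static entry staying bound to its port, and blackhole entries filtering frames in both directions.

```python
# Added illustration: a toy model of the MAC address table rules above.
# MAC addresses (documentation range) and port numbers are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
USER, PEER, BLOCKED = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"

class MacTable:
    def __init__(self, ports):
        self.ports = list(ports)
        self.entries = {}              # mac -> (entry type, outgoing port)

    def add_static(self, mac, port):   # manual entry, overwrites a dynamic one
        self.entries[mac] = ("static", port)

    def add_blackhole(self, mac):      # manual entry, filters this MAC
        self.entries[mac] = ("blackhole", None)

    def learn(self, mac, port):
        # Dynamic learning creates or moves dynamic entries only; it never
        # overwrites a static or blackhole entry.
        if self.entries.get(mac, ("dynamic", None))[0] == "dynamic":
            self.entries[mac] = ("dynamic", port)

    def receive(self, src, dst, in_port):
        """Return the ports the frame is sent out of ([] means filtered)."""
        if self.entries.get(src, (None, None))[0] == "blackhole":
            return []                                  # source blackhole
        self.learn(src, in_port)
        kind, out_port = self.entries.get(dst, (None, None))
        if kind == "blackhole":
            return []                                  # destination blackhole
        if dst == BROADCAST or kind is None:           # broadcast mode
            return [p for p in self.ports if p != in_port]
        return [out_port]                              # unicast mode

def forged_source_scenario(bind_user_to_port_1):
    """USER sits on port 1; a frame with USER as source then arrives on port 2.
    Returns where PEER's next frame to USER is forwarded."""
    table = MacTable([1, 2, 3])
    if bind_user_to_port_1:
        table.add_static(USER, 1)
    table.receive(USER, BROADCAST, 1)      # legitimate frame, port 1
    table.receive(USER, BROADCAST, 2)      # forged source MAC, port 2
    return table.receive(PEER, USER, 3)

def blackhole_scenario():
    table = MacTable([1, 2, 3])
    table.add_blackhole(BLOCKED)
    return table.receive(PEER, BLOCKED, 3), table.receive(BLOCKED, PEER, 2)
```

With dynamic learning only, PEER's frame follows the forged entry to port 2; with the static binding it is still delivered on port 1.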