A blackhole FDB entry discards all packets addressed to or received from the specified MAC address. A significant difference between the ACL policy example and the blackhole option of the create fdb command is the hardware used to implement the feature: platforms with limited hardware ACL table sizes can implement it using the FDB table instead of an ACL table.
To create a blackhole FDB entry, use the command:

    create fdb mac_addr vlan vlan_name [ports port_list | blackhole]
There is no software indication or notification when packets are discarded because they match blackhole entries.

The blackhole option is also supported through access lists.
Note: Blackhole is not supported on port-specific VLAN tags.
For example, the following ACL policy would also blackhole traffic destined to or sourced from a specific MAC address:

    entry blackhole_dest {
        if {
            ethernet-destination-address 00:00:00:00:00:01;
        } then {
            deny;
        }
    }
    entry blackhole_source {
        if {
            ethernet-source-address 00:00:00:00:00:01;
        } then {
            deny;
        }
    }
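As an added example, not part of the original documentation, the following Python helper renders the two-entry deny policy shown above for a list of MAC addresses and emits the equivalent create fdb blackhole commands; the entry naming scheme (blackhole_dest_N, blackhole_source_N), the accepted input formats and the VLAN name are assumptions made here.

```python
import re

# Accepted input forms (constructed examples, an assumption of this helper):
#   00:00:00:00:00:01   00-00-00-00-00-01   0000.0000.0001
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
)


def normalize_mac(mac: str) -> str:
    """Return the MAC in the colon-separated form used in the ACL policy above."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", m)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _unique_normalized(macs) -> list:
    """Normalize and drop duplicates while preserving order."""
    return list(dict.fromkeys(normalize_mac(m) for m in macs))


def render_blackhole_policy(macs) -> str:
    """One deny entry per direction per MAC, mirroring the two-entry policy above.

    Entry names blackhole_dest_N / blackhole_source_N are an assumed convention.
    """
    lines = []
    for idx, mac in enumerate(_unique_normalized(macs), start=1):
        for name, field in (("dest", "ethernet-destination-address"),
                            ("source", "ethernet-source-address")):
            lines += [f"entry blackhole_{name}_{idx} {{",
                      "    if {",
                      f"        {field} {mac};",
                      "    } then {",
                      "        deny;",
                      "    }",
                      "}"]
    return "\n".join(lines) + "\n"


def fdb_blackhole_commands(macs, vlan_name: str) -> list:
    """The FDB-table alternative: one 'create fdb ... blackhole' command per MAC."""
    return [f"create fdb {m} vlan {vlan_name} blackhole"
            for m in _unique_normalized(macs)]


if __name__ == "__main__":
    print(render_blackhole_policy(["00:00:00:00:00:01"]))
    print("\n".join(fdb_blackhole_commands(["00:00:00:00:00:01"], "Default")))
```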