01-03 MAC Address Table Configuration
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
This chapter describes how to configure the Media Access Control (MAC) address
table on your switch. A MAC address table is a Layer 2 forwarding table that
stores MAC addresses learned from other devices. Your switch maintains a MAC
address table for Layer 2 data forwarding. Each workstation and server has a
unique MAC address. When the switch exchanges data with connected
workstations and servers, the switch records their MAC addresses, access
interfaces, and VLAN IDs to facilitate unicast forwarding.
3.1 Introduction to the MAC Address
3.2 Principles
3.3 Application
3.4 Configuration Task Summary
3.5 Licensing Requirements and Limitations for MAC Address Tables
3.6 Default Configuration
3.7 Configuring a MAC Address Table
You can configure functions and parameters for a MAC address table to ensure
secure communication between authorized users. The following configurations are
optional and can be performed in any order.
3.8 Configuring MAC Address Flapping Prevention
3.9 Configuring MAC Address Flapping Detection
3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
3.11 Enabling MAC Address-Triggered ARP Entry Update
3.12 Enabling Port Bridge
3.13 Configuring Re-marking of Destination MAC Addresses
3.14 Maintaining the MAC Address Table
3.15 Configuration Examples
3.2 Principles
3.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table
A MAC address table records MAC addresses that have been learned by the switch,
interfaces on which MAC addresses are learned, and VLANs that the interfaces
belong to. Before forwarding a packet, the switch looks up the destination MAC
address of the packet in the MAC address table. If a MAC address entry matches
the destination MAC address, the switch forwards the packet from the outbound
interface recorded in the MAC address entry. If no matching MAC address entry
exists, the switch broadcasts the packet to all interfaces in the corresponding
VLAN, except the interface that received the packet.
Type: Static MAC address entry
Description:
● Static MAC address entries are manually configured. Static MAC address
entries never age.
● The static MAC address entries saved in the system are not lost after a
system restart.
● After an interface is statically bound to a MAC address, other interfaces
discard packets from that source MAC address.
● Each static MAC address entry can have only one outbound interface.
● Statically binding an interface to a MAC address does not affect the learning
of dynamic MAC address entries on the interface.
Function: When static MAC address entries are configured, authorized users can
use network resources and other users are prevented from using the bound MAC
addresses to initiate attacks.
MAC Address      VLAN ID   Port
0011-0022-0034   10        GE0/0/1
0011-0022-0034   20        GE0/0/2
0011-0022-0035   30        Eth-Trunk 20
Functions
The MAC address table is used for unicast forwarding of packets. In Figure 3-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC
address table for an entry matching the destination MAC address and VLAN ID of
the packet. In this example, it finds that MAC3 and VLAN 10 correspond to the
outbound interface Port3. The switch then forwards packets to PC3 through Port3.
[Figure 3-1: PC3 is attached to Port3; the frame from PC1 carries destination
MAC3, source MAC1, VLAN 10, Type, and Data.]
In Figure 3-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the MAC address of HostA and the VLAN ID from the
frame.
● If the MAC address entry does not exist in the MAC address table, SwitchA
adds an entry with the MAC address, PortA, and VLAN ID to the MAC address
table.
● If the MAC address entry exists in the MAC address table, SwitchA resets the
aging timer of the MAC address entry.
NOTE
The switch will only learn and update MAC address entries when receiving data
frames.
[Figure 3-3: timeline 0, 1T, 2T, 3T, 4T with events t1, t2, t3]
t2: The hit flag of the entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is
set to 0, but the entry is not deleted.
t3: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted because
its hit flag is 0.
In Figure 3-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface that
has joined VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists
in the MAC address table, an entry is created with its hit flag set to 1.
At each T, the switch checks all of its dynamic MAC address entries.
1. At t2, the switch finds that the hit flag of the MAC address entry is 1 and sets
it to 0. The MAC address entry is not deleted at this time.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry
remains 0.
3. At t3, the switch finds that the hit flag of the matching MAC address entry is
0. The switch then deletes the MAC address entry because the aging time of
the MAC address entry has expired.
A dynamic MAC address entry can be stored on the switch for a period of T to 2T.
You can set the aging time (T) of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
NOTE
● By default, the switch does not age the MAC address entries that match the destination
MAC addresses of packets. Use the mac-address destination hit aging enable
command to configure the switch to age MAC address entries regardless of whether any
packets destined for that MAC address are received.
● When the interface frequently alternates between Up and Down, MAC address entries
may not be aged within two aging periods. If this occurs, you are advised to check the
link quality or run the port link-flap protection enable command to configure link
flapping protection.
[Figure: MAC address flapping. MAC address 0011-0022-0034 in VLAN 2 is learned
first on GE0/0/1 and later on GE0/0/2, so packets to it are broadcast to the two
interfaces in the VLAN.]
MAC Address      VLAN ID   Port
0011-0022-0034   2         GE0/0/1   (first interface that learns this MAC address)
0011-0022-0034   2         GE0/0/2   (interface that learns this MAC address later)
[Figure: SwitchA connects to the Network through Port1 and to a User through
Port2 (access interface) and SwitchB; MAC address 11-22-33 appears on both
paths.]
NOTE
MAC address flapping detection allows a switch to detect changes in traffic transmission
paths based on learned MAC addresses, but the switch does not know the entire network
topology. It is recommended that this function be used on the interface connected to a user
network where loops may occur.
If an authorized device associated with the correct entry is powered off, the MAC address
entry of another device can be learned. This prevents the original entry from being learned
when the authorized device is powered back on.
In Figure 3-6, Port1 of the switch is connected to a server. To prevent
unauthorized users from connecting to the switch using the server's MAC address,
you can set a high MAC address learning priority for Port1.
NOTE
Only the S5720EI, S5720SI, S5720S-SI, S5720HI, S6720EI, and S6720S-EI support this
function.
On an Ethernet network, a host sends and receives Ethernet data frames using
MAC addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC
addresses. When two devices on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
The outbound interfaces in matching MAC address and ARP entries are usually
consistent. In Figure 3-7, the outbound interface in both the MAC address entry
and ARP entry is GE0/0/1 at T1.
● Between T1 and T2, the interface for the entry changes.
● At T2, after a packet is received from a peer device, the outbound interface in
the MAC address entry is changed to GE0/0/2. However, the outbound
interface in the ARP entry remains GE0/0/1.
● At T3, the ARP entry expires, and the outbound interface in the ARP entry is
changed to GE0/0/2 through an ARP aging probe. Between T2 and T3,
GE0/0/1 is unavailable, meaning communication between devices on different
network segments is interrupted.
NOTE
The MAC address-triggered ARP entry update function is often used on networks where
devices in a Virtual Router Redundancy Protocol (VRRP) group connect to servers (for more
information, see 3.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve
VRRP Switchover Performance), or Layer 3 traffic switching scenarios where STP and
Smart Link are used.
3.3 Application
When one of the following situations occurs, enable MAC address flapping
detection to check whether a loop occurs:
Loop detection method: MAC address flapping detection
Advantages:
● Checks all interfaces and VLANs on a switch.
● Is easy to configure as it requires only one command. This function is
enabled by default.
Disadvantage: The switch can only report alarms after detecting a loop but
cannot eliminate the loop.
When a VRRP group is connected to servers, you can configure MAC address-
triggered ARP entry update to speed up VRRP active/standby switchovers. This
function can reduce the service interruption time when a link or device fails.
In Figure 3-10, HostA is dual-homed to SwitchA and SwitchB through the switch.
A VRRP group is configured on SwitchA and SwitchB to implement link
redundancy. If the link between SwitchA and the switch fails, MAC address entries
and ARP entries on the switch are updated to ensure that traffic is switched to the
link between the switch and SwitchB.
[Figure 3-10: HostA is dual-homed through the Switch (Port1, Port2) to SwitchA
(VRRP Master, Port1) and SwitchB (VRRP Backup, Port1); before and after
switchover.]
● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry matching the
server on Port2, and SwitchB learns the server MAC address on Port1.
● When the server detects that Port2 is faulty, the server sends packets through
Port1. SwitchA then learns the server MAC address on Port1. If the server does
not send an ARP Request packet to SwitchA, SwitchA maintains the ARP entry
on Port2. In this case, packets sent from SwitchA to the server are still
forwarded through Port2 until the ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on the
switches. This function enables a switch to update the corresponding ARP entry
when the outbound interface in a MAC address entry changes.
[Figure: the Server is connected through Port1 and Port2, before and after the
switchover.]
Task: Flexibly control aging of dynamic MAC address entries
Description: For stable networks, set a long aging time or set the aging time
as 0 to not age dynamic MAC address entries. For other scenarios, set a short
aging time.
Reference: 3.7.3 Setting the Aging Time of Dynamic MAC Address Entries

Task: Monitor the MAC address table
Description: You can configure various alarm functions about MAC addresses to
monitor the usage of MAC address entries.
● Alarm threshold for MAC address usage: When the MAC address usage exceeds
the upper threshold, the switch generates an alarm. When the MAC address
usage falls below the lower threshold, the switch reports a clear message.
● MAC address learning or aging alarm: When a MAC address entry is learned or
aged out, the switch generates an alarm.
● MAC address hash conflict alarm: If the switch cannot learn MAC address
entries even when its MAC address table is not full, the switch generates an
alarm.
Reference: 3.7.6 Enabling MAC Address Alarm Functions

Task: Discard packets with an all-0 source or destination MAC address
Description: A faulty host or device may send packets with an all-0 source or
destination MAC address to a switch. Configure the switch to discard such
packets and send an alarm to the NMS to help the network administrator locate
the faulty host or device.
Reference: 3.10 Configuring the Switch to Discard Packets with an All-0 MAC
Address
Licensing Requirements
MAC address configuration commands are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management
Electronic RTU License) loaded and activated and the switches are restarted. MAC
address configuration commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.
Version Requirements
Product       Minimum Version Required
S2710SI       V100R006(C03&C05)
S5710-C-LI    V200R001C00
S5730SI       V200R011C10
S5730S-EI     V200R011C10
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
● Dynamic MAC address entries can be learned on an interface only after the
interface is added to an existing VLAN.
● Among existing MAC address entries, only MAC addresses of the dynamic
type can be overwritten as MAC addresses of other types.
● Each static MAC address entry can have only one outbound interface.
● When the aging time of dynamic MAC address entries is set to 0, dynamic
MAC address entries do not age. To age MAC address entries, delete the aging
time configuration.
● When MAC address learning is disabled in a VLAN and an interface in the
VLAN on the S5700EI, S5710EI, S5700HI, S5710HI, and S5720EI and the
discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC
address learning disabled and the discard action is defined. In this situation,
Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● When the interface frequently alternates between Up and Down, MAC
address entries may not be aged within two aging periods. If this occurs, you
are advised to check the link quality or run the port link-flap protection
enable command to configure link flapping protection.
Context
A switch cannot distinguish packets from authorized and unauthorized users when
it learns source MAC addresses of packets to maintain the MAC address table.
Therefore, if an unauthorized user uses the MAC address of an authorized user as
the source MAC address of attack packets and connects to another interface of the
switch, the switch will learn an incorrect MAC address entry. As a result, packets
destined for the authorized user are forwarded to the unauthorized user. To
improve security, you can create static MAC address entries to bind MAC addresses
of authorized users to specified interfaces. This prevents unauthorized users from
intercepting data of authorized users.
● A static MAC address entry will not be aged out. After being created, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The VLAN bound to a static MAC address entry must already exist and be
assigned to the interface bound to the entry.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id
----End
Procedure
Step 1 Run:
system-view
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address aging-time aging-time
NOTE
When the aging time is 0, MAC address entries are fixed. To clear the fixed MAC address
entries, set the aging time to a non-0 value. The system then automatically deletes the
MAC address entries after twice the aging time.
----End
Procedure
● Disable MAC address learning on an interface.
a. Run:
system-view
MAC address table. When the action is set to discard, the switch looks up
the source MAC address of the packet in the MAC address table. If the
source MAC address is found in the MAC address table, the switch
forwards the packet according to the matching MAC address entry. If the
source MAC address is not found, the switch discards the packet.
● Disable MAC address learning in a VLAN.
a. Run:
system-view
NOTE
When MAC address learning is disabled in a VLAN and an interface in the VLAN on
the S5720EI, and the discard action is configured for the interface, the interface does
not discard packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 has MAC address learning disabled and
performs the discard action; Port1 has been added to VLAN 2 and VLAN 3. In this
scenario, Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run:
system-view
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs
containing the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-
name }, the S5720HI does not support remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-
address learning disable.
iv. Run:
quit
If more than 128 ACL rules defining CAR are configured, a traffic policy
must be applied to an interface, a VLAN, and the system in sequence
in the outbound direction. In the preceding situation, if ACL rules need
to be updated, delete the traffic policy from the interface, VLAN, and
system and reconfigure it in sequence.
iii. Run:
classifier classifier-name behavior behavior-name
1) Run:
system-view
The system view is displayed.
2) Run:
interface interface-type interface-number
The interface view is displayed.
3) Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
A traffic policy can be applied to only one direction on an
interface, but a traffic policy can be applied to different
directions on different interfaces. After a traffic policy is applied
to an interface, the system performs traffic policing for all the
incoming or outgoing packets that match traffic classification
rules on the interface.
Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run:
system-view
The action to take when the number of learned MAC address entries
reaches the limit is configured.
By default, the switch discards packets with new MAC addresses when
the number of learned MAC address entries reaches the limit.
e. Run:
mac-limit alarm { disable | enable }
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not
limited.
d. Run:
mac-limit alarm { disable | enable }
Context
When alarm functions are enabled, the switch sends an alarm when the MAC
address usage exceeds the threshold, a MAC address changes, or a MAC address
hash conflict occurs. The alarms enable you to know the running status of the
MAC address table in real time.
MAC address entry resources are key resources for the switch. Monitoring the use
of the MAC address table is important for ensuring normal system operations. The
switch provides three alarm functions for MAC address entries.
Procedure
● Enable the alarm function for MAC address usage out of the specified range.
a. Run:
system-view
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage
are 80% and 70% respectively. An alarm is generated when the MAC address
usage is higher than 80%, and a clear alarm is generated when the MAC
address usage is lower than 70%.
● Enable the alarm function for MAC address learning or aging.
a. Run:
system-view
The interval at which the switch checks MAC address learning or aging is
set.
By default, the switch checks MAC address learning or aging at intervals
of 10s.
c. Run:
interface interface-type interface-number
The alarm function for MAC address learning and aging is enabled on the
interface.
By default, the alarm function for MAC address learning or aging is
disabled.
● Enable the alarm function for MAC address hash conflicts.
a. Run:
system-view
The number of MAC address hash conflict alarms reported per interval is
set.
By default, 10 MAC address hash conflict alarms are reported per interval.
d. (Optional) Run:
mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is
set.
By default, MAC address hash conflict alarms are reported at intervals of
60s.
NOTE
● The device uses hash buckets to store MAC addresses. It hashes the VLAN ID and
MAC address of each entry to be stored and obtains a hash bucket index; MAC
addresses with the same hash bucket index are stored in the same hash bucket. If a
hash bucket is already full and cannot accommodate a newly learned MAC address that
maps to it, a hash conflict occurs and that MAC address cannot be stored, even though
the maximum number of MAC addresses the device can learn may not have been
reached.
● The S5720HI does not support this configuration.
● You are not advised to change the default hash algorithm unless you have special
requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot completely prevent
them.
● After the hash algorithm is changed, restart the device to make the configuration take
effect.
Procedure
Step 1 Run:
system-view
Run:
mac-address hash-mode { xor | crc } slot slot-id
The MAC hash algorithm is configured.
● On other models:
Run:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb } slot slot-id
The MAC hash algorithm is configured.
By default, the hash algorithm is crc on the S1720GFR, S1720GW, S1720GWR,
S1720GW-E, S1720GWR-E, S2720, S2750, S5720LI, S5720S-LI, S5700LI, S5700S-LI,
S5710-X-LI, S5720SI, and S5720S-SI and crc32-lower on all other models.
----End
Procedure
Step 1 (Optional) Run:
display resource-mode configuration
NOTE
After the extended MAC entry resource mode is configured, you must restart the switch to make
the configuration take effect.
----End
Procedure
Perform the following operations on the S5720HI, S5720EI, S6720EI, and S6720S-
EI.
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger
priority value indicates a higher MAC address learning priority.
4. Run:
mac-learning priority flapping-defend action discard
The switch is configured to discard packets when the switch is configured to
prohibit MAC address flapping.
By default, the action is forward when the switch is configured to prohibit
MAC address flapping.
Perform the following operations on the S1720GFR, S1720GW, S1720GWR,
S1720GW-E, S1720GWR-E, S2720, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5710-
X-LI, S2750EI, S5720S-SI, and S5720SI.
1. Run:
system-view
The system view is displayed.
2. Run:
mac-spoofing-defend enable
Context
Preventing MAC address flapping between interfaces with the same priority can
improve network security.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo mac-learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with
the same priority.
By default, the device allows MAC address flapping between interfaces with the
same priority.
Step 3 Run:
mac-learning priority flapping-defend action discard
----End
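The two procedures above combined for the server scenario of Figure 3-6, as an added example written for this page rather than taken from the product documentation. The interface name GigabitEthernet0/0/1 and the priority value 3 are constructed; the commands are those listed in the procedures (S5720HI, S5720EI, S6720EI and S6720S-EI syntax).

```text
# Added example (not from the original guide): learning-priority-based
# MAC address flapping prevention for a server-facing interface.
# GigabitEthernet0/0/1 and priority 3 are constructed values.
<HUAWEI> system-view
# Give the server port a higher learning priority than the default (0), so a
# host on a lower-priority port cannot move the server's MAC entry to itself
# by sending frames with the server's source MAC address.
[HUAWEI] interface GigabitEthernet0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-learning priority 3
[HUAWEI-GigabitEthernet0/0/1] quit
# Default action is forward; discard frames that would flap an entry from a
# higher-priority interface to a lower-priority one.
[HUAWEI] mac-learning priority flapping-defend action discard
# Optional: also refuse flapping between interfaces that share priority 3
# (allowed by default). Leave this out where a dual-homed server is expected
# to appear on two same-priority ports.
[HUAWEI] undo mac-learning priority 3 allow-flapping
# Verify which interface each MAC address is currently bound to.
[HUAWEI] display mac-address
```

On the S1720/S2720/S2750EI/S5700LI/S5720LI/S5720SI-class models listed above, the single system-view command mac-spoofing-defend enable replaces this sequence.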
NOTE
● Configuring an action to take for MAC address flapping on an uplink interface may
cause interruptions for important uplink traffic. Therefore, configuring an action is not
recommended.
● The switch enabled with MAC address flapping detection can detect loops on a single
point, but cannot obtain the entire network topology. If the network connected to the
switch supports loop prevention protocols, use the loop prevention protocols instead of
MAC address flapping detection to eliminate loops.
● If only a few VLANs on the user network encounter loops, it is recommended that you
set the loop prevention action to quit-vlan.
● If a large number of VLANs on the user network encounter loops, it is recommended
that you set the loop prevention action to error-down to improve system performance.
Additionally, the remote switch can detect the error-down event so that it can quickly
switch any traffic to a backup link.
Procedure
Step 1 Run:
system-view
One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In
special scenarios, a MAC address flapping event does not need to be handled and
you can exclude a VLAN from MAC address flapping detection. For example, when
a switch is connected to a server with two network adapters in active-active
mode, the server's MAC address may be learned on two interfaces of the switch.
Step 4 (Optional) Run:
mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high |
middle | low }
The security level of MAC address flapping detection is configured in one or more
specified VLANs.
By default, the security level of MAC address flapping detection is middle. That is,
the system considers that MAC address flapping occurs when a MAC address flaps
10 times.
Step 5 (Optional) Run:
mac-address flapping aging-time aging-time
An action is specified for the interface if MAC address flapping occurs on the
interface.
By default, no action is configured. If an interface is connected to a user
network that does not support loop prevention protocols, MAC address
flapping may occur when there is a loop on the user network. Use this
command to configure an action to take when MAC address flapping is
detected on the interface. If the action is set to error-down, the switch shuts
down the interface. If the action is set to quit-vlan, the switch removes the
interface from the VLAN where the MAC address flapping occurs. This action
can only shut down one interface per aging interval.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as
GVRP.
– When a MAC address flaps between an interface configured with the error-down
action and an interface configured with the quit-vlan action, the former interface
is shut down and the latter interface is removed from the VLAN. If a loop could be
generated between interfaces, configure the same action for all the interfaces.
3. Run:
mac-address flapping action priority priority
----End
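A complete MAC address flapping detection configuration for a user-facing interface, following the procedure above, as an added example that is not part of the original guide. VLANs 10 to 20, the excluded VLAN 100 (an active-active dual-NIC server), the aging time 600 and the interface GigabitEthernet0/0/2 are constructed values; the exclude and display commands are assumed from the procedure text rather than quoted from it.

```text
# Added example (not from the original guide): MAC address flapping
# detection on a downstream user network that lacks loop prevention.
# VLAN numbers, aging time and interface are constructed values.
<HUAWEI> system-view
# Detection is enabled by default at security level middle (10 flaps).
# Level high reports flapping after fewer flaps in the selected VLANs.
[HUAWEI] mac-address flapping detection vlan 10 to 20 security-level high
# A server with two active-active NICs is legitimately learned on two
# interfaces; exclude its VLAN so it does not raise false flapping events.
[HUAWEI] mac-address flapping detection exclude vlan 100
# Lifetime of a flapping record before it is aged (constructed value).
[HUAWEI] mac-address flapping aging-time 600
# Configure an action only on the user-facing interface, never on an uplink,
# so a loop on the user side cannot take down important uplink traffic.
[HUAWEI] interface GigabitEthernet0/0/2
[HUAWEI-GigabitEthernet0/0/2] mac-address flapping action error-down
[HUAWEI-GigabitEthernet0/0/2] quit
# Check for flapping alarms (OID 1.3.6.1.4.1.2011.5.25.160.3.7) and records.
[HUAWEI] display trapbuffer
[HUAWEI] display mac-address flapping record
```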
You can configure the switch to discard packets with an all-0 source or destination
MAC address.
Procedure
Step 1 Run:
system-view
The switch is configured to send an alarm to the NMS when receiving packets
with an all-0 MAC address.
By default, the switch does not send an alarm when receiving packets with an
all-0 MAC address.
NOTE
The drop illegal-mac alarm command allows the switch to generate only one alarm. You
must run the drop illegal-mac alarm command again if more than one alarm is required.
----End
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address update arp
NOTE
● Only the S5720EI, S5720SI, S5720S-SI, S5720HI, S6720EI, and S6720S-EI support this
command.
● This command takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The MAC address-triggered ARP entry update function does not take effect after ARP
entry fixing is enabled using the arp anti-attack entry-check enable command.
● After the MAC address-triggered ARP entry update function is enabled, the switch
updates an ARP entry only when the outbound interface in the corresponding MAC
address entry changes.
----End
After the port bridge function is enabled on the interface, the interface can
forward the packet if the destination MAC address of the packet is in the MAC
address table.
● The switch connects to devices that do not support Layer 2 forwarding. When
users connected to the devices need to communicate, the devices send
packets of the users to the switch for packet forwarding. Because source and
destination MAC addresses of the packets are the same, a port bridge needs
to be enabled on the interface so that the interface can forward such packets.
● The switch is used as an access device in a data center and is connected to
servers. Each server is configured with multiple virtual machines. The virtual
machines need to transmit data to each other. If servers perform data
switching for virtual machines, the data switching speed and server
performance are reduced. To improve the data transmission rate and server
performance, enable a port bridge on the interfaces connected to the servers
so that the switch forwards data packets between the virtual machines.
Procedure
Step 1 Run:
system-view
----End
Context
The re-marking function enables the switch to change the specified fields of
packets according to traffic classification rules. After the re-marking action is
configured, the switch still processes outgoing packets based on the original
priority but the downstream device processes the packets based on the re-marked
priority. You can also configure an action to re-mark the destination MAC address
of packets in a traffic behavior so that the downstream device can identify packets
and provide differentiated services.
Procedure
1. Configure a traffic classifier.
a. Run:
system-view
The system view is displayed.
b. Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier,
which means that:
▪ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL
rules.
▪ If the traffic classifier does not contain any ACL rules, packets match
the traffic classifier only when they match all the rules in the
classifier.
The logical operator or means that packets match the traffic classifier as
long as they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE
The S5720HI does not support traffic classifiers with advanced ACLs containing
the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the S5720HI does not support remark 8021p [ 8021p-value | inner-8021p ],
remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning
disable.
d. Run:
quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run:
remark destination-mac mac-address
An action is configured to re-mark destination MAC addresses of packets.
The destination MAC address to be re-marked must be a unicast MAC
address.
c. Run:
quit
Exit from the traffic behavior view.
d. Run:
quit
Exit from the system view.
3. Configure a traffic policy.
a. Run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed. If you do not specify a
matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to change the matching order of traffic classifiers in the traffic
policy. To change the matching order, delete the traffic policy and create
a traffic policy with the required matching order.
When creating a traffic policy, you can specify the matching order of
traffic classifiers in the traffic policy. The traffic classifiers can be matched
in automatic order (auto) or configuration order (config):
If more than 128 rate limiting ACL rules are configured in the system, traffic
policies must be applied to the interface view, VLAN view, and system view in
sequence. To update an ACL rule, delete all the associated traffic policies from
the interface, VLAN, and system. Then, reconfigure the traffic policies and reapply
them to the interface, VLAN, and system.
b. Run:
classifier classifier-name behavior behavior-name
traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound ] command to check the traffic policy
configuration on the device.
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.
Purpose: Display alarms about MAC address flapping.
Command: Run the display trapbuffer command to check whether the following
alarms exist:
● OID 1.3.6.1.4.1.2011.5.25.160.3.7
Networking Requirements
In Figure 3-12, the user PC with MAC address 0002-0002-0002 connects to the
GE0/0/1 of the Switch, and the server with MAC address 0004-0004-0004 connects
to GE0/0/2 of the Switch. The user PC and server communicate in VLAN 2.
● To prevent unauthorized users from using the user PC's MAC address to
initiate attacks, configure a static MAC address entry for the user PC on the
Switch.
● To prevent unauthorized users from using the server's MAC address to
intercept information sent to other users, configure a static MAC address
entry for the server on the Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many
users, use dynamic MAC address entries. For details, see Example for Configuring Port
Security in "Port Security Configuration" in the S1720, S2700, S5700, and S6720
V200R010C00 Configuration Guide - Security.
Figure 3-12 Example network for configuring static MAC address entries
(Diagram: the Switch connects to the Network; GE0/0/1 connects to the PC with
MAC 2-2-2 and GE0/0/2 connects to the Server with MAC 4-4-4, both in VLAN 2.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server for
Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized
users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN
2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return
Networking Requirements
In Figure 3-13, the Switch receives packets from an unauthorized PC that has the
MAC address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry
can be configured as a blackhole MAC address entry so that the Switch filters out
packets from the unauthorized PC.
Figure 3-13 Example network for configuring a blackhole MAC address entry
(Diagram: an unauthorized user with MAC address 5-5-5 in VLAN 3 connects to
the Switch.)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
Networking Requirements
In Figure 3-14, user network 1 and user network 2 connect to the Switch through
the LSW, and the LSW connects to the Switch through GE0/0/1. User network 1
and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the Switch,
MAC address limiting can be configured on GE0/0/1 to control the number of
access users.
Figure 3-14 (diagram): the Switch connects to the Network; the LSW connects to
GE0/0/1 of the Switch and aggregates user network 1 (VLAN 10) and user network
2 (VLAN 20).
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement
Layer 2 forwarding.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet0/0/1 to VLAN 10 and
VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20
# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
Networking Requirements
In Figure 3-15, user network 1 is connected to GE0/0/1 of the Switch through
LSW1, and user network 2 is connected to GE0/0/2 of the Switch through LSW2.
GE0/0/1 and GE0/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.
Figure 3-15 (diagram): the Switch connects to the Network; LSW1 connects user
network 1 to GE0/0/1 and LSW2 connects user network 2 to GE0/0/2, both in
VLAN 2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces for Layer 2 forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks
and control access users.
Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit
# Configure a MAC address limiting rule in VLAN 2 so that a maximum of 100 MAC
addresses can be learned. When the number of learned MAC address entries
reaches the limit, the Switch discards packets with new source MAC addresses
and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return
# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
Networking Requirements
In Figure 3-16, users need to access the server connected to a switch interface. If
an unauthorized user uses the MAC address of the server as the source MAC
address to send packets to another interface, then that MAC address is learned on
the interface. In this scenario, packets sent from users to the server are forwarded
to the unauthorized user. As a result, users cannot access the server, and
important data may be intercepted by the unauthorized user.
MAC address flapping prevention can be configured to protect the server against
attacks from unauthorized users.
Figure 3-16 (diagram): the Server with MAC 11-22-33 connects to GE0/0/1 of the
Switch in VLAN 10; GE0/0/2 connects to an LSW in VLAN 10, behind which PC4
uses the same MAC 11-22-33.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
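The static-entry, blackhole, mac-limit and mac-learning priority examples above all change how the switch handles a frame's source MAC. The following added example (not code from the Huawei guide) models those decisions in one small Python MAC table; the behaviour is a simplified reading of the text, and the port names, MACs and limits used in the comments are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    port: str   # None for blackhole entries
    vlan: int
    kind: str   # "static", "blackhole" or "dynamic"

@dataclass
class MacTable:
    entries: dict = field(default_factory=dict)    # (mac, vlan) -> Entry
    mac_limit: dict = field(default_factory=dict)  # port -> max dynamic entries
    priority: dict = field(default_factory=dict)   # port -> mac-learning priority
    alarms: list = field(default_factory=list)

    def add_static(self, mac, port, vlan):
        self.entries[(mac, vlan)] = Entry(port, vlan, "static")

    def add_blackhole(self, mac, vlan):
        self.entries[(mac, vlan)] = Entry(None, vlan, "blackhole")

    def dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.port == port)

    def receive(self, src_mac, port, vlan):
        """Learn from a frame with source src_mac arriving on port in vlan and
        return its fate: 'forward', 'flap' (entry moved) or one of
        'drop-static', 'drop-blackhole', 'drop-limit', 'drop-priority'."""
        key = (src_mac, vlan)
        cur = self.entries.get(key)
        if cur is None:
            # new address: honour the interface's mac-limit before learning it
            if self.dynamic_count(port) >= self.mac_limit.get(port, float("inf")):
                self.alarms.append(f"mac-limit reached on {port}")
                return "drop-limit"
            self.entries[key] = Entry(port, vlan, "dynamic")
            return "forward"
        if cur.kind == "blackhole":
            return "drop-blackhole"
        if cur.kind == "static":
            # a static entry is never overwritten; the same MAC arriving on
            # another interface is discarded (the spoofing case in Figure 3-12)
            return "forward" if cur.port == port else "drop-static"
        if cur.port == port:
            return "forward"
        # entry learned elsewhere: a lower-priority interface cannot take it over
        if self.priority.get(port, 0) < self.priority.get(cur.port, 0):
            return "drop-priority"
        cur.port = port
        return "flap"
```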
Networking Requirements
In Figure 3-17, a loop occurs on a user network because two LSWs are incorrectly
connected using a network cable. This loop causes MAC address flapping on the
Switch.
To detect loops in a timely manner, configure MAC address flapping detection on
the Switch. This function enables the Switch to detect loops by checking whether a
MAC address flaps between interfaces. To remove loops on the network, configure
an action against MAC address flapping on the interfaces.
Figure 3-17 (diagram): the Switch connects to the Network; LSW1 on GE0/0/1 and
LSW2 on GE0/0/2 are incorrectly connected to each other, forming a loop.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection
Step 3 Configure the action against MAC address flapping as error-down on GE0/0/1
and GE0/0/2.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit
When the MAC address learned on GE0/0/1 moves to GE0/0/2, GE0/0/2 is shut
down automatically. You can run the display mac-address flapping record
command to view MAC address flapping records.
[Switch] display mac-address flapping record
S : start time
E : end time
(Q) : quit vlan
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44
-------------------------------------------------------------------------------
Total items on slot 0: 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet0/0/1
mac-address flapping action error-down
#
interface GigabitEthernet0/0/2
mac-address flapping action error-down
#
return
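The display mac-address flapping record output above is what an operator or a monitoring script reads to confirm a loop and to see which interfaces error-down has taken down. The following added example (not code from the Huawei guide) parses that output; the sample text is constructed in the same layout, with the page's record first and a second, invented record showing the quit-vlan action.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the display output shown above; the
# second record is invented to show a (Q) quit-vlan action.
SAMPLE = """\
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44
S:2012-04-01 17:30:01 10 0000-0000-0009 GE0/0/3 GE0/0/4(Q) 12
E:2012-04-01 17:30:21
-------------------------------------------------------------------------------
Total items on slot 0: 2
"""
TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
START_RE = re.compile(r"^S:" + TS + r"\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d+)$")
END_RE = re.compile(r"^E:" + TS + r"$")
ACTIONS = {"D": "error-down", "Q": "quit-vlan"}

def parse_flapping_records(text):
    """One dict per S:/E: record pair: mac, vlan, ports, move count, window."""
    records, cur = [], None
    for line in text.splitlines():
        if m := START_RE.match(line.strip()):
            ports = []
            for tok in m.group(5).split():        # e.g. "GE0/0/2(D)"
                pm = re.fullmatch(r"(.+?)(?:\((\w)\))?", tok)
                ports.append((pm.group(1), ACTIONS.get(pm.group(2), "none")))
            cur = {"start": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   "vlan": int(m.group(2)), "mac": m.group(3),
                   "original_port": m.group(4), "move_ports": ports,
                   "move_num": int(m.group(6)), "end": None}
            records.append(cur)
        elif (m := END_RE.match(line.strip())) and cur is not None:
            cur["end"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return records

def flap_rate(rec):
    """Moves per second in the record's window; a high rate points to a loop."""
    secs = max((rec["end"] - rec["start"]).total_seconds(), 1)
    return rec["move_num"] / secs

def ports_shut_down(records):
    """Interfaces that the error-down action has taken down."""
    return sorted({p for r in records for p, a in r["move_ports"] if a == "error-down"})
```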
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2
forwarding failures.
Procedure
Step 1 Check the configuration on the device.
Scenario: Whether the VLAN that the interface belongs to has been created.
Check: Run the display vlan vlan-id command in any view. If the system displays
the message "Error: The VLAN does not exist", the VLAN has not been created.
Solution: Run the vlan vlan-id command in the system view to create the VLAN.
Scenario: Whether the interface transparently transmits packets from the VLAN.
Check: Run the display vlan vlan-id command in any view to check whether the
interface name exists. If not, the interface does not transparently transmit
packets from the VLAN.
Solution: Run one of the following commands in the interface view to add the
interface to the VLAN.
● Run the port trunk allow-pass vlan command if the interface is a trunk
interface.
● Run the port hybrid tagged vlan or port hybrid untagged vlan command if the
interface is a hybrid interface.
● Run the port default vlan command if the interface is an access interface.
Scenario: Whether MAC address learning is disabled on the interface or in the
VLAN.
Check: Run the display this | include learning command in the interface view
and VLAN view to check whether the mac-address learning disable configuration
exists. If so, MAC address learning is disabled on the interface or in the VLAN.
Solution: Run the undo mac-address learning disable command in the interface
view or VLAN view to enable MAC address learning.
Scenario: Whether MAC address limiting is configured on the interface and in
the VLAN.
Check: Run the display this | include mac-limit command in the interface view
and VLAN view to check whether MAC address limiting is configured. If so, the
maximum number of learned MAC address entries is set.
Solution:
● Run the mac-limit command in the interface view or VLAN view to increase the
maximum number of learned MAC address entries.
● Run the undo mac-limit command in the interface view or VLAN view to remove
the MAC address limit.
Scenario: Whether port security is configured on the interface.
Check: Run the display this | include port-security command in the interface
view to check whether port security is configured.
Solution:
● Run the undo port-security enable command in the interface view to disable
port security.
● Run the port-security max-mac-num command in the interface view to increase
the maximum number of secure dynamic MAC address entries on the interface.
----End
3.17 FAQs
Check whether MAC address flapping occurs according to the following table.
Version Command
Versions earlier than V200R001 support only MAC address flapping detection in
a VLAN: run the loop-detect eth-loop alarm-only command in the VLAN view to
enable it, and the undo loop-detect eth-loop alarm-only command in the VLAN
view to disable it.
If the alarm is reported multiple times, find the first and second interfaces where
the MAC address is learned. Shut down the second interface to locate the loop.
Then adjust the networking to remove the loop.