
S1720, S2700, S5700, and S6720 Series Ethernet Switches
Configuration Guide - Ethernet Switching

3 MAC Address Table Configuration

About This Chapter

This chapter describes how to configure the Media Access Control (MAC) address
table on your switch. A MAC address table is a Layer 2 forwarding table that
stores MAC addresses learned from other devices. Your switch maintains a MAC
address table for Layer 2 data forwarding. Each workstation and server has a
unique MAC address. When the switch exchanges data with connected
workstations and servers, the switch records their MAC addresses, access
interfaces, and VLAN IDs to facilitate unicast forwarding.
3.1 Introduction to the MAC Address
3.2 Principles
3.3 Application
3.4 Configuration Task Summary
3.5 Licensing Requirements and Limitations for MAC Address Tables
3.6 Default Configuration
3.7 Configuring a MAC Address Table
You can configure functions and parameters for a MAC address table to ensure
secure communication between authorized users. The following configurations are
optional and can be performed in any order.
3.8 Configuring MAC Address Flapping Prevention
3.9 Configuring MAC Address Flapping Detection
3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
3.11 Enabling MAC Address-Triggered ARP Entry Update
3.12 Enabling Port Bridge
3.13 Configuring Re-marking of Destination MAC Addresses
3.14 Maintaining the MAC Address Table
3.15 Configuration Examples

Issue 14 (2020-11-30) Copyright © Huawei Technologies Co., Ltd. 26



3.16 Common Misconfigurations
3.17 FAQs

3.1 Introduction to the MAC Address


A MAC address defines the location of a network device. It consists of 48 bits and
is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are assigned by an
institution such as the IETF to identify vendors, and bits 24 to 47 are the unique ID
assigned by vendors to identify their network adapters.
MAC addresses fall into the following types:
● Physical MAC address: uniquely identifies a terminal on an Ethernet network
and is the globally unique hardware address.
● Broadcast MAC address: used to broadcast a message to all terminals on a
LAN. The broadcast address is all 1s (FF-FF-FF-FF-FF-FF).
● Multicast MAC address: used to send a message to a group of terminals on a
LAN. All MAC addresses, other than the broadcast MAC address, that have the
eighth bit set to 1 are multicast MAC addresses; for example,
01-00-00-00-00-00. Multicast MAC addresses starting with 01-80-c2 are BPDU
MAC addresses and are often used as the destination MAC address of protocol
packets.

3.2 Principles
3.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table
A MAC address table records MAC addresses that have been learned by the switch,
interfaces on which MAC addresses are learned, and VLANs that the interfaces
belong to. Before forwarding a packet, the switch looks up the destination MAC
address of the packet in the MAC address table. If a MAC address entry matches
the destination MAC address, the switch forwards the packet from the outbound
interface recorded in the MAC address entry. If no matching MAC address entry
exists, the switch broadcasts the packet to all interfaces in the corresponding
VLAN, except the interface that received the packet.

Classification of MAC Address Entries


MAC address entries are classified as dynamic, static, and blackhole entries. In
addition, there are MAC address entries that are related to service types, for
example, secure MAC, MUX MAC, authen MAC, and guest MAC. They are
maintained by services and are converted from dynamic MAC address entries.


Table 3-1 Characteristics and functions of different MAC address entries

Dynamic MAC address entry
  Characteristics:
  ● Dynamic MAC address entries are obtained by learning the source MAC
    addresses of packets received by an interface, and can be aged.
  ● Dynamic MAC address entries are lost after a system restart.
  Function:
  ● You can check whether data is forwarded between two connected devices by
    checking the dynamic MAC address entries.
  ● You can obtain the number of users communicating on an interface by
    checking the number of specified dynamic MAC address entries.

Static MAC address entry
  Characteristics:
  ● Static MAC address entries are manually configured. Static MAC address
    entries never age.
  ● The static MAC address entries saved in the system are not lost after a
    system restart.
  ● After an interface is statically bound to a MAC address, other interfaces
    discard packets from that source MAC address.
  ● Each static MAC address entry can have only one outbound interface.
  ● Statically binding an interface to a MAC address does not affect the
    learning of dynamic MAC address entries on the interface.
  Function:
  When static MAC address entries are configured, authorized users can use
  network resources and other users are prevented from using the bound MAC
  addresses to initiate attacks.


Blackhole MAC address entry
  Characteristics:
  ● Blackhole MAC address entries are manually configured. Blackhole MAC
    address entries never age.
  ● The blackhole MAC address entries saved in the system are not lost after
    a system restart.
  ● After blackhole MAC address entries are configured, the switch discards
    packets from or destined for the blackhole MAC addresses.
  Function:
  Blackhole MAC address entries can filter out unauthorized users.

3.2.2 Elements and Functions of a MAC Address Table


Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID
or virtual switch interface (VSI). The destination host's MAC address can be bound
to multiple VLAN IDs or VSIs in the MAC address table if it joins multiple VLANs or
VSIs. Table 3-2 lists four example MAC address entries with their associated VLAN
ID/VSI names and outbound interfaces. For example, the first MAC address entry is
used to forward the packets destined for 0011-0022-0034 and VLAN 10 through
outbound interface GE0/0/1.

Table 3-2 MAC address entries


MAC Address VLAN ID/VSI Name Outbound Interface

0011-0022-0034 10 GE0/0/1

0011-0022-0034 20 GE0/0/2

0011-0022-0035 30 Eth-Trunk 20

0011-0022-0035 huawei GE0/0/3

Functions
The MAC address table is used for unicast forwarding of packets. In Figure 3-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC


address table for an entry matching the destination MAC address and VLAN ID of
the packet. In this example, it finds that MAC3 and VLAN 10 correspond to the
outbound interface Port3. The switch then forwards packets to PC3 through Port3.

Figure 3-1 Forwarding based on the MAC address table

[Figure: PC1 (MAC1, Port1), PC2 (MAC2, Port2), and PC3 (MAC3, Port3) are
connected to a switch whose MAC address table contains MAC1/VLAN 10/Port1,
MAC2/VLAN 10/Port2, and MAC3/VLAN 10/Port3. The frame from PC1 to PC3 carries
destination MAC3, source MAC1, VLAN 10, Type, and Data.]

3.2.3 MAC Address Entry Learning and Aging

MAC Address Entry Learning


MAC address entries are usually learned from the source MAC addresses of
received data frames.

Figure 3-2 MAC address entry learning

[Figure: HostA sends a data frame to PortA of SwitchA.]

In Figure 3-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the MAC address of HostA and the VLAN ID from the
frame.
● If the MAC address entry does not exist in the MAC address table, SwitchA
adds an entry with the MAC address, PortA, and VLAN ID to the MAC address
table.
● If the MAC address entry exists in the MAC address table, SwitchA resets the
aging timer of the MAC address entry.


NOTE

● If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC
address entry is Eth-TrunkA.
● If the default VLAN is not changed, the VLAN ID of all MAC address entries will be
VLAN 1.
● The switch will not learn the BPDU MAC addresses (addresses in the 0180-c200-xxxx
format).

The switch will only learn and update MAC address entries when receiving data
frames.

MAC Address Entry Aging


A switch needs to update its MAC address table continuously to adapt to changing
network topologies. Dynamic MAC address entries are not always valid. Each entry
has a life cycle (aging time) and will be deleted when the aging time expires. If an
entry is updated within the aging time, the aging timer of the entry is reset.

Figure 3-3 MAC address entry aging

[Figure: a timeline marked 0, 1T, 2T, 3T, 4T with events t1, t2, and t3.
t1: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is learned, and
the hit flag is set to 1.
t2: The hit flag of the entry with MAC address 00e0-fc00-0001 and VLAN ID 1
is set to 0, but the entry is not deleted.
t2-t3: No packet matching this MAC address is received, so the hit flag
stays 0.
t3: The entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted
because its hit flag is 0.]

In Figure 3-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface that
has joined VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists
in the MAC address table, an entry is created with the hit flag set to 1.
At each T, the switch checks all of its dynamic MAC address entries.
1. At t2, the switch finds that the hit flag of the MAC address entry is 1 and sets
it to 0. The MAC address entry is not deleted at this time.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry
remains 0.
3. At t3, the switch finds that the hit flag of the matching MAC address entry is
0. The switch then deletes the MAC address entry because the aging time of
the MAC address entry has expired.


A dynamic MAC address entry can be stored on the switch for a period of T to 2T.
You can set the aging time (T) of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
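The hit-flag procedure above, simulated as an added example (not code from this guide): it reproduces the T to 2T lifetime, a refresh by a later source frame, and the NOTE's default that a destination lookup also refreshes an entry. The aging time T, the interface name and the event times are constructed.

```python
# Simulation of the hit-flag aging described above. Added example, not code
# from the Huawei guide; the aging time T and the event times are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN ID) identifies a dynamic entry


@dataclass
class DynamicEntry:
    port: str
    hit: int = 1  # 1: a matching frame was seen since the last check; 0: not seen


@dataclass
class MacTable:
    aging_time: float  # T, the configured aging time in seconds
    # False models the default described in the NOTE: a lookup that matches the
    # entry as *destination* also refreshes it. True models the behaviour after
    # "mac-address destination hit aging enable" (only source hits refresh).
    destination_hit_aging: bool = False
    entries: Dict[Key, DynamicEntry] = field(default_factory=dict)
    deleted: List[Tuple[Key, float]] = field(default_factory=list)
    _next_check: float = 0.0

    def _advance(self, now: float) -> None:
        """Run every periodic check (at 0, T, 2T, ...) that is due by 'now'."""
        while self._next_check <= now:
            t = self._next_check
            for key, e in list(self.entries.items()):
                if e.hit == 1:
                    e.hit = 0  # first check without a newer hit: clear, keep entry
                else:
                    del self.entries[key]  # second consecutive check: aged out
                    self.deleted.append((key, t))
            self._next_check += self.aging_time

    def receive(self, src_mac: str, vlan: int, port: str, now: float) -> None:
        """Source MAC learning: create the entry or reset its aging state."""
        self._advance(now)
        e = self.entries.get((src_mac, vlan))
        if e is None:
            self.entries[(src_mac, vlan)] = DynamicEntry(port=port)
        else:
            e.port, e.hit = port, 1

    def forward(self, dst_mac: str, vlan: int, now: float) -> Optional[str]:
        """Destination lookup: the outbound port, or None when the switch floods."""
        self._advance(now)
        e = self.entries.get((dst_mac, vlan))
        if e is None:
            return None
        if not self.destination_hit_aging:
            e.hit = 1
        return e.port


def deletion_time(learn_at: float, aging_time: float,
                  refresh_at: Tuple[float, ...] = (),
                  dst_lookup_at: Tuple[float, ...] = (),
                  destination_hit_aging: bool = False) -> float:
    """Time at which the entry 00e0-fc00-0001/VLAN 1 is aged out, given when it
    was learned and when later source frames (refresh_at) or destination
    lookups (dst_lookup_at) hit it."""
    table = MacTable(aging_time, destination_hit_aging)
    events = sorted([(learn_at, "src")] + [(t, "src") for t in refresh_at]
                    + [(t, "dst") for t in dst_lookup_at])
    for t, kind in events:
        if kind == "src":
            table.receive("00e0-fc00-0001", 1, "GE0/0/1", t)
        else:
            table.forward("00e0-fc00-0001", 1, t)
    table._advance(events[-1][0] + 3 * aging_time)  # let the entry age out
    return table.deleted[0][1]


if __name__ == "__main__":
    T = 300.0
    for learn_at in (1.0, 100.0, 299.0):
        gone = deletion_time(learn_at, T)
        print(f"learned at {learn_at:5.0f}s -> deleted at {gone:.0f}s "
              f"(lifetime {gone - learn_at:.0f}s, between T and 2T)")
    print("refreshed at 400s -> deleted at", deletion_time(100.0, T, refresh_at=(400.0,)))
```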

NOTE

● By default, the switch does not age the MAC address entries that match the destination
MAC addresses of packets. Use the mac-address destination hit aging enable
command to configure the switch to age MAC address entries regardless of whether any
packets destined for that MAC address are received.
● When the interface frequently alternates between Up and Down, MAC address entries
may be not aged within two aging periods. If this occurs, you are advised to check the
link quality or run the port link-flap protection enable command to configure link
flapping protection.

3.2.4 MAC Address Learning Control


Hackers can send a large number of packets with different source MAC addresses
to a switch, causing useless MAC addresses to fill up the MAC address table. As a
result, the switch cannot learn source MAC addresses of valid packets and the
switch wastes bandwidth broadcasting these invalid packets.
The switch has the following MAC address learning control methods to protect
against this issue:
● Disabling MAC address learning on a VLAN or an interface
● Limiting the number of MAC address entries that can be learned from a VLAN
or an interface

Table 3-3 MAC address learning control

Disabling MAC address learning on a VLAN or an interface
  Principle: After MAC address learning is disabled on a VLAN or an interface,
  the switch does not learn new dynamic MAC address entries on that VLAN or
  interface. The learned dynamic MAC address entries will age out when the
  aging time expires. They can also be manually deleted using commands.
  Application scenario (applies to both methods):
  ● In most cases, attack packets enter the switch through the same interface.
    Therefore, both methods are effective in preventing these attack packets
    from using up MAC address entry resources on the switch.
  ● Limiting the number of MAC address entries that can be learned from a
    VLAN or an interface can also be used to limit the number of access users.


Limiting the number of MAC address entries that can be learned from a VLAN or
an interface
  Principle: The switch can only learn a specified number of MAC address
  entries from a VLAN or an interface. When the number of learned MAC address
  entries reaches the limit, the switch generates an alarm to notify the
  network administrator. After that, the switch cannot learn new MAC address
  entries from the VLAN or interface and discards any packets with source MAC
  addresses not in the MAC address table.

3.2.5 MAC Address Flapping

What Is MAC Address Flapping


MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one.
Figure 3-4 shows an example of MAC address flapping. The outbound interface
for the MAC address entry with MAC address 0011-0022-0034 and VLAN 2
changes from GE0/0/1 to GE0/0/2. MAC address flapping can cause an increase in
the CPU usage on the switch.
MAC address flapping does not occur frequently on a network unless a network
loop exists. If MAC address flapping frequently occurs on your network, you can
quickly locate the fault and eliminate the loops by checking the alarms and MAC
address flapping records.


Figure 3-4 MAC address flapping

[Figure: a frame with source MAC 0011-0022-0034 is broadcast to two interfaces
in the VLAN. GE0/0/1 is the first interface that learns this MAC address
(entry 0011-0022-0034, VLAN 2, GE0/0/1); GE0/0/2 is the interface that learns
this MAC address later (entry 0011-0022-0034, VLAN 2, GE0/0/2).]

How to Detect MAC Address Flapping


MAC address flapping detection determines whether MAC address flapping occurs
by checking whether outbound interfaces in MAC address entries change
frequently.
With MAC address flapping detection, the switch can generate an alarm when
MAC address flapping occurs. The alarm contains the flapping MAC address, VLAN
ID, and outbound interfaces between which the MAC address flaps. You can locate
the cause of the loop using the alarm. Alternatively, the switch can be configured
to automatically remove the interface from the VLAN (using the quit-vlan action)
or shut down the interface (using the error-down action).

Figure 3-5 MAC address flapping detection

[Figure: SwitchA has an uplink to the network and two interfaces toward the
user side, Port1 and Port2 (an access interface), both of which learn
MAC 11-22-33 of the user. SwitchA connects to SwitchB, which connects to
SwitchC and SwitchD; an incorrect connection between SwitchC and SwitchD
creates a broadcast storm along the data flow.]


In Figure 3-5, a network cable is incorrectly connected between SwitchC and
SwitchD, creating a loop between SwitchB, SwitchC, and SwitchD. When Port1 of
SwitchA receives a broadcast packet, SwitchA forwards the packet to SwitchB. The
packet then goes through the loop and is sent back to Port2 of SwitchA. After
MAC address flapping detection is configured on SwitchA, SwitchA can detect that
the source MAC address of the packet flaps from Port1 to Port2. If the MAC
address flaps between Port1 and Port2 frequently, SwitchA reports a MAC address
flapping alarm to alert the network administrator.

NOTE

MAC address flapping detection allows a switch to detect changes in traffic transmission
paths based on learned MAC addresses, but the switch does not know the entire network
topology. It is recommended that this function be used on the interface connected to a user
network where loops may occur.

How to Prevent MAC Address Flapping


During network planning, you can use the following methods to prevent MAC
address flapping:
● Increase the MAC address learning priority of an interface: When the same
MAC address is learned on interfaces with different priorities, the MAC
address entry on the interface with the highest priority takes precedence.
● Prevent MAC address entries from being overridden on interfaces with the
same priority: When the same MAC address is learned on interfaces with the
same priority, the MAC address learned later will not override the original
entry. Therefore, a false entry cannot override an existing correct entry.
NOTE

If an authorized device associated with the correct entry is powered off, the MAC address
entry of another device can be learned. This will prevent the original entry from being
learned when the authorized device is powered back on.
In Figure 3-6, Port1 of the switch is connected to a server. To prevent
unauthorized users from connecting to the switch using the server's MAC address,
you can set a high MAC address learning priority for Port1.
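The detection and prevention behaviour described in this section, simulated as an added example (not code from this guide): a looped broadcast makes one MAC alternate between two interfaces until an alarm is raised, while a higher learning priority on the server's interface, or the same-priority no-override setting, keeps the server's entry in place. The alarm threshold, the default priority of 0, the port names and the MAC addresses are constructed assumptions.

```python
# Simulation of MAC address flapping detection and of the two prevention
# methods above (learning priority, no same-priority override). Added example,
# not code from the Huawei guide; the alarm threshold, the default priority and
# the port names/MAC addresses are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN ID) identifies an entry
SERVER_MAC = "0011-2233-0000"  # constructed; stands for the figure's 11-22-33
USER_MAC = "0011-2233-0000"    # constructed; the user MAC of Figure 3-5


@dataclass
class Entry:
    port: str
    priority: int  # learning priority of the interface that learned the entry


@dataclass
class MacTable:
    # MAC learning priority per interface; interfaces not listed get 0 (assumed).
    port_priority: Dict[str, int] = field(default_factory=dict)
    # False models "prevent MAC address entries from being overridden on
    # interfaces with the same priority".
    same_priority_override: bool = True
    # Flapping detection, simplified: raise one alarm once a MAC/VLAN has moved
    # between interfaces this many times (a real switch counts per interval).
    flap_alarm_threshold: int = 3
    entries: Dict[Key, Entry] = field(default_factory=dict)
    moves: Dict[Key, List[Tuple[str, str]]] = field(default_factory=dict)
    alarms: List[Tuple[str, int, Tuple[str, ...]]] = field(default_factory=list)

    def learn(self, mac: str, vlan: int, port: str) -> bool:
        """Source MAC learning. Returns True if the entry now points at 'port'."""
        key, prio = (mac, vlan), self.port_priority.get(port, 0)
        cur = self.entries.get(key)
        if cur is None or cur.port == port:
            self.entries[key] = Entry(port, prio)
            return True
        # The same MAC address in the same VLAN arrived on another interface.
        if prio < cur.priority:
            return False  # the higher-priority interface keeps the entry
        if prio == cur.priority and not self.same_priority_override:
            return False  # the first interface to learn the MAC keeps it
        history = self.moves.setdefault(key, [])
        history.append((cur.port, port))  # record the flap: old -> new port
        self.entries[key] = Entry(port, prio)
        if len(history) == self.flap_alarm_threshold:
            ports = tuple(sorted({p for move in history for p in move}))
            self.alarms.append((mac, vlan, ports))  # MAC, VLAN, flapping ports
        return True

    def outbound(self, mac: str, vlan: int) -> Optional[str]:
        e = self.entries.get((mac, vlan))
        return e.port if e else None


def loop_scenario() -> MacTable:
    """Figure 3-5: a looped broadcast brings the user's MAC back on Port2, so
    the address alternates between Port1 and Port2 on SwitchA."""
    t = MacTable()
    for port in ("Port1", "Port2", "Port1", "Port2", "Port1"):
        t.learn(USER_MAC, 10, port)
    return t


def spoof_scenario(server_port_priority: int) -> Optional[str]:
    """Figure 3-9: frames carrying the server's MAC arrive on Port3 after the
    server (on Port1) was learned. Returns where the entry points afterwards."""
    t = MacTable(port_priority={"Port1": server_port_priority})
    t.learn(SERVER_MAC, 10, "Port1")
    t.learn(SERVER_MAC, 10, "Port3")
    return t.outbound(SERVER_MAC, 10)


def same_priority_scenario(allow_override: bool) -> Optional[str]:
    """Both interfaces at the default priority; only the override setting differs."""
    t = MacTable(same_priority_override=allow_override)
    t.learn(SERVER_MAC, 10, "Port1")
    t.learn(SERVER_MAC, 10, "Port3")
    return t.outbound(SERVER_MAC, 10)


if __name__ == "__main__":
    print("loop alarms:", loop_scenario().alarms)
    print("server port priority 1 -> entry on", spoof_scenario(1))
    print("default priorities     -> entry on", spoof_scenario(0))
    print("no same-priority override -> entry on", same_priority_scenario(False))
```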

Figure 3-6 MAC address flapping prevention

[Figure: a server with MAC 11-22-33 is connected to Port1 of the switch; an
unauthorized user also using MAC 11-22-33, and authorized users 1, 2, and 3,
are connected to other interfaces of the switch.]


3.2.6 MAC Address-Triggered ARP Entry Update

NOTE

Only the S5720EI, S5720SI, S5720S-SI, S5720HI, S6720EI, and S6720S-EI support this
function.

On an Ethernet network, a host sends and receives Ethernet data frames using
MAC addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC
addresses. When two devices on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
The outbound interfaces in matching MAC address and ARP entries are usually
consistent. In Figure 3-7, the outbound interface in both the MAC address entry
and ARP entry is GE0/0/1 at T1.
● Between T1 and T2, the interface for the entry changes.
● At T2, after a packet is received from a peer device, the outbound interface in
the MAC address entry is changed to GE0/0/2. However, the outbound
interface in the ARP entry remains GE0/0/1.
● At T3, the ARP entry expires, and the outbound interface in the ARP entry is
changed to GE0/0/2 through an ARP aging probe. Between T2 and T3,
GE0/0/1 is unavailable, meaning communication between devices on different
network segments is interrupted.

Figure 3-7 Without MAC address-triggered ARP entry update

[Figure: the MAC address entry (MAC 11-22-34, VLAN 2) and the ARP entry
(IP 10.2.2.2, MAC 11-22-34, VLAN 2) at three points in time.
T1, before port switching: MAC address entry port GE0/0/1; ARP entry port
GE0/0/1.
T2, after port switching: MAC address entry port GE0/0/2; ARP entry port still
GE0/0/1.
T3, after the ARP aging probe: MAC address entry port GE0/0/2; ARP entry port
GE0/0/2.]

MAC address-triggered ARP entry update enables a device to update the
outbound interface in an ARP entry immediately after the outbound interface in
the corresponding MAC address entry changes. In Figure 3-8, MAC address-
triggered ARP entry update is enabled. At T2, after the outbound interface in the
MAC address entry is changed to GE0/0/2, the outbound interface in the ARP
entry is immediately changed to GE0/0/2. This prevents communication
interruptions encountered in the previous example.


Figure 3-8 With MAC address-triggered ARP entry update

[Figure: the MAC address entry (MAC 11-22-34, VLAN 2) and the ARP entry
(IP 10.2.2.2, MAC 11-22-34, VLAN 2) at three points in time.
T1, before port switching: MAC address entry port GE0/0/1; ARP entry port
GE0/0/1.
T2, after port switching: MAC address entry port GE0/0/2; ARP entry port
GE0/0/2 (updated immediately).
T3, after the ARP aging probe: MAC address entry port GE0/0/2; ARP entry port
GE0/0/2.]

NOTE

The MAC address-triggered ARP entry update function is often used on networks where
devices in a Virtual Router Redundancy Protocol (VRRP) group connect to servers (for more
information, see 3.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve
VRRP Switchover Performance), or Layer 3 traffic switching scenarios where STP and
Smart Link are used.
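The T1/T2/T3 sequence of Figures 3-7 and 3-8, simulated as an added example (not code from this guide): with the function disabled the ARP entry keeps GE0/0/1 until the ARP aging probe, with it enabled the MAC table change is pushed into the ARP entry at T2. The ARP aging time, the event times and the full MAC address are constructed; the IP address 10.2.2.2 and the interfaces are taken from the figures.

```python
# Simulation of MAC address-triggered ARP entry update as described above.
# Added example, not code from the Huawei guide; the ARP aging time, the event
# times and the MAC address are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN ID)


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    port: str          # outbound interface recorded in the ARP entry
    expires_at: float  # when the ARP aging probe re-resolves the host


@dataclass
class L3Switch:
    arp_aging_time: float
    mac_triggered_arp_update: bool = False  # the function this section describes
    mac_table: Dict[Key, str] = field(default_factory=dict)       # (mac, vlan) -> port
    arp_table: Dict[str, ArpEntry] = field(default_factory=dict)  # ip -> entry

    def learn_mac(self, mac: str, vlan: int, port: str) -> None:
        """Source MAC learning; with the function enabled, an outbound-interface
        change is pushed into every ARP entry for that MAC/VLAN at once."""
        old = self.mac_table.get((mac, vlan))
        self.mac_table[(mac, vlan)] = port
        if old is not None and old != port and self.mac_triggered_arp_update:
            for arp in self.arp_table.values():
                if (arp.mac, arp.vlan) == (mac, vlan):
                    arp.port = port

    def learn_arp(self, ip: str, mac: str, vlan: int, now: float) -> None:
        """ARP resolution: the ARP entry takes the MAC table's current port."""
        port = self.mac_table[(mac, vlan)]
        self.arp_table[ip] = ArpEntry(mac, vlan, port, now + self.arp_aging_time)

    def egress_port(self, ip: str, now: float) -> Optional[str]:
        """Outbound interface used for an IP packet to 'ip' at time 'now'."""
        arp = self.arp_table.get(ip)
        if arp is None:
            return None
        if now >= arp.expires_at:
            # ARP entry expired: the aging probe re-resolves the host, and the
            # refreshed entry follows whatever the MAC table says now.
            port = self.mac_table.get((arp.mac, arp.vlan))
            if port is None:
                del self.arp_table[ip]
                return None
            arp.port, arp.expires_at = port, now + self.arp_aging_time
        return arp.port


def port_timeline(enabled: bool) -> Tuple[Optional[str], ...]:
    """Outbound interface toward 10.2.2.2 at T1 (0 s), between T2 and T3
    (150 s) and at T3 (300 s, ARP aging) for Figures 3-7 and 3-8."""
    sw = L3Switch(arp_aging_time=300.0, mac_triggered_arp_update=enabled)
    sw.learn_mac("1122-3400-0000", 2, "GE0/0/1")
    sw.learn_arp("10.2.2.2", "1122-3400-0000", 2, now=0.0)
    at_t1 = sw.egress_port("10.2.2.2", 0.0)
    sw.learn_mac("1122-3400-0000", 2, "GE0/0/2")  # T2: port switching
    between = sw.egress_port("10.2.2.2", 150.0)
    at_t3 = sw.egress_port("10.2.2.2", 300.0)
    return (at_t1, between, at_t3)


if __name__ == "__main__":
    print("without the function:", port_timeline(False))
    print("with the function:   ", port_timeline(True))
```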

3.3 Application

3.3.1 Configuring MAC Address Flapping Prevention to Block User Attacks
In Figure 3-9, users need to access the server connected to Port1 of the switch. If
an unauthorized user sends packets using the server's MAC address as the source
MAC address, the server's MAC address is learned on another interface of the
switch. Then packets sent to the server are sent to the unauthorized user. As a
result, users cannot access the server, and important data may be intercepted by
the unauthorized user. To prevent this, set a higher MAC address learning priority
for the interface connected to the server than other interfaces.

Figure 3-9 Networking diagram of MAC address flapping prevention

[Figure: a server with MAC 11-22-33 is connected to Port1 of the switch; an
unauthorized user also using MAC 11-22-33, and authorized users 1, 2, and 3,
are connected to other interfaces of the switch.]


3.3.2 Configuring MAC Address Flapping Detection to Quickly Detect Loops
When a loop occurs, MAC address flapping will occur at the failure point. You can
use MAC address flapping detection to locate these loops.

When one of the following situations occurs, enable MAC address flapping
detection to check whether a loop exists:

● A MAC address entry alternately appears and disappears.
● Ping operations alternately succeed and fail.
● A high CPU usage alarm is generated.

Table 3-4 compares loop detection technologies.

Table 3-4 Comparison of loop detection technologies

MAC address flapping detection
  Advantages:
  ● Checks all interfaces and VLANs on a switch.
  ● Is easy to configure as it requires only one command. This function is
    enabled by default.
  Disadvantages: The switch can only report alarms after detecting a loop but
  cannot eliminate the loop.

Loopback detection
  Advantages:
  ● Detects loops based on interfaces and VLANs.
  ● The switch can eliminate a loop after detecting the loop.
  Disadvantages: This function is not enabled by default and needs to be
  configured through commands.

3.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP Switchover Performance
The Virtual Router Redundancy Protocol (VRRP) groups multiple routing devices
into a virtual router. The virtual IP address of the virtual router is used as the
default gateway address for communication with an external network. When a
gateway device fails, VRRP selects another gateway device to transmit service
traffic, ensuring reliable communication.

When a VRRP group is connected to servers, you can configure MAC address-
triggered ARP entry update to speed up VRRP active/standby switchovers. This
function can reduce the service interruption time when a link or device fails.

In Figure 3-10, HostA is dual-homed to SwitchA and SwitchB through the switch.
A VRRP group is configured on SwitchA and SwitchB to implement link
redundancy. If the link between SwitchA and the switch fails, MAC address entries
and ARP entries on the switch are updated to ensure that traffic is switched to the
link between the switch and SwitchB.


Figure 3-10 VRRP networking

[Figure: SwitchA (VRRP Master) and SwitchB (VRRP Backup) each connect through
their Port1 to the switch (Port1 and Port2 respectively); HostA connects to
the switch. Before the switchover, traffic uses the link to SwitchA; after the
switchover, the link to SwitchB.]

In Figure 3-11, a server is connected to a VRRP group. Generally, a server selects
only one network interface to send packets, only selecting another if there is a
network or traffic transmission failure.

● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry matching the
server on Port2, and SwitchB learns the server MAC address on Port1.
● When the server detects that Port2 is faulty, the server sends packets through
Port1. SwitchA then learns the server MAC address on Port1. If the server does
not send an ARP Request packet to SwitchA, SwitchA maintains the ARP entry
on Port2. In this case, packets sent from SwitchA to the server are still
forwarded through Port2 until the ARP entry is aged out.

To solve the problem, configure MAC address-triggered ARP entry update on the
switches. This function enables a switch to update the corresponding ARP entry
when the outbound interface in a MAC address entry changes.

Figure 3-11 VRRP group connects to a server

[Figure: SwitchA (VRRP Master) and SwitchB (VRRP Backup), each with Port1 and
Port2, connect to a server that has Port1 and Port2.]


3.4 Configuration Task Summary

Table 3-5 Configuration task summary for a MAC address table

Scenario: Bind static MAC addresses and interfaces
  Description: Configure static MAC address entries to bind MAC addresses and
  interfaces, improving security of authorized users.
  Task: 3.7.1 Configuring a Static MAC Address Entry

Scenario: Filter out attack packets
  Description: Configure blackhole MAC address entries to filter out packets
  from unauthorized users, thereby protecting the system against attacks.
  Task: 3.7.2 Configuring a Blackhole MAC Address Entry

Scenario: Flexibly control aging of dynamic MAC address entries
  Description: For stable networks, set a long aging time or set the aging
  time as 0 to not age dynamic MAC address entries. For other scenarios, set a
  short aging time.
  Task: 3.7.3 Setting the Aging Time of Dynamic MAC Address Entries

Scenario: Control MAC address learning
  Description: Certain network attacks aim to exhaust MAC address entries. To
  protect against this kind of attack, disable MAC address learning or limit
  the number of MAC address entries that can be learned.
  Task: 3.7.4 Disabling MAC Address Learning; 3.7.5 Configuring the MAC
  Address Limiting Function


Scenario: Monitor the MAC address table
  Description: You can configure various alarm functions about MAC addresses
  to monitor the usage of MAC address entries.
  ● Alarm threshold for MAC address usage: When the MAC address usage exceeds
    the upper threshold, the switch generates an alarm. When the MAC address
    usage falls below the lower threshold, the switch reports a clear message.
  ● MAC address learning or aging alarm: When a MAC address entry is learned
    or aged out, the switch generates an alarm.
  ● MAC address hash conflict alarm: If the switch cannot learn MAC address
    entries even when its MAC address table is not full, the switch generates
    an alarm.
  Task: 3.7.6 Enabling MAC Address Alarm Functions

Scenario: Quickly update outbound interfaces in ARP entries
  Description: Configure the MAC address-triggered ARP entry update function.
  When the outbound interface in a MAC address entry changes, the device
  updates the outbound interface in the corresponding ARP entry before ARP
  probing. This function shortens service interruption time.
  Task: 3.11 Enabling MAC Address-Triggered ARP Entry Update


Scenario: Prevent MAC address flapping
  Description: MAC address flapping occurs on a network when the network has a
  loop or undergoes certain attacks. You can use the following methods to
  prevent MAC address flapping:
  ● Configure the MAC address learning priorities for interfaces. When the
    same MAC address is learned by two interfaces of different priorities, the
    MAC address entries learned by the interface with a higher priority
    override the MAC address entries learned by the other interface.
  ● Prevent MAC address entries from being overridden on interfaces with the
    same priority.
  Task: 3.8 Configuring MAC Address Flapping Prevention

Scenario: Detect MAC address flapping
  Description: MAC address flapping occurs when a MAC address is learned by two
  interfaces in the same VLAN and the MAC address entry learned later
  overrides the earlier one. MAC address flapping detection enables a switch
  to check whether any MAC address flaps exist between interfaces and
  determine whether a loop exists. When MAC address flapping occurs, the
  switch sends an alarm to the NMS. The network maintenance personnel can
  locate the loop based on the alarm information and historical records for
  MAC address flapping. This greatly simplifies network maintenance. If the
  network connected to the switch does not support loop prevention protocols,
  configure the switch to shut down the interfaces where MAC address flapping
  occurs to reduce the impact of MAC address flapping on the network.
  Task: 3.9 Configuring MAC Address Flapping Detection


Scenario: Discard packets with an all-0 source or destination MAC address
  Description: A faulty host or device may send packets with an all-0 source
  or destination MAC address to a switch. Configure the switch to discard such
  packets and send an alarm to the NMS to help the network administrator
  locate the faulty host or device.
  Task: 3.10 Configuring the Switch to Discard Packets with an All-0 MAC
  Address

Scenario: Forward packets from an interface when the source and destination
MAC addresses are the same
  Description: By default, an interface discards packets whose source and
  destination MAC addresses are the same. After the port bridge function is
  enabled on the interface, the interface forwards such packets. This function
  applies to a switch that connects to devices incapable of Layer 2
  forwarding or functions as an access device in a data center.
  Task: 3.12 Enabling Port Bridge

3.5 Licensing Requirements and Limitations for MAC Address Tables

Involved Network Elements

Other network elements are not required.

Licensing Requirements
MAC address configuration commands are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management
Electronic RTU License) loaded and activated and the switches are restarted. MAC
address configuration commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.

Version Requirements

Table 3-6 Products and versions supporting MAC

Product | Product Model | Software Version
--------|---------------|-----------------
S1700 | S1720GFR | V200R006C10, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S1700 | S1720GW, S1720GWR | V200R010C00, V200R011C00, V200R011C10
S1700 | S1720GW-E, S1720GWR-E | V200R010C00, V200R011C00, V200R011C10
S1700 | S1720X, S1720X-E | V200R011C00, V200R011C10
S1700 | Other S1700 models | Models that cannot be configured using commands. For details about features and versions, see S1700 Documentation Bookshelf.
S2700 | S2700SI | V100R005C01, V100R006(C00&C01&C03&C05)
S2700 | S2700EI | V100R005C01, V100R006(C00&C01&C03&C05)
S2700 | S2710SI | V100R006(C03&C05)
S2700 | S2720EI | V200R006C10, V200R009C00, V200R010C00, V200R011C10
S2700 | S2750EI | V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S3700 | S3700SI | V100R005C01, V100R006(C00&C01&C03&C05)
S3700 | S3700EI | V100R005C01, V100R006(C00&C01&C03&C05)
S3700 | S3700HI | V100R006C01, V200R001C00
S5700 | S5700LI | V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5700S-LI | V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5710-C-LI | V200R001C00
S5700 | S5710-X-LI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5700EI | V100R005C01, V100R006(C00&C01), V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5700 | S5700SI | V100R005C01, V100R006C00, V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700 | S5710EI | V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)
S5700 | S5720EI | V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5720LI, S5720S-LI | V200R010C00, V200R011C00, V200R011C10
S5700 | S5720SI, S5720S-SI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5700HI | V100R006C01, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5700 | S5710HI | V200R003C00, V200R005(C00&C02&C03)
S5700 | S5720HI | V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S5700 | S5730SI | V200R011C10
S5700 | S5730S-EI | V200R011C10
S6700 | S6700EI | V100R006C00, V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6700 | S6720EI | V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10
S6700 | S6720S-EI | V200R009C00, V200R010C00, V200R011C00, V200R011C10
S6700 | S6720LI, S6720S-LI | V200R011C00, V200R011C10
S6700 | S6720SI, S6720S-SI | V200R011C00, V200R011C10

NOTE
To know details about software mappings, see Hardware Query Tool.

Feature Limitations
● Dynamic MAC address entries can be learned on an interface only after the
interface is added to an existing VLAN.
● Among existing MAC address entries, only MAC addresses of the dynamic
type can be overwritten as MAC addresses of other types.


● Each static MAC address entry can have only one outbound interface.
● When the aging time of dynamic MAC address entries is set to 0, dynamic
MAC address entries do not age. To age MAC address entries, delete the aging
time configuration.
● When MAC address learning is disabled in a VLAN and an interface in the
VLAN on the S5700EI, S5710EI, S5700HI, S5710HI, and S5720EI and the
discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC
address learning disabled and the discard action is defined. In this situation,
Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● When an interface frequently alternates between Up and Down, MAC
address entries may not be aged out within two aging periods. In this case,
check the link quality or run the port link-flap protection enable command
to configure link flapping protection.

3.6 Default Configuration

Table 3-7 Default configuration of a MAC address table

Parameter | Default Setting
----------|----------------
Aging time of dynamic MAC address entries | 300s
MAC address learning | Enabled
MAC address learning priority of an interface | 0
Prevent MAC address entries from being overridden on interfaces with the same priority | Disabled
MAC address flapping detection | Enabled
Aging time of flapping MAC address entries | 300s
MAC address-triggered ARP entry update | Disabled
Alarm for the MAC address usage | Enabled
Alarm for MAC address learning or aging | Disabled
Alarm for MAC address hash conflicts | Disabled
Discard packets with an all-0 MAC address | Disabled
Alarm for packets with an all-0 MAC address | Disabled
Port bridge | Disabled

3.7 Configuring a MAC Address Table


You can configure functions and parameters for a MAC address table to ensure
secure communication between authorized users. The following configurations are
optional and can be performed in any order.

3.7.1 Configuring a Static MAC Address Entry


MAC addresses and interfaces are bound statically in static MAC address entries.

Context
A switch cannot distinguish packets from authorized and unauthorized users when
it learns source MAC addresses of packets to maintain the MAC address table.
Therefore, if an unauthorized user sends packets that carry the MAC address of an
authorized user as the source MAC address through another interface of the
switch, the switch learns an incorrect MAC address entry. As a result, packets
destined for the authorized user are forwarded to the unauthorized user. To
improve security, you can create static MAC address entries to bind MAC addresses
of authorized users to specified interfaces. This prevents unauthorized users from
intercepting data of authorized users.

Static MAC address entries have the following characteristics:

● A static MAC address entry will not be aged out. After being created, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The VLAN bound to a static MAC address entry must already exist and be
assigned to the interface bound to the entry.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id


A static MAC address entry is created.

----End

Checking the Configuration


Run the display mac-address static command to check configured static MAC
address entries.

3.7.2 Configuring a Blackhole MAC Address Entry


Context
To protect a device or network against MAC address attacks from hackers,
configure MAC addresses of untrusted users as blackhole MAC addresses. The
device then directly discards received packets where the source or destination MAC
addresses match the blackhole MAC address entries.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address blackhole mac-address [ vlan vlan-id ]

A blackhole MAC address entry is configured.

----End

Checking the Configuration


Run the display mac-address blackhole command to check configured blackhole
MAC address entries.

3.7.3 Setting the Aging Time of Dynamic MAC Address Entries


Context
Setting the aging time for dynamic MAC address entries helps control the number
of learned MAC address entries. The aging time needs to be set properly for
dynamic MAC address entries so that the switch can delete unneeded MAC
address entries. On network topologies that change frequently, a shorter aging
time makes the switch more sensitive to these network changes. On more stable
network topologies, a longer aging time can be used.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address aging-time aging-time

The aging time is set for dynamic MAC address entries.


The aging time can be 0 or an integer that ranges from 10 to 1000000, measured
in seconds. The default value is 300. The value 0 indicates that dynamic MAC
address entries will never be aged out.

NOTE

When the aging time is 0, MAC address entries are fixed. To clear the fixed MAC address
entries, set the aging time to a non-0 value. The system then automatically deletes the
MAC address entries after twice the aging time.

----End

Checking the Configuration


Run the display mac-address aging-time command to view the aging time of
dynamic MAC address entries.

3.7.4 Disabling MAC Address Learning


Background
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
entry. The MAC address learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface. Dynamic MAC
address entries learned on the interface are not immediately deleted, but will be
removed after they are aged out or are manually deleted.

Procedure
● Disable MAC address learning on an interface.
a. Run:
system-view

The system view is displayed.


b. Run:
interface interface-type interface-number

The interface view is displayed.


c. Run:
mac-address learning disable [ action { discard | forward } ]

MAC address learning is disabled on the interface.


By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address
learning is disabled. That is, the switch forwards packets according to the


MAC address table. When the action is set to discard, the switch looks up
the source MAC address of the packet in the MAC address table. If the
source MAC address is found in the MAC address table, the switch
forwards the packet according to the matching MAC address entry. If the
source MAC address is not found, the switch discards the packet.
● Disable MAC address learning in a VLAN.
a. Run:
system-view

The system view is displayed.


b. Run:
vlan vlan-id

The VLAN view is displayed.


c. Run:
mac-address learning disable

MAC address learning is disabled in the VLAN.


By default, MAC address learning is enabled in a VLAN.

NOTE

When MAC address learning is disabled in a VLAN and an interface in the VLAN on
the S5720EI, and the discard action is configured for the interface, the interface does
not discard packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 has MAC address learning disabled and
performs the discard action; Port1 has been added to VLAN 2 and VLAN 3. In this
scenario, Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run:
system-view

The system view is displayed.


ii. Run:
traffic classifier classifier-name [ operator { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed,
or the existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier,
which means that:
○ If the traffic classifier contains ACL rules, packets match the
traffic classifier only when they match one ACL rule and all the
non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets
match the traffic classifier only when they match all the rules in
the classifier.
The logical operator or means that packets match the traffic
classifier as long as they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is
AND.
iii. Configure matching rules according to the following table.


NOTE

The S5720HI does not support traffic classifiers with advanced ACLs
containing the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-
name }, the S5720HI does not support remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-
address learning disable.

Matching Rule: Outer VLAN ID
Command: if-match vlan-id start-vlan-id [ to end-vlan-id ] (S1720GFR, S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI, S5720LI, S5720S-LI, S5720SI, S5720S-SI)
Remarks: -

Matching Rule: Inner and outer VLAN IDs in QinQ packets
Command: if-match cvlan-id start-vlan-id [ to end-vlan-id ] [ vlan-id vlan-id ] (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: -

Matching Rule: 802.1p priority in VLAN packets
Command: if-match 8021p 8021p-value &<1-8>
Remarks: If you enter multiple 802.1p priority values in one command, a packet matches the traffic classifier as long as it matches any one of the 802.1p priorities, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

Matching Rule: Inner 802.1p priority in QinQ packets
Command: if-match cvlan-8021p 8021p-value &<1-8> (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: -

Matching Rule: Outer VLAN ID or inner and outer VLAN IDs of QinQ packets
Command: if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ] (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: -

Matching Rule: Drop packet
Command: if-match discard (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: A traffic classifier containing this matching rule can only be bound to traffic behaviors containing traffic statistics collection and flow mirroring actions.

Matching Rule: Double tags in QinQ packets
Command: if-match double-tag (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: -

Matching Rule: Destination MAC address
Command: if-match destination-mac mac-address [ mac-address-mask ]
Remarks: -

Matching Rule: Source MAC address
Command: if-match source-mac mac-address [ mac-address-mask ]
Remarks: -

Matching Rule: Protocol type field in the Ethernet frame header
Command: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
Remarks: -

Matching Rule: All packets
Command: if-match any
Remarks: After the if-match any command is run, only the matching rule configured using this command takes effect, and the other matching rules in the same traffic classifier become ineffective.

Matching Rule: DSCP priority in IP packets
Command: if-match dscp dscp-value &<1-8>
Remarks:
● If you enter multiple DSCP values in one command, a packet matches the traffic classifier as long as it matches any one of the DSCP values, regardless of whether the relationship between rules in the traffic classifier is AND or OR.
● If the relationship between rules in a traffic classifier is AND, the if-match dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.

Matching Rule: IP precedence in IP packets
Command: if-match ip-precedence ip-precedence-value &<1-8>
Remarks:
● The if-match dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND.
● If you enter multiple IP precedence values in one command, a packet matches the traffic classifier as long as it matches any one of the IP precedence values, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

Matching Rule: Layer 3 protocol type
Command: if-match protocol { ip | ipv6 }
Remarks: -

Matching Rule: SYN Flag in the TCP packet
Command: if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }
Remarks: -

Matching Rule: Inbound interface
Command: if-match inbound-interface interface-type interface-number
Remarks: A traffic policy containing this matching rule cannot be applied to the outbound direction or in the interface view.

Matching Rule: Outbound interface
Command: if-match outbound-interface interface-type interface-number (S5720EI, S5720HI, S6720EI, S6720S-EI)
Remarks: A traffic policy containing this matching rule cannot be applied to the inbound direction on the S5720HI. The traffic policy containing this matching rule cannot be applied in the interface view.

Matching Rule: ACL rule
Command: if-match acl { acl-number | acl-name }
Remarks:
● When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first.
● If an ACL in a traffic classifier defines multiple rules, a packet matches the ACL as long as it matches one of the rules, regardless of whether the relationship between rules in the traffic classifier is AND or OR.

Matching Rule: ACL6 rule
Command: if-match ipv6 acl { acl-number | acl-name }
Remarks: Before specifying an ACL6 in a matching rule, configure the ACL6.

Matching Rule: Flow ID
Command: if-match flow-id flow-id (S5720EI, S6720EI, S6720S-EI)
Remarks: The traffic classifier containing if-match flow-id and the traffic behavior containing remark flow-id must be bound to different traffic policies. The traffic policy containing if-match flow-id can only be applied to an interface, a VLAN, or the system in the inbound direction.

iv. Run:
quit

Exit from the traffic classifier view.


b. Configure a traffic behavior.
i. Run:
traffic behavior behavior-name

A traffic behavior is created and the traffic behavior view is displayed.
ii. Run:
mac-address learning disable

MAC address learning is disabled in the traffic behavior view.


NOTE

This command is only supported by the S5720HI, S5720EI, S6720EI, and S6720S-EI.
iii. Run:
quit

Exit from the traffic behavior view.


iv. Run:
quit

Exit from the system view.


c. Configure a traffic policy.
i. Run:
system-view

The system view is displayed.


ii. Run the following commands as required.
○ On the S1720GFR, S1720GW, S1720GWR, S1720GW-E,
S1720GWR-E, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI,
S5720LI, S5720S-LI, S5720SI, and S5720S-SI, run:


traffic policy policy-name

A traffic policy is created and the traffic policy view is displayed,
or the view of an existing traffic policy is displayed.
○ On the S5720EI, S5720HI, S6720EI, and S6720S-EI, run:
traffic policy policy-name [ match-order { auto | config } ]

A traffic policy is created and the traffic policy view is displayed,
or the view of an existing traffic policy is displayed. If no
matching order is specified when you create a traffic policy, the
default matching order is config.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in
the traffic policy. To modify the matching order, delete the traffic
policy, create a traffic policy and specify the matching order.
When creating a traffic policy, you can specify the matching
order of matching rules in the traffic policy. The matching order
can be either automatic order or configuration order:
○ If automatic order is used, traffic classifiers are matched
based on the priorities of their types. The traffic classifiers
based on the following information are in descending order
of priority: Layer 2 and IPv4 Layer 3 information, advanced
ACL6 information, basic ACL6 information, Layer 2
information, IPv4 Layer 3 information, and user-defined ACL
information. The traffic classifier with the highest priority is
matched first. If data traffic matches multiple traffic
classifiers, and the traffic behaviors conflict with each other,
the traffic behavior corresponding to the highest priority
rule takes effect.
○ If configuration order is used, traffic classifiers are matched
based on the sequence in which traffic classifiers were
bound to traffic behaviors.
NOTE

If more than 128 ACL rules defining CAR are configured, a traffic policy
must be applied to an interface, a VLAN, and the system in sequence
in the outbound direction. In the preceding situation, if ACL rules need
to be updated, delete the traffic policy from the interface, VLAN, and
system and reconfigure it in sequence.
iii. Run:
classifier classifier-name behavior behavior-name

A traffic behavior is bound to a traffic classifier in a traffic policy.


iv. Run:
quit

Exit from the traffic policy view.


v. Run:
quit

Exit from the system view.


d. Apply the traffic policy.

▪ Applying a traffic policy to an interface


1) Run:
system-view
The system view is displayed.
2) Run:
interface interface-type interface-number
The interface view is displayed.
3) Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
A traffic policy can be applied to only one direction on an
interface, but a traffic policy can be applied to different
directions on different interfaces. After a traffic policy is applied
to an interface, the system performs traffic policing for all the
incoming or outgoing packets that match traffic classification
rules on the interface.

▪ Applying a traffic policy to a VLAN


1) Run:
system-view
The system view is displayed.
2) Run:
vlan vlan-id
The VLAN view is displayed.
3) Run:
traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the VLAN.
Only one traffic policy can be applied to a VLAN in the inbound
or outbound direction.
After a traffic policy is applied, the system performs traffic
policing for the packets that belong to a VLAN and match traffic
classification rules in the inbound or outbound direction.

▪ Applying a traffic policy to the system


1) Run:
system-view
The system view is displayed.
2) Run:
traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in
one direction. A traffic policy cannot be applied to the same
direction in the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic
policing for all the incoming and outgoing packets that
match traffic classification rules on all the member switches.


A traffic policy that is applied to a specified slot takes effect
on all the interfaces and VLANs of the member switch with
the specified stack ID. The system then performs traffic
policing for all the incoming and outgoing packets that
match traffic classification rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the
local switch. The system then performs traffic policing for all
the incoming and outgoing packets that match traffic
classification rules on the local switch. Traffic policies can be
applied to either the slot or the system for the same result.

Checking the Configuration


● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the device.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the device.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-
number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to
check traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound | outbound ] command to check the
traffic policy configuration on the device.
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.
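The forwarding decisions described in 3.7.1, 3.7.2 and this section, as an added Python model (it is not Huawei code and does not reproduce the switch's real data structures): a static entry is never overwritten by learning and a frame carrying a static MAC on another interface is discarded as flapping, a blackhole entry discards frames whose source or destination matches it, and an interface with learning disabled and action discard forwards only frames whose source MAC is already in the table. Interface names and MAC addresses are constructed sample values.

```python
"""Model of a Layer 2 MAC address table: static, blackhole and dynamic entries,
aging, and per-interface `mac-address learning disable [ action ... ]`.
Added example only; not Huawei code, and simplified compared with the switch."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAC_BROADCAST = "ffff-ffff-ffff"   # Huawei displays MACs as xxxx-xxxx-xxxx


@dataclass
class Entry:
    kind: str                  # "static", "blackhole" or "dynamic"
    port: Optional[str]        # outbound interface; None for blackhole entries
    learned_at: float = 0.0    # simulation time of last learning (dynamic only)


class MacTable:
    def __init__(self, aging_time: int = 300) -> None:
        # mac-address aging-time: 0 means dynamic entries never age out
        self.aging_time = aging_time
        self.entries: Dict[Tuple[str, int], Entry] = {}   # (mac, vlan) -> Entry
        # interface -> action ("forward" or "discard") while learning is disabled;
        # an interface absent from this dict still learns (the default)
        self.learning_disabled: Dict[str, str] = {}

    # --- configuration commands modelled from this section -----------------
    def add_static(self, mac: str, port: str, vlan: int) -> None:
        """mac-address static: bind a unicast MAC to one interface in a VLAN."""
        if int(mac[:2], 16) & 1:           # I/G bit set: multicast or broadcast
            raise ValueError("a static entry must be a unicast MAC address")
        self.entries[(mac, vlan)] = Entry("static", port)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        """mac-address blackhole: discard frames from or to this MAC."""
        self.entries[(mac, vlan)] = Entry("blackhole", None)

    def learning_disable(self, port: str, action: str = "forward") -> None:
        """mac-address learning disable [ action { discard | forward } ]"""
        self.learning_disabled[port] = action

    # --- data plane ----------------------------------------------------------
    def age(self, now: float) -> int:
        """Remove dynamic entries older than the aging time; return how many."""
        if self.aging_time == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e.kind == "dynamic" and now - e.learned_at > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def receive(self, src: str, dst: str, vlan: int, in_port: str,
                now: float = 0.0) -> Tuple[str, Optional[str]]:
        """Process one frame; return ("discard" | "unicast" | "flood", out port)."""
        src_entry = self.entries.get((src, vlan))
        dst_entry = self.entries.get((dst, vlan))
        # 3.7.2: blackhole entries match on the source or the destination MAC
        if (src_entry and src_entry.kind == "blackhole") or (
                dst_entry and dst_entry.kind == "blackhole"):
            return "discard", None
        # 3.7.1: a static MAC arriving on another interface is flapping
        if src_entry and src_entry.kind == "static" and src_entry.port != in_port:
            return "discard", None
        # 3.7.4: learning disabled with action discard needs a known source MAC
        action = self.learning_disabled.get(in_port)
        if action == "discard" and src_entry is None:
            return "discard", None
        if action is None and (src_entry is None or src_entry.kind == "dynamic"):
            # learn or refresh; the entry learned later overrides the earlier one
            self.entries[(src, vlan)] = Entry("dynamic", in_port, now)
        # forwarding lookup on the destination MAC; unknown unicast is flooded
        if dst_entry and dst_entry.port is not None:
            return "unicast", dst_entry.port
        return "flood", None
```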

3.7.5 Configuring the MAC Address Limiting Function


Context
The MAC address limiting function controls the number of access users and
protects the MAC address table against attacks. When an attacker sends a large
number of forged packets with different source MAC addresses to the switch, the
MAC address table of the switch fills with useless entries. As a result, the switch
can no longer learn the source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the
number of learned MAC address entries reaches the limit, the switch does not
learn new MAC address entries. You can also configure an action to take when the
number of MAC address entries reaches the limit. This prevents exhaustion of
MAC address entries and improves network security.

Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run:
system-view


The system view is displayed.


b. Run:
interface interface-type interface-number

The interface view is displayed.


c. Run:
mac-limit maximum max-num

The maximum number of MAC address entries that can be learned on
the interface is set.
By default, the number of MAC address entries learned on an interface is
not limited.
d. Run:
mac-limit action { discard | forward }

The action to take when the number of learned MAC address entries
reaches the limit is configured.
By default, the switch discards packets with new MAC addresses when
the number of learned MAC address entries reaches the limit.
e. Run:
mac-limit alarm { disable | enable }

The switch is configured to or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
● Limit the number of MAC address entries learned in a VLAN.
a. Run:
system-view

The system view is displayed.


b. Run:
vlan vlan-id

The VLAN view is displayed.


c. Run:
mac-limit maximum max-num

The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not
limited.
d. Run:
mac-limit alarm { disable | enable }

The switch is configured to or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
----End


Checking the Configuration


Run the display mac-limit command to check limiting on MAC address learning.

3.7.6 Enabling MAC Address Alarm Functions

Context
When alarm functions are enabled, the switch sends an alarm when the MAC
address usage exceeds the threshold, a MAC address changes, or a MAC address
hash conflict occurs. The alarms enable you to know the running status of the
MAC address table in real time.

MAC address entry resources are key resources for the switch. Monitoring the use
of the MAC address table is important for ensuring normal system operations. The
switch provides three alarm functions for MAC address entries.

Table 3-8 Three alarm functions for MAC address entries

Alarm Function: MAC address usage out of the specified range
Description: An alarm is generated when the MAC address usage is higher than 80%, and a clear alarm is generated when the MAC address usage is lower than 70%. A threshold-exceeding alarm indicates that the MAC address usage is too high. You are advised to redistribute traffic or expand your network. The clear alarm is only generated if a threshold-exceeding alarm has already been generated.

Alarm Function: MAC address learning or aging
Description: An alarm is generated when a MAC address entry is learned or aged.

Alarm Function: MAC address hash conflict
Description: To improve MAC address forwarding performance, the switch stores its MAC address table in hash chains. When multiple MAC addresses map to the same key value under the hash algorithm, some of these MAC addresses may not be learned. This is called a MAC address hash conflict. When it occurs, MAC address entries cannot be learned even though the MAC address table is not full. A MAC address hash conflict does not affect traffic forwarding: the switch broadcasts traffic destined for the conflicting MAC addresses, which occupies bandwidth and system resources. You can replace the device or network adapter of a terminal to prevent MAC address hash conflicts.
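The limit behaviour of 3.7.5 and the usage alarm of this section, as an added Python model (not Huawei code): a per-interface mac-limit with the discard/forward action and its alarm, and a MAC address usage alarm with the 80%/70% defaults whose clear alarm fires only after a threshold-exceeding alarm. The table capacity, alarm log and MAC addresses are constructed assumptions; the real switch also rate-limits alarms, which this model does not.

```python
"""Model of MAC address limiting (mac-limit maximum / action / alarm) and of
the MAC address usage threshold alarm (mac-address threshold-alarm).
Added example only; not Huawei code."""
from typing import List, Optional, Set, Tuple


class MacLimiter:
    """mac-limit on one interface: learn up to `maximum` source MACs."""

    def __init__(self, maximum: Optional[int] = None, action: str = "discard",
                 alarm: bool = True) -> None:
        self.maximum = maximum        # None: not limited (the default)
        self.action = action          # "discard" (default) or "forward"
        self.alarm = alarm            # mac-limit alarm enable (the default)
        self.learned: Set[str] = set()
        self.alarms: List[str] = []   # constructed alarm log, stands in for the NMS

    def receive(self, src: str) -> str:
        """Learn the source MAC if the limit allows; return "forward" or "discard"."""
        if src in self.learned:
            return "forward"          # known MAC: forwarded even when the limit is hit
        if self.maximum is not None and len(self.learned) >= self.maximum:
            if self.alarm:
                self.alarms.append(f"mac-limit {self.maximum} reached, not learning {src}")
            # the new MAC is not learned; the configured action decides its fate
            return self.action
        self.learned.add(src)
        return "forward"


class UsageAlarm:
    """mac-address threshold-alarm upper-limit U lower-limit L (defaults 80/70)."""

    def __init__(self, capacity: int, upper: int = 80, lower: int = 70) -> None:
        if not 0 <= lower < upper <= 100:
            raise ValueError("need 0 <= lower-limit < upper-limit <= 100")
        self.capacity, self.upper, self.lower = capacity, upper, lower
        self.raised = False           # a threshold-exceeding alarm is outstanding

    def usage_percent(self, entries: int) -> float:
        return 100.0 * entries / self.capacity

    def update(self, entries: int) -> Optional[str]:
        """Return "alarm", "clear" or None for the current table occupancy."""
        usage = self.usage_percent(entries)
        if usage > self.upper and not self.raised:
            self.raised = True
            return "alarm"
        if usage < self.lower and self.raised:   # clear only after an alarm
            self.raised = False
            return "clear"
        return None


def mac_limit_under_burst(limit: int, forged_macs: int) -> Tuple[int, int, int]:
    """Constructed scenario: a burst of distinct source MACs on one access
    interface with `mac-limit maximum limit` and the default discard action.
    Returns (entries learned, frames discarded, alarms generated)."""
    port = MacLimiter(maximum=limit)
    discarded = 0
    for i in range(forged_macs):
        if port.receive(f"0000-0000-{i:04x}") == "discard":   # constructed MACs
            discarded += 1
    return len(port.learned), discarded, len(port.alarms)
```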

Procedure
● Enable the alarm function for MAC address usage out of the specified range.


a. Run:
system-view

The system view is displayed.


b. Run:
mac-address threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value

The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage
are 80% and 70% respectively. An alarm is generated when the MAC address
usage is higher than 80%, and a clear alarm is generated when the MAC
address usage is lower than 70%.
● Enable the alarm function for MAC address learning or aging.
a. Run:
system-view

The system view is displayed.


b. (Optional) Run:
mac-address trap notification interval interval-time

The interval at which the switch checks MAC address learning or aging is
set.
By default, the switch checks MAC address learning or aging at intervals
of 10s.
c. Run:
interface interface-type interface-number

The interface view is displayed.


d. Run:
mac-address trap notification { aging | learn | all }

The alarm function for MAC address learning and aging is enabled on the
interface.
By default, the alarm function for MAC address learning or aging is
disabled.
● Enable the alarm function for MAC address hash conflicts.
a. Run:
system-view

The system view is displayed.


b. Run:
mac-address trap hash-conflict enable

The alarm function for MAC address hash conflicts is enabled.


By default, the alarm function for MAC address hash conflicts is disabled.
c. (Optional) Run:
mac-address trap hash-conflict history history-number

The number of MAC address hash conflict alarms reported per interval is
set.
By default, 10 MAC address hash conflict alarms are reported per interval.
d. (Optional) Run:
mac-address trap hash-conflict interval interval-time


The interval at which MAC address hash conflict alarms are reported is
set.
By default, MAC address hash conflict alarms are reported at intervals of
60s.

Checking the Configuration


Run the display current-configuration command to check MAC address alarm
functions on the switch.
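The usage alarm's hysteresis (alarm above the upper limit, clear only below the lower limit, and only after an alarm was raised) and the hash-conflict alarm rate limit are easy to get wrong when building monitoring around these traps. The following Python model is an added example written for this edit, not code from the Huawei guide; the switch's internal implementation is not published, so it reproduces only the documented behaviour. The 16384-entry capacity and the sample counts are constructed.

```python
"""Model of the MAC address usage alarm and the hash-conflict alarm rate limit.

Added example, not Huawei code. Reproduces what the page states: an alarm
above the upper limit (default 80%), a clear alarm below the lower limit
(default 70%) that is sent only after an alarm was raised, and at most
`history` hash-conflict alarms per `interval` seconds (defaults 10 and 60 s).
"""
from dataclasses import dataclass


@dataclass
class UsageThresholdAlarm:
    """mac-address threshold-alarm upper-limit U lower-limit L"""
    upper: int = 80          # percent; page default
    lower: int = 70          # percent; page default
    raised: bool = False     # a threshold-exceeding alarm is outstanding

    def __post_init__(self):
        # Assumed sanity check: the clear threshold must sit below the alarm
        # threshold, otherwise the alarm would toggle on every sample.
        if not 0 < self.lower < self.upper <= 100:
            raise ValueError("need 0 < lower-limit < upper-limit <= 100")

    def observe(self, used: int, capacity: int):
        """Feed one usage sample; return 'alarm', 'clear' or None."""
        usage = 100.0 * used / capacity
        if usage > self.upper and not self.raised:
            self.raised = True
            return "alarm"
        # The clear alarm is generated only if a threshold-exceeding alarm has
        # already been generated; between the two limits nothing is reported.
        if usage < self.lower and self.raised:
            self.raised = False
            return "clear"
        return None


@dataclass
class HashConflictAlarmLimiter:
    """mac-address trap hash-conflict history N interval T"""
    history: int = 10
    interval: int = 60
    suppressed: int = 0
    _window_start: float = float("-inf")   # first report opens the first window
    _sent_in_window: int = 0

    def report(self, now: float) -> bool:
        """Return True if a conflict alarm at time `now` is sent, False if suppressed."""
        if now - self._window_start >= self.interval:
            self._window_start = now          # new reporting interval
            self._sent_in_window = 0
        if self._sent_in_window < self.history:
            self._sent_in_window += 1
            return True
        self.suppressed += 1                  # counted, but not reported this interval
        return False


def run_usage_samples(samples, capacity=16384, upper=80, lower=70):
    """Replay a list of used-entry counts; return the event (or None) per sample."""
    alarm = UsageThresholdAlarm(upper, lower)
    return [alarm.observe(used, capacity) for used in samples]


def run_conflict_bursts(times, history=10, interval=60):
    """Replay conflict timestamps; return (sent flags, suppressed count)."""
    limiter = HashConflictAlarmLimiter(history, interval)
    sent = [limiter.report(t) for t in times]
    return sent, limiter.suppressed


if __name__ == "__main__":
    # Constructed samples: 61%, 82%, 73%, 67%, 82%, 67% of a 16384-entry table
    print(run_usage_samples([10000, 13500, 12000, 11000, 13500, 11000]))
    print(run_conflict_bursts([0, 1, 2, 3, 61], history=2))
```

A sample that sits between the two limits produces no event in either direction, and a table that starts out below 70% never produces a clear alarm on its own; an NMS correlation rule that expects a clear for every observed low-usage reading will therefore misfire. Likewise, a burst of conflicts beyond the `history` count per interval is silently truncated, so a sudden jump in suppressed conflicts is itself worth monitoring.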

3.7.7 Configuring a MAC Hash Algorithm


Context
A device usually uses a hash algorithm to learn MAC address entries to improve
MAC address forwarding performance. When multiple MAC addresses map the
same key value, a MAC address hash conflict may occur. This means that the
device may fail to learn many MAC addresses and can only broadcast packets
destined for these MAC addresses, leading to heavy increase in broadcast traffic. In
this case, use an appropriate hash algorithm to mitigate the hash conflict.
A proper MAC hash algorithm can reduce MAC address hash conflicts. You are not
advised to change the default hash algorithm unless you have special
requirements.

NOTE

● The device uses hash buckets to store MAC addresses. For each MAC address entry to be
stored, the device hashes the VLAN ID and the MAC address to obtain a hash bucket index;
MAC addresses with the same index are stored in the same hash bucket. Each bucket holds a
fixed maximum number of entries. If the bucket that a newly learned MAC address maps to is
already full, a hash conflict occurs and that MAC address cannot be stored, even though the
device's overall MAC address capacity has not been reached.
● The S5720HI does not support this configuration.
● You are not advised to change the default hash algorithm unless you have special
requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot completely prevent
them.
● After the hash algorithm is changed, restart the device to make the configuration take
effect.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run the following commands depending on your switch model.
● On the S1720GFR, S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2720,
S2750, S5720LI, S5720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, and
S5720S-SI:


Run:
mac-address hash-mode { xor | crc } slot slot-id
The MAC hash algorithm is configured.
● On other models:
Run:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb } slot slot-id
The MAC hash algorithm is configured.
By default, the hash algorithm is crc on the S1720GFR, S1720GW, S1720GWR,
S1720GW-E, S1720GWR-E, S2720, S2750, S5720LI, S5720S-LI, S5700LI, S5700S-LI,
S5710-X-LI, S5720SI, and S5720S-SI and crc32-lower on all other models.

----End

Checking the Configuration


Run the display mac-address hash-mode command to check the running and
configured hash algorithms.
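To make the hash-conflict behaviour discussed in the alarm table above and in this section concrete, here is a Python model of a bucketed MAC address table. It is an added example, not Huawei code: the switch's real hash functions, bucket depth and key layout are not published, so the modes below are stand-ins named after the CLI keywords (`xor`, `crc16-lower`/`-upper`, `crc32-lower`/`-upper`, `lsb`), the bucket count (64) and depth (4) are assumed, and the MAC addresses are constructed. What it shows is exactly what the page states: a learn can fail because one bucket is full while the table is not, the address is then unknown and its traffic is flooded, and changing the hash mode moves the collisions rather than removing them.

```python
"""Hash-bucket MAC address table model (added example, not Huawei code)."""
import zlib


def crc16(data: bytes) -> int:
    """Bitwise CRC-16/CCITT (polynomial 0x1021, init 0xFFFF); a stand-in for the switch's CRC."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def hash_key(vlan: int, mac: str) -> bytes:
    """The page says the hash input is the VLAN ID plus the MAC address."""
    return vlan.to_bytes(2, "big") + bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bucket_index(vlan: int, mac: str, mode: str, buckets: int) -> int:
    key = hash_key(vlan, mac)
    if mode == "xor":                       # fold every key byte with XOR
        value = 0
        for byte in key:
            value ^= byte
    elif mode == "lsb":                     # least significant bytes of the key
        value = int.from_bytes(key[-2:], "big")
    elif mode.startswith("crc16"):
        value = crc16(key)
    elif mode.startswith("crc32"):
        value = zlib.crc32(key)
    else:
        raise ValueError(f"unknown hash mode {mode}")
    if mode.endswith("upper"):              # 'upper' variants index with the high bits
        value >>= 8
    return value % buckets


class HashedMacTable:
    def __init__(self, mode="crc32-lower", buckets=64, depth=4):
        self.mode, self.buckets, self.depth = mode, buckets, depth
        self.table = [[] for _ in range(buckets)]   # bucket -> [(vlan, mac, port)]
        self.conflicts = []                          # (vlan, mac) that could not be learned

    @property
    def capacity(self):
        return self.buckets * self.depth

    @property
    def size(self):
        return sum(len(b) for b in self.table)

    def learn(self, vlan: int, mac: str, port: str) -> bool:
        bucket = self.table[bucket_index(vlan, mac, self.mode, self.buckets)]
        for i, (v, m, _) in enumerate(bucket):
            if (v, m) == (vlan, mac):                # refresh an existing entry
                bucket[i] = (vlan, mac, port)
                return True
        if len(bucket) >= self.depth:
            # Hash conflict: this bucket is full even though the table is not.
            self.conflicts.append((vlan, mac))
            return False
        bucket.append((vlan, mac, port))
        return True

    def lookup(self, vlan: int, mac: str):
        """Outbound port, or None: the frame is then flooded in the VLAN."""
        for v, m, port in self.table[bucket_index(vlan, mac, self.mode, self.buckets)]:
            if (v, m) == (vlan, mac):
                return port
        return None


# Constructed: six VMs in VLAN 10 whose MAC bytes XOR to the same value
# (the last two bytes cancel), so they all land in one XOR bucket.
SAMPLE_ENTRIES = [(10, f"0050-5600-{i:02x}{i:02x}", f"GE0/0/{i}") for i in range(1, 7)]


def learn_all(mode: str, entries=SAMPLE_ENTRIES, buckets=64, depth=4):
    """Learn the entries under one hash mode; return (learned, conflicts, capacity)."""
    table = HashedMacTable(mode, buckets, depth)
    for vlan, mac, port in entries:
        table.learn(vlan, mac, port)
    return table.size, len(table.conflicts), table.capacity
```

Under `xor` the six constructed addresses fill one four-deep bucket and the last two are never learned although only 4 of 256 slots are in use; under `lsb` the same six spread over six buckets. That is the effect of `mac-address hash-mode`: it changes which addresses collide, not whether collisions can happen, which is why the page says a better algorithm reduces but cannot prevent conflicts. An attacker who knows (or guesses) the hash function can craft source MAC addresses that all map to one bucket and force flooding for the victims sharing it, so an unexplained rise in hash-conflict alarms is worth investigating rather than just tuning away.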

3.7.8 Configuring the Extended MAC Entry Resource Mode


Context
When the switch transmits heavy traffic, MAC address entries increase accordingly.
However, the switch has a limited space for MAC address entries. If the MAC
address table size cannot meet service requirements, service running efficiency is
reduced. The switch provides the extended entry space register. You can configure
an extended MAC entry resource mode to increase the MAC address table size.

NOTE

Only the S5720EI, S6720EI and S6720S-EI support this command.

Procedure
Step 1 (Optional) Run:
display resource-mode configuration

The extended entry resource mode is displayed.


Step 2 Run:
system-view

The system view is displayed.


Step 3 Run:
assign resource-mode enhanced-mac slot slot-id

The extended MAC entry resource mode is configured.

NOTE

After the extended MAC entry resource mode is configured, you must restart the switch to make
the configuration take effect.

----End


Checking the Configuration


Run the display resource-mode configuration command to check the configured
and current extended entry resource modes.

3.8 Configuring MAC Address Flapping Prevention

3.8.1 Configuring a MAC Address Learning Priority for an Interface
Context
MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one.
To prevent MAC address flapping, set different MAC address learning priorities for
interfaces. When two interfaces learn the same MAC address entries, the MAC
address entries learned by the interface with a higher priority override the MAC
address entries learned by the other interface.

Procedure
Perform the following operations on the S5720HI, S5720EI, S6720EI, and S6720S-
EI.
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The interface view is displayed.
3. Run:
mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger
priority value indicates a higher MAC address learning priority.
4. Run:
mac-learning priority flapping-defend action discard
The switch is configured to discard the packets that it refuses to learn because
MAC address flapping is prohibited, that is, packets whose source MAC address
already has an entry on an interface with a higher learning priority.
By default, such packets are forwarded even though the MAC address entry is not
updated.
Perform the following operations on the S1720GFR, S1720GW, S1720GWR,
S1720GW-E, S1720GWR-E, S2720, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5710-
X-LI, S2750EI, S5720S-SI, and S5720SI.
1. Run:
system-view
The system view is displayed.


2. Run:
mac-spoofing-defend enable

Global MAC spoofing defense is enabled.


By default, global MAC spoofing defense is disabled.
3. Run:
interface interface-type interface-number

The interface view is displayed.


4. Run:
mac-spoofing-defend enable

MAC spoofing defense is enabled on the interface, making it a trusted
interface: a MAC address learned on a trusted interface is not overridden when
the same MAC address is received on an untrusted interface.
By default, MAC spoofing defense is disabled on an interface.

Checking the Configuration


Run the display current-configuration command to check the MAC address
learning priorities of interfaces.

3.8.2 Preventing MAC Address Flapping Between Interfaces with the Same Priority

Context
Preventing MAC address flapping between interfaces with the same priority can
improve network security.

If the switch is configured to prevent MAC address flapping between interfaces
with the same priority, the following problem may occur: if the network device
(such as a server) connected to an interface of the switch is powered off and the
same MAC address is learned on another interface, the switch cannot learn the
correct MAC address on the original interface after the network device is
powered on.

NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
undo mac-learning priority priority-id allow-flapping

The device is configured to prevent MAC address flapping between interfaces with
the same priority.

By default, the device allows MAC address flapping between interfaces with the
same priority.


Step 3 Run:
mac-learning priority flapping-defend action discard

The switch is configured to discard the packets that it refuses to learn because
MAC address flapping is prohibited, that is, packets whose source MAC address
already has an entry on another interface with the same learning priority.
By default, such packets are forwarded even though the MAC address entry is not
updated.

----End

Checking the Configuration


Run the display current-configuration command to check whether MAC address
flapping is allowed between interfaces with the same priority.
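The rules in 3.8.1 and 3.8.2 interact: priority decides who may override an entry, the allow-flapping setting decides whether equal-priority interfaces may, and the flapping-defend action decides what happens to the frame that lost. The following Python model is an added example written for this edit, not Huawei code; it implements only those rules. Interface names, priorities and MAC addresses are constructed. On the LI/SI models the trusted interface of `mac-spoofing-defend` plays the role that the higher-priority interface plays here.

```python
"""Model of MAC learning priorities and same-priority flapping control (added example)."""
from dataclasses import dataclass, field


@dataclass
class PriorityMacTable:
    priorities: dict = field(default_factory=dict)       # interface -> mac-learning priority (default 0)
    flapping_disabled: set = field(default_factory=set)  # priority values with allow-flapping removed
    defend_action: str = "forward"                       # mac-learning priority flapping-defend action
    entries: dict = field(default_factory=dict)          # (vlan, mac) -> interface

    def priority(self, iface: str) -> int:
        return self.priorities.get(iface, 0)

    def learn(self, vlan: int, mac: str, iface: str) -> str:
        """Handle a frame with source `mac` arriving on `iface` in `vlan`.

        Returns 'learned' (new entry), 'kept' (same interface), 'moved'
        (entry overridden), or the defend action when the move is prevented.
        """
        key = (vlan, mac)
        current = self.entries.get(key)
        if current is None:
            self.entries[key] = iface
            return "learned"
        if current == iface:
            return "kept"
        cur_p, new_p = self.priority(current), self.priority(iface)
        if new_p > cur_p:
            self.entries[key] = iface        # higher priority overrides the entry
            return "moved"
        if new_p == cur_p and new_p not in self.flapping_disabled:
            self.entries[key] = iface        # default: flapping between equal priorities allowed
            return "moved"
        # Lower priority, or equal priority with flapping prevented: the entry stays
        # where it is and the frame is forwarded or discarded per the configured action.
        return self.defend_action


def spoof_scenario(defend_action="forward", disable_same_priority=False):
    """Uplink GE0/0/24 at priority 2, access ports at the default priority 0.

    Returns (per-frame outcome list, final MAC table). All data is constructed."""
    table = PriorityMacTable(priorities={"GE0/0/24": 2}, defend_action=defend_action)
    if disable_same_priority:                # undo mac-learning priority 0 allow-flapping
        table.flapping_disabled.add(0)
    gateway, host = "0000-5e00-0101", "0050-5600-0a0a"
    frames = [
        (10, gateway, "GE0/0/24"),  # gateway learned on the uplink
        (10, gateway, "GE0/0/3"),   # access port sends frames with the gateway's MAC
        (10, host, "GE0/0/1"),      # host learned on an access port
        (10, host, "GE0/0/2"),      # the same host MAC appears on another access port
        (10, gateway, "GE0/0/24"),  # genuine gateway frame
    ]
    return [table.learn(*f) for f in frames], dict(table.entries)
```

With only the uplink priority raised, the spoofed gateway frame on GE0/0/3 cannot move the entry but is still forwarded (the default action), while the host MAC freely moves between two access ports. With `action discard` and same-priority flapping disabled for priority 0, the spoofed frame is dropped and the host's second appearance on GE0/0/2 is dropped too: that is the 3.8.2 caveat about a server that comes back on another port and cannot be relearned there.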

3.9 Configuring MAC Address Flapping Detection


Context
MAC address flapping detection enables the switch to check all MAC addresses to
detect MAC address flapping.

NOTE

● Configuring an action to take for MAC address flapping on an uplink interface may
cause interruptions for important uplink traffic. Therefore, configuring an action is not
recommended.
● The switch enabled with MAC address flapping detection can detect loops on a single
point, but cannot obtain the entire network topology. If the network connected to the
switch supports loop prevention protocols, use the loop prevention protocols instead of
MAC address flapping detection to eliminate loops.
● If only a few VLANs on the user network encounter loops, it is recommended that you
set the loop prevention action to quit-vlan.
● If a large number of VLANs on the user network encounter loops, it is recommended
that you set the loop prevention action to error-down to improve system performance.
Additionally, the remote switch can detect the error-down event so that it can quickly
switch any traffic to a backup link.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
mac-address flapping detection

MAC address flapping detection is enabled.


By default, MAC address flapping detection is enabled. The switch detects MAC
address flapping in all VLANs.
Step 3 (Optional) Run:
mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>


One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In
special scenarios, a MAC address flapping event does not need to be handled and
you can exclude a VLAN from MAC address flapping detection. For example, when
a switch is connected to a server with two network adapters in active-active
mode, the server's MAC address may be learned on two interfaces of the switch.
Step 4 (Optional) Run:
mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high |
middle | low }

The security level of MAC address flapping detection is configured in one or more
specified VLANs.
By default, the security level of MAC address flapping detection is middle. That is,
the system considers that MAC address flapping occurs when a MAC address flaps
10 times.
Step 5 (Optional) Run:
mac-address flapping aging-time aging-time

The aging time of flapping MAC addresses is set.


By default, the aging time of flapping MAC addresses is 300 seconds. If the aging
time of dynamic MAC addresses is long, a MAC address flapping event may be
detected after a long time. To ensure that the system detects MAC address
flapping quickly, shorten the aging time of flapping MAC addresses.
Step 6 (Optional) Configure an action to take after MAC address flapping is detected on
an interface and the priority of the action.
1. Run:
interface interface-type interface-number

The interface view is displayed.


2. Run:
mac-address flapping action { quit-vlan | error-down }

An action is specified for the interface if MAC address flapping occurs on the
interface.
By default, no action is configured. If an interface is connected to a user
network that does not support loop prevention protocols, MAC address
flapping may occur when there is a loop on the user network. Use this
command to configure an action to take when MAC address flapping is
detected on the interface. If the action is set to error-down, the switch shuts
down the interface. If the action is set to quit-vlan, the switch removes the
interface from the VLAN where the MAC address flapping occurs. This action
can only shut down one interface per aging interval.

NOTE

– Do not use the quit-vlan action together with dynamic VLAN functions such as
GVRP.
– When a MAC address flaps between an interface configured with the error-down
action and an interface configured with the quit-vlan action, the former interface
is shut down and the latter interface is removed from the VLAN. If a loop could be
generated between interfaces, configure the same action for all the interfaces.


3. Run:
mac-address flapping action priority priority

The priority of the action against MAC address flapping is set.

----End

Checking the Configuration


Run the display mac-address flapping command to check information about
MAC address flapping detection in a VLAN.

Action to Take After MAC Address Flapping Occurs


When MAC address flapping detection is configured, the switch reports alarms
when it detects MAC address flapping. If the same alarm is reported multiple
times, a loop may exist on the network. To remove the loop, run the shutdown
command to shut down the interface specified in the MAC address flapping alarm.
Alternatively, configure an action against MAC address flapping on the interface to
remove the loop.

When configuring an action against MAC address flapping on an interface to
remove a loop, pay attention to the following points:

● When the action is set to error-down, the interface cannot be automatically
restored after it is shut down. You can only restore the interface by running
the shutdown and undo shutdown commands or the restart command in
the interface view.
To enable the interface to go Up automatically, you must run the error-down
auto-recovery cause mac-address-flapping command in the system view
before the interface enters the error-down state. This command enables an
interface in error-down state to go Up and sets a recovery time. The interface
goes Up automatically after the time expires.
● If the action is set to quit-vlan, the interface can be automatically restored
after a specified time period after it is removed from the VLAN. The default
recovery time is 10 minutes. The recovery delay time can be set using the
mac-address flapping quit-vlan recover-time time-value command in the
system view.
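The detection procedure above has several moving parts: the per-VLAN security level, the VLAN exclusion list, the flapping aging time, and the per-interface action with its recovery behaviour. The following Python model replays constructed learn events through those rules; it is an added example written for this edit, not Huawei code. From the page: detection runs in all VLANs unless excluded, the `middle` level treats 10 moves as flapping, flapping entries age after 300 s, the action is `error-down` or `quit-vlan`, and a quit-vlan interface recovers after 10 minutes. Assumed for the model: the `high` (3) and `low` (30) thresholds, that moves further apart than the aging time start a fresh count, that the configured action of each interface involved in the flap is applied, and the `t=.. vlan=.. mac=.. in=..` event format, which is constructed rather than switch output.

```python
"""Model of MAC address flapping detection run over constructed learn events (added example)."""
import re
from dataclasses import dataclass, field

THRESHOLDS = {"high": 3, "middle": 10, "low": 30}   # moves before an alarm; 'middle' per the page
EVENT = re.compile(r"t=(\d+) vlan=(\d+) mac=(\S+) in=(\S+)")


def parse_event(line: str):
    m = EVENT.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised event: {line!r}")
    return int(m[1]), int(m[2]), m[3], m[4]


@dataclass
class FlapDetector:
    aging_time: int = 300                               # mac-address flapping aging-time
    exclude_vlans: set = field(default_factory=set)     # mac-address flapping detection exclude vlan
    levels: dict = field(default_factory=dict)          # vlan -> security-level (default middle)
    actions: dict = field(default_factory=dict)         # interface -> error-down | quit-vlan
    quit_vlan_recover_time: int = 600                   # mac-address flapping quit-vlan recover-time
    alarms: list = field(default_factory=list)          # (ts, vlan, mac, from, to)
    error_down: dict = field(default_factory=dict)      # interface -> ts it was shut down
    quit_vlan: dict = field(default_factory=dict)       # (interface, vlan) -> ts it may rejoin
    _last: dict = field(default_factory=dict)           # (vlan, mac) -> (interface, ts)
    _moves: dict = field(default_factory=dict)          # (vlan, mac) -> moves within the window

    def observe(self, ts: int, vlan: int, mac: str, iface: str):
        """Process one learn event; return the actions taken, or None."""
        if vlan in self.exclude_vlans:
            return None                                  # e.g. active-active dual-NIC server
        key = (vlan, mac)
        prev = self._last.get(key)
        self._last[key] = (iface, ts)
        if prev is None or ts - prev[1] > self.aging_time:
            self._moves[key] = 0                         # fresh entry: nothing to compare with
            return None
        if prev[0] == iface:
            return None                                  # same interface, not a move
        self._moves[key] += 1
        if self._moves[key] < THRESHOLDS[self.levels.get(vlan, "middle")]:
            return None
        self._moves[key] = 0
        self.alarms.append((ts, vlan, mac, prev[0], iface))
        return self._apply_actions(ts, vlan, (prev[0], iface))

    def _apply_actions(self, ts, vlan, ifaces):
        taken = []
        for iface in ifaces:
            action = self.actions.get(iface)
            if action == "error-down":
                self.error_down[iface] = ts              # stays down until operator or auto-recovery
            elif action == "quit-vlan":
                self.quit_vlan[(iface, vlan)] = ts + self.quit_vlan_recover_time
            if action:
                taken.append((iface, action))
        return taken


def constructed_log():
    """Constructed learn events (not real switch output)."""
    lines = []
    for t in range(1, 12):      # VLAN 10: a user-side loop bounces one MAC between two ports
        lines.append(f"t={t} vlan=10 mac=0050-5600-0a0a in={'GE0/0/5' if t % 2 else 'GE0/0/6'}")
    for t in range(12, 32):     # VLAN 20: active-active dual-NIC server seen on two ports
        lines.append(f"t={t} vlan=20 mac=0050-5600-1414 in={'GE0/0/7' if t % 2 else 'GE0/0/8'}")
    for t, port in ((40, "GE0/0/9"), (41, "GE0/0/10"), (42, "GE0/0/9"), (43, "GE0/0/10")):
        lines.append(f"t={t} vlan=30 mac=0050-5600-1e1e in={port}")   # VLAN 30: three moves
    lines.append("t=1000 vlan=10 mac=0050-5600-0b0b in=GE0/0/5")     # moves further apart than
    lines.append("t=1400 vlan=10 mac=0050-5600-0b0b in=GE0/0/6")     # the aging time: no flap
    return lines


def run_detector():
    det = FlapDetector(exclude_vlans={20}, levels={30: "high"},
                       actions={"GE0/0/5": "error-down", "GE0/0/6": "quit-vlan",
                                "GE0/0/9": "error-down"})
    taken = [r for r in (det.observe(*parse_event(l)) for l in constructed_log()) if r]
    return det, taken
```

The VLAN 10 loop shuts GE0/0/5 and removes GE0/0/6 from VLAN 10 until t=611, which is the mixed error-down/quit-vlan outcome the NOTE above describes; VLAN 20 never alarms because it is excluded; VLAN 30 alarms after three moves because its level is `high`; and the VLAN 10 address that moved once after 400 s is not counted at all. If GE0/0/5 were an uplink, the error-down would have cut the whole site off, which is why the page advises against configuring an action on uplink interfaces.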

3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
Context
A faulty network device may send packets with an all-0 source or destination MAC
address to the switch. You can configure the switch to discard such packets and
send an alarm to the network management system (NMS) to help the network
administrator locate the faulty device.

You can configure the switch to discard packets with an all-0 source or destination
MAC address.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
drop illegal-mac enable

The switch is enabled to discard packets with an all-0 MAC address.


By default, the switch does not discard packets with an all-0 MAC address.
Step 3 (Optional) Run:
drop illegal-mac alarm

The switch is configured to send an alarm to the NMS when receiving packets
with an all-0 MAC address.
By default, the switch does not send an alarm when receiving packets with an
all-0 MAC address.

NOTE

The drop illegal-mac alarm command allows the switch to generate only one alarm. You
must run the drop illegal-mac alarm command again if more than one alarm is required.

----End

Checking the Configuration


Run the display current-configuration command to check whether the switch is
enabled to discard packets with an all-0 MAC address.

3.11 Enabling MAC Address-Triggered ARP Entry Update
Context
MAC address-triggered ARP entry update enables the switch to update the
corresponding ARP entry when the outbound interface in a MAC address entry
changes.
Each network device uses an IP address to communicate with other devices. On an
Ethernet network, a host, switching device, or routing device sends and receives
Ethernet data frames based on MAC addresses. ARP maps IP addresses to MAC
addresses. When a device forwards IP packets, it uses its ARP entries to map the
next-hop IP address to a MAC address and an outbound interface; if the outbound
interface recorded in an ARP entry is stale, packets for that host are sent out
of the wrong interface until the entry is refreshed.

Procedure
Step 1 Run:
system-view


The system view is displayed.

Step 2 Run:
mac-address update arp

The MAC address-triggered ARP entry update function is enabled.

By default, the MAC address-triggered ARP entry update function is disabled.

NOTE

● Only the S5720EI, S5720SI, S5720S-SI, S5720HI, S6720EI, and S6720S-EI support this
command.
● This command takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The MAC address-triggered ARP entry update function does not take effect after ARP
entry fixing is enabled using the arp anti-attack entry-check enable command.
● After the MAC address-triggered ARP entry update function is enabled, the switch
updates an ARP entry only when the outbound interface in the corresponding MAC
address entry changes.

----End

Checking the Configuration


Run the display current-configuration command to check whether the MAC
address-triggered ARP entry update function is enabled.
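The three restrictions in the NOTE above (only on interface change, only dynamic entries, not while ARP entry fixing is on) determine whether a host that moves ports is reachable at Layer 3 before its ARP entry ages. The following Python model is an added example written for this edit, not Huawei code; it reproduces only those rules, and all addresses and interface names are constructed.

```python
"""Model of MAC address-triggered ARP entry update (added example, not Huawei code)."""
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: int
    iface: str
    static: bool = False


class Layer3Switch:
    def __init__(self, mac_update_arp=False, arp_entry_check=False):
        self.mac_update_arp = mac_update_arp        # mac-address update arp
        self.arp_entry_check = arp_entry_check      # arp anti-attack entry-check enable
        self.mac_table = {}                         # (vlan, mac) -> interface
        self.arp = {}                               # ip -> ArpEntry

    def mac_learn(self, vlan: int, mac: str, iface: str):
        """Learn/refresh a MAC entry; return the IPs whose ARP entry was re-pointed."""
        old = self.mac_table.get((vlan, mac))
        self.mac_table[(vlan, mac)] = iface
        if old == iface or not self.mac_update_arp or self.arp_entry_check:
            return []            # no interface change, feature disabled, or entries fixed
        updated = []
        for entry in self.arp.values():
            # Only dynamic entries for this VLAN/MAC whose interface now disagrees
            if (entry.vlan, entry.mac) == (vlan, mac) and not entry.static and entry.iface != iface:
                entry.iface = iface
                updated.append(entry.ip)
        return updated

    def stale_arp(self):
        """IPs whose ARP outbound interface disagrees with the MAC table."""
        return sorted(ip for ip, e in self.arp.items()
                      if self.mac_table.get((e.vlan, e.mac)) not in (None, e.iface))


def failover_scenario(mac_update_arp, arp_entry_check=False):
    """A server's MAC moves from GE0/0/1 to GE0/0/2 (NIC failover); constructed data."""
    sw = Layer3Switch(mac_update_arp, arp_entry_check)
    sw.arp["10.1.1.10"] = ArpEntry("10.1.1.10", "0050-5600-0a0a", 10, "GE0/0/1")
    sw.arp["10.1.1.20"] = ArpEntry("10.1.1.20", "0050-5600-0a0a", 10, "GE0/0/1", static=True)
    sw.arp["10.1.1.30"] = ArpEntry("10.1.1.30", "0050-5600-1e1e", 10, "GE0/0/3")
    sw.mac_learn(10, "0050-5600-0a0a", "GE0/0/1")
    sw.mac_learn(10, "0050-5600-1e1e", "GE0/0/3")
    updated = sw.mac_learn(10, "0050-5600-0a0a", "GE0/0/2")
    return updated, sw.stale_arp()
```

With the function disabled both ARP entries for the moved server keep pointing at GE0/0/1; with it enabled the dynamic entry follows the MAC table but the static one does not, and with ARP entry fixing enabled nothing moves. When you rely on `arp anti-attack entry-check` as a hardening measure, plan for hosts that legitimately change ports to stay unreachable at Layer 3 until their ARP entry is refreshed.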

3.12 Enabling Port Bridge


Context
By default, an interface does not forward packets whose source and destination
MAC addresses are the same. When the interface receives this kind of a packet, it
discards the packet as an invalid packet.

After the port bridge function is enabled on the interface, the interface can
forward the packet if the destination MAC address of the packet is in the MAC
address table.

The port bridge function is used in the following scenarios:

● The switch connects to devices that do not support Layer 2 forwarding. When
users connected to the devices need to communicate, the devices send
packets of the users to the switch for packet forwarding. Because source and
destination MAC addresses of the packets are the same, a port bridge needs
to be enabled on the interface so that the interface can forward such packets.
● The switch is used as an access device in a data center and is connected to
servers. Each server is configured with multiple virtual machines. The virtual
machines need to transmit data to each other. If servers perform data
switching for virtual machines, the data switching speed and server
performance are reduced. To improve the data transmission rate and server
performance, enable a port bridge on the interfaces connected to the servers
so that the switch forwards data packets between the virtual machines.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
interface interface-type interface-number

The interface view is displayed.


Step 3 Run:
port bridge enable

The port bridge function is enabled on the interface.


By default, the port bridge function is disabled on an interface.

----End

Checking the Configuration


Run the display current-configuration command to check whether the port
bridge function is enabled.

3.13 Configuring Re-marking of Destination MAC Addresses

Context
The re-marking function enables the switch to change the specified fields of
packets according to traffic classification rules. After the re-marking action is
configured, the switch still processes outgoing packets based on the original
priority but the downstream device processes the packets based on the re-marked
priority. You can also configure an action to re-mark the destination MAC address
of packets in a traffic behavior so that the downstream device can identify packets
and provide differentiated services.

NOTE

Only the S5720EI, S6720EI, and S6720S-EI support this configuration.

Procedure
1. Configure a traffic classifier.
a. Run:
system-view
The system view is displayed.
b. Run:
traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the existing traffic classifier view is displayed.


and is the logical operator between the rules in the traffic classifier,
which means that:

▪ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL
rules.

▪ If the traffic classifier does not contain any ACL rules, packets match
the traffic classifier only when they match all the rules in the
classifier.
The logical operator or means that packets match the traffic classifier as
long as they match one of rules in the classifier.
By default, the relationship between rules in a traffic classifier is AND.
c. Configure matching rules according to the following table.
NOTE

The S5720HI does not support traffic classifiers with advanced ACLs containing
the ttl-expired field or user-defined ACLs.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the S5720HI does not support remark 8021p [ 8021p-value | inner-8021p ],
remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning
disable.

Matching rule / Command / Remarks:

● Outer VLAN ID
  Command: if-match vlan-id start-vlan-id [ to end-vlan-id ] (S1720GFR, S1720GW,
  S1720GWR, S1720GW-E, S1720GWR-E, S2720, S2750, S5700LI, S5700S-LI, S5710-X-LI,
  S5720LI, S5720S-LI, S5720SI, S5720S-SI)
  Remarks: -

● Inner and outer VLAN IDs in QinQ packets
  Command: if-match cvlan-id start-vlan-id [ to end-vlan-id ] [ vlan-id vlan-id ]
  (S5720EI, S5720HI, S6720EI, S6720S-EI)
  Remarks: -

● 802.1p priority in VLAN packets
  Command: if-match 8021p 8021p-value &<1-8>
  Remarks: If you enter multiple 802.1p priority values in one command, a packet
  matches the traffic classifier as long as it matches any one of the 802.1p
  priorities, regardless of whether the relationship between rules in the
  traffic classifier is AND or OR.

● Inner 802.1p priority in QinQ packets
  Command: if-match cvlan-8021p 8021p-value &<1-8> (S5720EI, S5720HI, S6720EI,
  S6720S-EI)
  Remarks: -

● Outer VLAN ID or inner and outer VLAN IDs of QinQ packets
  Command: if-match vlan-id start-vlan-id [ to end-vlan-id ] [ cvlan-id cvlan-id ]
  (S5720EI, S5720HI, S6720EI, S6720S-EI)
  Remarks: -

● Drop packet
  Command: if-match discard (S5720EI, S5720HI, S6720EI, S6720S-EI)
  Remarks: A traffic classifier containing this matching rule can only be bound
  to traffic behaviors containing traffic statistics collection and flow
  mirroring actions.

● Double tags in QinQ packets
  Command: if-match double-tag (S5720EI, S5720HI, S6720EI, S6720S-EI)
  Remarks: -

● Destination MAC address
  Command: if-match destination-mac mac-address [ mac-address-mask ]
  Remarks: -

● Source MAC address
  Command: if-match source-mac mac-address [ mac-address-mask ]
  Remarks: -

● Protocol type field in the Ethernet frame header
  Command: if-match l2-protocol { arp | ip | mpls | rarp | protocol-value }
  Remarks: -

● All packets
  Command: if-match any
  Remarks: After the if-match any command is run, only the matching rule
  configured using this command takes effect, and the other matching rules in
  the same traffic classifier become ineffective.

● DSCP priority in IP packets
  Command: if-match dscp dscp-value &<1-8>
  Remarks:
  – If you enter multiple DSCP values in one command, a packet matches the
    traffic classifier as long as it matches any one of the DSCP values,
    regardless of whether the relationship between rules in the traffic
    classifier is AND or OR.
  – If the relationship between rules in a traffic classifier is AND, the
    if-match dscp and if-match ip-precedence commands cannot be used in the
    traffic classifier simultaneously.

● IP precedence in IP packets
  Command: if-match ip-precedence ip-precedence-value &<1-8>
  Remarks:
  – The if-match dscp and if-match ip-precedence commands cannot be configured
    in a traffic classifier in which the relationship between rules is AND.
  – If you enter multiple IP precedence values in one command, a packet matches
    the traffic classifier as long as it matches any one of the IP precedence
    values, regardless of whether the relationship between rules in the traffic
    classifier is AND or OR.

● Layer 3 protocol type
  Command: if-match protocol { ip | ipv6 }
  Remarks: -

● SYN flag in the TCP packet
  Command: if-match tcp syn-flag { syn-flag-value | ack | fin | psh | rst | syn | urg }
  Remarks: -

● Inbound interface
  Command: if-match inbound-interface interface-type interface-number
  Remarks: A traffic policy containing this matching rule cannot be applied to
  the outbound direction or in the interface view.

● Outbound interface
  Command: if-match outbound-interface interface-type interface-number (S5720EI,
  S5720HI, S6720EI, S6720S-EI)
  Remarks: A traffic policy containing this matching rule cannot be applied to
  the inbound direction on the S5720HI. The traffic policy containing this
  matching rule cannot be applied in the interface view.

● ACL rule
  Command: if-match acl { acl-number | acl-name }
  Remarks:
  – When an ACL is used to define a traffic classification rule, it is
    recommended that the ACL be configured first.
  – If an ACL in a traffic classifier defines multiple rules, a packet matches
    the ACL as long as it matches one of the rules, regardless of whether the
    relationship between rules in the traffic classifier is AND or OR.

● ACL6 rule
  Command: if-match ipv6 acl { acl-number | acl-name }
  Remarks: Before specifying an ACL6 in a matching rule, configure the ACL6.

● Flow ID
  Command: if-match flow-id flow-id (S5720EI, S6720EI, S6720S-EI)
  Remarks: The traffic classifier containing if-match flow-id and the traffic
  behavior containing remark flow-id must be bound to different traffic
  policies. The traffic policy containing if-match flow-id can only be applied
  to an interface, a VLAN, or the system in the inbound direction.

d. Run:
quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run:
remark destination-mac mac-address
An action is configured to re-mark destination MAC addresses of packets.
The destination MAC address to be re-marked must be a unicast MAC
address.
c. Run:
quit
Exit from the traffic behavior view.
d. Run:
quit
Exit from the system view.
3. Configure a traffic policy.
a. Run:
traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed. If you do not specify a
matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to change the matching order of traffic classifiers in the traffic
policy. To change the matching order, delete the traffic policy and create
a traffic policy with the required matching order.


When creating a traffic policy, you can specify the matching order of
traffic classifiers in the traffic policy. The traffic classifiers can be matched
in automatic order (auto) or configuration order (config):

▪ If the matching order is auto, traffic classifiers are matched in


descending order of priorities pre-defined in the system: traffic
classifiers based on Layer 2 and Layer 3 information, traffic classifiers
based on Layer 2 information, and finally traffic classifiers based on
Layer 3 information. If a data flow matches multiple traffic classifiers
that are associated with conflicting traffic behavior, the traffic
behavior associated with the traffic classifier of the highest priority
takes effect.

▪ If the matching order is config, traffic classifiers are matched in


descending order of priorities either manually or dynamically
allocated to them. This is determined by the precedence value; a
traffic classifier with a smaller precedence value has a higher priority
and is matched earlier. If you do not specify precedence-value when
creating a traffic classifier, the system allocates a precedence value
to the traffic classifier. The allocated value is [(max-precedence
+ 5)/5] x 5, where max-precedence is the greatest value among
existing traffic classifiers.
NOTE

If more than 128 rate limiting ACL rules are configured in the system, traffic
policies must be applied to the interface view, VLAN view, and system view in
sequence. To update an ACL rule, delete all the associated traffic policies from
the interface, VLAN, and system. Then, reconfigure the traffic policies and reapply
them to the interface, VLAN, and system.
b. Run:
classifier classifier-name behavior behavior-name

A traffic behavior is bound to a traffic classifier in the traffic policy.


c. Run:
quit

Exit from the traffic policy view.


d. Run:
quit

Exit from the system view.


4. Apply the traffic policy.
– Applying a traffic policy to an interface
i. Run:
system-view

The system view is displayed.


ii. Run:
interface interface-type interface-number

The interface view is displayed.


iii. Run:
traffic-policy policy-name { inbound }

A traffic policy is applied to the interface.

– Applying a traffic policy to a VLAN
i. Run:
system-view
The system view is displayed.
ii. Run:
vlan vlan-id
The VLAN view is displayed.
iii. Run:
traffic-policy policy-name { inbound }
A traffic policy is applied to the VLAN.
– Applying a traffic policy to the system
i. Run:
system-view
The system view is displayed.
ii. Run:
traffic-policy policy-name global { inbound | outbound } [ slot slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in one
direction. A traffic policy cannot be applied to the same direction in
the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic policing
for all the incoming and outgoing packets that match traffic
classification rules on all the member switches. A traffic policy
that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified
stack ID. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the local
switch. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on the local switch. Traffic policies applied to the slot and
system have the same functions.

Checking the Configuration


● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the device.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the device.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-number ] | vlan [ vlan-id ] ] { inbound } [ verbose ] command to check traffic actions and ACL rules associated with the system, a VLAN, or an interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound ] command to check the traffic policy
configuration on the device.
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.

3.14 Maintaining the MAC Address Table

3.14.1 Displaying MAC Address Entries


Table 3-9 Commands used to display MAC address entries
● Display all MAC address entries: display mac-address
● Display static MAC address entries: display mac-address static
● Display MAC address entries learned in a VLAN: display mac-address dynamic vlan vlan-id
● Display MAC address entries learned on an interface: display mac-address dynamic interface-type interface-number
● Display a specified MAC address: display mac-address mac-address
● Display the aging time of dynamic MAC address entries: display mac-address aging-time
● Display statistics on MAC address entries:
  – Display the total statistics: display mac-address total-number
  – Display the statistics of various types of MAC address entries: display mac-address summary
● Display the system MAC address: display bridge mac-address
● Display the MAC address of an interface: display interface interface-type interface-number (Hardware address indicates the MAC address of the interface)
● Display the MAC address of a VLANIF interface: display interface vlanif vlan-id (Hardware address indicates the MAC address of the VLANIF interface)

3.14.2 Deleting MAC Address Entries

Table 3-10 Commands used to delete MAC address entries
● Delete all MAC address entries: undo mac-address
● Delete MAC address entries in a VLAN: undo mac-address vlan vlan-id
● Delete MAC address entries on an interface: undo mac-address interface-type interface-number

3.14.3 Displaying MAC Address Flapping Information

Table 3-11 Commands used to display MAC address flapping records
● Display alarms about MAC address flapping: run the display trapbuffer command to check whether the following alarm exists: OID 1.3.6.1.4.1.2011.5.25.160.3.7
● Display detailed MAC address flapping records: display mac-address flapping record

3.15 Configuration Examples

3.15.1 Example for Configuring Static MAC Address Entries

Networking Requirements
In Figure 3-12, the user PC with MAC address 0002-0002-0002 connects to the
GE0/0/1 of the Switch, and the server with MAC address 0004-0004-0004 connects
to GE0/0/2 of the Switch. The user PC and server communicate in VLAN 2.

● To prevent unauthorized users from using the user PC's MAC address to
initiate attacks, configure a static MAC address entry for the user PC on the
Switch.
● To prevent unauthorized users from using the server's MAC address to
intercept information sent to other users, configure a static MAC address
entry for the server on the Switch.

NOTE

This example applies to scenarios with a small number of users. When there are many
users, use dynamic MAC address entries. For details, see Example for Configuring Port
Security in "Port Security Configuration" in the S1720, S2700, S5700, and S6720
V200R010C00 Configuration Guide - Security.

Figure 3-12 Example network for configuring static MAC address entries (Switch uplinked to the network; GE0/0/1 connects the PC with MAC 2-2-2, GE0/0/2 connects the Server with MAC 4-4-4; both in VLAN 2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server for
Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized
users.

Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN
2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit

# Configure static MAC address entries.
[Switch] mac-address static 2-2-2 GigabitEthernet 0/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 0/0/2 vlan 2

Step 2 Verify the configuration.


# Run the display mac-address static vlan 2 command in any view to check
whether the static MAC address entries are successfully added to the MAC address
table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- GE0/0/1 static
0004-0004-0004 2/- GE0/0/2 static

-------------------------------------------------------------------------------
Total items displayed = 2

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return

3.15.2 Example for Configuring Blackhole MAC Address Entries

Networking Requirements
In Figure 3-13, the Switch receives packets from an unauthorized PC that has the
MAC address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry
can be configured as a blackhole MAC address entry so that the Switch filters out
packets from the unauthorized PC.

Figure 3-13 Example network for configuring a blackhole MAC address entry (Switch connected to authorized user 1, user 2 and user 3, and to an unauthorized user with MAC address 5-5-5 in VLAN 3)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN for Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the
unauthorized PC.

Procedure
Step 1 Configure a blackhole MAC address entry.

# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit

# Configure a blackhole MAC address entry.
[Switch] mac-address blackhole 0005-0005-0005 vlan 3

Step 2 Verify the configuration.

# Run the display mac-address blackhole command in any view to check
whether the blackhole MAC address entry is successfully added to the MAC
address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/- - blackhole

-------------------------------------------------------------------------------
Total items displayed = 1

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return

3.15.3 Example for Configuring MAC Address Limiting on an Interface

Networking Requirements
In Figure 3-14, user network 1 and user network 2 connect to the Switch through
the LSW, and the LSW connects to the Switch through GE0/0/1. User network 1
and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the Switch,
MAC address limiting can be configured on GE0/0/1 to control the number of
access users.

Figure 3-14 Example network for configuring MAC address limiting on an interface (Switch uplinked to the network; GE0/0/1 connects the LSW, behind which user network 1 is in VLAN 10 and user network 2 is in VLAN 20)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement
Layer 2 forwarding.
2. Configure MAC address limiting on the interface to control the number of
access users.

Procedure
Step 1 Configure MAC address limiting.

# Create VLAN 10 and VLAN 20, and add GigabitEthernet0/0/1 to VLAN 10 and
VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20

# Configure a MAC address limiting rule on GigabitEthernet0/0/1: In the following
configuration, a maximum of 100 MAC address entries can be learned on the
interface. When the number of learned MAC address entries reaches the limit, the
Switch forwards packets with new source MAC address entries and generates an
alarm.
[Switch-GigabitEthernet0/0/1] mac-limit maximum 100 alarm enable
[Switch-GigabitEthernet0/0/1] return

Step 2 Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
GE0/0/1 - - 100 - discard enable

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return

3.15.4 Example for Configuring MAC Address Limiting in a VLAN

Networking Requirements
In Figure 3-15, user network 1 is connected to GE0/0/1 of the Switch through
LSW1, and user network 2 is connected to GE0/0/2 of the Switch through LSW2.
GE0/0/1 and GE0/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.

Figure 3-15 Example network for MAC address limiting (Switch uplinked to the network; GE0/0/1 connects LSW1 and user network 1, GE0/0/2 connects LSW2 and user network 2; both in VLAN 2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces for Layer 2 forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks
and control access users.

Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit

# Configure a MAC address limiting rule in VLAN 2: In the following
configuration, a maximum of 100 MAC addresses can be learned. When the
number of learned MAC address entries reaches the limit, the Switch discards
packets with new source MAC address entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return

Step 2 Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
- 2 - 100 - forward enable

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
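The two examples above (3.15.3 on an interface, 3.15.4 in a VLAN) differ only in where the limit is attached and in the Action column of display mac-limit. The following Python model is added here and is not part of the Huawei guide: it replays a constructed frame stream against both kinds of rule, caps the dynamic entries a rule may learn, applies the rule's action to frames carrying a new source MAC once the cap is reached, and raises the alarm once per rule rather than once per frame. The cap of 3, the interface names and the MAC addresses are constructed values; the actions discard and forward are the ones shown in the two display mac-limit outputs above.

```python
"""Toy model of mac-limit on an interface (3.15.3) and in a VLAN (3.15.4).
Added example, not Huawei code; the frame stream is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class MacLimitRule:
    maximum: int                # mac-limit maximum
    action: str = "discard"     # Action column: fate of frames with a new source MAC at the cap
    alarm: bool = True          # alarm enable
    learned: Set[Tuple[int, str]] = field(default_factory=set)
    alarm_raised: bool = False

    def admit(self, vlan: int, mac: str, scope: str, alarms: List[str]) -> bool:
        """Return False if this rule discards the frame."""
        key = (vlan, mac)
        if key in self.learned:
            return True                     # known address: no limit check
        if len(self.learned) < self.maximum:
            self.learned.add(key)           # below the cap: learn it
            return True
        if self.alarm and not self.alarm_raised:
            alarms.append("MAC limit reached on %s (maximum %d)" % (scope, self.maximum))
            self.alarm_raised = True        # one alarm per rule, not per frame
        return self.action == "forward"     # at the cap: not learned; forwarded or discarded


class Switch:
    def __init__(self) -> None:
        self.port_rules: Dict[str, MacLimitRule] = {}
        self.vlan_rules: Dict[int, MacLimitRule] = {}
        self.alarms: List[str] = []
        self.stats: Counter = Counter()

    def process(self, in_port: str, vlan: int, src: str) -> bool:
        """Apply the interface rule and the VLAN rule; discard if either says so."""
        ok = True
        rule = self.port_rules.get(in_port)
        if rule is not None:
            ok = rule.admit(vlan, src, "interface " + in_port, self.alarms) and ok
        rule = self.vlan_rules.get(vlan)
        if rule is not None:
            ok = rule.admit(vlan, src, "VLAN %d" % vlan, self.alarms) and ok
        self.stats["forwarded" if ok else "discarded"] += 1
        return ok


def demo() -> Tuple[List[bool], List[str], Dict[str, int]]:
    """Five new hosts behind GE0/0/1 and five new hosts in VLAN 2 against a cap of 3."""
    sw = Switch()
    sw.port_rules["GE0/0/1"] = MacLimitRule(maximum=3, action="discard")  # Action as in 3.15.3
    sw.vlan_rules[2] = MacLimitRule(maximum=3, action="forward")          # Action as in 3.15.4
    frames = [("GE0/0/1", 10, "0000-0000-000%d" % i) for i in range(1, 6)]
    frames += [("GE0/0/2", 2, "0000-0000-00a%d" % i) for i in range(1, 6)]
    results = [sw.process(*f) for f in frames]
    return results, list(sw.alarms), dict(sw.stats)
```

Running demo() shows the difference between the two actions: hosts 4 and 5 behind GE0/0/1 are discarded, while hosts 4 and 5 in VLAN 2 are still forwarded but never learned, and each rule raises exactly one alarm.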

3.15.5 Example for Configuring MAC Address Flapping Prevention

Networking Requirements
In Figure 3-16, users need to access the server connected to a switch interface. If
an unauthorized user uses the MAC address of the server as the source MAC
address to send packets to another interface, then that MAC address is learned on
the interface. In this scenario, packets sent from users to the server are forwarded
to the unauthorized user. As a result, users cannot access the server, and
important data may be intercepted by the unauthorized user.

MAC address flapping prevention can be configured to protect the server against
attacks from unauthorized users.

Figure 3-16 Networking of MAC address flapping prevention (Server with MAC 11-22-33 on GE0/0/1; GE0/0/2 connects the LSW with PC1, PC2, PC3 and PC4, where PC4 also uses MAC 11-22-33; all in VLAN 10)

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces for Layer 2 forwarding.
2. Configure MAC address flapping prevention on the server-side interface.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.

# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10

Step 2 Set the MAC address learning priority of GigabitEthernet0/0/1 to 2.
[Switch-GigabitEthernet0/0/1] mac-learning priority 2
[Switch-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.

# Run the display current-configuration command in any view to check whether
the MAC address learning priority is set correctly.
[Switch] display current-configuration interface gigabitethernet 0/0/1
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
return

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
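The examples 3.15.1, 3.15.2 and 3.15.5 all work by keeping the MAC address table from being rewritten by frames an attacker sends. The following toy forwarding table is an added example, not Huawei code: it models static, blackhole and dynamic entries plus a per-interface learning priority, and replays the frames of those three examples to show which ones are forwarded, flooded or dropped. Interface names, MAC addresses and VLANs are the constructed values from Figures 3-12, 3-13 and 3-16; the model's rule that a frame whose source MAC is statically bound to a different interface is dropped is an assumption of this model, not a statement taken from the guide.

```python
"""Toy Layer 2 forwarding table for the static (3.15.1), blackhole (3.15.2)
and learning-priority (3.15.5) examples. Added example, not Huawei code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    kind: str                   # "static", "blackhole" or "dynamic"
    port: Optional[str] = None  # None for blackhole entries


@dataclass
class MacTable:
    entries: Dict[Tuple[int, str], Entry] = field(default_factory=dict)
    priority: Dict[str, int] = field(default_factory=dict)  # mac-learning priority, default 0

    def add_static(self, mac: str, port: str, vlan: int) -> None:
        self.entries[(vlan, mac)] = Entry("static", port)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(vlan, mac)] = Entry("blackhole")

    def set_learning_priority(self, port: str, prio: int) -> None:
        self.priority[port] = prio

    def _learn(self, src: str, in_port: str, vlan: int) -> str:
        """Source-MAC learning; returns what happened to the entry."""
        cur = self.entries.get((vlan, src))
        if cur is None:
            self.entries[(vlan, src)] = Entry("dynamic", in_port)
            return "learned"
        if cur.kind != "dynamic":
            return "kept:" + cur.kind     # static and blackhole entries are never overwritten
        if cur.port == in_port:
            return "refreshed"
        # The address is flapping between two interfaces. The entry moves only
        # if the new interface's learning priority is at least as high (3.15.5).
        if self.priority.get(in_port, 0) >= self.priority.get(cur.port, 0):
            cur.port = in_port
            return "moved"
        return "kept:priority"

    def process(self, src: str, dst: str, in_port: str, vlan: int) -> Tuple[str, str]:
        """Return (learning result, forwarding decision) for one frame."""
        learn = self._learn(src, in_port, vlan)
        s = self.entries[(vlan, src)]
        if s.kind == "blackhole":
            return learn, "drop:blackhole-src"          # 3.15.2
        if s.kind == "static" and s.port != in_port:
            return learn, "drop:static-src-mismatch"   # 3.15.1; assumption of this model
        d = self.entries.get((vlan, dst))
        if d is None:
            return learn, "flood"
        if d.kind == "blackhole":
            return learn, "drop:blackhole-dst"
        if d.port == in_port:
            return learn, "drop:same-port"
        return learn, "forward:" + d.port


def demo() -> Dict[str, Tuple[str, str]]:
    """Replay the frames of the three examples; all values are constructed."""
    t = MacTable()
    t.add_static("0002-0002-0002", "GE0/0/1", 2)     # PC, Figure 3-12
    t.add_static("0004-0004-0004", "GE0/0/2", 2)     # Server, Figure 3-12
    t.add_blackhole("0005-0005-0005", 3)             # unauthorized PC, Figure 3-13
    t.set_learning_priority("GE0/0/1", 2)            # server-side interface, Figure 3-16
    server, pc1, bcast = "0011-0022-0033", "0000-0000-0001", "ffff-ffff-ffff"
    out = {
        "pc_to_server": t.process("0002-0002-0002", "0004-0004-0004", "GE0/0/1", 2),
        "spoofed_pc_mac": t.process("0002-0002-0002", "0004-0004-0004", "GE0/0/3", 2),
        "blackhole_src": t.process("0005-0005-0005", bcast, "GE0/0/3", 3),
        "server_learned": t.process(server, bcast, "GE0/0/1", 10),
        "pc4_spoof": t.process(server, bcast, "GE0/0/2", 10),   # PC4 uses the server's MAC
        "pc1_to_server": t.process(pc1, server, "GE0/0/2", 10),
    }
    # Same flapping scenario without the learning priority: the entry moves to
    # GE0/0/2 and frames for the server no longer leave towards GE0/0/1.
    t2 = MacTable()
    t2.process(server, bcast, "GE0/0/1", 10)
    out["pc4_spoof_no_priority"] = t2.process(server, bcast, "GE0/0/2", 10)
    out["pc1_to_server_no_priority"] = t2.process(pc1, server, "GE0/0/2", 10)
    return out
```

The last two entries of demo() are the failure mode 3.15.5 describes: without mac-learning priority the spoofed frame moves the server's entry to GE0/0/2, and PC1's traffic to the server is no longer forwarded to GE0/0/1.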

3.15.6 Example for Configuring MAC Address Flapping Detection

Networking Requirements
In Figure 3-17, a loop occurs on a user network because two LSWs are incorrectly
connected using a network cable. This loop causes MAC address flapping on the
Switch.
To detect loops in a timely manner, configure MAC address flapping detection on
the Switch. This function enables the Switch to detect loops by checking whether a
MAC address flaps between interfaces. To remove loops on the network, configure
an action against MAC address flapping on the interfaces.

Figure 3-17 Example network for MAC address flapping detection (Switch uplinked to the network; GE0/0/1 connects LSW1 and GE0/0/2 connects LSW2, with an incorrect connection between LSW1 and LSW2)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure an action against MAC address flapping on the interfaces to
remove loops.

Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection

Step 2 Set the aging time of flapping MAC addresses.
[Switch] mac-address flapping aging-time 500

Step 3 Configure the action against MAC address flapping as error-down on the GE0/0/1
and GE0/0/2.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit

Step 4 Enable error-down interfaces to go Up automatically and set the automatic
recovery time. In the following configuration, it is set to 500s.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500

Step 5 Verify the configuration.

When the MAC address learned on GE0/0/1 moves to GE0/0/2, GE0/0/2 is shut
down automatically. You can run the display mac-address flapping record
command to view MAC address flapping records.
[Switch] display mac-address flapping record
S : start time
E : end time
(Q) : quit vlan
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44

-------------------------------------------------------------------------------
Total items on slot 0: 1

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet0/0/1
mac-address flapping action error-down
#
interface GigabitEthernet0/0/2
mac-address flapping action error-down
#
return
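The flapping record above shows the data a detector needs: the interface where the MAC was first learned (Original-Port), the interfaces it moved to (Move-Ports), the number of moves (MoveNum) and the time window. The following Python detector is an added example, not Huawei code: it consumes source-MAC learning events, counts moves within an aging window, raises an alarm once the count reaches a threshold, shuts down a move interface configured for error-down, and brings it back after the recovery interval. The event stream, the threshold of three moves and the 500 s timers are constructed values; one legitimate single move (a host re-plugged to another interface) is included to show that it does not alarm, which is the case 3.17.3 says to ignore, while the repeated moves a loop causes do, as 3.17.4 describes.

```python
"""MAC address flapping detector producing records shaped like the
display mac-address flapping record output in 3.15.6. Added example,
not Huawei code; events and timers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FlapRecord:
    vlan: int
    mac: str
    original_port: str                                   # Original-Port
    move_ports: List[str] = field(default_factory=list)  # Move-Ports
    move_num: int = 0                                    # MoveNum
    start: float = 0.0                                   # S: start time
    end: float = 0.0                                     # E: end time


class FlappingDetector:
    def __init__(self, aging_time: float = 500.0, threshold: int = 3,
                 error_down_ports: Tuple[str, ...] = (), recovery_interval: float = 500.0):
        self.aging_time = aging_time                   # mac-address flapping aging-time
        self.threshold = threshold                     # moves in one window that count as flapping
        self.error_down_ports = set(error_down_ports)  # interfaces with action error-down
        self.recovery_interval = recovery_interval     # error-down auto-recovery interval
        self.location: Dict[Tuple[int, str], str] = {}  # (vlan, mac) -> interface
        self.records: Dict[Tuple[int, str], FlapRecord] = {}
        self.down: Dict[str, float] = {}               # interface -> time it was shut down
        self.recovered: List[str] = []

    def _recover(self, now: float) -> None:
        """Bring error-down interfaces back once the recovery interval has passed."""
        for port, since in list(self.down.items()):
            if now - since >= self.recovery_interval:
                del self.down[port]
                self.recovered.append(port)

    def learn(self, now: float, vlan: int, mac: str, port: str) -> Optional[str]:
        """Feed one source-MAC learning event; return alarm text if flapping is detected."""
        self._recover(now)
        if port in self.down:
            return None                                # a shut-down interface learns nothing
        key = (vlan, mac)
        old_port = self.location.get(key)
        self.location[key] = port
        if old_port is None or old_port == port:
            return None
        rec = self.records.get(key)
        if rec is None or now - rec.end > self.aging_time:
            rec = FlapRecord(vlan, mac, old_port, start=now)   # new flapping window
            self.records[key] = rec
        rec.move_num += 1
        rec.end = now
        if port != rec.original_port and port not in rec.move_ports:
            rec.move_ports.append(port)
        if rec.move_num < self.threshold:
            return None
        alarm = "VLAN %d MAC %s flapped %d times between %s and %s" % (
            vlan, mac, rec.move_num, rec.original_port, "/".join(rec.move_ports))
        if port in self.error_down_ports and port not in self.down:
            self.down[port] = now
            for k, p in list(self.location.items()):   # entries on the shut interface are gone
                if p == port:
                    del self.location[k]
            alarm += " (%s error-down)" % port
        return alarm


def demo():
    """A loop makes one MAC bounce between GE0/0/1 and GE0/0/2; a second MAC moves once."""
    det = FlappingDetector(aging_time=500, threshold=3,
                           error_down_ports=("GE0/0/1", "GE0/0/2"), recovery_interval=500)
    events = [                                  # (time, vlan, mac, interface), constructed
        (0, 1, "0000-0000-0007", "GE0/0/1"),
        (1, 1, "0000-0000-0007", "GE0/0/2"),
        (2, 1, "0000-0000-0007", "GE0/0/1"),
        (3, 1, "0000-0000-0007", "GE0/0/2"),    # third move: alarm, GE0/0/2 error-down
        (4, 1, "0000-0000-0007", "GE0/0/1"),
        (5, 1, "0000-0000-0007", "GE0/0/2"),    # ignored: the interface is down
        (10, 1, "0000-0000-0008", "GE0/0/3"),
        (20, 1, "0000-0000-0008", "GE0/0/4"),   # one move: not flapping, no alarm
        (600, 1, "0000-0000-0009", "GE0/0/2"),  # GE0/0/2 has recovered after 500 s
    ]
    alarms = [a for a in (det.learn(*e) for e in events) if a]
    rec = det.records[(1, "0000-0000-0007")]
    return (alarms, (rec.original_port, rec.move_ports, rec.move_num, rec.start, rec.end),
            sorted(det.down), det.recovered)
```

The record returned by demo() reads like the row in the output above: original port GE0/0/1, move port GE0/0/2 with the error-down mark, three moves between the first and last event of the window.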

3.16 Common Misconfigurations

3.16.1 MAC Address Entries Failed to Be Learned on an Interface

Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2
forwarding failures.

Procedure
Step 1 Check the configuration on the device.

Check item: Whether the VLAN that the interface belongs to has been created
Verification method: Run the display vlan vlan-id command in any view. If the system displays the message "Error: The VLAN does not exist", the VLAN has not been created.
Follow-up operation: Run the vlan vlan-id command in the system view to create the VLAN.

Check item: Whether the interface transparently transmits packets from the VLAN
Verification method: Run the display vlan vlan-id command in any view to check whether the interface name exists. If not, the interface does not transparently transmit packets from the VLAN.
Follow-up operation: Run one of the following commands in the interface view to add the interface to the VLAN.
● Run the port trunk allow-pass vlan command if the interface is a trunk interface.
● Run the port hybrid tagged vlan or port hybrid untagged vlan command if the interface is a hybrid interface.
● Run the port default vlan command if the interface is an access interface.

Check item: Whether a blackhole MAC address entry is configured
Verification method: Run the display mac-address blackhole command in any view to check whether a blackhole MAC address entry is configured.
Follow-up operation: If a blackhole MAC address entry is displayed and you want to delete it, run the undo mac-address blackhole command in any view.

Check item: Whether MAC address learning is disabled on the interface or in the VLAN
Verification method: Run the display this | include learning command in the interface view and VLAN view to check whether the mac-address learning disable configuration exists. If so, MAC address learning is disabled on the interface or in the VLAN.
Follow-up operation: Run the undo mac-address learning disable command in the interface view or VLAN view to enable MAC address learning.

Check item: Whether MAC address limiting is configured on the interface and in the VLAN
Verification method: Run the display this | include mac-limit command in the interface view and VLAN view to check whether MAC address limiting is configured. If so, the maximum number of learned MAC address entries is set.
Follow-up operation:
● Run the mac-limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
● Run the undo mac-limit command in the interface view or VLAN view to remove the MAC address limit.

Check item: Whether port security is configured on the interface
Verification method: Run the display this | include port-security command in the interface view to check whether port security is configured.
Follow-up operation:
● Run the undo port-security enable command in the interface view to disable port security.
● Run the port-security max-mac-num command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.

If the fault persists, go to step 2.

Step 2 Check whether a loop is causing MAC address entry flapping.
1. Run the mac-address flapping detection command in the system view to
configure MAC address flapping detection.
2. The system checks all MAC addresses in the VLAN to detect MAC address
flapping. Run the display mac-address flapping record command to check
MAC address flapping records to determine whether a loop occurs.
3. If a loop is causing MAC address flapping, use the following methods to
remove MAC address flapping:
– Eliminate the loop.
– Run the mac-learning priority command in the interface view to
configure the MAC address learning priority for the interface to ensure
that MAC addresses are learned by the correct interface.
If no loop was detected, go to step 3.
Step 3 Check whether the number of learned MAC address entries has reached the
maximum value. If so, the device cannot learn new MAC address entries.
● If the number of MAC address entries on the interface is less than or equal to
the number of hosts connected to the interface, the device is connected to
more hosts than it supports. Adjust your network plan accordingly.
● If the interface has learned more MAC address entries than the hosts
connected to the interface, the interface may be undergoing a MAC address
attack from the attached network. Use the following table to locate the
attack source.

Scenario: The interface connects to another network device.
Solution: Run the display mac-address command on the connected device to view MAC address entries. Use the displayed MAC address entries to locate the interface connected to the malicious host. If the located interface is connected to another network device, repeat this step until you find the malicious host.

Scenario: The interface connects to a host.
Solution:
– Disconnect the host after obtaining permission from the administrator. When the attack stops, connect the host to the network again.
– Run the port-security enable command on the interface to enable port security or run the mac-limit command to set the maximum number of MAC address entries to 1.

Scenario: The interface connects to a hub.
Solution:
– Analyze packets mirrored from the interface or use another tool to analyze packets received by the interface to locate the attacking host. Disconnect the host after obtaining permission from the administrator. Connect the host to the hub again only after confirming that it no longer sends attacking packets.
– Disconnect hosts connected to the hub one by one after obtaining permission from the administrator. If the fault is rectified after a host is disconnected, the host is the attacker. After the host stops the attack, connect it to the hub again.

----End
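Step 3 above compares the number of MAC address entries learned on an interface with the number of hosts expected behind it. The following Python helper is an added example, not Huawei code: it parses the table layout that display mac-address prints (as shown in 3.15.1), counts dynamic entries per interface, and flags interfaces whose count exceeds the expected host count. The output text, the expected host counts and the threshold factor are constructed values for this example.

```python
"""Parse display mac-address output and flag interfaces that have learned
far more dynamic entries than the hosts expected behind them (3.16.1,
Step 3). Added example, not Huawei code; the output text is constructed
in the layout shown in 3.15.1."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: two static entries plus dynamic entries on GE0/0/3 and GE0/0/4.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI      Learned-From        Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-           GE0/0/1             static
0004-0004-0004 2/-           GE0/0/2             static
00e0-fc12-0001 10/-          GE0/0/3             dynamic
00e0-fc12-0002 10/-          GE0/0/3             dynamic
00e0-fc12-0003 10/-          GE0/0/3             dynamic
00e0-fc12-0004 10/-          GE0/0/3             dynamic
00e0-fc12-0005 10/-          GE0/0/3             dynamic
00e0-fc34-0001 20/-          GE0/0/4             dynamic
00e0-fc34-0002 20/-          GE0/0/4             dynamic

-------------------------------------------------------------------------------
Total items displayed = 9
"""

# One table row: MAC, VLAN/VSI, Learned-From, Type. Separator and header lines do not match.
ROW = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)/(\S+)\s+(\S+)\s+(\S+)$", re.I)

Row = Tuple[str, int, str, str]   # (mac, vlan, interface, type)


def parse_mac_table(text: str) -> List[Row]:
    """Extract the entry rows from display mac-address output."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, _vsi, port, kind = m.groups()
            rows.append((mac.lower(), int(vlan), port, kind.lower()))
    return rows


def dynamic_entries_per_interface(rows: List[Row]) -> Dict[str, int]:
    """Static and blackhole entries are configuration, so only dynamic ones are counted."""
    return dict(Counter(port for _, _, port, kind in rows if kind == "dynamic"))


def suspicious_interfaces(rows: List[Row], expected_hosts: Dict[str, int],
                          factor: int = 2) -> Dict[str, Tuple[int, int]]:
    """Interfaces whose dynamic entry count exceeds factor * expected hosts.
    Returns {interface: (learned, expected)}. The factor is an assumption of
    this example; the guide only says 'more entries than hosts'."""
    counts = dynamic_entries_per_interface(rows)
    flagged = {}
    for port, learned in counts.items():
        expected = expected_hosts.get(port, 0)
        if learned > factor * expected:
            flagged[port] = (learned, expected)
    return dict(sorted(flagged.items()))


def demo() -> Dict[str, Tuple[int, int]]:
    # Constructed expectation: one host behind GE0/0/3, two behind GE0/0/4.
    return suspicious_interfaces(parse_mac_table(SAMPLE_OUTPUT),
                                 {"GE0/0/3": 1, "GE0/0/4": 2})
```

In practice the expected host counts come from your own inventory and the text from the switch output; an interface that shows up in suspicious_interfaces() is the one to take into the scenario table above.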

3.17 FAQs

3.17.1 How Do I Enable and Disable MAC Address Flapping Detection?

● Versions earlier than V200R001 support only MAC address flapping detection in a VLAN.
  – Enable MAC address flapping detection: run the loop-detect eth-loop alarm-only command in the VLAN view.
  – Disable MAC address flapping detection: run the undo loop-detect eth-loop alarm-only command in the VLAN view.
● V200R001 and later versions support global MAC address flapping detection in all VLANs. By default, global MAC address flapping detection is enabled.
  – Enable MAC address flapping detection: run the mac-address flapping detection command in the system view.
  – Disable MAC address flapping detection: run the undo mac-address flapping detection command in the system view.

3.17.2 How Do I Check MAC Address Flapping Information?

● Versions earlier than V200R001: display trapbuffer
● V200R001 and later versions: display trapbuffer or display mac-address flapping record

3.17.3 What Should I Do When Finding a MAC Address Flapping Alarm?

If the alarm is reported only once, ignore it.

If the alarm is reported multiple times, find the first and second interfaces where
the MAC address is learned. Shut down the second interface to locate the loop.
Then adjust the networking to remove the loop.

3.17.4 How Do I Rapidly Determine a Loop?

Check whether MAC address flapping occurs to rapidly determine a loop on a
network. Generally, a loop occurs if a MAC address flapping alarm is generated
consecutively.
Enable MAC address flapping detection according to the following table.

● Versions earlier than V200R001 support only MAC address flapping detection in a VLAN.
  – Enable MAC address flapping detection: run the loop-detect eth-loop alarm-only command in the VLAN view.
  – Disable MAC address flapping detection: run the undo loop-detect eth-loop alarm-only command in the VLAN view.
● V200R001 and later versions support global MAC address flapping detection in all VLANs. By default, global MAC address flapping detection is enabled.
  – Enable MAC address flapping detection: run the mac-address flapping detection command in the system view.
  – Disable MAC address flapping detection: run the undo mac-address flapping detection command in the system view.

Check whether MAC address flapping occurs according to the following table.

● Versions earlier than V200R001: display trapbuffer
● V200R001 and later versions: display trapbuffer or display mac-address flapping record
