01-02 MAC Address Table Configuration

S300, S500, S2700, S5700 and S6700 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 2 MAC Address Table Configuration
2 MAC Address Table Configuration
2.1 Overview of MAC Addresses

2.2 Understanding MAC Address Tables
2.3 Application Scenarios for MAC Address Tables
2.4 Summary of MAC Address Table Configuration Tasks
2.5 Licensing Requirements and Limitations for MAC Address Tables
2.6 Default Settings for MAC Address Tables
2.7 Configuring MAC Address Tables
2.8 Configuring MAC Address Flapping Prevention
2.9 Configuring MAC Address Flapping Detection
2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
2.11 Enabling MAC Address-triggered ARP Entry Update
2.12 Enabling Port Bridge
2.13 Configuring Re-marking of Destination MAC Addresses
2.14 Disabling Real-Time MAC Address Synchronization Suppression
2.15 Disabling Unknown Unicast Traffic Suppression
2.16 Maintaining MAC Address Tables
2.17 Configuration Examples for MAC Address Tables
2.18 Troubleshooting MAC Address Tables
2.19 FAQ About MAC Address Tables
2.1 Overview of MAC Addresses
Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 21

Switches
Basic Concepts
A MAC address uniquely identifies a network interface card (NIC) of a network
device. A MAC address consists of 48 bits and is displayed as a 12-digit
hexadecimal number. Bits 0 to 23 are assigned by the IETF and other institutions
to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors to
identify their NICs.
MAC addresses fall into the following types:
● Physical MAC address: uniquely identifies a terminal on an Ethernet network

and is the globally unique hardware address.
● Broadcast MAC address: indicates all terminals on a LAN. The broadcast
address is all 1s (FF-FF-FF-FF-FF-FF).
● Multicast MAC address: indicates a group of terminals on a LAN. All the MAC
addresses with the eighth bit as 1 are multicast MAC addresses (for example,
01-00-00-00-00-00), excluding the broadcast MAC address. The multicast
MAC address starting from 01-80-c2 is the BPDU MAC address, and is often
used as the destination MAC address of protocol packets.
Supported MAC Addresses

The MAC addresses of a switch are classified into the system MAC address and
interface MAC addresses. The MAC addresses of an interface include the
management interface MAC address, VLANIF interface MAC address, Layer 2
physical interface MAC address, Layer 3 interface MAC address, sub-interface MAC
addresses, Layer 2 Eth-Trunk interface MAC address, and Layer 3 Eth-Trunk
interface MAC address. The system MAC address is also called the device MAC
address, which can be displayed using the display bridge mac-address command.
The management interface MAC address, sub-interface MAC addresses, Layer 2
physical interface MAC address, and Layer 2 Eth-Trunk interface MAC address are
the same as the system MAC address. The other interface MAC addresses are
different from the system MAC address and can be displayed using the display
interface command.
2.2 Understanding MAC Address Tables
2.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table

A MAC address table is used by the switch to record the mappings between
learned MAC addresses of other devices and interfaces on which MAC addresses
are learned, as well as VLANs to which the interfaces belong. When the switch
receives a packet, it searches the MAC address table for the MAC address of the
destination. If the switch finds the MAC address, it forwards the packet from the
corresponding outbound interface in the MAC address entry. Otherwise, the switch
broadcasts the packet to all interfaces (except the interface on which the packet
was received) in the associated VLAN.

Switches
Classification of MAC Address Entries

MAC address entries are classified into dynamic, static, and blackhole entries.
Service modules may further classify dynamic MAC address entries according to
service types, for example, secure MAC, MUX MAC, authen MAC, and guest MAC.
Table 2-1 Characteristics and functions of different MAC address entries

MAC Address Entry Characteristics Function
Type
Dynamic MAC address ● Dynamic MAC address ● You can check

entry entries are obtained by whether data is
learning the source forwarded between
MAC address of a two connected
packet received on an devices by checking
interface, and can be dynamic MAC
aged. address entries.
● Dynamic MAC address ● You can obtain the
entries do not persist number of
across system restart. communicating users
connected to an
interface by checking
the number of
specified dynamic
MAC address entries.

Switches
MAC Address Entry Characteristics Function

Type
Static MAC address entry ● Static MAC address A static MAC address
entries are manually entry can be configured
configured. Static MAC to allow an authorized
address entries are not user to access network
aged. resources and prevent
● The static MAC other users from using
address entries persist the bound MAC address
across system restart to initiate attacks.
once saved in the
system.
● Interfaces other than
that statically bound
to the MAC address in
the entry discard
packets that originate
from this MAC address.
● A static MAC address
entry can have only
one outbound
interface.
● Statically binding an
interface to a MAC
address does not affect
the learning of
dynamic MAC address
entries on the
interface.
Blackhole MAC address ● Blackhole MAC A blackhole MAC

entry address entries are address entry can be
manually configured. configured to filter out
Blackhole MAC unauthorized users.
address entries are not
aged.
● The blackhole MAC
address entries persist
across system restart
once saved in the
system.
● The switch discards
packets from or
destined to a
blackhole MAC
address.

Switches
2.2.2 Elements and Functions of a MAC Address Table
Elements
A MAC address table contains entries that are identified by a MAC address and a
VLAN ID or VSI name. Each entry specifies the outbound interface through which
packets with the specified destination MAC address and VLAN ID or VSI are
forwarded. If a destination host joins multiple VLANs or VSI names, the host's
MAC address corresponds to multiple VLAN IDs or VSI names. Table 2-2 provides
an example of this scenario. In this case, packets with the destination MAC
address 00e0-fc22-0034 and VLAN 10 are forwarded through the outbound
interface GE0/0/1.
Table 2-2 MAC address entries
MAC Address VLAN ID/VSI Name Outbound Interface
00e0-fc22-0034 10 GE0/0/1
00e0-fc22-0034 20 GE0/0/2
00e0-fc22-0035 30 Eth-Trunk20
00e0-fc22-0035 huawei GE0/0/3
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 2-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC
address table for the destination MAC address MAC3 and VLAN 10 in the packets
to obtain outbound interface Port3. The switch then forwards packets to PC3
through Port3.
Figure 2-1 Forwarding based on the MAC address table

Switches
2.2.3 MAC Address Entry Learning and Aging
MAC Address Entry Learning

Generally, MAC address entries are learned from source MAC addresses of data
frames.
Figure 2-2 MAC address entry learning
In Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the source MAC address (HostA's MAC address) and VLAN
ID of the frame.
● If the MAC address entry is not present in the MAC address table, SwitchA
adds an entry with the new MAC address, PortA, and VLAN ID to the MAC
address table.
● If the MAC address entry is present in the MAC address table, SwitchA resets
the aging timer of the MAC address entry and updates the entry.
NOTE
● If PortA is a member interface of an Eth-Trunk, the outbound interface in the MAC

address entry is the Eth-Trunk.
● By default, all interfaces of a switch belong to VLAN 1 and the VLAN ID of all MAC
address entries is VLAN 1.
● The switch does not learn the BPDU MAC address similar to 0180-c200-xxxx.However,
the switch learns the source MAC address of BPDUs transparently transmitted through
VXLAN or VPLS.
MAC address entry learning and update are triggered on a device only when the
switch receives data frames.
MAC Address Entry Aging

Dynamic MAC address entries may become invalid if the network topology
changes. Therefore, to ensure its MAC address table remains current, a switch uses
a mechanism called aging. Each entry has a life cycle (aging time) and will be
deleted when the aging time expires. If an entry is updated within the aging time,
the aging timer of the entry is reset.

Switches
Figure 2-3 MAC address entry aging
As shown in Figure 2-3, the aging time of MAC address entries is set to T. At t1,
packets with source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an
interface, which has joined VLAN 1. If no entry with MAC address 0e0-fc00-0001
and VLAN 1 exists in the MAC address table, the MAC address is learned as a
dynamic MAC address entry in the MAC address table, and the hit flag of the
entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC
address entry with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device
sets the hit flag to 0 but does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry
remains as 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is
0. The device considers that the aging time of the MAC address entry has
expired and deletes the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on
the device.
You can set the aging time of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
NOTE
If the interface frequently alternates between Up and Down, MAC address entries may be
not aged within twice the aging time. In this case, you are advised to check the link quality
or run the port link-flap protection enable command to configure link flapping
protection.
2.2.4 MAC Address Learning Control

To consume MAC address table resources of a switch and thereby prevent the
switch from learning new entries, a malicious user may send large numbers of

Switches
packets with spurious source MAC addresses. Such an attack will also consume
bandwidth resources because the switch broadcasts the packets that do not match
To address the preceding issue, the switch provides the following MAC address
learning control methods:
● Disabling MAC address learning on a VLAN or an interface

● Limiting the number of learned MAC address entries on a VLAN or an
interface
Table 2-3 MAC address learning control
MAC Address Description Application Scenario

Learning
Control Method
Disabling MAC After MAC address learning ● Generally, a malicious user

address learning is disabled on a VLAN or an will send packets to only
on a VLAN or an interface, the switch does not one interface on the
interface learn new dynamic MAC switch. Therefore, you can
address entries on the VLAN use either of the two
or interface. The dynamic methods to protect MAC
MAC address entries already address table resources.
learned are aged out when ● The method of limiting
the aging time expires. These the number of learned
entries can also be manually MAC address entries on a
deleted through commands. VLAN or an interface can
Limiting the The switch can learn only the also be used to limit the
number of specified number of MAC number of access users.
learned MAC address entries on a VLAN or
address entries an interface.
on a VLAN or an When the specified number
interface is reached, the switch reports
an alarm.
Subsequently, the switch
cannot learn new MAC
address entries on the VLAN
or interface and discards the
packets whose source MAC
address is not in the MAC
address table.
2.2.5 MAC Address Flapping
What Is MAC Address Flapping

MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one.

Switches
Figure 2-4 shows how MAC address flapping occurs. In the MAC address entry
with MAC address 00e0-fc22-0034 and VLAN 2, the outbound interface is changed
from GE0/0/1 to GE0/0/2. MAC address flapping can cause an increase in the CPU
usage on the switch.
Generally, MAC address flapping does not occur unless a network loop occurs. If
frequent MAC address flapping occurs on your network, alarms and MAC address
flapping records provide insight for locating faults and eliminating loops.
Figure 2-4 MAC address flapping
How to Detect MAC Address Flapping

MAC address flapping detection checks whether outbound interfaces in MAC
address entries change frequently.
After MAC address flapping detection is enabled, the switch reports an alarm if
MAC address flapping occurs (for example, due to a loop between the outbound
interfaces). The alarm contains the flapping MAC address, VLAN ID, and outbound
interfaces between which the MAC address flaps. The network administrator can
locate the cause of the loop based on the alarm. As an alternative, the switch can
perform the action specified in the configuration of MAC address flapping
detection to remove the loop automatically. The action can be quit-vlan (remove
the interface from the VLAN) or error-down (shut down the interface).

Switches
Figure 2-5 Networking of MAC address flapping detection
In Figure 2-5, a network cable is incorrectly connected between SwitchC and

SwitchD, causing a loop between SwitchB, SwitchC, and SwitchD. When Port1 of
SwitchA receives a broadcast packet, SwitchA forwards the packet to SwitchB. The
packet is then sent to Port2 of SwitchA. After being configured with MAC address
flapping detection, SwitchA can detect that the source MAC address of the packet
flaps from Port1 to Port2. If the MAC address flaps between Port1 and Port2
frequently, SwitchA reports an alarm.
NOTE
MAC address flapping detection allows a switch to detect changes in traffic transmission
paths based on learned MAC addresses. However, the switch cannot obtain the entire
network topology. It is recommended that this function be used on an interface connected
to a user network where loops may occur.
How to Prevent MAC Address Flapping

MAC address flapping occurs on a network when loops or attacks occur.
During network planning, you can use the following methods to prevent MAC
address flapping:
● Increase the MAC address learning priority of an interface: If the same MAC
address is learned on interfaces that have different priorities, the MAC address
entry on the interface with the highest priority overrides that on the other
interfaces.
● Prevent MAC address entries from being overridden on interfaces with the
same priority: If the interface connected to a bogus network device has the
same priority as the interface connected to an authorized device, the MAC
address entry of the bogus device learned later does not override the original
correct MAC address entry. If the authorized device is powered off, the MAC
address entry of the bogus device is learned. After the authorized device is
powered on again, its MAC address cannot be learned.

Switches
In Figure 2-6, Port1 of the switch is connected to a server. To prevent

unauthorized users from connecting to the switch using the server's MAC address,
you can set a high MAC address learning priority for Port1.
Figure 2-6 Networking of MAC address flapping prevention
2.2.6 MAC Address-Triggered ARP Entry Update
NOTE
Only the S5720I-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H,
S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S support this function.
Hosts on an Ethernet LAN send and receive Ethernet data frames based on MAC
addresses. To map IP addresses to MAC addresses, the Address Resolution Protocol
(ARP) is used. When two hosts on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP
entries are consistent. In Figure 2-7, the outbound interface in both the MAC
address entry and ARP entry is GE0/0/1 at T1. The interface is then changed. At
T2, after a packet is received from the peer device, the outbound interface in the
MAC address entry is immediately changed to GE0/0/2. However, the outbound
interface in the ARP entry remains as GE0/0/1. At T3, the aging time of the ARP
entry expires, and the outbound interface in the ARP entry is changed to GE0/0/2
through ARP aging probe. Between T2 and T3, the outbound interface in the ARP
entry is unavailable, interrupting communication between devices on different
network segments.

Switches
Figure 2-7 MAC address-triggered ARP entry update is not enabled
MAC address-triggered ARP entry update enables a switch to update the

outbound interface in an ARP entry immediately after the outbound interface in
the corresponding MAC address entry changes. Figure 2-8 shows a scenario where
MAC address-triggered ARP entry update is enabled. At T2, after the outbound
interface in the MAC address entry is changed to GE0/0/2, the outbound interface
in the ARP entry is immediately changed to GE0/0/2. This function ensures
communication is not interrupted between T2 and T3 due to the incorrect
outbound interface in the ARP entry.
Figure 2-8 MAC address-triggered ARP entry update is enabled

Switches
NOTE
The MAC address-triggered ARP entry update function is often used in scenarios where
switches in a Virtual Router Redundancy Protocol (VRRP) group connect to servers (see
2.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP
Switchover Performance), or Layer 3 traffic switching scenarios where STP and Smart Link
are used.
2.3 Application Scenarios for MAC Address Tables
2.3.1 Configuring MAC Address Flapping Prevention to Block

User Attacks
When you deploy a Layer 2 network, you can configure MAC address flapping
prevention to block attacks from unauthorized users.
In Figure 2-9, employees of an enterprise need to access the server connected to
Port1 of the switch. If an unauthorized user sends packets using the server's MAC
address as the source MAC address, the server's MAC address is learned on
another interface of the switch. Subsequently, packets sent by employees to the
server are sent to the unauthorized user. As a result, the unauthorized user may
intercept data and prevent employees from accessing the server. To prevent
unauthorized users from using the server's MAC address to attack the switch, set a
higher MAC address learning priority for the interface connected to the server
than the interfaces connected to unauthorized users. In this case, MAC address
flapping will not occur if unauthorized users attack the switch.
Figure 2-9 Networking of MAC address flapping prevention

Switches
2.3.2 Configuring MAC Address Flapping Detection to Quickly

Detect Loops
If a loop occurs, MAC address flapping must have occurred on the failure point.
You can use the MAC address flapping function to locate the loop.
Enable MAC address flapping detection to check whether a loop occurs in the
following scenarios:
● A MAC address entry alternates between appearing and disappearing.

● Ping operations alternate between being successful and failing.
● A high CPU usage alarm is generated.
MAC address flapping detection is easier to configure than many other loop
detection technologies. Table 2-4 compares the loop detection technologies.
Table 2-4 Comparison of loop detection technologies
Feature Advantage Disadvantage
MAC address ● Checks all interfaces and After detecting a loop, the
flapping VLANs on a device. switch only reports alarms; it
detection ● Requires only one cannot eliminate the loop.
command and is
enabled by default.
Loopback ● Detects loops based on This function is not enabled by

detection interfaces and VLANs. default and needs to be
● Eliminates a loop after configured through
detecting it. commands.
2.3.3 Configuring MAC Address-Triggered ARP Entry Update to

Improve VRRP Switchover Performance
In scenarios where a Virtual Router Redundancy Protocol (VRRP) group connects
to servers, MAC address-triggered ARP entry update can be configured to speed
up VRRP active/standby switchovers. This function minimizes the service
interruption time if a link or switch fails.
VRRP groups multiple routing devices into a virtual router, which functions as the
virtual gateway for users. Its virtual IP address is used as the default gateway
address to implement communication with an external network. If a gateway fails,
VRRP selects another gateway to transmit service traffic, ensuring reliable
communication.
In Figure 2-10, HostA is dual-homed to SwitchA and SwitchB through the switch.
A VRRP group is configured on SwitchA and SwitchB to implement link
redundancy. If the link between SwitchA and the switch fails, MAC address entries
and ARP entries on the switch are updated to ensure that traffic is switched to the
link between the switch and SwitchB.

Switches
Figure 2-10 VRRP networking
A VRRP group may connect to a server but not a switch, as shown in Figure 2-11.
Generally, a server selects only one network interface to send packets. When the
server detects a network failure or traffic transmission failure, it sends packets
through another network interface.
● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry matching the
server on Port2, and SwitchB learns the server MAC address on Port1.
● When the server detects that Port2 is faulty, the server sends packets through
Port1. SwitchA then learns the server MAC address on Port1. If the server does
not send an ARP Request packet to SwitchA, SwitchA still maintains the ARP
entry on Port2. In this case, packets sent from SwitchA to the server are still
forwarded through Port2 until the ARP entry is aged out.
To address the preceding issue, configure MAC address-triggered ARP entry update
on the switches. This function enables the switches to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
Figure 2-11 VRRP group connecting to a server

Switches
2.4 Summary of MAC Address Table Configuration

Tasks
Table 2-5 MAC address table configuration tasks

Scenario Description Task
MAC addresses and Configure static MAC address 2.7.1 Configuring a

interfaces need to entries to bind MAC addresses and Static MAC Address
be bound statically. interfaces, improving security of Entry
authorized users.
Attack packets Configure blackhole MAC address 2.7.2 Configuring a

from unauthorized entries to filter out packets from Blackhole MAC
users need to be unauthorized users, thereby Address Entry
filtered out. protecting the system against
attacks.
Aging of dynamic Set the aging time of dynamic 2.7.3 Setting the
MAC address MAC address entries according to Aging Time of
entries needs to be your needs. Set the aging time to Dynamic MAC
flexibly controlled. a large value or 0 (not to age Address Entries
dynamic MAC address entries) on
a stable network; set a short
aging time in other situations.
MAC address Disable MAC address learning or 2.7.4 Disabling MAC

learning needs to limit the number of learned MAC Address Learning
be controlled. address entries to prevent attacks 2.7.5 Configuring
from exhausting MAC address the MAC Address
entries. Limiting Function

Switches
The MAC address Configure one or more of the 2.7.6 Enabling MAC
table needs to be following trap functions to Address Trap
monitored. monitor the usage of MAC Functions
address entries:
● Configure an alarm threshold
for MAC address usage. When
the MAC address usage
exceeds the upper threshold,
the switch generates an alarm.
When the MAC address usage
falls below the lower threshold,
the switch reports a clear
alarm.
● Enable the trap function for
MAC address learning or aging.
When a MAC address entry is
learned or aged out, the switch
sends an alarm.
● Enable the trap function for
MAC address hash conflicts. If
the switch cannot learn MAC
address entries while its MAC
address table is not full, the
switch reports an alarm about
a MAC address hash conflict.
The outbound Enable the MAC address-triggered 2.11 Enabling MAC

interfaces in ARP ARP entry update function to Address-triggered
entries need to be minimize the service interruption ARP Entry Update
updated quickly. time caused when the outbound
interface in a MAC address entry
changes.
MAC address Use the following methods to 2.8 Configuring

flapping needs to prevent MAC address flapping: MAC Address
be prevented. ● Configure the MAC address Flapping Prevention
learning priorities for
interfaces. When the same
MAC address is learned by two
interfaces that have different
priorities, the MAC address
entries learned by the interface
with a higher priority override
the MAC address entries
learned by the other interface.
● Prevent MAC address entries
from being overridden on
interfaces with the same
priority.

Switches
MAC address Configure MAC address flapping 2.9 Configuring

flapping needs to detection so that the switch can MAC Address
be detected. check whether MAC addresses Flapping Detection
flap between interfaces and
determine whether loops occur. If
MAC address flapping occurs, the
switch sends an alarm to the
NMS. The network maintenance
personnel can locate the loop
based on the alarm information
and historical records for MAC
address flapping. This greatly
improves network maintainability.
If the network connected to the
switch does not support loop
prevention protocols, configure
the switch to shut down the
interfaces where MAC address
flapping occurs to reduce the
impact of MAC address flapping
on the network.
MAC address flapping occurs
when a MAC address is learned by
two interfaces in the same VLAN
and the MAC address entry
learned later overrides the earlier
one.
The switch needs Configure the switch to discard 2.10 Configuring the
to discard packets packets with an all-0 source or Switch to Discard
with an all-0 destination MAC address and send Packets with an
source or an alarm to the NMS. Such All-0 MAC Address
destination MAC packets may be sent by a faulty
address. host or device.
An interface needs Enable the port bridge function on 2.12 Enabling Port
to forward packets an interface to allow the interface Bridge
whose source and to forward packets whose source
destination MAC and destination MAC addresses
addresses are both are both learned on the interface.
learned on the By default, an interface regards
interface. such a packet as an invalid packet
and discards it. This function
applies to a switch that connects
to devices incapable of Layer 2
forwarding or functions as an
access device in a data center.

Switches
2.5 Licensing Requirements and Limitations for MAC

Address Tables
Involved Network Elements

Other network elements are not required.
Licensing Requirements
The MAC address table is a basic feature of a switch and is not under license
control.
Feature Support in V200R021C10

All models of S300, S500, S2700, S5700, and S6700 series switches support MAC.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
The S5731-L and S5731S-L are remote units and do not support web-based management,
YANG, or commands. They can be configured only through configuration delivery by the
central device. For details, see "Simplified Architecture Configuration (the Solar System
Solution)" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide -
Device Management.
Feature Limitations
● Dynamic MAC address entries can be learned on an interface only after the
interface is added to an existing VLAN.
● Among existing MAC address entries, only MAC addresses of the dynamic
type can be overwritten as MAC addresses of other types.
● Each static MAC address entry can have only one outbound interface.
● When the aging time of dynamic MAC address entries is set to 0, dynamic
MAC address entries do not age. To age MAC address entries, delete the aging
time configuration.
● When MAC address learning is disabled in a VLAN and an interface in the
VLAN on the S5700-EI, S5710-EI, S5700-HI, S5710-HI, and S5720-EI and the
discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC
address learning disabled and the discard action is defined. In this situation,
Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● When the interface frequently alternates between Up and Down, MAC
address entries may be not aged within two aging period. At this time, you
are advised to check the link quality or run the port link-flap protection
enable command to configure link flapping protection.

Switches
2.6 Default Settings for MAC Address Tables
Table 2-6 Default setting for MAC address tables

Parameter Default Setting
Aging time of dynamic MAC address 300s

entries
MAC address learning Enabled
MAC address learning priority of an 0

interface
Preventing MAC address entries from Disabled

being overridden on interfaces with
the same priority
MAC address flapping detection Enabled
Aging time of flapping MAC address 300s

entries
MAC address-triggered ARP entry Disabled

update
Trap function for the MAC address Enabled

usage
Trap function for MAC address Disabled

learning or aging
Trap function for MAC address hash Disabled

conflicts
Discarding packets with an all-0 MAC Disabled

address
Trap function for packets with an all-0 Disabled

MAC address
Port bridge Disabled
2.7 Configuring MAC Address Tables
2.7.1 Configuring a Static MAC Address Entry

Switches
Context
To keep its MAC address table current, a switch learns source MAC addresses of
packets. However, the switch cannot distinguish packets from authorized and
unauthorized users, leading to security risks. For example, if an unauthorized user
spoofs the MAC address of an authorized user and connects to another interface
of the switch, the switch learns an incorrect MAC address entry. As a result,
packets destined for the authorized user are forwarded to the unauthorized user.
To address this issue, create static MAC address entries to bind MAC addresses of
authorized users to specified interfaces.
Static MAC address entries have the following characteristics:
● A static MAC address entry will not be aged out. After being saved, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.
● An existing MAC address entry of the authen, pre-authen, security, or sticky
type cannot be configured as a static MAC address entry.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.
----End
Verifying the Configuration

Run the display mac-address static command to check configured static MAC
address entries.
2.7.2 Configuring a Blackhole MAC Address Entry
Context
To protect a switch or network against MAC address attacks, configure MAC
addresses of untrusted users as blackhole MAC addresses. After blackhole MAC
address entries are configured, the switch discards packets whose source or
destination MAC addresses match these entries.
Procedure

Switches
Step 2 Run mac-address blackhole mac-address [ vlan vlan-id ]
A blackhole MAC address entry is configured.
----End

Run the display mac-address blackhole command to check configured blackhole
2.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
Frequent topology changes result in the switch learning a large number of
dynamic MAC addresses, some of which may no longer be in use. You can
configure how long these entries remain in the MAC address table before the
switch deletes them. A shorter aging time is suitable if the topology changes
frequently, whereas a longer aging time is suitable if the topology remains stable.
Procedure
Step 2 Run mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
The aging time is 0 or an integer from 10 to 1000000, in seconds. The value 0

indicates that dynamic MAC address entries will not be aged out. The default
value is 300.
NOTE
If the aging time is set to 0, MAC address entries become fixed and never age out. To clear
these entries, set the aging time to a non-0 value. The system then deletes these entries
after twice the aging time.
----End

Run the display mac-address aging-time command to view the aging time of
dynamic MAC address entries.
2.7.4 Disabling MAC Address Learning

Context
You can disable MAC address learning on an interface, in a VLAN, and for a
specified flow.

Switches
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
entry. The MAC address learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These
dynamic MAC address entries are deleted after the aging time expires or can be
manually deleted using commands.
Procedure
● Disable MAC address learning on an interface.
a. Run system-view
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
If action is specified, the switch handles packets based on the selected
action. The forward action causes the switch to forward packets
according to the MAC address table (this is the default action). The
discard action causes the switch to forward packets according to the
MAC address table only if an entry matching the source MAC address is
found. If no entry is found, the switch discards the packets.
● Disable MAC address learning in a VLAN.
a. Run system-view
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
● Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run system-view
ii. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed,
or the view of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier
means that:

Switches
○ If the traffic classifier contains ACL rules, packets match the

traffic classifier only if they match one ACL rule and all the non-
ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets
match the traffic classifier only if they match all the rules in the
classifier.
The logical operator or means that packets match the traffic
classifier if they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
iii. Configure matching rules in the traffic classifier according to the
following table.
NOTE
Only the S6720-EI, S6735-S, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-
name }, the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, and S6730S-S do not support remark 8021p [ 8021p-
value | inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id,
and mac-address learning disable.
For the S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and S500, S5735-S-I, S5735S-S, if a traffic policy is
applied to the outbound direction and the relationship between rules in a
traffic classifier is AND:
● Rules for matching the source IPv6 address and those for matching the
destination IPv6 address cannot be configured in the same traffic
classifier.
● Rules for matching IPv6 information (for example, if-match protocol
ipv6 and if-match ipv6 acl) and those for matching the source MAC
address, destination MAC address, source IPv6 address, or destination
IPv6 address of packets cannot be configured in the same traffic
classifier. (ACL6 rules can be used to match the source or destination
IPv6 address of packets.)
● Rules for matching IPv4 information (IP address and UDP port
number) and those for matching some Layer 2 information (for
example, if-match source-mac, if-match destination-mac, and if-
match l2-protocol { mpls | rarp | protocol-value }) cannot be
configured in the same traffic classifier.

Switches
Matching Command Remarks

Rule
Outer if-match vlan-id start- Only the S5735S-H, S5736-

VLAN ID vlan-id [ to end-vlan- S, S5731-H, S5731-S,
or inner id ] [ cvlan-id cvlan- S5731S-H, S5731S-S,
and outer id ] S5732-H, S2730S-S, S5735-
VLAN IDs L-I, S5735-L1,S300, S5735-
of QinQ L, S5735S-L, S5735S-L1,
packets S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S
support the cvlan-id cvlan-
id parameter.
Inner and if-match cvlan-id Only the S5735S-H, S5736-
outer start-vlan-id [ to end- S, S5731-H, S5731-S,
VLAN IDs vlan-id ] [ vlan-id S5731S-H, S5731S-S,
in QinQ vlan-id ] S5732-H, S2730S-S, S5735-
packets L-I, S5735-L1,S300, S5735-
L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S
support this matching rule.
802.1p if-match 8021p If you specify multiple

priority in 8021p-value &<1-8> values for 8021p-value in
VLAN one command, a packet
packets matching any of the values
matches the traffic
classifier, regardless of
whether the relationship
between rules in the traffic
classifier is AND or OR.
Inner if-match cvlan-8021p Only the S5735S-H, S5736-

802.1p 8021p-value &<1-8> S, S5731-H, S5731-S,
priority in S5731S-H, S5731S-S,
QinQ S5732-H, S2730S-S, S5735-
packets L-I, S5735-L1, S300, S5735-
L, S5735S-L1, S5735S-L,
S5735S-L-M, S500, S5735-S,
S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S

Switches

Rule
Discarded if-match discard Only the S5731-H, S5731-S,

packet S5731S-H, S5731S-S,
S5732-H, S6735-S, S6720-
EI, S6720S-EI, S6730-H,
S6730S-H, S6730-S, and
S6730S-S support this
matching rule.
A traffic classifier
containing this matching
rule can only be bound to
traffic behaviors containing
the traffic statistics
collection and flow
mirroring actions.
Double if-match double-tag Only the S5731-H, S5731-S,

tags in S5731S-H, S5731S-S,
QinQ S5732-H, S2730S-S, S5735-
packets L-I, S5735-L1, S300, S5735-
L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S
EXP if-match mpls-exp Only the S5731-H, S5731S-

priority in exp-value &<1-8> H, S5732-H, S6720-EI,
MPLS S6720S-EI, S6730S-H, and
packets S6730-H support this
matching rule.
If you specify multiple
values for exp-value in one
command, a packet
matching any of the values
matches the traffic
between rules in the traffic
Destinatio if-match destination- -

n MAC mac mac-address
address [ mac-address-mask ]
Source if-match source-mac -

MAC mac-address [ mac-
address address-mask ]

Switches

Rule
Protocol if-match l2-protocol -

type in the { arp | ip | mpls | rarp |
Ethernet protocol-value }
frame
header
All packets if-match any After the if-match any

command is run, only the
matching rule configured
using this command takes
effect, and the other
matching rules in the same
traffic classifier will become
ineffective.
DSCP if-match dscp dscp- ● If you specify multiple

priority in value &<1-8> values for dscp-value in
IP packets one command, a packet
matching any of the
values matches the
traffic classifier,
regardless of whether
the relationship between
rules in the traffic
● The if-match dscp and
if-match ip-precedence
commands cannot be
configured in the same
traffic classifier in which
rules is AND.

Switches

Rule
IP if-match ip- ● If you specify multiple

precedence precedence ip- values for ip-
in IP precedence-value precedence-value in one
packets &<1-8> command, a packet
matching any of the
values matches the
traffic classifier,
● The if-match dscp and
if-match ip-precedence
commands cannot be
rules is AND.
Layer 3 if-match protocol { ip -

protocol | ipv6 }
type
SYN flag in if-match tcp syn-flag -

the TCP { syn-flag-value | ack |
packet fin | psh | rst | syn |
urg }
Inbound if-match inbound- A traffic policy containing

interface interface interface- this matching rule cannot
type interface-number be applied to the outbound
direction or in the interface
view.

Switches

Rule
Outbound if-match outbound- The S2720-EI, S5720-LI,

interface interface interface- S5720S-LI, S5720I-SI,
type interface-number S5735S-H, and S5736-S do
not support this matching
rule.
A traffic policy containing
this matching rule cannot
be applied to the inbound
direction on the S5731-H,
S5731-S, S5731S-H,
S5731S-S, S5732-H,
S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S500, S5735-S,
S5735S-S, S5735-S-I,
S6730-H, S6730S-H, S6730-
S, and S6730S-S.
be applied in the interface
view.
ACL rule if-match acl { acl- ● Before specifying an ACL

number | acl-name } in a matching rule,
configure the ACL.
● If an ACL in a traffic
classifier defines
multiple rules and a
packet matches any of
the rules, the packet
matches the ACL,
● If the vpn-instance
parameter is specified in
an ACL rule, a traffic
policy that defines a
traffic classifier with this
ACL rule does not take
effect.

Switches

Rule
ACL6 rule if-match ipv6 acl Before specifying an ACL6

{ acl-number | acl- in a matching rule,
name } configure the ACL6.
If the vpn-instance
parameter is specified in an
ACL6 rule, a traffic policy
that defines a traffic
classifier with this ACL6
rule does not take effect.
On the S2730S-S, S5735-L-
I, S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and
S500, S5735-S-I, S5735S-S,
if a traffic policy is applied
to the outbound direction,
and an ACL6 rule for
matching the source IPv6
address of packets and an
ACL6 rule for matching the
destination IPv6 address of
packets are respectively
configured in two traffic
classifiers:
● If the traffic behaviors
corresponding to the
two traffic classifiers do
not conflict, the two
traffic classifiers and
their corresponding
traffic behaviors take
effect.
corresponding to the
two traffic classifiers
conflict, the traffic
behavior and traffic
classifier defining the
ACL6 rule for matching
the source IPv6 address
of packets take effect.

Switches

Rule
Flow ID if-match flow-id flow- Only the S5731-H, S5731-S,

id S5731S-S, S5731S-H,
S5732-H, S2730S-S, S5735-
L-I, S5735-L1, S300, S5735-
L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S
support matching of flow
IDs.
A traffic classifier
containing if-match flow-
id and a traffic behavior
containing remark flow-id
must be bound to different
traffic policies.
if-match flow-id can be
only applied to an
interface, a VLAN, a
VLANIF interface, or the
system in the inbound
direction.
Inner if-match vxlan Only the S5731-H, S5731-S,

informatio [ transit ] vni vni-id S5731S-H, S5731S-S,
n of S5732-H, S6735-S, S6720-
VXLAN EI, S6720S-EI, S6730-H,
packets S6730S-H, S6730-S, and
matching rule.
be applied to the outbound
direction.
If a traffic classifier
contains this matching rule,
it supports only traffic
behaviors of traffic policing,
packet filtering, and traffic
statistics collection.

Switches

Rule
Application if-match application Only the S5731-H, S5731S-

name name appname H, S5731-S, S5731S-S,
S5732-H, S6730-H, S6730S-
H, S6730-S, S6730S-S
this matching rule can be
applied only to the inbound
direction.
iv. Run quit

Exit from the traffic classifier view.
b. Configure a traffic behavior.
i. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is
displayed.
ii. Run mac-address learning disable
MAC address learning is disabled in the traffic behavior view.
NOTE
This command is supported only by the S5731-H, S5731-S, S5731S-H,

S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S.
iii. Run quit
Exit from the traffic behavior view.
iv. Run quit
Exit from the system view.
c. Configure a traffic policy.
i. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or
the view of an existing traffic policy is displayed. If you do not specify
a matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in the
traffic policy. To modify the matching order, delete the traffic policy,
create a traffic policy, and then specify the matching order.
When creating a traffic policy, you can specify the matching order of
matching rules in the traffic policy. The matching order can be either
the automatic order (auto) or configuration order (config):
○ If the automatic order is used, traffic classifiers are matched
based on the priorities of their types. If the traffic policy is
applied to the inbound direction on the S6720-EI, S6735-S, and
S6720S-EI, traffic classifiers based on the following information

Switches
are matched in descending order of priority: Layer 2 and IPv4

Layer 3 information > advanced ACL6 > basic ACL6 > IPv4 Layer
3 information > Layer 2 information > user-defined ACL
information. In other cases, traffic classifiers based on the
following information are matched in descending order of
priority: Layer 2 and IPv4 Layer 3 information > advanced ACL6
information > basic ACL6 information > Layer 2 information >
IPv4 Layer 3 information > user-defined ACL information. If data
traffic matches multiple traffic classifiers and the bound traffic
behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
○ If the configuration order is used, traffic classifiers are matched
based on the sequence in which they are bound to traffic
behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy
must be applied to an interface, a VLAN, and the system in sequence in the
outbound direction. In the preceding situation, if ACL rules need to be
updated, delete the traffic policy from the interface, VLAN, and system and
re-configure a traffic policy in sequence.
ii. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
iii. Run quit
Exit from the traffic policy view.
iv. Run quit
d. Apply the traffic policy.
▪ Applying a traffic policy to an interface

1) Run system-view
2) Run interface interface-type interface-number
3) Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
A traffic policy can be applied to only one direction on an
interface, but a traffic policy can be applied to different
directions on different interfaces. After a traffic policy is applied
to an interface, the system performs traffic policing for all the
incoming or outgoing packets that match traffic classification
rules on the interface.
▪ Applying a traffic policy to a VLAN

1) Run system-view
2) Run vlan vlan-id

Switches
3) Run traffic-policy policy-name { inbound | outbound }

A traffic policy is applied to the VLAN.
Only one traffic policy can be applied to a VLAN in the inbound
or outbound direction.
After a traffic policy is applied, the system performs traffic
policing for the packets that belong to a VLAN and match traffic
classification rules in the inbound or outbound direction.
▪ Applying a traffic policy to the system

1) Run system-view
2) Run traffic-policy policy-name global { inbound | outbound }
[ slot slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in
one direction. A traffic policy cannot be applied to the same
direction in the system and slot simultaneously.
In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic policing
for all the incoming and outgoing packets that match traffic
classification rules on all the member switches. A traffic policy
that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified
stack ID. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on this member switch.
On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the local
switch. The system then performs traffic policing for all the
rules on the local switch. Traffic policies applied to the slot and
system have the same functions.

● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the switch.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the switch.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-
number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to
check traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound | outbound ] command to check the
traffic policy configuration on the switch.

Switches
● Run the display traffic-policy applied-record [ policy-name ] command to

check the record of the specified traffic policy.
2.7.5 Configuring the MAC Address Limiting Function
Context
The MAC address limiting function controls the number of MAC address entries
the switch can learn on an interface or in a VLAN. An insecure network is
vulnerable to MAC address attacks. A malicious user may attempt to consume
MAC address table resources and thereby prevent the switch from learning new
entries by sending large numbers of packets with spurious source MAC addresses.
To address this issue, you can limit the number of MAC address entries the switch
can learn on an interface or in a VLAN. You can also configure an action to take
when the limit is reached.
Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run system-view
c. Run mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on
the interface is set.
By default, the number of MAC address entries learned on an interface is
not limited.
d. Run mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries
reaches the limit is configured.
By default, the switch discards packets with new MAC addresses when
the number of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
The switch is configured to generate or not generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
● Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
b. Run vlan vlan-id

Switches
c. Run mac-limit maximum max-num

The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not
limited.
d. Run mac-limit alarm { disable | enable }
The switch is configured to generate or not generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
----End

Run the display mac-limit command to check limiting on MAC address learning.
2.7.6 Enabling MAC Address Trap Functions
Context
When trap functions are enabled on the switch, it sends an alarm if the MAC
address usage exceeds the threshold, a MAC address changes, or a MAC address
hash conflict occurs. The switch provides three trap functions for MAC address
entries, enabling you to monitor the usage of MAC address table resources.
Table 2-7 Three trap functions for MAC address entries

Trap Function Description
MAC address An alarm is generated when the MAC address usage is

usage out of the higher than 80%, and a clear alarm is generated when the
specified range MAC address usage is lower than 70%.
A clear alarm can be generated only if a threshold-
exceeding alarm has been generated.
A threshold-exceeding alarm indicates that the MAC address
usage is too high. You are advised to redistribute traffic or
expand the network.
MAC address An alarm is generated when a MAC address entry is learned

learning or aging or aged.

Switches
Trap Function Description
MAC address To improve the MAC address forwarding performance, the

hash conflict MAC address table of the switch is saved using a hash chain.
If multiple MAC addresses map the same key value in
accordance with the hash algorithm, some MAC addresses
may not be learned. That is, a MAC address hash conflict
occurs.
In this situation, the MAC address entries cannot be learned
even though the MAC address table is not full.
A MAC address hash conflict does not affect traffic
forwarding. The switch broadcasts traffic destined for the
conflicting MAC addresses, occupying bandwidth and system
resources. You can replace the network adapter of the
switch or terminal to prevent MAC address hash conflicts.
Procedure
● Enable the trap function for MAC address usage out of the specified range.
a. Run system-view
b. Run mac-address threshold-alarm upper-limit upper-limit-value lower-
limit lower-limit-value
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage
are 80% and 70% respectively. That is, if the MAC address usage is greater
than or equal to 80%, an alarm is generated; If the MAC address usage is less
than 70%, the alarm is cleared.
● Enable the trap function for MAC address changes.
a. Run system-view
b. (Optional) Run mac-address trap notification interval interval-time
The interval at which the switch checks MAC address learning or aging is
set.
By default, the switch checks MAC address learning or aging at an
interval of 10 seconds.
c. Run interface interface-type interface-number
d. Run mac-address trap notification { aging | learn | all }
The trap function for MAC address learning or aging is enabled on the
interface.
By default, the trap function for MAC address learning or aging is
disabled.
● Enable the trap function for MAC address hash conflicts.

Switches
a. Run system-view
b. Run mac-address trap hash-conflict enable
The trap function for MAC address hash conflicts is enabled.
By default, the trap function for MAC address hash conflicts is enabled.
c. (Optional) Run mac-address trap hash-conflict history history-number
The number of MAC address hash conflict alarms reported at an interval
is set.
By default, 10 MAC address hash conflict alarms are reported at an
interval.
d. (Optional) Run mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is
set.
By default, MAC address hash conflict alarms are reported at an interval
of 60 seconds.
e. (Optional) Run mac-address trap hash-conflict threshold threshold-
value
The lower alarm threshold for MAC address hash conflicts is set.
By default, the lower alarm threshold for MAC address hash conflicts is 0.

Run the display current-configuration command to check whether the MAC
address trap functions are configured on the switch.
2.7.7 Configuring a MAC Hash Algorithm

Context
The switch typically uses a hash algorithm to learn MAC address entries. However,
conflicts may occur if two or more MAC addresses produce the same hash value.
In this case, the switch may fail to learn many MAC addresses and then will
broadcast traffic destined for these MAC addresses. The heavy broadcast traffic
increases the load on the switch. To mitigate this issue, use an appropriate hash
algorithm to mitigate the hash conflict.

Switches
NOTE
● The switch uses the hash bucket to store MAC addresses. The switch that uses the hash
bucket performs hash calculation for VLAN IDs and MAC addresses in MAC address
entries to be stored and obtains hash bucket indexes. The MAC addresses with the same
hash bucket index are stored in the same hash bucket. If a hash bucket with the
maximum storage space cannot accommodate learned MAC addresses of the hash
bucket, a hash conflict occurs and MAC addresses cannot be stored. The maximum
number of MAC addresses learned by the switch through the hash bucket may be not
reached.
● The S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-
L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735-S-I, S5735S-
S, S6730-H, S6730S-H, S6730-S, and S6730S-S do not support this function.
● MAC addresses are distributed on a network randomly, so the best hash algorithm
cannot be determined. Generally, it is recommended the default MAC hash algorithm be
used unless you have specific requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
● After the hash algorithm is changed, restart the switch to make the configuration take
effect.
Procedure
Step 2 Configure a hash algorithm.
● Run the mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower
| crc32-upper | lsb | enhanced } slot slot-id command on the S6735-S,
S6720-EI and S6720S-EI.
● Run the mac-address hash-mode { xor | crc } slot slot-id command on other
models except the S6735-S, S6720-EI and S6720S-EI.
By default, the hash algorithm is crc32-lower on the S6735-S, S6720-EI and
S6720S-EI and crc on other models.
Step 3 Run mac-address hash-bucket-mode { size4 | size8 | size12 | size16 }
The hash bucket size is configured for the MAC address table.
By default, the hash bucket size of a MAC address table is 4.
NOTE
● This function is supported only by the S5720I-SI, S5720-LI, and S5720S-LI.

● A larger hash bucket size will lower device forwarding performance.
● After you change the hash bucket size to a smaller value, you need to restart the switch.
----End

Run the display mac-address hash-mode command to check the running and
configured hash algorithms.
2.7.8 Configuring the Extended MAC Entry Resource Mode

Switches
Context
You can increase the MAC address table size by changing the MAC entry resource
mode.
When the switch transmits heavy traffic, MAC address entries increase accordingly.
If the current MAC address table size cannot meet service requirements, service
running efficiency is reduced. The switch provides an extended register that you
can use to increase the size of the MAC address table, thereby enabling the switch
to learn more MAC addresses.
NOTE
Only the S6735-S, S6720-EI and S6720S-EI support this function.
Procedure
Step 1 (Optional) Run display resource-mode configuration
The extended entry resource mode is displayed.
Step 3 Run assign resource-mode enhanced-mac slot slot-id
The extended MAC entry resource mode is configured.
NOTE
After the extended MAC entry resource mode is configured, you must restart the switch to make
the configuration take effect.
----End

Run the display resource-mode configuration command to check the configured
and current extended entry resource modes.
2.8 Configuring MAC Address Flapping Prevention
2.8.1 Configuring a MAC Address Learning Priority for an

Interface
Context
To prevent MAC address flapping, set different MAC address learning priorities for
interfaces. When two interfaces learn the same MAC address entries, the MAC
address entries learned by the interface with a higher priority override the MAC
address entries learned by the other interface.

Switches
Procedure
For S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H, S6730-S, and S6730S-S switches, perform the following
operations.
1. Run system-view
2. Run interface interface-type interface-number
3. Run mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger
priority value indicates a higher MAC address learning priority.
4. Run mac-learning priority flapping-defend action discard
The switch is configured to discard packets when configured to prohibit MAC
address flapping.
By default, the action is forward when configured to prohibit MAC address
flapping.
For S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L,

S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-S-I,
S5735S-H, S5736-S perform the following operations.
1. Run system-view
2. Run mac-spoofing-defend enable
Global MAC spoofing defense is enabled.
By default, global MAC spoofing defense is disabled.
4. Run mac-spoofing-defend enable
MAC spoofing defense is enabled on the interface so that the interface
becomes a trusted interface.
By default, MAC spoofing defense is disabled on an interface.
NOTE
On the S2730S-S, S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-

M, S5735-S, S500, S5735-S-I, and S5735S-S, after MAC spoofing defense is enabled
globally, the real-time performance of MAC address flapping detection on the
interfaces that are not enabled with MAC spoofing defense decreases.

Run the display current-configuration command to check the MAC address
learning priorities of interfaces.

Switches
2.8.2 Preventing MAC Address Flapping Between Interfaces

with the Same Priority
Context
Preventing MAC address flapping between interfaces with the same priority can
improve network security.
After this configuration is complete, the following issue may occur: If a network
device (such as a server) connected to an interface of the switch is powered off
and the same MAC address is learned on another interface, the switch cannot
learn the correct MAC address on the original interface after the network device is
powered on.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this configuration.
Procedure
Step 2 Run undo mac-learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with
the same priority.
By default, the device allows MAC address flapping between interfaces with the
same priority.
Step 3 Run mac-learning priority flapping-defend action discard
The switch discards packets when configured to prohibit MAC address flapping.
By default, the action is forward when configured to prohibit MAC address

flapping.
----End

Run the display current-configuration command to check whether MAC address
flapping is allowed between interfaces with the same priority.
2.9 Configuring MAC Address Flapping Detection

Context
MAC address flapping detection enables the device to check all MAC addresses to
detect MAC address flapping.

Switches
NOTE
● You are advised not to configure an action to take for MAC address flapping on an
uplink interface because it may interrupt uplink traffic.
● When MAC address flapping detection is enabled, the switch can detect loops on a
single point, but cannot obtain the entire network topology. If the network connected to
the device supports loop prevention protocols, use the loop prevention protocols instead
of MAC address flapping detection to eliminate loops.
● If loops may occur on only a few VLANs, it is recommended that you set the loop
prevention action to quit-vlan.
● If loops may occur on a large number of VLANs, it is recommended that you set the
loop prevention action to error-down. This action improves system performance.
Additionally, the remote device can detect the error-down event so that it can quickly
switch traffic to a backup link (if any).
Procedure
Step 2 Run mac-address flapping detection
MAC address flapping detection is enabled.
By default, MAC address flapping detection is enabled. The device detects MAC
address flapping in all VLANs.
Step 3 (Optional) Run mac-address flapping detection exclude vlan { vlan-id1 [ to
vlan-id2 ] } &<1-10>
One or more VLANs are excluded from MAC address flapping detection.
By default, the switch performs MAC address flapping detection in all VLANs. In
special scenarios, for example, when a switch is connected to a server with two
network adapters in active-active mode, the server's MAC address may be learned
on two interfaces of the switch. Such a MAC address flapping event does not need
to be handled. You can exclude the VLAN where the server resides from MAC
address flapping detection.
Step 4 (Optional) Run mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more
specified VLANs.
By default, the security level of MAC address flapping detection is middle. That is,
the switch considers that MAC address flapping occurs when a MAC address flaps
10 times.
Step 5 (Optional) Run mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 300 seconds. If the aging
time of dynamic MAC addresses is excessive, a long time may elapse before MAC
address flapping events can be detected.
Step 6 (Optional) Configure an action to take and the priority of the action after MAC
address flapping is detected on an interface.

Switches

2. Run mac-address flapping action { quit-vlan | error-down }
An action is configured for the interface if MAC address flapping occurs on
the interface.
By default, no action is configured. If an interface is connected to a network
that does not support loop prevention protocols, MAC address flapping may
occur when the network contains a loop. Use this command to configure an
action on the interface. When MAC address flapping is detected on the
interface, the device takes the configured action. If the action is set to error-
down, the device shuts down the interface. If the action is set to quit-vlan,
the device removes the interface from the VLAN where MAC address flapping
occurs. Only one interface can be shut down during one aging time of
flapping MAC addresses.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as
GVRP.
– When a MAC address flaps between an interface configured with the error-down
action and an interface configured with the quit-vlan action, the former interface
is shut down and the latter interface is removed from the VLAN. If a loop may
occur between interfaces, you are advised not to configure the same action for the
susceptible interfaces.
3. Run mac-address flapping action priority priority
The priority of the action against MAC address flapping is set.
----End

Run the display mac-address flapping command to check information about
MAC address flapping detection in a VLAN.
Action to Take After MAC Address Flapping Occurs

When MAC address flapping detection is configured, the switch reports alarms if it
detects MAC address flapping. Multiple occurrences of the same alarm may
indicate that a loop exists on the network. To remove the loop, run the shutdown
command to shut down the interface specified in the MAC address flapping alarm.
Alternatively, configure an action against MAC address flapping on the interface to
remove the loop.
When configuring an action, pay attention to the following points:
● If the action is set to error-down, the interface cannot be automatically
restored after it is shut down. You can restore the interface by running the
shutdown and undo shutdown commands or the restart command in the
interface view.
To enable the interface to go Up automatically, you must run the error-down
auto-recovery cause mac-address-flapping command in the system view
before the interface enters the error-down state. This command enables an

Switches
interface in error-down state to go Up and sets a recovery delay. The interface

goes Up automatically after the delay.
● If the action is set to quit-vlan, the interface can be automatically restored
after a delay following its removal from the VLAN. The default recovery delay
is 10 minutes. The recovery delay time can be set using the mac-address
flapping quit-vlan recover-time time-value command in the system view.
2.10 Configuring the Switch to Discard Packets with an

All-0 MAC Address
Context
If the switch receives packets that contain an all-0 source or destination MAC
address, it may indicate that the sending device is faulty. You can configure the
switch to discard these packets and send an alarm to the network management
system (NMS). The alarm contains information that is useful for troubleshooting
the faulty device.
Procedure
Step 2 Run drop illegal-mac enable
The switch is enabled to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 (Optional) Run drop illegal-mac alarm
The switch is configured to send an alarm to the NMS when receiving packets
with an all-0 MAC address.
By default, the switch does not send an alarm when receiving packets with an
all-0 MAC address.
NOTE
The drop illegal-mac alarm command allows the switch to generate one alarm. You must
configure the drop illegal-mac alarm command multiple times if more than one alarm is
required.
----End

Run the display current-configuration command to check whether the switch is
enabled to discard packets with an all-0 MAC address.

Switches
2.11 Enabling MAC Address-triggered ARP Entry

Update
Context
Devices on an Ethernet LAN send and receive Ethernet data frames based on MAC
addresses. To map IP addresses to MAC addresses, the Address Resolution Protocol
(ARP) is used. When two devices on different network segments communicate
with each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries. MAC address-triggered ARP entry update
enables a switch to update the outbound interface in an ARP entry immediately
after the outbound interface in the corresponding MAC address entry changes.
Procedure
Step 2 Run mac-address update arp
The MAC address-triggered ARP entry update function is enabled.
By default, the MAC address-triggered ARP entry update function is disabled.
NOTE
● This function takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The MAC address-triggered ARP entry update function does not take effect after ARP
entry fixing is enabled using the arp anti-attack entry-check enable command.
● After the MAC address-triggered ARP entry update function is enabled, the switch
updates an ARP entry only when the outbound interface in the corresponding MAC
address entry changes.
----End

Run the display current-configuration command to check whether the MAC
address-triggered ARP entry update function is enabled.
2.12 Enabling Port Bridge
Context
The port bridge function enables an interface to forward packets whose source
and destination MAC addresses are both learned on the interface. By default, an
interface discards packets whose source and destination MAC addresses are both
learned on the interface.

Switches
When enabled with the port bridge function, the interface forwards such packets if
their destination MAC addresses are found in the MAC address table.
The port bridge function is used in the following scenarios:
● The switch connects to devices that do not support Layer 2 forwarding. When
users connected to the devices need to communicate, the devices send user
packets to the switch for forwarding. Because source and destination MAC
addresses of the packets are learned on the same interface, the port bridge
function needs to be enabled on the interface so that the interface can
forward such packets.
● The switch is used as an access device in a data center and is connected to
servers. For example, take multiple servers hosting multiple virtual machines
that need to transmit data to each other. By enabling the port bridge function
on the interfaces connected to the servers, you allow the switch to forward
data packets between the virtual machines at a higher speed than if the
servers perform the switching operations.
Procedure
Step 2 Run interface interface-type interface-number
Step 3 Run port bridge enable
The port bridge function is enabled on the interface.
By default, the port bridge function is disabled on an interface.
----End

Run the display current-configuration command to check whether the port
bridge function is enabled.
2.13 Configuring Re-marking of Destination MAC

Addresses
Context
The re-marking function enables a switch to set the specified fields of packets that
match traffic classification rules. After a re-marking action is configured, the
switch continues to process outgoing packets based on the original priority, but
the downstream device processes the packets based on the re-marked priority. You
can configure an action that re-marks the destination MAC address of packets in a
traffic behavior so that the downstream device can identify packets and provide
differentiated services.

Switches
NOTE
Only the S6735-S, S6720-EI and S6720S-EI support this function.
Procedure
1. Configure a traffic classifier.
a. Run system-view
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier means
that:
▪ If the traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL rules.
▪ If the traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier if
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
c. Configure matching rules in the traffic classifier according to the
following table.
NOTE
Only the S6720-EI, S6735-S, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S do not support remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, and mac-
address learning disable.
For the S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and S500, S5735-S-I, S5735S-S, if a traffic policy is applied
to the outbound direction and the relationship between rules in a traffic classifier
is AND:
● Rules for matching the source IPv6 address and those for matching the
destination IPv6 address cannot be configured in the same traffic classifier.
● Rules for matching IPv6 information (for example, if-match protocol ipv6
and if-match ipv6 acl) and those for matching the source MAC address,
destination MAC address, source IPv6 address, or destination IPv6 address of
packets cannot be configured in the same traffic classifier. (ACL6 rules can
be used to match the source or destination IPv6 address of packets.)
● Rules for matching IPv4 information (IP address and UDP port number) and
those for matching some Layer 2 information (for example, if-match
source-mac, if-match destination-mac, and if-match l2-protocol { mpls |
rarp | protocol-value }) cannot be configured in the same traffic classifier.

Switches

Rule
Outer VLAN if-match vlan-id start- Only the S5735S-H, S5736-S,

ID or inner vlan-id [ to end-vlan-id ] S5731-H, S5731-S, S5731S-H,
and outer [ cvlan-id cvlan-id ] S5731S-S, S5732-H, S2730S-
VLAN IDs S, S5735-L-I, S5735-L1,S300,
of QinQ S5735-L, S5735S-L, S5735S-
packets L1, S5735S-L-M, S5735-S,
S500, S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S,
and S6730S-S support the
cvlan-id cvlan-id parameter.
Inner and if-match cvlan-id start- Only the S5735S-H, S5736-S,

outer VLAN vlan-id [ to end-vlan-id ] S5731-H, S5731-S, S5731S-H,
IDs in QinQ [ vlan-id vlan-id ] S5731S-S, S5732-H, S2730S-
packets S, S5735-L-I, S5735-L1,S300,
S5735-L, S5735S-L, S5735S-
L1, S5735S-L-M, S5735-S,
S500, S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S,
and S6730S-S support this
matching rule.
802.1p if-match 8021p 8021p- If you specify multiple values

priority in value &<1-8> for 8021p-value in one
VLAN command, a packet matching
packets any of the values matches
the traffic classifier,
regardless of whether the
relationship between rules in
the traffic classifier is AND or
OR.
Inner if-match cvlan-8021p Only the S5735S-H, S5736-S,

802.1p 8021p-value &<1-8> S5731-H, S5731-S, S5731S-H,
priority in S5731S-S, S5732-H, S2730S-
QinQ S, S5735-L-I, S5735-L1, S300,
packets S5735-L, S5735S-L1, S5735S-
L, S5735S-L-M, S500, S5735-
S, S5735-S-I, S5735S-S,
S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S,
matching rule.

Switches

Rule
Discarded if-match discard Only the S5731-H, S5731-S,

packet S5731S-H, S5731S-S, S5732-
H, S6735-S, S6720-EI,
S6720S-EI, S6730-H, S6730S-
H, S6730-S, and S6730S-S
A traffic classifier containing
this matching rule can only
be bound to traffic behaviors
containing the traffic
statistics collection and flow
mirroring actions.
Double tags if-match double-tag Only the S5731-H, S5731-S,

in QinQ S5731S-H, S5731S-S, S5732-
packets H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S, S6735-
S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S,
matching rule.
EXP priority if-match mpls-exp exp- Only the S5731-H, S5731S-H,

in MPLS value &<1-8> S5732-H, S6720-EI, S6720S-
packets EI, S6730S-H, and S6730-H
If you specify multiple values
for exp-value in one
command, a packet matching
any of the values matches
the traffic classifier,
regardless of whether the
relationship between rules in
the traffic classifier is AND or
OR.
Destination if-match destination- -

MAC mac mac-address [ mac-
Source if-match source-mac -
MAC mac-address [ mac-

Switches

Rule
Protocol if-match l2-protocol -

type in the { arp | ip | mpls | rarp |
Ethernet protocol-value }
frame
header
All packets if-match any After the if-match any

command is run, only the
matching rule configured
using this command takes
effect, and the other
matching rules in the same
traffic classifier will become
ineffective.
DSCP if-match dscp dscp- ● If you specify multiple

priority in value &<1-8> values for dscp-value in
IP packets one command, a packet
matching any of the
values matches the traffic
between rules in the
traffic classifier is AND or
OR.
● The if-match dscp and if-
match ip-precedence
commands cannot be
rules is AND.
IP if-match ip-precedence ● If you specify multiple

precedence ip-precedence-value values for ip-precedence-
in IP &<1-8> value in one command, a
packets packet matching any of
the values matches the
traffic classifier, regardless
of whether the
relationship between rules
in the traffic classifier is
AND or OR.
● The if-match dscp and if-
match ip-precedence
commands cannot be
rules is AND.

Switches

Rule
Layer 3 if-match protocol { ip | -

protocol ipv6 }
type
SYN flag in if-match tcp syn-flag -

the TCP { syn-flag-value | ack |
packet fin | psh | rst | syn |
urg }
Inbound if-match inbound- A traffic policy containing

interface interface interface-type this matching rule cannot be
interface-number applied to the outbound
direction or in the interface
view.
Outbound if-match outbound- The S2720-EI, S5720-LI,

interface interface interface-type S5720S-LI, S5720I-SI, S5735S-
interface-number H, and S5736-S do not
this matching rule cannot be
applied to the inbound
direction on the S5731-H,
S5731-S, S5731S-H, S5731S-
S, S5732-H, S2730S-S, S5735-
L-I, S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S500, S5735-S,
S5735S-S, S5735-S-I, S6730-
H, S6730S-H, S6730-S, and
S6730S-S.
applied in the interface view.

Switches

Rule
ACL rule if-match acl { acl- ● Before specifying an ACL

number | acl-name } in a matching rule,
configure the ACL.
● If an ACL in a traffic
classifier defines multiple
rules and a packet
matches any of the rules,
the packet matches the
ACL, regardless of whether
● If the vpn-instance
parameter is specified in
an ACL rule, a traffic
policy that defines a traffic
classifier with this ACL
rule does not take effect.

Switches

Rule
ACL6 rule if-match ipv6 acl { acl- Before specifying an ACL6 in

number | acl-name } a matching rule, configure
the ACL6.
If the vpn-instance
parameter is specified in an
ACL6 rule, a traffic policy
that defines a traffic classifier
with this ACL6 rule does not
take effect.
On the S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and
S500, S5735-S-I, S5735S-S, if
a traffic policy is applied to
the outbound direction, and
an ACL6 rule for matching
the source IPv6 address of
packets and an ACL6 rule for
matching the destination
IPv6 address of packets are
respectively configured in
two traffic classifiers:
corresponding to the two
traffic classifiers do not
conflict, the two traffic
classifiers and their
corresponding traffic
behaviors take effect.
corresponding to the two
traffic classifiers conflict,
the traffic behavior and
traffic classifier defining
the ACL6 rule for
matching the source IPv6
address of packets take
effect.

Switches

Rule
Flow ID if-match flow-id flow-id Only the S5731-H, S5731-S,

S5731S-S, S5731S-H, S5732-
H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L,
S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, S500,
S5735-S-I, S5735S-S, S6735-
S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S,
and S6730S-S support
matching of flow IDs.
A traffic classifier containing
if-match flow-id and a
traffic behavior containing
remark flow-id must be
bound to different traffic
policies.
A traffic policy containing if-
match flow-id can be only
applied to an interface, a
VLAN, a VLANIF interface, or
the system in the inbound
direction.
Inner if-match vxlan Only the S5731-H, S5731-S,

information [ transit ] vni vni-id S5731S-H, S5731S-S, S5732-
of VXLAN H, S6735-S, S6720-EI,
packets S6720S-EI, S6730-H, S6730S-
H, S6730-S, and S6730S-S
applied to the outbound
direction.
If a traffic classifier contains
this matching rule, it
supports only traffic
behaviors of traffic policing,
packet filtering, and traffic
statistics collection.

Switches

Rule
Application if-match application Only the S5731-H, S5731S-H,

name name appname S5731-S, S5731S-S, S5732-H,
S6730-H, S6730S-H, S6730-S,
matching rule.
this matching rule can be
applied only to the inbound
direction.
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run remark destination-mac mac-address
An action that re-marks destination MAC addresses of packets is
configured. The destination MAC address to be re-marked must be a
unicast MAC address.
c. Run quit
Exit from the traffic behavior view.
d. Run quit
3. Configure a traffic policy.
a. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed. If you do not specify a
matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in the traffic
policy. To modify the matching order, delete the traffic policy, create a
traffic policy, and then specify the matching order.
When creating a traffic policy, you can specify the matching order of
matching rules in the traffic policy. The matching order can be either the
automatic order (auto) or configuration order (config):
▪ If the automatic order is used, traffic classifiers are matched based

on the priorities of their types. If the traffic policy is applied to the
inbound direction on the S6720-EI, S6735-S, and S6720S-EI, traffic
classifiers based on the following information are matched in
descending order of priority: Layer 2 and IPv4 Layer 3 information >
advanced ACL6 > basic ACL6 > IPv4 Layer 3 information > Layer 2
information > user-defined ACL information. In other cases, traffic
classifiers based on the following information are matched in

Switches
descending order of priority: Layer 2 and IPv4 Layer 3 information >

advanced ACL6 information > basic ACL6 information > Layer 2
information > IPv4 Layer 3 information > user-defined ACL
information. If data traffic matches multiple traffic classifiers and the
bound traffic behaviors conflict with each other, the traffic behavior
corresponding to the highest priority rule takes effect.
▪ If the configuration order is used, traffic classifiers are matched

based on the sequence in which they are bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound
direction. In the preceding situation, if ACL rules need to be updated, delete the
traffic policy from the interface, VLAN, and system and re-configure a traffic
policy in sequence.
b. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
c. Run quit
Exit from the traffic policy view.
d. Run quit
4. Apply the traffic policy.
– Applying a traffic policy to an interface
i. Run system-view
ii. Run interface interface-type interface-number
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the interface.
– Applying a traffic policy to a VLAN
i. Run system-view
ii. Run vlan vlan-id
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the VLAN.
– Applying a traffic policy to the system
i. Run system-view
ii. Run traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
A traffic policy is applied to the system.

Switches
Only one traffic policy can be applied to the system or slot in one
direction. A traffic policy cannot be applied to the same direction in
the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic policing
for all the incoming and outgoing packets that match traffic
classification rules on all the member switches. A traffic policy
that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified
stack ID. The system then performs traffic policing for all the
rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the local
switch. The system then performs traffic policing for all the
rules on the local switch. Traffic policies applied to the slot and
system have the same functions.

● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the switch.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the switch.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-
number ] | vlan [ vlan-id ] ] { inbound } [ verbose ] command to check
traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound ] command to check the traffic policy
configuration on the switch.
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.
2.14 Disabling Real-Time MAC Address Synchronization

Suppression
Context
By default, real-time MAC address synchronization suppression is enabled on a
device. With this function enabled, if a large number of real-time MAC address
synchronization packets are generated due to persistent MAC address flapping,
real-time MAC address synchronization suppression will be triggered. This will
result in problems such as delay in obtaining DHCP addresses in terminal roaming

Switches
scenarios. To address such problems, disable real-time MAC address

synchronization suppression triggered by MAC address flapping.
Procedure
Step 2 Run mac-address flapping mac-syn-suppress disable
The real-time MAC address synchronization suppression triggered by MAC address

flapping is disabled.
By default, MAC address synchronization suppression triggered by MAC address

flapping is enabled.
----End
2.15 Disabling Unknown Unicast Traffic Suppression

Context
By default, if MAC address flapping detection is enabled on a device and MAC
address flapping is detected, traffic suppression is triggered on the corresponding
interface. As a result, excess traffic is discarded, resulting in packet loss.
To prevent this, disable unknown unicast traffic suppression.
Procedure
● Globally disabling unknown unicast traffic suppression
a. Run system-view
b. Run mac-address flapping unicast-suppress all disable
Unknown unicast traffic suppression is disabled globally.
By default, unknown unicast traffic suppression is enabled globally.
● Disabling unknown unicast traffic suppression on an interface
a. Run system-view
c. Run mac-address flapping unicast-suppress disable
Unknown unicast traffic suppression is disabled on the interface.
By default, unknown unicast traffic suppression is enabled on an
interface.

Switches
NOTE
Unknown unicast traffic suppression takes effect on an interface only when the
following conditions are met:
● Global MAC address flapping detection is configured.
● MAC address flapping occurs on the interface.
● Unknown unicast traffic suppression is enabled globally.
● Unknown unicast traffic suppression is enabled on the interface.
----End
2.16 Maintaining MAC Address Tables
2.16.1 Displaying MAC Address Entries
Table 2-8 Commands used to display MAC address entries
Action Command
Display all MAC address entries. display mac-address
Display static MAC address entries. display mac-address static
Display static MAC address entries in a display mac-address static vlan vlan-
specified VLAN. id
Display MAC address entries learned in display mac-address dynamic vlan
a VLAN. vlan-id
Display MAC address entries learned display mac-address dynamic
on an interface. interface-type interface-number
Check whether a specified MAC display mac-address mac-address
address is present.
Display the aging time of dynamic display mac-address aging-time

Display statistics on MAC address ● Display the total statistics: display

entries. mac-address total-number
● Display the statistics of various
types of MAC address entries:
display mac-address summary
Display the system MAC address. display bridge mac-address
Display the MAC address of an display interface interface-type

interface. interface-number
In the command output, Hardware
address indicates the MAC address of
the interface.

Switches
Action Command
Display the MAC address of a VLANIF display interface vlanif vlan-id

interface. In the command output, Hardware
address indicates the MAC address of
the VLANIF interface.
2.16.2 Deleting MAC Address Entries

Table 2-9 Commands used to delete MAC address entries
Action Command
Delete all MAC address entries. undo mac-address
Delete MAC address entries in a VLAN. undo mac-address vlan vlan-id
Delete MAC address entries on an undo mac-address interface-type

interface. interface-number
Delete all the dynamic MAC address undo mac-address dynamic
entries.
Delete all the static MAC address undo mac-address static

entries.
2.16.3 Displaying MAC Address Flapping Information

Table 2-10 Commands used to display MAC address flapping records
Action Command
Display alarms about MAC address display trapbuffer

flapping. The following alarm is related to MAC
address flapping:
● OID 1.3.6.1.4.1.2011.5.25.160.3.7
Display detailed MAC address flapping display mac-address flapping record

records.
2.16.4 Viewing Records of MAC Address Hash Conflicts

Context
When MAC address hash conflicts occur on the network, you need to view the
conflict records for fault location.

Switches
Procedure
● Run display mac-address hash-conflict record [ slot slot-id ]
The records of MAC address hash conflicts are displayed.
----End
2.17 Configuration Examples for MAC Address Tables
2.17.1 Example for Configuring Static MAC Address Entries
Networking Requirements
In Figure 2-12, the PC with MAC address 00e0-fc02-0002 connects to GE0/0/1 of
the Switch, and the server with MAC address 00e0-fc04-0004 connects to GE0/0/2
of the Switch. The PC and server communicate in VLAN 2.
● To prevent unauthorized users from using the PC's MAC address to initiate
attacks, configure a static MAC address entry for the PC on the Switch.
● To prevent unauthorized users from using the server's MAC address to
intercept data, configure a static MAC address entry for the server on the
Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many
users, use dynamic MAC address entries. For details, see Example for Configuring Port
Security in "Port Security Configuration" in the S300, S500, S2700, S5700, and S6700
V200R021C10 Configuration Guide - Security.
Figure 2-12 Configuring static MAC address entries

Switches
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server to the
VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized
users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN
2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
# Configure static MAC address entries.

[Switch] mac-address static 2-2-2 GigabitEthernet 0/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 0/0/2 vlan 2
Step 2 Verify the configuration.

# Run the display mac-address static vlan 2 command in any view to check
whether the static MAC address entries are successfully added to the MAC address
table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
00e0-fc02-0002 2/-/- GE0/0/1 static
00e0-fc04-0004 2/-/- GE0/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access

Switches
port default vlan 2

#
port link-type access
port default vlan 2
#
mac-address static 00e0-fc02-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 00e0-fc04-0004 GigabitEthernet0/0/2 vlan 2
#
return
2.17.2 Example for Configuring Blackhole MAC Address

Entries
In Figure 2-13, the Switch receives packets from an unauthorized PC that has the
MAC address 0005-0005-0005 and belongs to VLAN 3. This MAC address entry
can be configured as a blackhole MAC address entry so that the Switch filters out
packets from the unauthorized PC.
Figure 2-13 Configuring a blackhole MAC address entry
1. Create a VLAN to implement Layer 2 forwarding.

2. Configure a blackhole MAC address entry to filter out packets from the
unauthorized PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.

Switches
[Switch] vlan 3
[Switch-vlan3] quit
# Configure a blackhole MAC address entry.

[Switch] mac-address blackhole 0005-0005-0005 vlan 3

# Run the display mac-address blackhole command in any view to check
whether the blackhole MAC address entry is successfully added to the MAC
address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/-/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
2.17.3 Example for Configuring MAC Address Limiting on an

Interface
In Figure 2-14, user network 1 and user network 2 connect to the Switch through
the LSW, and the LSW connects to the Switch through GE0/0/1. User network 1
and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the Switch,
MAC address limiting can be configured on GE0/0/1 to control the number of
access users.

Switches
Figure 2-14 Configuring MAC address limiting on an interface
1. Create VLANs and add the downlink interface to the VLANs to implement
Layer 2 forwarding.
2. Configure MAC address limiting on the interface to control the number of
access users.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet0/0/1 to VLAN 10 and
VLAN 20.
[Switch] vlan batch 10 20
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20
# Configure a MAC address limiting rule on GigabitEthernet0/0/1: A maximum of

100 MAC addresses can be learned on the interface. When the number of learned
MAC address entries reaches the limit, the Switch forwards packets with new
source MAC addresses and generates an alarm, but does not add the new MAC
address entries to the MAC address table.
[Switch-GigabitEthernet0/0/1] mac-limit maximum 100 alarm enable
[Switch-GigabitEthernet0/0/1] return

Switches

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
GE0/0/1 - - 100 - discard enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
2.17.4 Example for Configuring MAC Address Limiting in a

VLAN
In Figure 2-15, user network 1 is connected to GE0/0/1 of the Switch through
LSW1, and user network 2 is connected to GE0/0/2 of the Switch through LSW2.
GE0/0/1 and GE0/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.

Switches
Figure 2-15 Configuring MAC address limiting in a VLAN
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks
and control the number of access users.
Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
[Switch] vlan 2
[Switch-vlan2] quit
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
# Configure the following MAC address limiting rule in VLAN 2: A maximum of

100 MAC addresses can be learned. When the number of learned MAC address
entries reaches the limit, the Switch discards the packets with new source MAC
addresses and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return

Switches

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
#
return
2.17.5 Example for Configuring MAC Address Flapping

Prevention
In Figure 2-16, employees of an enterprise need to visit the server connected to a
switch interface. If an unauthorized user uses the server's MAC address as the
source MAC address to send packets to another interface, the server's MAC
address is learned on the interface. Subsequently, packets sent from employees to
the server are forwarded to the unauthorized user. As a result, employees cannot
access the server, and data may be intercepted by the unauthorized user.
MAC address flapping prevention can be configured to protect the server against
attacks from unauthorized users.

Switches
Figure 2-16 Configuring MAC address flapping prevention
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address flapping prevention on the server-facing interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
[Switch] vlan 10
[Switch-vlan10] quit
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
Step 2 Set the MAC address learning priority of GigabitEthernet0/0/1 to 2.

[Switch-GigabitEthernet0/0/1] mac-learning priority 2

# Run the display current-configuration command in any view to check whether
the MAC address learning priority is set correctly.

Switches
[Switch] display current-configuration interface gigabitethernet 0/0/1

#
mac-learning priority 2
#
return
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mac-learning priority 2
#
port link-type trunk
port trunk allow-pass vlan 10
#
return
2.17.6 Example for Configuring MAC Address Flapping

Detection
In Figure 2-17, a loop occurs on a network because two LSWs are connected in
error using a network cable. The loop causes MAC address flapping in the MAC
address table of the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on
the Switch. This function enables the Switch to detect loops by checking whether a
MAC address flaps between interfaces, facilitating troubleshooting.

Switches
Figure 2-17 Configuring MAC address flapping detection
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure an action against MAC address flapping on the interfaces to
eliminate loops.
Procedure
Step 1 Enable MAC address flapping detection.
[Switch] mac-address flapping detection
Step 2 Set the aging time of flapping MAC addresses.

[Switch] mac-address flapping aging-time 500
Step 3 Configure the action against MAC address flapping to error-down on GE0/0/1 and
GE0/0/2.
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
Step 4 Enable error-down interfaces to go up automatically and set the automatic

recovery delay.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500

When the MAC address learned on the GE0/0/1 moves to GE0/0/2, GE0/0/2 is shut
down automatically. Run the display mac-address flapping record command to
view MAC address flapping records.

Switches
[Switch] display mac-address flapping record

S : start time
E : end time
(Q) : quit vlan
(D) : error down
----------------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
----------------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 000e0-fc12-3456 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44
----------------------------------------------------------------------------------------
Total items on slot 0: 1
----End
Configuration Files
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
mac-address flapping action error-down
#
mac-address flapping action error-down
#
return
2.18 Troubleshooting MAC Address Tables
2.18.1 MAC Address Entries Fail to Be Learned on an Interface
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2
forwarding failures.
Procedure
Step 1 Check the configuration on the switch.

Switches
Check Item Check Method Follow-up Operation
Has the VLAN Run the display vlan Run the vlan vlan-id command in
that the vlan-id command in any the system view to create the
interface view. If the system VLAN.
belongs to been displays the message
created? "Error: The VLAN does
not exist", the VLAN is
not created.
Does the Run the display vlan Run one of the following
interface vlan-id command in any commands in the interface view
transparently view to check whether to add the interface to the VLAN.
transmit packets the interface name
from the VLAN? exists. If the name does ● Run the port trunk allow-pass
not exist, the interface vlan command if the interface
does not transparently is a trunk interface.
transmit packets from ● Run the port hybrid tagged
the VLAN. vlan or port hybrid untagged
vlan command if the interface
is a hybrid interface.
● Run the port default vlan
command if the interface is an
access interface.
Is a blackhole Run the display mac- If a blackhole MAC address entry

MAC address address blackhole is displayed, run the undo mac-
entry command in any view to address blackhole command to
configured? check whether a delete it.
blackhole MAC address
entry is configured.
Is MAC address Run the display this | Run the undo mac-address
learning include learning learning disable command in the
disabled on the command in the interface view or VLAN view to
interface or in interface view and VLAN enable MAC address learning.
the VLAN? view to check whether
the mac-address
learning disable
configuration exists. If
the configuration exists,
MAC address learning is
disabled on the interface
or in the VLAN.

Switches
Check Item Check Method Follow-up Operation
Is MAC address Run the display this | ● Run the mac-limit command
limiting include mac-limit in the interface view or VLAN
configured on command in the view to increase the maximum
the interface interface view and VLAN number of learned MAC
and in the view to check whether address entries.
VLAN? MAC address limiting is
configured. If it is ● Run the undo mac-limit
configured, the command in the interface view
maximum number of or VLAN view to cancel MAC
learned MAC address address limiting.
entries is set.
Is port security Run the display this | ● Run the undo port-security
configured on include port-security enable command in the
the interface? command in the interface view to disable port
interface view to check security.
whether port security is ● Run the port-security max-
configured. mac-num command in the
interface view to increase the
maximum number of secure
dynamic MAC address entries
on the interface.
If the fault persists, go to step 2.

Step 2 Check whether a loop causes MAC address flapping.
1. Generally, MAC address flapping is caused by loops. Run the mac-address
flapping detection command in the system view to configure MAC address
flapping detection.
2. The system checks all MAC addresses in the VLAN to detect MAC address
flapping. Run the display mac-address flapping record command to check
MAC address flapping records to determine whether a loop occurs.
3. If MAC address flapping occurs, use the following methods to remove MAC
address flapping:
– Eliminate the loop.
– Run the mac-learning priority command in the interface view to
configure the MAC address learning priority for the interface so that a
MAC address is learned by the correct interface.
If the fault persists, go to step 3.
Step 3 Check whether the number of learned MAC address entries has reached the
maximum value. If the maximum value has been reached, the switch cannot learn
new MAC address entries.
● If the number of MAC address entries on the interface is less than or equal to
the number of hosts connected to the interface, the switch is connected to
more hosts than it supports. In this case, adjust the network deployment.

Switches
● If the interface has learned more MAC address entries than the number of
hosts connected to the interface, a MAC address attack may be in progress
from the network attached to the interface. In this case, locate the attack
source according to the following table.
Scenario Solution
The interface connects to another Run the display mac-address

network device. command on the connected device
to view MAC address entries. Locate
the interface connected to the
malicious user host based on the
displayed MAC address entries. If the
interface that you find is connected
to another device, repeat this step
until you find the malicious host.
The interface connects to a host. – If possible, disconnect the host.

When the attack stops, connect
the host to the network again.
– Run the port-security enable
command on the interface to
enable port security or the mac-
limit command to set the
maximum number of MAC
address entries to 1.
The interface connects to a hub. – Configure port mirroring or use a

packet analysis tool to analyze
packets received by the interface.
Analyze the packet types to
locate the attacking host. If
possible, disconnect the host.
When the attack stops, connect
the host to the hub again.
– If possible, disconnect hosts
connected to the hub one by one.
If the fault is rectified after a host
is disconnected, the host is the
attacker. After the host stops the
attack, connect it to the hub
again.
If the number of MAC addresses that have learned by the device does not reach
the maximum number of addresses allowed on the device but MAC addresses still
cannot be learned, go to step 4.
Step 4 Check whether a MAC address hash conflict alarm is generated on the device.
L2IFPPI/4/MACHASHCONFLICTALARM: OID [oid] A hash conflict occurs in MAC addresses.
(IfIndex=[INTEGER], MacAddr=[OPAQUE], VLAN=[GAUGE], VsiName=[OCTET1], InterfaceName=[OCTET2]).

Switches
For details about how to handle this alarm, see

L2IFPPI_1.3.6.1.4.1.2011.5.25.315.3.6 hwMacTrapHashConflictAlarm.
----End
2.19 FAQ About MAC Address Tables
2.19.1 How Do I Enable and Disable MAC Address Flapping

Detection?
Version Enable MAC Address Disable MAC Address

Flapping Detection Flapping Detection
Versions earlier Run the loop-detect eth- Run the undo loop-detect
than V200R001 loop alarm-only in the eth-loop alarm-only in the
support only MAC VLAN view. VLAN view.
address flapping
detection in a
VLAN.
V200R001 and Run the mac-address Run the undo mac-address

later versions flapping detection in the flapping detection in the
support global system view. system view.
MAC address
flapping detection
in all VLANs. By
default, global
MAC address
flapping detection
is enabled.
2.19.2 How Do I Check MAC Address Flapping Information?

Version Command
Versions earlier display trapbuffer

than V200R001
V200R001 and display trapbuffer or display mac-address flapping

later versions record
2.19.3 How Do I Configure VLAN-based Blackhole MAC

Address Entries?

Switches
To configure VLAN-based blackhole MAC address entries, perform the following

operations:
# Add a blackhole MAC address entry to the MAC address table. For example, in
the blackhole MAC address entry, the MAC address is xxxx-xxxx-xxx4 and the
VLAN ID is VLAN 10.
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] mac-address blackhole xxxx-xxxx-xxx4 vlan 10
For the S2720-EI, S5720I-SI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1,S300, S5735-

L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S5735-S, S500, S5735S-S, S5735-
S-I, S5735S-H, or S5736-S switch, if both traffic policy-based redirection action and
VLAN-based blackhole MAC address are configured, the switch will not discard the
packet if its source or destination MAC address is a blackhole MAC address and
the packet matches the redirection policy. In this scenario, you are advised to
configure a global blackhole MAC address or configure an ACL-based simplified
traffic policy to discard specific packets.
# Add the global blackhole MAC address xxxx-xxxx-xxx4 to the MAC address table.
[HUAWEI] mac-address blackhole xxxx-xxxx-xxx4
# Configure an ACL-based simplified traffic policy to discard packets with MAC

address xxxx-xxxx-xxx4 and VLAN 10.
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] acl number 4000
[HUAWEI-acl-L2-4000] rule 5 deny source-mac xxxx-xxxx-xxx4 vlan-id 10
[HUAWEI-acl-L2-4000] rule 10 deny destination-mac xxxx-xxxx-xxx4 vlan-id 10
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic-filter inbound acl 4000

01-02 MAC Address Table Configuration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-02 MAC Address Table Configuration

Uploaded by

Copyright:

Available Formats

S300, S500, S2700, S5700 and S6700 Series Ethernet

2 MAC Address Table Configuration

2.1 Overview of MAC Addresses

2.1 Overview of MAC Addresses

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 21

MAC addresses fall into the following types:

● Physical MAC address: uniquely identifies a terminal on an Ethernet network

Supported MAC Addresses

2.2 Understanding MAC Address Tables

2.2.1 Definition and Classification of MAC Address Entries

Definition of a MAC Address Table

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 22

Classification of MAC Address Entries

Table 2-1 Characteristics and functions of different MAC address entries

Dynamic MAC address ● Dynamic MAC address ● You can check

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 23

MAC Address Entry Characteristics Function

Blackhole MAC address ● Blackhole MAC A blackhole MAC

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 24

2.2.2 Elements and Functions of a MAC Address Table

Table 2-2 MAC address entries

MAC Address VLAN ID/VSI Name Outbound Interface

00e0-fc22-0035 huawei GE0/0/3

Figure 2-1 Forwarding based on the MAC address table

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 25

2.2.3 MAC Address Entry Learning and Aging

MAC Address Entry Learning

Figure 2-2 MAC address entry learning

● If PortA is a member interface of an Eth-Trunk, the outbound interface in the MAC

MAC Address Entry Aging

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 26

Figure 2-3 MAC address entry aging

2.2.4 MAC Address Learning Control

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 27

● Disabling MAC address learning on a VLAN or an interface

Table 2-3 MAC address learning control

MAC Address Description Application Scenario

Disabling MAC After MAC address learning ● Generally, a malicious user

2.2.5 MAC Address Flapping

What Is MAC Address Flapping

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 28

Figure 2-4 MAC address flapping

How to Detect MAC Address Flapping

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 29

Figure 2-5 Networking of MAC address flapping detection

In Figure 2-5, a network cable is incorrectly connected between SwitchC and

How to Prevent MAC Address Flapping

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 30

In Figure 2-6, Port1 of the switch is connected to a server. To prevent

Figure 2-6 Networking of MAC address flapping prevention

2.2.6 MAC Address-Triggered ARP Entry Update

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 31

Figure 2-7 MAC address-triggered ARP entry update is not enabled

MAC address-triggered ARP entry update enables a switch to update the

Figure 2-8 MAC address-triggered ARP entry update is enabled

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 32

2.3 Application Scenarios for MAC Address Tables

2.3.1 Configuring MAC Address Flapping Prevention to Block

Figure 2-9 Networking of MAC address flapping prevention

Issue 02 (2022-08-10) Copyright © Huawei Technologies Co., Ltd. 33

2.3.2 Configuring MAC Address Flapping Detection to Quickly

● A MAC address entry alternates between appearing and disappearing.

Table 2-4 Comparison of loop detection technologies

Feature Advantage Disadvantage