Professional Documents
Culture Documents
Switches
Configuration Guide - Ethernet Switching 2 MAC Address Table Configuration
Basic Concepts
A MAC address uniquely identifies a network interface card (NIC) of a network
device. A MAC address consists of 48 bits and is displayed as a 12-digit
hexadecimal number. Bits 0 to 23 are assigned by the IETF and other institutions
to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors to
identify their NICs.
Static MAC address entry ● Static MAC address A static MAC address
entries are manually entry can be configured
configured. Static MAC to allow an authorized
address entries are not user to access network
aged. resources and prevent
● The static MAC other users from using
address entries persist the bound MAC address
across system restart to initiate attacks.
once saved in the
system.
● Interfaces other than
that statically bound
to the MAC address in
the entry discard
packets that originate
from this MAC address.
● A static MAC address
entry can have only
one outbound
interface.
● Statically binding an
interface to a MAC
address does not affect
the learning of
dynamic MAC address
entries on the
interface.
Elements
A MAC address table contains entries that are identified by a MAC address and a
VLAN ID or VSI name. Each entry specifies the outbound interface through which
packets with the specified destination MAC address and VLAN ID or VSI are
forwarded. If a destination host joins multiple VLANs or VSI names, the host's
MAC address corresponds to multiple VLAN IDs or VSI names. Table 2-2 provides
an example of this scenario. In this case, packets with the destination MAC
address 00e0-fc22-0034 and VLAN 10 are forwarded through the outbound
interface GE0/0/1.
00e0-fc22-0034 10 GE0/0/1
00e0-fc22-0034 20 GE0/0/2
00e0-fc22-0035 30 Eth-Trunk20
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 2-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC
address table for the destination MAC address MAC3 and VLAN 10 in the packets
to obtain outbound interface Port3. The switch then forwards packets to PC3
through Port3.
In Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the source MAC address (HostA's MAC address) and VLAN
ID of the frame.
● If the MAC address entry is not present in the MAC address table, SwitchA
adds an entry with the new MAC address, PortA, and VLAN ID to the MAC
address table.
● If the MAC address entry is present in the MAC address table, SwitchA resets
the aging timer of the MAC address entry and updates the entry.
NOTE
MAC address entry learning and update are triggered on a device only when the
switch receives data frames.
As shown in Figure 2-3, the aging time of MAC address entries is set to T. At t1,
packets with source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an
interface, which has joined VLAN 1. If no entry with MAC address 0e0-fc00-0001
and VLAN 1 exists in the MAC address table, the MAC address is learned as a
dynamic MAC address entry in the MAC address table, and the hit flag of the
entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC
address entry with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device
sets the hit flag to 0 but does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry
remains as 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is
0. The device considers that the aging time of the MAC address entry has
expired and deletes the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on
the device.
You can set the aging time of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
NOTE
If the interface frequently alternates between Up and Down, MAC address entries may be
not aged within twice the aging time. In this case, you are advised to check the link quality
or run the port link-flap protection enable command to configure link flapping
protection.
packets with spurious source MAC addresses. Such an attack will also consume
bandwidth resources because the switch broadcasts the packets that do not match
MAC address entries.
To address the preceding issue, the switch provides the following MAC address
learning control methods:
Figure 2-4 shows how MAC address flapping occurs. In the MAC address entry
with MAC address 00e0-fc22-0034 and VLAN 2, the outbound interface is changed
from GE0/0/1 to GE0/0/2. MAC address flapping can cause an increase in the CPU
usage on the switch.
Generally, MAC address flapping does not occur unless a network loop occurs. If
frequent MAC address flapping occurs on your network, alarms and MAC address
flapping records provide insight for locating faults and eliminating loops.
NOTE
MAC address flapping detection allows a switch to detect changes in traffic transmission
paths based on learned MAC addresses. However, the switch cannot obtain the entire
network topology. It is recommended that this function be used on an interface connected
to a user network where loops may occur.
NOTE
Only the S5720I-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S5731-H,
S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H,
S6730-S, and S6730S-S support this function.
Hosts on an Ethernet LAN send and receive Ethernet data frames based on MAC
addresses. To map IP addresses to MAC addresses, the Address Resolution Protocol
(ARP) is used. When two hosts on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP
entries are consistent. In Figure 2-7, the outbound interface in both the MAC
address entry and ARP entry is GE0/0/1 at T1. The interface is then changed. At
T2, after a packet is received from the peer device, the outbound interface in the
MAC address entry is immediately changed to GE0/0/2. However, the outbound
interface in the ARP entry remains as GE0/0/1. At T3, the aging time of the ARP
entry expires, and the outbound interface in the ARP entry is changed to GE0/0/2
through ARP aging probe. Between T2 and T3, the outbound interface in the ARP
entry is unavailable, interrupting communication between devices on different
network segments.
NOTE
The MAC address-triggered ARP entry update function is often used in scenarios where
switches in a Virtual Router Redundancy Protocol (VRRP) group connect to servers (see
2.3.3 Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP
Switchover Performance), or Layer 3 traffic switching scenarios where STP and Smart Link
are used.
Enable MAC address flapping detection to check whether a loop occurs in the
following scenarios:
MAC address flapping detection is easier to configure than many other loop
detection technologies. Table 2-4 compares the loop detection technologies.
MAC address ● Checks all interfaces and After detecting a loop, the
flapping VLANs on a device. switch only reports alarms; it
detection ● Requires only one cannot eliminate the loop.
command and is
enabled by default.
VRRP groups multiple routing devices into a virtual router, which functions as the
virtual gateway for users. Its virtual IP address is used as the default gateway
address to implement communication with an external network. If a gateway fails,
VRRP selects another gateway to transmit service traffic, ensuring reliable
communication.
In Figure 2-10, HostA is dual-homed to SwitchA and SwitchB through the switch.
A VRRP group is configured on SwitchA and SwitchB to implement link
redundancy. If the link between SwitchA and the switch fails, MAC address entries
and ARP entries on the switch are updated to ensure that traffic is switched to the
link between the switch and SwitchB.
A VRRP group may connect to a server but not a switch, as shown in Figure 2-11.
Generally, a server selects only one network interface to send packets. When the
server detects a network failure or traffic transmission failure, it sends packets
through another network interface.
● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry matching the
server on Port2, and SwitchB learns the server MAC address on Port1.
● When the server detects that Port2 is faulty, the server sends packets through
Port1. SwitchA then learns the server MAC address on Port1. If the server does
not send an ARP Request packet to SwitchA, SwitchA still maintains the ARP
entry on Port2. In this case, packets sent from SwitchA to the server are still
forwarded through Port2 until the ARP entry is aged out.
To address the preceding issue, configure MAC address-triggered ARP entry update
on the switches. This function enables the switches to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
Aging of dynamic Set the aging time of dynamic 2.7.3 Setting the
MAC address MAC address entries according to Aging Time of
entries needs to be your needs. Set the aging time to Dynamic MAC
flexibly controlled. a large value or 0 (not to age Address Entries
dynamic MAC address entries) on
a stable network; set a short
aging time in other situations.
The MAC address Configure one or more of the 2.7.6 Enabling MAC
table needs to be following trap functions to Address Trap
monitored. monitor the usage of MAC Functions
address entries:
● Configure an alarm threshold
for MAC address usage. When
the MAC address usage
exceeds the upper threshold,
the switch generates an alarm.
When the MAC address usage
falls below the lower threshold,
the switch reports a clear
alarm.
● Enable the trap function for
MAC address learning or aging.
When a MAC address entry is
learned or aged out, the switch
sends an alarm.
● Enable the trap function for
MAC address hash conflicts. If
the switch cannot learn MAC
address entries while its MAC
address table is not full, the
switch reports an alarm about
a MAC address hash conflict.
The switch needs Configure the switch to discard 2.10 Configuring the
to discard packets packets with an all-0 source or Switch to Discard
with an all-0 destination MAC address and send Packets with an
source or an alarm to the NMS. Such All-0 MAC Address
destination MAC packets may be sent by a faulty
address. host or device.
An interface needs Enable the port bridge function on 2.12 Enabling Port
to forward packets an interface to allow the interface Bridge
whose source and to forward packets whose source
destination MAC and destination MAC addresses
addresses are both are both learned on the interface.
learned on the By default, an interface regards
interface. such a packet as an invalid packet
and discards it. This function
applies to a switch that connects
to devices incapable of Layer 2
forwarding or functions as an
access device in a data center.
Licensing Requirements
The MAC address table is a basic feature of a switch and is not under license
control.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.
The S5731-L and S5731S-L are remote units and do not support web-based management,
YANG, or commands. They can be configured only through configuration delivery by the
central device. For details, see "Simplified Architecture Configuration (the Solar System
Solution)" in the S300, S500, S2700, S5700, and S6700 V200R021C10 Configuration Guide -
Device Management.
Feature Limitations
● Dynamic MAC address entries can be learned on an interface only after the
interface is added to an existing VLAN.
● Among existing MAC address entries, only MAC addresses of the dynamic
type can be overwritten as MAC addresses of other types.
● Each static MAC address entry can have only one outbound interface.
● When the aging time of dynamic MAC address entries is set to 0, dynamic
MAC address entries do not age. To age MAC address entries, delete the aging
time configuration.
● When MAC address learning is disabled in a VLAN and an interface in the
VLAN on the S5700-EI, S5710-EI, S5700-HI, S5710-HI, and S5720-EI and the
discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC
address learning disabled and the discard action is defined. In this situation,
Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● When the interface frequently alternates between Up and Down, MAC
address entries may be not aged within two aging period. At this time, you
are advised to check the link quality or run the port link-flap protection
enable command to configure link flapping protection.
Context
To keep its MAC address table current, a switch learns source MAC addresses of
packets. However, the switch cannot distinguish packets from authorized and
unauthorized users, leading to security risks. For example, if an unauthorized user
spoofs the MAC address of an authorized user and connects to another interface
of the switch, the switch learns an incorrect MAC address entry. As a result,
packets destined for the authorized user are forwarded to the unauthorized user.
To address this issue, create static MAC address entries to bind MAC addresses of
authorized users to specified interfaces.
Static MAC address entries have the following characteristics:
● A static MAC address entry will not be aged out. After being saved, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.
● An existing MAC address entry of the authen, pre-authen, security, or sticky
type cannot be configured as a static MAC address entry.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.
----End
Context
To protect a switch or network against MAC address attacks, configure MAC
addresses of untrusted users as blackhole MAC addresses. After blackhole MAC
address entries are configured, the switch discards packets whose source or
destination MAC addresses match these entries.
Procedure
Step 1 Run system-view
The system view is displayed.
----End
Context
Frequent topology changes result in the switch learning a large number of
dynamic MAC addresses, some of which may no longer be in use. You can
configure how long these entries remain in the MAC address table before the
switch deletes them. A shorter aging time is suitable if the topology changes
frequently, whereas a longer aging time is suitable if the topology remains stable.
Procedure
Step 1 Run system-view
NOTE
If the aging time is set to 0, MAC address entries become fixed and never age out. To clear
these entries, set the aging time to a non-0 value. The system then deletes these entries
after twice the aging time.
----End
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
entry. The MAC address learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These
dynamic MAC address entries are deleted after the aging time expires or can be
manually deleted using commands.
Procedure
● Disable MAC address learning on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
If action is specified, the switch handles packets based on the selected
action. The forward action causes the switch to forward packets
according to the MAC address table (this is the default action). The
discard action causes the switch to forward packets according to the
MAC address table only if an entry matching the source MAC address is
found. If no entry is found, the switch discards the packets.
● Disable MAC address learning in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
● Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run system-view
The system view is displayed.
ii. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed,
or the view of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier
means that:
Only the S6720-EI, S6735-S, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-
name }, the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H,
S6730S-H, S6730-S, and S6730S-S do not support remark 8021p [ 8021p-
value | inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id,
and mac-address learning disable.
For the S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and S500, S5735-S-I, S5735S-S, if a traffic policy is
applied to the outbound direction and the relationship between rules in a
traffic classifier is AND:
● Rules for matching the source IPv6 address and those for matching the
destination IPv6 address cannot be configured in the same traffic
classifier.
● Rules for matching IPv6 information (for example, if-match protocol
ipv6 and if-match ipv6 acl) and those for matching the source MAC
address, destination MAC address, source IPv6 address, or destination
IPv6 address of packets cannot be configured in the same traffic
classifier. (ACL6 rules can be used to match the source or destination
IPv6 address of packets.)
● Rules for matching IPv4 information (IP address and UDP port
number) and those for matching some Layer 2 information (for
example, if-match source-mac, if-match destination-mac, and if-
match l2-protocol { mpls | rarp | protocol-value }) cannot be
configured in the same traffic classifier.
If more than 128 ACL rules defining CAR are configured, a traffic policy
must be applied to an interface, a VLAN, and the system in sequence in the
outbound direction. In the preceding situation, if ACL rules need to be
updated, delete the traffic policy from the interface, VLAN, and system and
re-configure a traffic policy in sequence.
ii. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
iii. Run quit
Exit from the traffic policy view.
iv. Run quit
Exit from the system view.
d. Apply the traffic policy.
Context
The MAC address limiting function controls the number of MAC address entries
the switch can learn on an interface or in a VLAN. An insecure network is
vulnerable to MAC address attacks. A malicious user may attempt to consume
MAC address table resources and thereby prevent the switch from learning new
entries by sending large numbers of packets with spurious source MAC addresses.
To address this issue, you can limit the number of MAC address entries the switch
can learn on an interface or in a VLAN. You can also configure an action to take
when the limit is reached.
Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on
the interface is set.
By default, the number of MAC address entries learned on an interface is
not limited.
d. Run mac-limit action { discard | forward }
The action to take when the number of learned MAC address entries
reaches the limit is configured.
By default, the switch discards packets with new MAC addresses when
the number of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
The switch is configured to generate or not generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
● Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
Context
When trap functions are enabled on the switch, it sends an alarm if the MAC
address usage exceeds the threshold, a MAC address changes, or a MAC address
hash conflict occurs. The switch provides three trap functions for MAC address
entries, enabling you to monitor the usage of MAC address table resources.
Procedure
● Enable the trap function for MAC address usage out of the specified range.
a. Run system-view
The system view is displayed.
b. Run mac-address threshold-alarm upper-limit upper-limit-value lower-
limit lower-limit-value
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage
are 80% and 70% respectively. That is, if the MAC address usage is greater
than or equal to 80%, an alarm is generated; If the MAC address usage is less
than 70%, the alarm is cleared.
● Enable the trap function for MAC address changes.
a. Run system-view
The system view is displayed.
b. (Optional) Run mac-address trap notification interval interval-time
The interval at which the switch checks MAC address learning or aging is
set.
By default, the switch checks MAC address learning or aging at an
interval of 10 seconds.
c. Run interface interface-type interface-number
The interface view is displayed.
d. Run mac-address trap notification { aging | learn | all }
The trap function for MAC address learning or aging is enabled on the
interface.
By default, the trap function for MAC address learning or aging is
disabled.
● Enable the trap function for MAC address hash conflicts.
a. Run system-view
The system view is displayed.
b. Run mac-address trap hash-conflict enable
The trap function for MAC address hash conflicts is enabled.
By default, the trap function for MAC address hash conflicts is enabled.
c. (Optional) Run mac-address trap hash-conflict history history-number
The number of MAC address hash conflict alarms reported at an interval
is set.
By default, 10 MAC address hash conflict alarms are reported at an
interval.
d. (Optional) Run mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is
set.
By default, MAC address hash conflict alarms are reported at an interval
of 60 seconds.
e. (Optional) Run mac-address trap hash-conflict threshold threshold-
value
The lower alarm threshold for MAC address hash conflicts is set.
By default, the lower alarm threshold for MAC address hash conflicts is 0.
NOTE
● The switch uses the hash bucket to store MAC addresses. The switch that uses the hash
bucket performs hash calculation for VLAN IDs and MAC addresses in MAC address
entries to be stored and obtains hash bucket indexes. The MAC addresses with the same
hash bucket index are stored in the same hash bucket. If a hash bucket with the
maximum storage space cannot accommodate learned MAC addresses of the hash
bucket, a hash conflict occurs and MAC addresses cannot be stored. The maximum
number of MAC addresses learned by the switch through the hash bucket may be not
reached.
● The S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-
L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735-S-I, S5735S-
S, S6730-H, S6730S-H, S6730-S, and S6730S-S do not support this function.
● MAC addresses are distributed on a network randomly, so the best hash algorithm
cannot be determined. Generally, it is recommended the default MAC hash algorithm be
used unless you have specific requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
● After the hash algorithm is changed, restart the switch to make the configuration take
effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure a hash algorithm.
● Run the mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower
| crc32-upper | lsb | enhanced } slot slot-id command on the S6735-S,
S6720-EI and S6720S-EI.
● Run the mac-address hash-mode { xor | crc } slot slot-id command on other
models except the S6735-S, S6720-EI and S6720S-EI.
By default, the hash algorithm is crc32-lower on the S6735-S, S6720-EI and
S6720S-EI and crc on other models.
Step 3 Run mac-address hash-bucket-mode { size4 | size8 | size12 | size16 }
The hash bucket size is configured for the MAC address table.
By default, the hash bucket size of a MAC address table is 4.
NOTE
----End
Context
You can increase the MAC address table size by changing the MAC entry resource
mode.
When the switch transmits heavy traffic, MAC address entries increase accordingly.
If the current MAC address table size cannot meet service requirements, service
running efficiency is reduced. The switch provides an extended register that you
can use to increase the size of the MAC address table, thereby enabling the switch
to learn more MAC addresses.
NOTE
Procedure
Step 1 (Optional) Run display resource-mode configuration
NOTE
After the extended MAC entry resource mode is configured, you must restart the switch to make
the configuration take effect.
----End
Context
To prevent MAC address flapping, set different MAC address learning priorities for
interfaces. When two interfaces learn the same MAC address entries, the MAC
address entries learned by the interface with a higher priority override the MAC
address entries learned by the other interface.
Procedure
For S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-
EI, S6730-H, S6730S-H, S6730-S, and S6730S-S switches, perform the following
operations.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger
priority value indicates a higher MAC address learning priority.
4. Run mac-learning priority flapping-defend action discard
The switch is configured to discard packets when configured to prohibit MAC
address flapping.
By default, the action is forward when configured to prohibit MAC address
flapping.
1. Run system-view
The system view is displayed.
2. Run mac-spoofing-defend enable
Global MAC spoofing defense is enabled.
By default, global MAC spoofing defense is disabled.
3. Run interface interface-type interface-number
The interface view is displayed.
4. Run mac-spoofing-defend enable
MAC spoofing defense is enabled on the interface so that the interface
becomes a trusted interface.
By default, MAC spoofing defense is disabled on an interface.
NOTE
Context
Preventing MAC address flapping between interfaces with the same priority can
improve network security.
After this configuration is complete, the following issue may occur: If a network
device (such as a server) connected to an interface of the switch is powered off
and the same MAC address is learned on another interface, the switch cannot
learn the correct MAC address on the original interface after the network device is
powered on.
NOTE
Only the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6735-S, S6720-EI, S6720S-EI,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this configuration.
Procedure
Step 1 Run system-view
The device is configured to prevent MAC address flapping between interfaces with
the same priority.
By default, the device allows MAC address flapping between interfaces with the
same priority.
The switch discards packets when configured to prohibit MAC address flapping.
----End
NOTE
● You are advised not to configure an action to take for MAC address flapping on an
uplink interface because it may interrupt uplink traffic.
● When MAC address flapping detection is enabled, the switch can detect loops on a
single point, but cannot obtain the entire network topology. If the network connected to
the device supports loop prevention protocols, use the loop prevention protocols instead
of MAC address flapping detection to eliminate loops.
● If loops may occur on only a few VLANs, it is recommended that you set the loop
prevention action to quit-vlan.
● If loops may occur on a large number of VLANs, it is recommended that you set the
loop prevention action to error-down. This action improves system performance.
Additionally, the remote device can detect the error-down event so that it can quickly
switch traffic to a backup link (if any).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address flapping detection
MAC address flapping detection is enabled.
By default, MAC address flapping detection is enabled. The device detects MAC
address flapping in all VLANs.
Step 3 (Optional) Run mac-address flapping detection exclude vlan { vlan-id1 [ to
vlan-id2 ] } &<1-10>
One or more VLANs are excluded from MAC address flapping detection.
By default, the switch performs MAC address flapping detection in all VLANs. In
special scenarios, for example, when a switch is connected to a server with two
network adapters in active-active mode, the server's MAC address may be learned
on two interfaces of the switch. Such a MAC address flapping event does not need
to be handled. You can exclude the VLAN where the server resides from MAC
address flapping detection.
Step 4 (Optional) Run mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more
specified VLANs.
By default, the security level of MAC address flapping detection is middle. That is,
the switch considers that MAC address flapping occurs when a MAC address flaps
10 times.
Step 5 (Optional) Run mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 300 seconds. If the aging
time of dynamic MAC addresses is excessive, a long time may elapse before MAC
address flapping events can be detected.
Step 6 (Optional) Configure an action to take and the priority of the action after MAC
address flapping is detected on an interface.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as
GVRP.
– When a MAC address flaps between an interface configured with the error-down
action and an interface configured with the quit-vlan action, the former interface
is shut down and the latter interface is removed from the VLAN. If a loop may
occur between interfaces, you are advised not to configure the same action for the
susceptible interfaces.
3. Run mac-address flapping action priority priority
The priority of the action against MAC address flapping is set.
----End
Context
If the switch receives packets that contain an all-0 source or destination MAC
address, it may indicate that the sending device is faulty. You can configure the
switch to discard these packets and send an alarm to the network management
system (NMS). The alarm contains information that is useful for troubleshooting
the faulty device.
Procedure
Step 1 Run system-view
By default, the switch does not discard packets with an all-0 MAC address.
The switch is configured to send an alarm to the NMS when receiving packets
with an all-0 MAC address.
By default, the switch does not send an alarm when receiving packets with an
all-0 MAC address.
NOTE
The drop illegal-mac alarm command allows the switch to generate one alarm. You must
configure the drop illegal-mac alarm command multiple times if more than one alarm is
required.
----End
Context
Devices on an Ethernet LAN send and receive Ethernet data frames based on MAC
addresses. To map IP addresses to MAC addresses, the Address Resolution Protocol
(ARP) is used. When two devices on different network segments communicate
with each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries. MAC address-triggered ARP entry update
enables a switch to update the outbound interface in an ARP entry immediately
after the outbound interface in the corresponding MAC address entry changes.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address update arp
The MAC address-triggered ARP entry update function is enabled.
By default, the MAC address-triggered ARP entry update function is disabled.
NOTE
● This function takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The MAC address-triggered ARP entry update function does not take effect after ARP
entry fixing is enabled using the arp anti-attack entry-check enable command.
● After the MAC address-triggered ARP entry update function is enabled, the switch
updates an ARP entry only when the outbound interface in the corresponding MAC
address entry changes.
----End
Context
The port bridge function enables an interface to forward packets whose source
and destination MAC addresses are both learned on the interface. By default, an
interface discards packets whose source and destination MAC addresses are both
learned on the interface.
When enabled with the port bridge function, the interface forwards such packets if
their destination MAC addresses are found in the MAC address table.
The port bridge function is used in the following scenarios:
● The switch connects to devices that do not support Layer 2 forwarding. When
users connected to the devices need to communicate, the devices send user
packets to the switch for forwarding. Because source and destination MAC
addresses of the packets are learned on the same interface, the port bridge
function needs to be enabled on the interface so that the interface can
forward such packets.
● The switch is used as an access device in a data center and is connected to
servers. For example, take multiple servers hosting multiple virtual machines
that need to transmit data to each other. By enabling the port bridge function
on the interfaces connected to the servers, you allow the switch to forward
data packets between the virtual machines at a higher speed than if the
servers perform the switching operations.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port bridge enable
The port bridge function is enabled on the interface.
By default, the port bridge function is disabled on an interface.
----End
Context
The re-marking function enables a switch to set the specified fields of packets that
match traffic classification rules. After a re-marking action is configured, the
switch continues to process outgoing packets based on the original priority, but
the downstream device processes the packets based on the re-marked priority. You
can configure an action that re-marks the destination MAC address of packets in a
traffic behavior so that the downstream device can identify packets and provide
differentiated services.
NOTE
Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
the view of an existing traffic classifier is displayed.
The logical operator and between the rules in the traffic classifier means
that:
▪ If the traffic classifier contains ACL rules, packets match the traffic
classifier only if they match one ACL rule and all the non-ACL rules.
▪ If the traffic classifier does not contain any ACL rules, packets match
the traffic classifier only if they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier if
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is or.
c. Configure matching rules in the traffic classifier according to the
following table.
NOTE
Only the S6720-EI, S6735-S, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6730-H, S6730S-H,
S6730-S, and S6730S-S do not support remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, and mac-
address learning disable.
For the S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L1, S5735S-L,
S5735S-L-M, S5735-S, and S500, S5735-S-I, S5735S-S, if a traffic policy is applied
to the outbound direction and the relationship between rules in a traffic classifier
is AND:
● Rules for matching the source IPv6 address and those for matching the
destination IPv6 address cannot be configured in the same traffic classifier.
● Rules for matching IPv6 information (for example, if-match protocol ipv6
and if-match ipv6 acl) and those for matching the source MAC address,
destination MAC address, source IPv6 address, or destination IPv6 address of
packets cannot be configured in the same traffic classifier. (ACL6 rules can
be used to match the source or destination IPv6 address of packets.)
● Rules for matching IPv4 information (IP address and UDP port number) and
those for matching some Layer 2 information (for example, if-match
source-mac, if-match destination-mac, and if-match l2-protocol { mpls |
rarp | protocol-value }) cannot be configured in the same traffic classifier.
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed.
b. Run remark destination-mac mac-address
An action that re-marks destination MAC addresses of packets is
configured. The destination MAC address to be re-marked must be a
unicast MAC address.
c. Run quit
Exit from the traffic behavior view.
d. Run quit
Exit from the system view.
3. Configure a traffic policy.
a. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed. If you do not specify a
matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in the traffic
policy. To modify the matching order, delete the traffic policy, create a
traffic policy, and then specify the matching order.
When creating a traffic policy, you can specify the matching order of
matching rules in the traffic policy. The matching order can be either the
automatic order (auto) or configuration order (config):
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound
direction. In the preceding situation, if ACL rules need to be updated, delete the
traffic policy from the interface, VLAN, and system and re-configure a traffic
policy in sequence.
b. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
c. Run quit
Exit from the traffic policy view.
d. Run quit
Exit from the system view.
4. Apply the traffic policy.
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the interface.
– Applying a traffic policy to a VLAN
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the VLAN.
– Applying a traffic policy to the system
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in one
direction. A traffic policy cannot be applied to the same direction in
the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic policing
for all the incoming and outgoing packets that match traffic
classification rules on all the member switches. A traffic policy
that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified
stack ID. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the local
switch. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on the local switch. Traffic policies applied to the slot and
system have the same functions.
Procedure
Step 1 Run system-view
----End
Procedure
● Globally disabling unknown unicast traffic suppression
a. Run system-view
The system view is displayed.
b. Run mac-address flapping unicast-suppress all disable
Unknown unicast traffic suppression is disabled globally.
By default, unknown unicast traffic suppression is enabled globally.
● Disabling unknown unicast traffic suppression on an interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address flapping unicast-suppress disable
Unknown unicast traffic suppression is disabled on the interface.
By default, unknown unicast traffic suppression is enabled on an
interface.
NOTE
Unknown unicast traffic suppression takes effect on an interface only when the
following conditions are met:
● Global MAC address flapping detection is configured.
● MAC address flapping occurs on the interface.
● Unknown unicast traffic suppression is enabled globally.
● Unknown unicast traffic suppression is enabled on the interface.
----End
Action Command
Display static MAC address entries in a display mac-address static vlan vlan-
specified VLAN. id
Display MAC address entries learned in display mac-address dynamic vlan
a VLAN. vlan-id
Display MAC address entries learned display mac-address dynamic
on an interface. interface-type interface-number
Check whether a specified MAC display mac-address mac-address
address is present.
Action Command
Action Command
Action Command
Procedure
● Run display mac-address hash-conflict record [ slot slot-id ]
The records of MAC address hash conflicts are displayed.
----End
Networking Requirements
In Figure 2-12, the PC with MAC address 00e0-fc02-0002 connects to GE0/0/1 of
the Switch, and the server with MAC address 00e0-fc04-0004 connects to GE0/0/2
of the Switch. The PC and server communicate in VLAN 2.
● To prevent unauthorized users from using the PC's MAC address to initiate
attacks, configure a static MAC address entry for the PC on the Switch.
● To prevent unauthorized users from using the server's MAC address to
intercept data, configure a static MAC address entry for the server on the
Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many
users, use dynamic MAC address entries. For details, see Example for Configuring Port
Security in "Port Security Configuration" in the S300, S500, S2700, S5700, and S6700
V200R021C10 Configuration Guide - Security.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server to the
VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized
users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN
2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access
Networking Requirements
In Figure 2-13, the Switch receives packets from an unauthorized PC that has the
MAC address 0005-0005-0005 and belongs to VLAN 3. This MAC address entry
can be configured as a blackhole MAC address entry so that the Switch filters out
packets from the unauthorized PC.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
Networking Requirements
In Figure 2-14, user network 1 and user network 2 connect to the Switch through
the LSW, and the LSW connects to the Switch through GE0/0/1. User network 1
and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the Switch,
MAC address limiting can be configured on GE0/0/1 to control the number of
access users.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement
Layer 2 forwarding.
2. Configure MAC address limiting on the interface to control the number of
access users.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add GigabitEthernet0/0/1 to VLAN 10 and
VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
Networking Requirements
In Figure 2-15, user network 1 is connected to GE0/0/1 of the Switch through
LSW1, and user network 2 is connected to GE0/0/2 of the Switch through LSW2.
GE0/0/1 and GE0/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks
and control the number of access users.
Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address flapping prevention on the server-facing interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
In Figure 2-17, a loop occurs on a network because two LSWs are connected in
error using a network cable. The loop causes MAC address flapping in the MAC
address table of the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on
the Switch. This function enables the Switch to detect loops by checking whether a
MAC address flaps between interfaces, facilitating troubleshooting.
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure an action against MAC address flapping on the interfaces to
eliminate loops.
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection
Step 3 Configure the action against MAC address flapping to error-down on GE0/0/1 and
GE0/0/2.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet0/0/1
mac-address flapping action error-down
#
interface GigabitEthernet0/0/2
mac-address flapping action error-down
#
return
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2
forwarding failures.
Procedure
Step 1 Check the configuration on the switch.
Has the VLAN Run the display vlan Run the vlan vlan-id command in
that the vlan-id command in any the system view to create the
interface view. If the system VLAN.
belongs to been displays the message
created? "Error: The VLAN does
not exist", the VLAN is
not created.
Does the Run the display vlan Run one of the following
interface vlan-id command in any commands in the interface view
transparently view to check whether to add the interface to the VLAN.
transmit packets the interface name
from the VLAN? exists. If the name does ● Run the port trunk allow-pass
not exist, the interface vlan command if the interface
does not transparently is a trunk interface.
transmit packets from ● Run the port hybrid tagged
the VLAN. vlan or port hybrid untagged
vlan command if the interface
is a hybrid interface.
● Run the port default vlan
command if the interface is an
access interface.
Is MAC address Run the display this | Run the undo mac-address
learning include learning learning disable command in the
disabled on the command in the interface view or VLAN view to
interface or in interface view and VLAN enable MAC address learning.
the VLAN? view to check whether
the mac-address
learning disable
configuration exists. If
the configuration exists,
MAC address learning is
disabled on the interface
or in the VLAN.
Is MAC address Run the display this | ● Run the mac-limit command
limiting include mac-limit in the interface view or VLAN
configured on command in the view to increase the maximum
the interface interface view and VLAN number of learned MAC
and in the view to check whether address entries.
VLAN? MAC address limiting is
configured. If it is ● Run the undo mac-limit
configured, the command in the interface view
maximum number of or VLAN view to cancel MAC
learned MAC address address limiting.
entries is set.
Is port security Run the display this | ● Run the undo port-security
configured on include port-security enable command in the
the interface? command in the interface view to disable port
interface view to check security.
whether port security is ● Run the port-security max-
configured. mac-num command in the
interface view to increase the
maximum number of secure
dynamic MAC address entries
on the interface.
● If the interface has learned more MAC address entries than the number of
hosts connected to the interface, a MAC address attack may be in progress
from the network attached to the interface. In this case, locate the attack
source according to the following table.
Scenario Solution
If the number of MAC addresses that have learned by the device does not reach
the maximum number of addresses allowed on the device but MAC addresses still
cannot be learned, go to step 4.
Step 4 Check whether a MAC address hash conflict alarm is generated on the device.
L2IFPPI/4/MACHASHCONFLICTALARM: OID [oid] A hash conflict occurs in MAC addresses.
(IfIndex=[INTEGER], MacAddr=[OPAQUE], VLAN=[GAUGE], VsiName=[OCTET1], InterfaceName=[OCTET2]).
----End
Versions earlier Run the loop-detect eth- Run the undo loop-detect
than V200R001 loop alarm-only in the eth-loop alarm-only in the
support only MAC VLAN view. VLAN view.
address flapping
detection in a
VLAN.