MAC Address Table Configuration

CloudEngine 8800&7800&6800&5800 Series Switches
Configuration Guide - Ethernet Switching 2 MAC Address Table Configuration
2 MAC Address Table Configuration
About This Chapter
This chapter describes how to configure the MAC address table. Each station or server has a
unique Medium Access Control (MAC) address. When a device exchanges data with
connected stations or servers, the device records their MAC addresses, access interfaces, and
VLAN IDs for unicast forwarding.
2.1 Introduction to the MAC Address
This section describes the concept of the Media Access Control (MAC) address.
2.2 Principles
2.3 Application Environment
This section describes the applicable environment of MAC address flapping.
2.4 Configuration Task Summary
2.5 Configuration Notes
2.6 Default Configuration
2.7 Configuring a MAC Address Table
You can configure functions and parameters for a MAC address table to implement secure
communication between authorized users. The following configurations are optional and can
be performed in any sequence.
2.8 Configuring MAC Address Anti-flapping
2.9 Configuring MAC Address Flapping Detection
MAC address flapping detection detects all MAC addresses on the device. If MAC address
flapping occurs, the device sends an alarm to the NMS.
2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry
2.12 Disabling the Device from Discarding Packets in Which the Destination MAC Address
and the Configured Static MAC Address Conflict
2.13 Enabling MAC Address-triggered ARP Entry Update
Issue 06 (2017-07-10) Huawei Proprietary and Confidential 22

Copyright © Huawei Technologies Co., Ltd.
2.14 Enabling Port Bridge

2.15 Maintaining the MAC Address Table
2.16 Configuration Examples
2.17 Common Configuration Errors
2.18 Reference
This section describes references of MAC address table.
2.1 Introduction to the MAC Address

This section describes the concept of the Media Access Control (MAC) address.
A MAC address defines the location of a network device. A MAC address consists of 48 bits
and is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are assigned by the IETF and
other institutions to identify vendors, and bits 24 to 47 are the unique ID assigned by vendors
to identify their network adapters.
MAC addresses fall into the following types:
l Physical MAC address: uniquely identifies a terminal on an Ethernet network and is the
globally unique hardware address.
l Broadcast MAC address: indicates all terminals on a LAN. The broadcast address is all
1s (FF-FF-FF-FF-FF-FF).
l Multicast MAC address: indicates a group of terminals on a LAN. All the MAC
addresses with the eighth bit as 1 are multicast MAC addresses (for example,
01-00-00-00-00-00), excluding the broadcast MAC address.
2.2 Principles
A MAC address table is a Layer 2 forwarding table that stores MAC addresses learned from
other devices.
2.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table

A MAC address table records other devices' MAC addresses learned by the switch, interfaces
on which MAC addresses are learned, and VLANs that the interfaces belong to. Before
forwarding a packet, the switch looks up the destination MAC address of the packet the MAC
address table. If a MAC address entry matches the destination MAC address, the switch
forwards the packet from the corresponding outbound interface in the MAC address entry. If
no MAC address entry matches the destination MAC address, the switch broadcasts the
packet to all interfaces in the corresponding VLAN, except the inbound interface receiving
the packet.
Classification of MAC Address Entries

MAC address entries are classified into dynamic, static, and blackhole entries. In addition,
there are MAC address entries that are related to service types, for example, secure MAC,

MUX MAC, authen MAC, and guest MAC. They are maintained by service modules and are
converted from dynamic MAC address entries.
Table 2-1 Characteristics and functions of different MAC address entries

MAC Address Entry Characteristics Function
Type
Dynamic MAC address l Dynamic MAC address l You can check whether
entry entries are obtained by data is forwarded
learning source MAC between two connected
addresses of packets on devices by checking
an interface, and can be dynamic MAC address
aged. entries.
l Dynamic MAC address l You can obtain the
entries are lost after a number of
system restart, LPU hot communicating users
swap, or LPU reset. connected to an
interface by checking
the number of specified
dynamic MAC address
entries.
Static MAC address entry l Static MAC address When static MAC address
entries are manually entries are configured,
configured and delivered authorized users can use
to each LPU. Static MAC network resources and
address entries never age. other users are prevented
l The static MAC address from using the bound MAC
entries saved in the addresses to initiate attacks.
system are not lost after a
system restart, LPU hot
swap, or LPU reset.
l After an interface is
statically bound to a
MAC address, other
interfaces discard packets
from this source MAC
address.
l Each static MAC address
entry can have only one
outbound interface.
l Statically binding an
interface to a MAC
address does not affect the
learning of dynamic MAC
address entries on the
interface.

MAC Address Entry Characteristics Function

Type
Blackhole MAC address l Blackhole MAC address Blackhole MAC address

entry entries are manually entries can filter out
configured and delivered unauthorized users.
to each LPU. Blackhole
MAC address entries
never age.
l The blackhole MAC
address entries saved in
the system are not lost
after a system restart,
LPU hot swap, or LPU
reset.
l After blackhole MAC
address entries are
configured, the device
discards packets from or
destined for the blackhole
MAC addresses.
2.2.2 Elements and Functions of a MAC Address Table

Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID or VSI.
When a destination host joins multiple VLANs or VSIs, the host's MAC address corresponds
to multiple VLAN IDs or VSIs in the MAC address table. Table 2-2 lists four MAC address
entries, which specify the outbound interfaces for packets with specified destination MAC
addresses and VLAN IDs or VSI names. For example, the first MAC address entry is used to
forward the packets with destination MAC address 0011-0022-0034 and VLAN 10 through
outbound interface GE3/0/1.
Table 2-2 MAC address entries

MAC Address VLAN ID/VSI Name Outbound Interface
0011-0022-0034 10 GE3/0/1
0011-0022-0034 20 GE2/0/4
0011-0022-0035 30 Eth-Trunk20
0011-0022-0035 huawei GE2/0/5
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 2-1, when packets
sent from PC1 to PC3 reach the switch, the switch searches its MAC address table for the

destination MAC address MAC3 and VLAN 10 in the packets to obtain outbound interface
Port3. The switch then forwards packets to PC3 from Port3.
Figure 2-1 Forwarding based on the MAC address table

MAC Address VLANID Port
MAC1 10 Port1
MAC2 10 Port2 PC2
MAC3 10 Port3
PC1 Switch Port2

Port1
Port3 PC3
MAC3 MAC1 VLAN10 Type Data MAC
3 M
AC1
VLAN
10 T
ype
Data
2.2.3 MAC Address Entry Learning and Aging
MAC Address Entry Learning

Generally, MAC address entries are learned from source MAC addresses of data frame.
Figure 2-2 MAC address entry learning
PortA
HostA Data frame SwitchA
As shown in Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the source MAC address (HostA's MAC address) and VLAN ID of
the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the new MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry and updates the entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l All interfaces of a switch belong to VLAN 1 by default. If the default VLAN is not changed, the
VLAN ID of all MAC address entries is VLAN 1.
l The switch does not learn the BPDU MAC address similar to 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the device
receives data frames.

MAC Address Entry Aging

A device needs to update its MAC address table continuously to adapt to changing network
topologies. Dynamic MAC address entries are not always valid. Each entry has a life cycle
(aging time) and will be deleted when the aging time expires. If an entry is updated within the
aging time, the aging timer of the entry is reset.
Figure 2-3 MAC address entry aging

t1: The entry with MAC
t2-t3: No packet matching
address 00e0-fc00-0001
this MAC address is
and VLAN ID 1 is learned,
received, so hit flag is 0.
and the hit flag is set to 1.
1 2 3 4
0 T T T T
t1 t2 t3 Time
t2: The hit flag of the entry t3: The entry with MAC
with MAC address 00e0-fc00- address 00e0-fc00-0001
0001 and VLAN ID 1 is set to and VLAN ID 1 is deleted
0, but the entry is not deleted. because its hit flag is 0.
As shown in Figure 2-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined
VLAN 1. If no entry with MAC address 0e0-fc00-0001 and VLAN 1 exists in the MAC
address table, the MAC address is learned as a dynamic MAC address entry in the MAC
address table, and the hit flag of the entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC address entry
with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device sets the hit flag to 0 but
does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry is always 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is 0. The
device considers that the aging time of the MAC address entry has expired and deletes
the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on the device.
You can set the aging time of MAC address entries to control the life cycle of dynamic MAC
address entries in a MAC address table.
2.2.4 MAC Address Learning Control

When hackers send a large number of packets with different source MAC addresses to a
device, useless MAC addresses will consume MAC address entry resources of the device. As
a result, the device cannot learn source MAC addresses of valid packets. The device
broadcasts the packets that do not match MAC address entries, wasting bandwidth resources.

The device provides the following MAC address learning control methods to address the
preceding issue:
l Disabling MAC address learning on a VLAN or an interface

l Limiting the number of learned MAC address entries on a VLAN or an interface
Table 2-3 MAC address learning control
MAC Address Principle Application Scenario

Learning
Control Method
Disabling MAC After MAC address learning is l In most cases, attack packets
address learning disabled on a VLAN or an sent by a hacker enter the
on a VLAN or an interface, the device does not device through the same
interface learn new dynamic MAC address interface. Therefore, you can
entries on the VLAN or interface. use either of the two methods
The dynamic MAC address to prevent attack packets from
entries learned before are aged using up MAC address entry
out when the aging time expires. resources on the device.
They can also be manually l The method of limiting the
deleted using commands. number of learned MAC
Limiting the The device can only learn a address entries on a VLAN or
number of learned specified number of MAC an interface can also be used
MAC address address entries on a VLAN or an to limit the number of access
entries on a VLAN interface. users.
or an interface When the number of learned
MAC address entries reaches the
limit, the device reports an alarm
to notify the network
administrator.
After that, the device cannot
learn new MAC address entries
on the VLAN or interface and
discards the packets with source
MAC addresses out of the MAC
address table.
2.2.5 MAC Address Flapping
What Is MAC Address Flapping

MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN and the MAC address entry learned later overrides the earlier one. Figure 2-4 shows
how MAC address flapping occurs. In the MAC address entry with MAC address
0011-0022-0034 and VLAN 2, the outbound interface is changed from GE1/0/1 to GE1/0/2.
MAC address flapping can cause an increase in the CPU usage on the device.

MAC address flapping does not occur frequently on a network unless a network loop occurs.
If MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops according to alarms and MAC address flapping records.
Figure 2-4 MAC address flapping

MAC Address VLAN ID Port
0011-0022-0034 2 GE1/0/1
MAC Address VLAN ID Port

0011-0022-0034 2 GE1/0/2
How to Detect MAC Address Flapping

MAC address flapping detection determines whether MAC address flapping occurs by
checking whether outbound interfaces in MAC address entries change frequently.
After MAC address flapping detection is enabled, the device can report an alarm when MAC
address flapping occurs. The alarm contains the flapping MAC address, VLAN ID, and
outbound interfaces between which the MAC address flaps. A loop may exist between the
outbound interfaces. You can locate the cause of the loop based on the alarm. Alternatively,
the device can perform the action specified in the configuration of MAC address flapping
detection to remove the loop automatically. The action can be quit-vlan (remove the interface
from the VLAN) or error-down (shut down the interface).
Figure 2-5 Networking of MAC address flapping detection
Network
Port1
MAC:11-22-33
SwitchA
Port2 Access port
MAC:11-22-33
Users
SwitchB
SwitchC SwitchD
Broadcast
storm
Incorrect
Data flow
connection
As shown in Figure 2-5, a network cable is correctly connected between SwitchC to

SwitchD, causing a loop between SwitchB, SwitchC, and SwitchD. When Port1 of SwitchA

receives a broadcast packet, SwitchA forwards the packet to SwitchB. The packet is then sent
to Port2 of SwitchA. After MAC address flapping detection is configured on SwitchA,
SwitchA can detect that the source MAC address of the packet flaps from Port1 to Port2. If
the MAC address flaps between Port1 and Port2 frequently, SwitchA reports an alarm about
MAC address flapping to alert the network administrator.
NOTE
MAC address flapping detection allows a device to detect changes in traffic transmission paths based on
learned MAC addresses, but the device cannot obtain the entire network topology. It is recommended
that this function be used on the interface connected to a user network where loops may occur.
How to Prevent MAC Address Flapping

MAC address flapping occurs on a network when the network has a loop or undergoes an
attack.
During network planning, you can use the following methods to prevent MAC address
flapping:
l Increase the MAC address learning priority of an interface: When the same MAC
address is learned on interfaces of different priorities, the MAC address entry on the
interface with the highest priority overrides the MAC address entries on the other
interfaces.
l Prevent MAC address entries from being overridden on interfaces with the same priority:
If the interface connected to a bogus network device has the same priority as the
interface connected to an authorized device, the MAC address entry of the bogus device
learned later does not override the original correct MAC address entry. If the authorized
device is powered off, the MAC address entry of the bogus device is learned. After the
authorized device is powered on again, its MAC address cannot be learned.
As shown in Figure 2-6, Port1 of the switch is connected to a server. To prevent unauthorized
users from connecting to the switch using the server's MAC address, you can set a high MAC
address learning priority for Port1.
Figure 2-6 Networking of MAC address flapping prevention

MAC:11-22-33
MAC:11-22-33
Server
unauthorized
user
Port1
Switch
2.2.6 MAC Address-Triggered ARP Entry Update

On an Ethernet network, a host sends and receives Ethernet data frames based on MAC
addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.
When two devices on different network segments communicate with each other, they need to
map IP addresses to MAC addresses and outbound interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP entries are
consistent. As shown in Figure 2-7, the outbound interface in both the MAC address entry
and ARP entry is GE1/0/1. The interface is then changed. At T2, after a packet is received
from the peer device, the outbound interface in the MAC address entry is immediately
changed to GE1/0/2. However, the outbound interface in the ARP entry is still GE1/0/1. At
T3, the aging time of the ARP entry expires, and the outbound interface in the ARP entry is
changed to GE1/0/2 through ARP aging probe. Between T2 and T3, the outbound interface in
the ARP entry is unavailable, interrupting communication between devices on different
network segments.
Figure 2-7 MAC address-triggered ARP entry update is not enabled

MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

11-22-34 2 GE1/0/1 10.2.2.2 11-22-34 2 GE1/0/1
Before port switching
Port switching
& ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T2 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/1
After port switching &
ARP aging probe
T3 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2
MAC address-triggered ARP entry update enables a device to update the outbound interface
in an ARP entry immediately after the outbound interface in the corresponding MAC address
entry changes. As shown in Figure 2-8, MAC address-triggered ARP entry update is enabled.
At T2, after the outbound interface in the MAC address entry is changed to GE1/0/2, the
outbound interface in the ARP entry is immediately changed to GE1/0/2. This function
prevents communication interruption between T2 and T3 due to the incorrect outbound
interface in the ARP entry.
Figure 2-8 MAC address-triggered ARP entry update is enabled

MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

11-22-34 2 GE1/0/1 10.2.2.2 11-22-34 2 GE1/0/1
Before port switching
Port switching
& ARP aging probe
T2 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2
After port switching &
ARP aging probe
T3 11-22-34 2 GE1/0/2 10.2.2.2 11-22-34 2 GE1/0/2
In data center virtualization scenarios, when the location of a virtual machine (VM) changes,
user traffic on the network may be interrupted if the VM cannot send gratuitous ARP
messages promptly to update ARP entries on the gateway. In this case, the device relearns
ARP entries by exchanging ARP messages only after ARP entries on the gateway age.

When the VM location is changed after MAC-ARP association is enabled and a gateway's
MAC entries are updated upon receipt of Layer 2 user traffic, ARP entries and outbound
interface information are updated as follows to accelerate Layer 3 traffic convergence:
l If ARP entries exist and the outbound interface of MAC entries is inconsistent with that
of ARP entries, ARP entries are updated based on MAC entries, and outbound interface
information is updated.
l If ARP entries do not exist, a broadcast suppression table is searched based on MAC
entries and ARP probe is re-initiated to update ARP entries and outbound interface
information.
2.3 Application Environment

This section describes the applicable environment of MAC address flapping.
MAC Address Anti-flapping

As shown in Figure 2-9, employees of an enterprise need to access the enterprise server. If an
attacker uses the server MAC address as the source MAC address to send packets to another
interface, the server MAC address is learned on the interface. Packets sent to the server are
sent to unauthorized users. In this case, employees cannot access the server, and important
data will be intercepted by the attacker. MAC address anti-flapping can be configured to
prevent unauthorized users from using the server MAC address to access the switch.
Figure 2-9 Networking diagram of MAC address anti-flapping

MAC:11-22-33
MAC:11-22-33
Server
unauthorized
user
Port1
Switch
MAC Address Flapping Detection

As shown in Figure 2-10, a loop occurs on a user network because network cables between
two LSWs are incorrectly connected. The loop causes MAC address flapping and MAC
address table flapping.
You can enable MAC address flapping detection on the Switch to detect MAC address
flapping and discover loops.

Figure 2-10 Networking diagram of MAC address flapping detection
Network
Switch
LSW1 LSW2
Incorrect connection
2.4 Configuration Task Summary

Table 2-4 Configuration task summary for a MAC address table
Scenario Description Task
MAC addresses and Configure static MAC address entries 2.7.1 Configuring a
interfaces need to be to bind MAC addresses and interfaces, Static MAC Address
bound statically. improving security of authorized users. Entry
Attack packets from Configure blackhole MAC address 2.7.2 Configuring a

unauthorized users entries to filter out packets from Blackhole MAC
need to be filtered unauthorized users, thereby protecting Address Entry
out. the system against attacks.
Aging of dynamic Set the aging time according to your 2.7.3 Setting the Aging
MAC address entries needs. Set the aging time to a large Time of Dynamic
needs to be flexibly value or 0 (not to age dynamic MAC MAC Address Entries
controlled. address entries) on a stable network;
set a short aging time in other
situations.

MAC address Attacks initiated by unauthorized users 2.7.4 Disabling MAC

learning needs to be may exhaust MAC address entries. To Address Learning
controlled. prevent this problem, disable MAC (non-CE6870EI)
address learning or limit the number of 2.7.5 Disabling MAC
learned MAC address entries. Address Learning
(CE6870EI)
2.7.6 Configuring the
MAC Address
Limiting Function
MAC address MAC address flapping occurs on a 2.8 Configuring MAC

flapping needs to be network when the network has a loop Address Anti-flapping
prevented. or undergoes an attack. You can use the
following methods to prevent MAC
address flapping:
l Configure the MAC address
learning priorities for interfaces.
When the same MAC address is
learned by interfaces of different
priorities, the MAC address entry
on the interface with the highest
priority overrides the MAC address
entries on other interfaces.
l Prevent MAC address entries from
being overridden on interfaces with
the same priority.

MAC address MAC address flapping occurs when a 2.9 Configuring MAC
flapping needs to be MAC address is learned by two Address Flapping
detected. interfaces in the same VLAN and the Detection
MAC address entry learned later
overrides the earlier one.
MAC address flapping detection
enables a switch to check whether any
MAC address flaps between interfaces
and determine whether a loop occurs.
When MAC address flapping occurs,
the switch sends an alarm to the NMS.
The network maintenance personnel
can locate the loop based on the alarm
information and historical records for
MAC address flapping. This greatly
improves network maintainability. If
the network connected to the switch
does not support loop prevention
protocols, configure the switch to shut
down the interfaces where MAC
address flapping occurs to reduce the
impact of MAC address flapping on
the network.
The switch needs to A faulty host or device may send 2.10 Configuring the
discard packets with packets with an all-0 source or Switch to Discard
an all-0 source or destination MAC address to a switch. Packets with an All-0
destination MAC Configure the switch to discard such MAC Address
address. packets and send an alarm to the NMS
so that the network administrator can
locate the faulty host or device based
on the alarm information.
The switch needs to After a DHCP user goes offline, the 2.11 Configuring the
discard packets in MAC address entry of the user ages Switch to Discard
which destination out. If there are packets destined for Packets That Do Not
MAC addresses do this user, the system cannot find the Match Any MAC
not match the MAC MAC address entry. The system then Address Entry
address table. broadcasts the packets to all interfaces
in the VLAN. In this case, all users
receive the packets, which brings
security risks. After the switch is
configured to discard packets that do
not match any MAC address entry, the
switch discards such packets. This
function mitigates the burden on the
switch and enhances security.

The outbound Configure the MAC address-triggered 2.13 Enabling MAC

interfaces in ARP ARP entry update function. When the Address-triggered
entries need to be outbound interface in a MAC address ARP Entry Update
updated quickly. entry changes, the device updates the
outbound interface in the
corresponding ARP entry before ARP
probing. This function shortens service
interruption time.
An interface needs to By default, an interface does not 2.14 Enabling Port

forward packets of forward packets whose source and Bridge
which the source and destination MAC addresses are both
destination MAC learned by this interface. When the
addresses are both interface receives such a packet, it
learned on the discards the packet as an invalid
interface. packet. After the port bridge function is
enabled on the interface, the interface
forwards such packets. This function
applies to a switch that connects to
devices incapable of Layer 2
forwarding or functions as an access
device in a data center.
2.5 Configuration Notes

Involved Network Elements
Other network elements are not required.
License Support
The MAC address table is a basic feature of a switch and is not under license control.
Version Support
Table 2-5 Products and minimum version supporting the MAC address table
Series Product Minimum Version Required
CE8800 CE8860 CE8860EI V100R006C00
CE8850EI CE8850EI V200R002C50
CE7800 CE7850 CE7850EI V100R003C00
CE7855EI V200R001C00
CE6800 CE6810 CE6810EI V100R003C00

Series Product Minimum Version Required
CE6810-48S4Q-LI/ V100R003C10
CE6810-48S-LI
CE6810-32T16S4Q-LI/ V100R005C10
CE6810-24S2Q-LI
CE6850 CE6850EI V100R001C00
CE6850-48S6Q-HI V100R005C00
CE6850-48T6Q-HI/ V100R005C10
CE6850U-HI/
CE6851HI
CE6855HI V200R001C00
CE6860 CE6860EI V200R002C50
CE6870 CE6870-24S6CQ-EI/ V200R001C00

CE6870-48S6CQ-EI
CE6870-48T6CQ-EI V200R002C50
CE6880 CE6880EI V200R002C50
CE5800 CE5810 CE5810EI V100R002C00
CE5850 CE5850EI V100R001C00
CE5850HI V100R003C00
CE5855 CE5855EI V100R005C10

Feature Dependencies and Limitations
Table 2-6 Description of features

Feature Description
MAC address l Dynamic MAC address entries can be learned on an interface only
entry after the interface is added to an existing VLAN.
l Each static MAC address entry can have only one outbound interface.
l If there is a MAC address that is generated based on DHCP snooping
binding entries, the MAC address cannot be configured as a static
MAC address.
l The blackhole MAC address can be used as the source or destination
MAC address. For the CE6870EI, the device forwards Layer 3
packets with the source MAC address as the blackhole MAC address.
l Deleting MAC address entries may cause the reset of the aging time
of MAC address entries.
l After EVN is configured, the aging time of MAC address entries is
30 minutes and cannot be modified.
l By default, MAC addresses of VBDIF and VLANIF interfaces are
dynamically allocated from the MAC address range of the system.
You can also run the mac-address command to configure a static
MAC address. When the device is connected to the load balancer or
firewall or the if-match source-mac command is used on the device,
Layer 3 traffic may fail to be forwarded. To address this issue, delete
the configured MAC address of the interface.
l For the CE6870EI and CE6880EI, VBDIF interfaces, VLANIF
interfaces, and VRR share eight virtual MAC addresses.

Feature Description
MAC address l MAC address learning limiting rules are invalid for existing online
learning users and valid for only new online users.
l If the VLANIF interface is not configured, the device can learn the
local system MAC address.
l Disabling MAC address learning and limiting the number of learned
MAC addresses are valid for a Layer 2 main interface and its sub-
interfaces for the CE6870EI.
l The hardware learns MAC address entries at line speed for the
CE6870EI. When many MAC address entries are learned in a short
period of time, the number of MAC address entries in the hardware
table is larger than the number of MAC address entries in the
software table. When many MAC address entries are aged in a short
period of time, the number of MAC address entries in the software
table is larger than the number of MAC address entries in the
hardware table. MAC address entries in the software and hardware
tables keep consistent through synchronization.
l Port security and MAC address limiting cannot be configured on an
interface.
l In the SVF, disabling MAC address learning cannot be configured in
the traffic behavior view.
l After MAC address limiting is configured on an interface, the
VXLAN packets received by an interface on a switch model
excluding theCE6870EI and CE6880EI are not affected by this
function.

Feature Description
MAC address l To prevent uplink traffic interruption, you are not advised to
flapping configure the action performed when MAC address flapping is
detection detected on upstream interfaces.
l In earlier versions of V100R006C00, MAC address flapping
detection is inapplicable to TRILL, VPLS, VXLAN, and EVN
networks. In V100R006C00 and later versions, MAC address
flapping detection is inapplicable to only the VPLS network.
l The MAC address flapping detection function can only detect a single
ring. When there are multiple rings, the MAC address flapping
detection function detects only the first ring. That is, if two or more
rings exist in a VLAN, the system reports only alarms about
interfaces in the first ring, regardless of whether the port status in the
first ring is Up or Down.
l The MAC address flapping detection function can only detect the first
ring in a VLAN within the configurable aging time (5 minutes by
default). For example, MAC address flapping between PortA and
PortB. After PortA or Port B goes Down and MAC address flapping
between PortC and PortD within the same aging time, the flapping
interfaces in the alarm are still PortA and PortB.
l By default, MAC address triggered ARP entry update is enabled. If
MAC address flapping occurs for more than 10 times, MAC address
triggered ARP entry update is disabled. After MAC address flapping
is eliminated, MAC address triggered ARP entry update is enabled
automatically.
l For V200R002C50 and later versions, on models excluding the
CE6880EI, when MAC address flapping occurs on an interface, the
system suppresses packets. In this case, the forwarding rate of the
outbound interface is 1% of the bandwidth of the inbound interface.
Packets are not suppressed in the following two situations:
– The interface is configured with storm control and storm
suppression.
– Multicast is enabled globally.

Feature Description
Other features l On the CE8860EI, CE8850EI, CE7850EI, CE7855EI, CE6860EI,

CE6850HI, and CE6855HI, when the big-MAC or large ARP table
mode is used and different MAC addresses and rates are used, the
hash conflict of the MAC address table is serious and the hash
conflict result is different each time. When a hash conflict occurs, the
device may fail to learn many MAC addresses and some traffic can
only be broadcast.
l In an SVF composed of box switches in V100R005C10 or later
versions, when the mac-address miss action discard command is
used, a leaf switch in distributed forwarding mode sends the packets
with no matching MAC address entries to the parent switch, and the
parent switch directly discards the packets with no matching MAC
address entries. A leaf switch in centralized forwarding mode sends
the packets with no matching MAC address entries to the parent
switch. The parent switch directly discards the packets with no
matching MAC address entries.
l The CE6870EI cannot be configured to discard packets with the
MAC address of all 0s.
l The CE6880EI does not support the following functions:
– Discarding packets with the MAC address of all 0s
– MAC address flapping prevention
– Port bridge
– MAC hash mode
2.6 Default Configuration

Table 2-7 Default values of a MAC address entry
Parameter Default Value
Aging time of a dynamic MAC address 300 seconds

entry
Whether MAC address learning is enabled Enable
MAC address learning priority of an 0

interface
Port security Disabled
Limit on the number of MAC addresses 1

learned by an interface
Action to be taken when the number of Restrict

learned MAC addresses reaches the limit
MAC address flapping detection Enable

Parameter Default Value
Aging time of flapping MAC addresses 300 seconds
Discarding packets with all-0 invalid MAC Disabled

addresses
Port bridge Disabled
2.7 Configuring a MAC Address Table

You can configure functions and parameters for a MAC address table to implement secure
communication between authorized users. The following configurations are optional and can
be performed in any sequence.
2.7.1 Configuring a Static MAC Address Entry
Context
MAC addresses and interfaces are bound statically in static MAC address entries.
A device cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. This causes network
risks. If an unauthorized user uses the MAC address of an authorized user as the source MAC
address of attack packets and connects to another interface of the device, the device learns an
incorrect MAC address entry. As a result, packets destined for the authorized user are
forwarded to the unauthorized user. To improve security, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This prevents
unauthorized users from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
l A static MAC address entry will not be aged out. After being saved, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must have been created and assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run:
system-view
The system view is displayed.

Step 2 Run:
mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.

Step 3 Run:
commit
The configuration is committed.
----End
Checking the Configuration

Run the display mac-address static command to check configured static MAC address
entries.
2.7.2 Configuring a Blackhole MAC Address Entry

Blackhole MAC address entries can be used to filter out invalid MAC addresses.
Context
To prevent a hacker from using a MAC address to attack a user device or network, configure
the MAC address of an untrusted user as the blackhole MAC address. The switch directly
discards the received packets where the source or destination MAC address is the blackhole
MAC address and the VLAN ID of the packets corresponds to the blackhole MAC address.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address blackhole mac-address vlan vlan-id
A blackhole MAC address entry is configured.

Step 3 Run:
commit
----End

Run the display mac-address blackhole [ vlan vlan-id ] command to check configured
blackhole MAC address entries.
2.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
To prevent explosive increase of MAC address entries, set the aging time for dynamic MAC
address entries.
Because the network topology changes frequently, the switch will learn more and more MAC
addresses. Therefore, the aging time needs to be set properly for dynamic MAC address

entries so that the switch can delete unneeded MAC address entries to prevent a sharp
increase of MAC address entries. A shorter aging time makes the switch more sensitive to
network changes and is applicable to networks where network topology changes frequently. A
longer aging time makes the switch more insensitive to network changes and is only
applicable to stable networks.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.

The aging time is 0 or an integer that ranges from 60 to 1000000, in seconds. The default
value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.
NOTE
When the aging time is 0, MAC address entries can be fixed. To clear the fixed MAC address entries, set
the aging time to a non-0 value. The system then deletes fixed MAC address entries after twice the aging
time.
Step 3 Run:
commit
----End

Run the display mac-address aging-time command to view the aging time of dynamic MAC
address entries.
2.7.4 Disabling MAC Address Learning (non-CE6870EI)

Background
The MAC address learning function is enabled by default on the switch. When receiving a
data frame, the switch records the source MAC address of the data frame and the interface
that receives the data frame in a MAC address entry. When receiving data frames destined for
this MAC address, the switch forwards the data frames through the outbound interface
according to the MAC address entry. The MAC address learning function reduces broadcast
packets on a network. After MAC address learning is disabled on an interface, the switch does
not learn source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These dynamic
MAC address entries are deleted after the aging time expires or can be manually deleted using
commands.
Procedure
l Disable MAC address learning on an interface.

a. Run:
system-view

b. Run:
interface interface-type interface-number
The interface view is displayed.

c. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.

By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address table.
When the action is set to discard, the switch looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the
MAC address table, the switch forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the switch discards the
packet.
d. Run:
commit

l Disable MAC address learning in a VLAN.
a. Run:
system-view

b. Run:
vlan vlan-id
The VLAN view is displayed.

c. Run:
mac-address learning disable
MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in a VLAN.
d. Run:
commit

l Disabling MAC address learning in the traffic behavior view.
This function is not supported in the SVF.
a. Configure a traffic classifier.
i. Run:
system-view

ii. Run:
traffic classifier classifier-name [ type { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.

and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long
as they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Run:
if-match
Matching rules are defined for the traffic classifier.

For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine
8800&7800&6800&5800 Series Switches Configuration Guide - QoS
Configuration Guide.
iv. Run:
commit

v. Run:
quit
Exit from the traffic behavior view.

b. Configure a traffic behavior.
i. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the
view of an existing traffic behavior is displayed.
ii. Run:
MAC address learning is disabled in a traffic behavior.

iii. (Optional) Run:
statistics enable
The traffic statistics function is enabled.

iv. Run:
commit

v. Run:
quit

vi. Run:
quit
Exit from the system view.

c. Configure a traffic policy.
i. Run:

system-view

ii. Run:
traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
iii. Run:
classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in a traffic policy.

iv. Run:
commit

v. Run:
quit
Exit from the traffic policy view.

vi. Run:
quit

d. Apply the traffic policy.
NOTE
l A traffic policy containing mac-address learning disable (traffic behavior view) can
only be applied in the inbound direction.
l For details about the configuration notes of applying traffic policies in different views,
see Configuration Notes.
n Applying a traffic policy to an interface
1) Run:
system-view

2) Run:

3) Run:
traffic-policy policy-name inbound
A traffic policy is applied to the interface in the inbound direction.

4) Run:
commit

n Applying a traffic policy to a VLAN
1) Run:
system-view

2) Run:
vlan vlan-id


3) Run:
A traffic policy is applied to the VLAN in the inbound direction.

After a traffic policy is applied, the system performs traffic policing for
the packets that belong to a VLAN and match traffic classification rules
in the inbound direction.
4) Run:
commit

n Applying a traffic policy to the system
1) Run:
system-view

2) Run:
traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.

3) Run:
commit

l Run the display traffic classifier [ classifier-name ] command to check the traffic
classifier configuration.
l Run the display traffic behavior [ behavior-name ] command to check the traffic
behavior configuration on the device.
l Run the display traffic policy [ policy-name [ classifier classifier-name ] ] command to
check the traffic policy configuration.
l Run the display traffic-policy applied-record [ policy-name ] [ global [ slot slot-id ] |
interface interface-type interface-number | vlan vlan-id | vpn-instance vpn-instance-
name | qos group group-id | bridge-domain bd-id ] [ inbound | outbound ] command
to check the application record of a specified traffic policy.
2.7.5 Disabling MAC Address Learning (CE6870EI)

Background
The MAC address learning function is enabled by default on the switch. When receiving a
data frame, the switch records the source MAC address of the data frame and the interface
that receives the data frame in a MAC address entry. When receiving data frames destined for
this MAC address, the switch forwards the data frames through the outbound interface
according to the MAC address entry. The MAC address learning function reduces broadcast
packets on a network. After MAC address learning is disabled on an interface, the switch does
not learn source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These dynamic
MAC address entries are deleted after the aging time expires or can be manually deleted using
commands.

Procedure
l Disable MAC address learning on an interface.
a. Run:
system-view

b. Run:

c. Run:
mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.

By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address learning is
disabled. That is, the switch forwards packets according to the MAC address table.
When the action is set to discard, the switch looks up the source MAC address of
the packet in the MAC address table. If the source MAC address is found in the
MAC address table, the switch forwards the packet according to the matching MAC
address entry. If the source MAC address is not found, the switch discards the
packet.
d. Run:
commit

l Disable MAC address learning in a VLAN.
a. Run:
system-view

b. Run:
vlan vlan-id

c. Run:
MAC address learning is disabled in the VLAN.

By default, MAC address learning is enabled in a VLAN.
d. Run:
commit

l Disabling MAC address learning in the traffic behavior view
a. Configure a traffic classifier.
i. Run:
system-view

ii. Run:
traffic classifier classifier-name [ type { and | or } ]

A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long
as they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Run:
if-match
Matching rules are defined for the traffic classifier.

For details about matching rules in a traffic classifier, see "Configuring a
Traffic Classifier" in "MQC Configuration" of the CloudEngine
8800&7800&6800&5800 Series Switches Configuration Guide - QoS
Configuration Guide.
iv. Run:
commit

v. Run:
quit
Exit from the traffic classifier view.

b. Configure a traffic behavior.
i. Run:
traffic behavior behavior-name
A traffic behavior is created and the traffic behavior view is displayed, or the
view of an existing traffic behavior is displayed.
ii. Run:
MAC address learning is disabled in a traffic behavior.

iii. (Optional) Run:
statistics enable
The traffic statistics function is enabled.

iv. Run:
commit

v. Run:
quit

vi. Run:
quit

c. Configure a traffic policy.

i. Run:
system-view

ii. Run:
traffic policy policy-name
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
iii. Run:
classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
A traffic behavior is bound to a traffic classifier in a traffic policy.

iv. Run:
commit

v. Run:
quit
Exit from the traffic policy view.

vi. Run:
quit

d. Apply the traffic policy.
NOTE
l A traffic policy containing mac-address learning disable (traffic behavior view) can
only be applied in the inbound direction.
l For details about the configuration notes of applying traffic policies in different views,
see Configuration Notes.
n Applying a traffic policy to an interface
1) Run:
system-view

2) Run:

3) Run:
A traffic policy is applied to the interface in the inbound direction.

4) Run:
commit

n Applying a traffic policy to a VLAN
1) Run:
system-view

2) Run:
vlan vlan-id

3) Run:
A traffic policy is applied to the VLAN in the inbound direction.

After a traffic policy is applied, the system performs traffic policing for
the packets that belong to a VLAN and match traffic classification rules
in the inbound direction.
4) Run:
commit

n Applying a traffic policy to the system
1) Run:
system-view

2) Run:
traffic-policy policy-name global [ slot slot-id ] inbound
A traffic policy is applied to the system in the inbound direction.

3) Run:
commit

n Applying a traffic policy to a BD
1) Run:
system-view

2) Run:
bridge-domain bd-id
The BD view is displayed.

3) Run:
A traffic policy is applied to the BD.

4) Run:
commit

l Run the display traffic classifier [ classifier-name ] command to check the traffic
classifier configuration.
l Run the display traffic behavior [ behavior-name ] command to check the traffic
behavior configuration on the device.
l Run the display traffic policy [ policy-name [ classifier classifier-name ] ] command to
check the traffic policy configuration.

l Run the display traffic-policy applied-record [ policy-name ] [ global [ slot slot-id ] |

interface interface-type interface-number | vlan vlan-id | vpn-instance vpn-instance-
name | qos group group-id | bridge-domain bd-id ] [ inbound | outbound ] command
to check the application record of a specified traffic policy.
2.7.6 Configuring the MAC Address Limiting Function
Context
The MAC address limiting function controls the number of access users to prevent MAC
addresses from hackers.
An insecure network is vulnerable to MAC address attacks. When hackers send a large
number of forged packets with different source MAC addresses to the switch, the MAC
address table of the switch will be filled with useless MAC address entries. As a result, the
switch cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the number of
learned MAC address entries reaches the limit, the switch does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents MAC address attacks and improves network security.
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run:
system-view

b. Run:

c. Run:
mac-address limit maximum max-num
The maximum number of MAC address entries that can be learned on the interface
is set.
By default, the number of MAC address entries learned on an interface is not

limited.
d. Run:
mac-address limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
e. Run:
commit

l Limit the number of MAC address entries learned in a VLAN.

a. Run:
system-view

b. Run:
vlan vlan-id

c. Run:
mac-address limit maximum max-num
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run:
mac-address limit action { discard | forward }
The action to be taken on packets with unknown source MAC addresses is

configured when the number of learned MAC address entries reaches the limit.
By default, the device forwards packets with unknown source MAC addresses after
the number of learned MAC address entries reaches the limit.
e. Run:
mac-address limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
f. Run:
commit
----End

Run the display mac-address limit command to check limiting on MAC address learning.
2.7.7 Configuring a MAC Hash Algorithm
Context
A device usually uses a hash algorithm to learn MAC address entries to improve MAC
address forwarding performance. When multiple MAC addresses map the same key value, a
MAC address hash conflict may occur. When a MAC address hash conflict occurs, the device
may fail to learn many MAC addresses and can only broadcast traffic destined for these MAC
addresses. The heavy broadcast traffic increases the load on the device. In this case, use an
appropriate hash algorithm to mitigate the hash conflict.

NOTE
l Only the CE5810EI, CE5850HI, CE6800 series(exclude CE6870EI), CE7800 series, and CE8800
series support the configuration of a Hash Algorithm.
l MAC addresses are distributed on a network randomly, so the best hash algorithm cannot be
determined. Generally, the default hash algorithm is the best one, so do not change the hash
algorithm unless you have special requirements.
l An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
l After the hash algorithm is changed, restart the device to make the configuration take effect.
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper
| lsb }
A hash algorithm is configured.
The default hash algorithm is crc32-lower.
Step 3 Run:
commit
----End

l Run the display mac-address hash-mode command to check the running and
configured hash algorithms.
2.8 Configuring MAC Address Anti-flapping
2.8.1 Configuring a MAC Address Learning Priority for an

Interface
Context
To prevent MAC address flapping, configure different MAC address learning priorities for
interfaces. When interfaces learn the same MAC address, the MAC address entry learned by
the interface with the highest priority overrides the MAC address entries learned by the other
interfaces.
NOTE
CE6870EI does not support this function.

Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
mac-address learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger priority value
indicates a higher MAC address learning priority.
Step 4 Run:
commit
----End
2.8.2 Preventing MAC Address Flapping Between Interfaces with

the Same Priority
Context
You can configure the device to prevent MAC address flapping between interfaces with the
same priority to improve network security.
The CE8800&7800&6800&5800 series switches are configured to prevent MAC address

flapping between interfaces with the same priority. After a device (such as the server)
connected to CE8800&7800&6800&5800 series switches power off, another interface on
CE8800&7800&6800&5800 series switches learn the same MAC address as the device. The
device cannot learn the correct MAC address after it powers on.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo mac-address learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with the same
priority.

By default, the device allows MAC address flapping between interfaces with the same
priority.
Step 3 Run:
commit
----End
2.8.3 Checking the Configuration
Procedure
l Run the display current-configuration command to view the MAC address learning
priorities of interfaces.
----End
2.9 Configuring MAC Address Flapping Detection

MAC address flapping detection detects all MAC addresses on the device. If MAC address
flapping occurs, the device sends an alarm to the NMS.
Context
By default, the system performs MAC address flapping detection in all VLANs. In a data
center virtualization scenario (virtual terminal migration), MAC address flapping may occur.
This is a normal situation where MAC address flapping detection is not required. You can
configure the whitelist of VLANs in MAC address flapping detection to prevent MAC
address flapping detection from being performed in a specified VLAN.
Increasing the aging time of flapping MAC addresses will cause MAC address flapping again
and increase the Error-Down time. To ensure that the system performs MAC address flapping
detection in a timely manner, adjust the aging time of flapping MAC addresses correctly.
When a loop on a network causes MAC address flapping and the network does not support
loop prevention protocols, to eliminate the loop, configure an action to take after MAC
address flapping occurs on the corresponding interface.

NOTE
l To prevent uplink traffic interruption, you are not advised to configure the action performed when
MAC address flapping is detected on upstream interfaces.
l MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire
network topology. If the user network connected to the switch supports loop prevention protocols,
use the loop prevention protocols instead of MAC address flapping detection.
l The MAC address flapping detection function can only detect a single ring. When there are multiple
rings, the MAC address flapping detection function detects only the first ring. That is, if two or more
rings exist in a VLAN, the system reports only alarms about interfaces in the first ring, regardless of
whether the port status in the first ring is Up or Down.
l The MAC address flapping detection function can only detect the first ring in a VLAN within the
configurable aging time (5 minutes by default). For example, MAC address flapping between PortA
and PortB. After PortA or Port B goes Down and MAC address flapping between PortC and PortD
within the same aging time, the flapping interfaces in the alarm are still PortA and PortB.
l By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs
for more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address
flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address flapping detection [ security-level { low | middle | high } ]
Global MAC address flapping detection is configured.

By default, global MAC address flapping detection is enabled. The detection security level is
middle, that is after MAC addresses change for 10 times, the system considers that MAC
address flapping occurs.
Step 3 (Optional) Run:
mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
The whitelist of VLANs in MAC address flapping detection is configured.

By default, the whitelist of VLANs in MAC address flapping detection is not configured.
mac-address flapping detection exclude mac-address mac-address-mask
The whitelist of MAC in MAC address flapping detection is configured.

By default, no MAC address is added to the MAC flapping detection whitelist.
mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.

By default, the aging time of flapping MAC addresses is 5 minutes.
Step 6 (Optional) Configure the interval for reporting traps periodically when MAC address flapping
is detected.
1. Run:

mac-address flapping periodical trap enable
The device is enabled to report a trap periodically when detecting MAC address
flapping.
By default, the device is disabled from reporting a trap periodically when detecting MAC
address flapping.
2. Run:
mac-address flapping periodical trap interval interval
The interval for reporting traps periodically is configured when MAC address flapping is
detected.
By default, the device reports traps periodically at an interval of 2 minutes when

detecting MAC address flapping.
Step 7 (Optional) Configure the action performed on the interface when MAC address flapping is
detected on the interface.
1. Run:

2. Run:
mac-address flapping trigger error-down
The interface is configured to enter the Error-Down state after MAC address flapping
occurs.
By default, an interface is not configured to enter the Error-Down state after MAC
address flapping occurs.
Step 8 Run:
commit
----End

Run the display mac-address flapping command to check the MAC address flapping
detection configuration.
Follow-up Procedure
When the action is set to error-down, if MAC address flapping occurs, the interface enters
the Error-Down state and the device sends an alarm to the NMS. The device records the status
of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down
state cannot receive or send packets and the interface indicator is off. You can run the display
error-down recovery command to check information about all interfaces in Error-Down state
on the device.
When the interface is in Error-Down state, check the cause. You can use the following modes
to restore the interface status:
l Manual (after the interface enter the Error-Down state)

When there are few interfaces in Error-Down state, you can run the shutdown and undo
shutdown commands in the interface view or run the restart command to restore the
interface.
l Auto (before the interface enter the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings in heavy
workload and the configuration of some interfaces may be ignored. To prevent this
problem, run the error-down auto-recovery cause mac-address-flapping interval
interval-value command in the system view to enable an interface in error-down state to
go Up and set a recovery delay. You can run the display error-down recovery command
to view automatic recovery information about the interface.
NOTE
This mode is invalid for the interface that has entered the Error-Down state, and is only valid for the
interface that enters the Error-Down state after the error-down auto-recovery cause mac-address-
flapping interval interval-value command is used.
2.10 Configuring the Switch to Discard Packets with an

All-0 MAC Address
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets.
You can configure the switch to discard packets with an all-0 source or destination MAC
address.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac enable
The switch is enabled to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 Run:
commit
----End


Run the display current-configuration command to check whether the switch is enabled to
discard packets with an all-0 MAC address.
2.11 Configuring the Switch to Discard Packets That Do

Not Match Any MAC Address Entry
Context
After the switch is configured to discard packets that do not match any MAC address entries,
such packets are discarded, which reduces the load on the switch and enhances system
security.
After a DHCP user goes offline, the MAC address entry of the user ages out. If there are
packets destined for this user, the switch cannot find the MAC address entry and therefore
broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets,
which brings security risks. To reduce the load on the switch and enhance security, configure
the switch to discard packets that do not match any MAC address entries.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
mac-address miss action discard
The switch is configured to discard packets that do not match any MAC address entries.
By default, the switch broadcasts the packets that do not match any MAC address entries in a
VLAN.
Step 4 Run:
commit
----End

Run the display current-configuration command to check whether the switch is configured
to discard packets that do not match any MAC address entries.

2.12 Disabling the Device from Discarding Packets in

Which the Destination MAC Address and the Configured
Static MAC Address Conflict
Context
For the packets in which the destination MAC address and the configured static MAC address
conflict, the device can be configured to or not to discard packets.
NOTE
Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE7850EI, CE7855EI, and CE8860EI support
the function.
By default, the device discards packets in which the destination MAC address and the
configured static MAC address conflict. This function reduces the device burden and ensures
security. In a scenario where the Open Virtual Switch DataBase (OVSDB) needs to be
enabled, to ensure that OVSDB functions properly, the device must be disabled from
discarding packets in which the destination MAC address and the configured static MAC
address conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo mac-address drop static-conflict enable
The device is disabled from discarding packets in which the destination MAC address and the
configured static MAC address conflict.
By default, the device is enabled to discard packets in which the destination MAC address and
the configured static MAC address conflict.
NOTE
l If OVSDB needs to be enabled on the device, to ensure that OVSDB functions properly, you must run
the undo mac-address drop static-conflict enable command to disable the device from discarding
packets in which the destination MAC address and the configured static MAC address conflict.
l If OVSDB is not enabled on the device or stopped but the undo mac-address drop static-conflict
enable command is used, you must run the mac-address drop static-conflict enable command to
enable the device to discard packets in which the destination MAC address and the configured static
MAC address conflict. Otherwise, the device may not work properly.
Step 3 Run:
commit
----End


Run the display current-configuration command to check whether the device is enabled to
discard packets in which the destination MAC address and the configured static MAC address
conflict. If there is the undo mac-address drop static-conflict enable command
configuration, the device is not enabled to discard packets in which the destination MAC
address and the configured static MAC address conflict. If there is no undo mac-address
drop static-conflict enable command configuration, the device is enabled to discard packets
in which the destination MAC address and the configured static MAC address conflict.
2.13 Enabling MAC Address-triggered ARP Entry Update
Context
The MAC address-triggered ARP entry update enables the switch to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding. The ARP
entries that define the mapping between IP addresses and MAC addresses guide
communication between devices on different network segments.
The outbound interface in a MAC address entry is updated by packets, whereas the outbound
interface in an ARP entry is updated after the aging time is reached. In this case, the outbound
interfaces in the MAC address entry and ARP entry may be different. In Figure 2-11,
SwitchA and SwitchB function as gateways of the server and have VRRP enabled to enhance
reliability. VRRP packets are transmitted on the directly connected link between the two
switches. When the server sends packets, only one network interface is selected to forward
packets. When a network fault or traffic exception is detected, another network interface is
used.
Figure 2-11 Networking for configuring MAC address-triggered ARP entry update when a
VRRP active/backup switchover is performed
SwitchA(VRRP Master) SwitchB(VRRP Backup)
Port2 Port2
Port1 Port1
Port1 Port2
Server

l SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry on Port2, and SwitchB learns the
server MAC address on Port1.
l When the server detects that Port2 is faulty, the server uses Port1 to forward service
packets. SwitchA then learns the server MAC address on Port1. If the server does not
send an ARP Request packet to SwitchA, SwitchA still maintains the ARP entry on
Port2. In this case, packets sent from SwitchA to the server are still forwarded through
Port2 until the ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update. This function
enables the device to update the corresponding ARP entry when the outbound interface in a
MAC address entry changes.
In data center virtualization scenarios, when the location of a virtual machine (VM) changes,
user traffic on the network may be interrupted if the VM cannot send gratuitous ARP
messages promptly to update ARP entries on the gateway. In this case, the device relearns
ARP entries by exchanging ARP messages only after ARP entries on the gateway age.
When the VM location is changed after MAC-ARP association is enabled and a gateway's
MAC entries are updated upon receipt of Layer 2 user traffic, ARP entries and outbound
interface information are updated as follows to accelerate Layer 3 traffic convergence:
l If ARP entries exist and the outbound interface of MAC entries is inconsistent with that
of ARP entries, ARP entries are updated based on MAC entries, and outbound interface
information is updated.
l If ARP entries do not exist, a broadcast suppression table is searched based on MAC
entries and ARP probe is re-initiated to update ARP entries and outbound interface
information.
Procedure
Step 1 Run:
system-view

Step 2 Run:
mac-address update arp enable
MAC address-triggered ARP entry update is enabled.

By default, the MAC address-triggered ARP entry update function is enabled.
NOTE
l This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
l The mac-address update arp enable command does not take effect after ARP entry fixing is
enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
command.
l After the mac-address update arp enable command is run, the switch updates an ARP entry only
when the outbound interface in the corresponding MAC address entry changes.
l By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs
for more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address
flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
Step 3 Run:
commit

----End

Run the display current-configuration command to check whether the MAC address-
triggered ARP entry update function is enabled. If there are configurations of the undo mac-
address update arp enable command, MAC address-triggered ARP entry update is not
configured. If there is no configuration of the undo mac-address update arp enable
command, MAC address-triggered ARP entry update is configured.
2.14 Enabling Port Bridge
Context
The port bridge function enables an interface to forward packets in which the source and
destination MAC addresses are the same.
By default, an interface does not forward packets whose source and destination MAC
addresses are both learned by this interface. When the interface receives such a packet, it
discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
The device is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to transmit
data to each other. If data between virtual machines is transmitted on the server, the data
transmission rate and server performance may be affected. To improve the data transmission
rate and server performance, enable the port bridge function on the interfaces connected to the
servers so that the device forwards data packets between the virtual machines.
Procedure
Step 1 Run:
system-view

Step 2 Run:

Step 3 Run:
port bridge enable
The port bridge function is enabled.

By default, the port bridge function is disabled on an interface.
Step 4 Run:

commit
----End

Run the display current-configuration command to check whether the port bridge function
is enabled.
2.15 Maintaining the MAC Address Table
2.15.1 Displaying MAC Address Entries
Table 2-8 Commands used to display MAC address entries

Action Command
Display all MAC address entries. display mac-address
Display static MAC address entries. display mac-address static
Display MAC address entries learned in a display mac-address dynamic vlan vlan-id
VLAN.
Display MAC address entries learned on an display mac-address dynamic interface

interface. interface-type interface-number
Display a specified MAC address. display mac-address mac-address
Display the aging time of dynamic MAC display mac-address aging-time

address entries.
Display statistics on MAC address entries. l Display the total statistics: display mac-
address total-number
l Display the statistics of various types of
MAC address entries: display mac-
address summary
Display the system MAC address. display system mac-address
Display the bridge MAC address. display bridge mac-address
Display the MAC address of an interface. display interface interface-type interface-

number
Hardware address indicates the MAC
address of the interface.
Display the MAC address of a VLANIF display interface vlanif vlan-id

interface. Hardware address indicates the MAC
address of the VLANIF interface.

2.15.2 Deleting MAC Address Entries

Table 2-9 Commands used to delete MAC address entries
Action Command
Delete dynamically learned MAC address reset mac-address

entries.
Delete all static and blackhole MAC address undo mac-address all
entries.
Delete static and blackhole MAC address undo mac-address vlan vlan-id
entries in a VLAN.
Delete static and blackhole MAC address undo mac-address interface-type interface-
entries on an interface. number
2.15.3 Clearing MAC Address Flapping Records
Context
NOTICE
Cleared MAC address flapping records cannot be restored.
Procedure
l Run the reset mac-address flapping record [ all ] command in the user view to clear
MAC address flapping records.
----End
2.15.4 Enabling the Trap Function for MAC Address Change

Context
To learn MAC address change in a timely manner, enable the trap function for MAC address
learning or aging.
Procedure
Step 1 Run:
system-view

mac-address notification interval interval-time

The interval at which the device checks MAC address learning or aging is set.
By default, the device checks MAC address learning or aging at intervals of 10s.
Step 3 Run:

Step 4 Run:
mac-address notification { aging | learning | all }
The trap function for MAC address learning or aging is enabled.

By default, the trap function for MAC address learning or aging is disabled.
----End
2.16 Configuration Examples

This section only provides configuration examples for single features. For details about multi-
feature configuration cases, feature-specific configuration cases, interconnection cases,
protocol or hardware replacement cases, and industry application cases, see the Typical
Configuration Cases.
2.16.1 Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 2-12, the MAC address of the user host PC1 is 0002-0002-0002 and that
of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through
the LSW. The LSW is connected to 10GE1/0/1 of the Switch, which belongs to VLAN 2. The
MAC address of the server is 0004-0004-0004. The server is connected to 10GE1/0/2 of the
Switch. 10GE1/0/2 belongs to VLAN 2.
l To prevent hackers from using MAC addresses to attack the network, configure two
static MAC address entries for each user host on the Switch.
l To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Switch for the server.
NOTE
This example applies to the scenario where there are few users. When there are many users, perform
dynamic binding according to Example for Configuring Port Security.

Figure 2-12 Configuring the MAC address table
Network Server
MAC address: 4-4-4
Switch
10GE1/0/2
10GE1/0/1
LSW
PC1 PC2
MAC address: 2-2-2 MAC address: 3-3-3
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
Step 1 Configure static MAC address entries.
# Create VLAN 2 and add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.

<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch-vlan2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] commit
# Configure a static MAC address entry.

[~Switch] mac-address static 2-2-2 10GE 1/0/1 vlan 2
[*Switch] mac-address static 3-3-3 10GE 1/0/1 vlan 2
[*Switch] mac-address static 4-4-4 10GE 1/0/2 vlan 2
[*Switch] commit

Step 2 Set the aging time of a dynamic MAC address entry.

[~Switch] mac-address aging-time 500
[*Switch] commit
Step 3 Verify the configuration.

# Run the display mac-address static command in any view to check whether the static
MAC address entries are successfully added to the MAC address table.
[~Switch] display mac-address static vlan 2
Flags: * - Backup
# - forwarding logical interface, operations cannot be performed based
on the interface.
BD : bridge-domain Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/- 10GE1/0/1 static
0003-0003-0003 2/-/- 10GE1/0/1 static
0004-0004-0004 2/-/- 10GE1/0/2 static
-------------------------------------------------------------------------------
Total items: 3
# Run the display mac-address aging-time command in any view to check whether the aging
time of dynamic entries is set successfully.
[~Switch] display mac-address aging-time
Aging time: 500 second(s)
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
#
mac-address static 0002-0002-0002 10GE1/0/1 vlan 2
#
return
2.16.2 Example for Configuring MAC Address Learning in a

VLAN
As shown in Figure 2-13, user network 1 is connected to Switch on the 10GE1/0/1 through an
LSW. User network 2 is connected to Switch on the 10GE1/0/2 through another LSW. Both

10GE1/0/1 and 10GE1/0/2 belong to VLAN 2. To prevent MAC address attacks and limit the
number of access users on the device, limit MAC address learning on all the interfaces in
VLAN 2.
Figure 2-13 Networking diagram for MAC address limiting in a VLAN
Network
Switch
10GE1/0/1 10GE1/0/2
LSW LSW
User User
VLAN 2
network 1 network 2
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address
attacks and limit the number of access users.
Procedure
Step 1 Limit MAC address learning.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch] commit
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
device and sends an alarm.

[~Switch] vlan 2
[~Switch-vlan2] mac-address limit maximum 100 alarm enable
[*Switch] commit

# Run the display mac-address limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[~Switch] display mac-address limit
MAC Address Limit is enabled
Total MAC Address limit rule count : 1
Port VLAN/VSI/SI Slot Maximum Action Alarm

-------------------------------------------------------------------
-- 2 -- 100 forward enable
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-address limit maximum 100
#
interface 10GE1/0/1
#
interface 10GE1/0/2
#
return
2.16.3 Example for Configuring MAC Address Anti-flapping

Employees of an enterprise need to access the enterprise server. If an attacker uses the server
MAC address as the source MAC address to send packets to another interface, the server
MAC address is learned on the interface. Packets sent to the server are sent to unauthorized
users. In this case, employees cannot access the server, and important data will be intercepted
by the attacker.
As shown in Figure 2-14, MAC address anti-flapping can be configured to protect the server
from attacks.

Figure 2-14 Networking diagram of MAC address anti-flapping

Server
MAC:11-22-33
10GE1/0/1 VLAN 10
Switch
10GE1/0/2 PC4
MAC:11-22-33
LSW
PC1 PC2 PC3

VLAN10
2. Configure MAC address anti-flapping on the server-side interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 10.
[*HUAWEI] commit
[~Switch] vlan 10
[*Switch-10GE1/0/1] port default vlan 10
[*Switch-10GE1/0/1] commit
Step 2 # Set the MAC address learning priority of 10GE1/0/1 to 2.

[~Switch-10GE1/0/1] mac-address learning priority 2
[*Switch-10GE1/0/1] commit
[~Switch-10GE1/0/1] quit

# Run the display current-configuration command in any view to check whether the MAC
address learning priority of the interface is set correctly.
[~Switch] display current-configuration interface 10ge 1/0/1
#

interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
return
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
interface 10GE1/0/2
#
return
2.16.4 Example for Configuring MAC Address Flapping Detection
As shown in Figure 2-15, a loop occurs on a user network because network cables between
two LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table
flapping.
You can enable MAC address flapping detection on the Switch to detect MAC address
flapping and discover loops.
Figure 2-15 Networking diagram of MAC address flapping detection
Network
Switch
10GE1/0/1 10GE1/0/2
LSW1 LSW2
Incorrect
connection

1. Enable MAC address flapping detection.

2. Set the aging time of flapping MAC addresses.
3. Configure the action performed on the interface when MAC address flapping is detected
on the interface to prevent loops.
Procedure
Step 1 Enable MAC address flapping detection.
[*HUAWEI] commit
[~Switch] mac-address flapping detection
[*Switch] commit
Step 2 Set the aging time of flapping MAC addresses.

[~Switch] mac-address flapping aging-time 500
[*Switch] commit
Step 3 Shut down 10GE1/0/1 and 10GE1/0/2 when MAC address flapping is detected.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] mac-address flapping trigger error-down
[*Switch-10GE1/0/2] mac-address flapping trigger error-down
[*Switch] commit
Step 4 Configure automatic recovery and set the automatic recovery time for the shutdown interface.
[~Switch] error-down auto-recovery cause mac-address-flapping interval 500
[*Switch] commit
After the configuration is complete, when the MAC address on 10GE1/0/1 flaps to
10GE1/0/2, 10GE1/0/2 is shut down. Run the display mac-address flapping command to
view the flapping records.
[~Switch] display mac-address flapping
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection : Enable
Aging time(s) : 500
Quit-VLAN Recover time(m) : --
Exclude VLAN-list : --
Security level : Middle
-------------------------------------------------------------------------------
S : start time E : end time (D) : error down
-------------------------------------------------------------------------------
Time VLAN MAC-Address Original-Port Move-Ports MoveNum
/BD
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 1 0000-0000-0007 10GE1/0/1 10GE1/0/2(D) 83
E:2011-12-11 11:33:13 /-
-------------------------------------------------------------------------------
Total items on slot 1: 1
----End

Configuration Files
#
sysname Switch
#
mac-address flapping aging-time 500
#
error-down auto-recovery cause mac-address-flapping interval 500
#
interface 10GE1/0/1
#
interface 10GE1/0/2
#
return
2.17 Common Configuration Errors
2.17.1 Correct MAC Address Entry Cannot Be Learned on the

Device
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.
Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/- 10GE1/0/1 dynamic
-------------------------------------------------------------------------------
Total items: 1
If not, re-configure the binding relationships between the MAC address, VLAN, and
interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
l Remove the loop from the network.
If no loop exists, go to step 3.
Step 3 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[~HUAWEI-10GE1/0/1] display this
#

interface 10GE1/0/1
#
return
[~HUAWEI-vlan10] display this
#
vlan 10
#
return
If the command output contains mac-address learning disable, MAC address learning is
disabled on the interface or VLAN.
l If MAC address learning is disabled, run the undo mac-address learning disable
[ action { discard | forward } ] command in the interface view or undo mac-address
learning disable in the VLAN view to enable MAC address learning.
l If MAC address learning is enabled on the interface or vlan, go to step 4.
Step 4 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface
discards packets.
l Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole
MAC address entry is configured.
[~HUAWEI] display mac-address blackhole
------------------------------------------------------------------------------
-
MAC Address VLAN/VSI Learned-From Type
------------------------------------------------------------------------------
-
0001-0001-0001 3333/- - blackhole
------------------------------------------------------------------------------
-
Total items: 1
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole
command to delete it.
l MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the
command output contains mac-address limit maximum, the number of learned
MAC addresses is limited. Run either of the following commands:
n Run the undo mac-address limit command in the interface view or VLAN
view to cancel MAC address limiting.
n Run the mac-address limit command in the interface view or VLAN view to
increase the maximum number of learned MAC address entries.
– Run the display this command in the interface view. If the command output
contains port-security maximum or port-security enable, the number of secure
dynamic MAC addresses is limited on the interface. Run either of the following
commands:
NOTE
By default, the limit on the number of secure dynamic MAC addresses is 1 after port
security is enabled.
n Run the undo port-security enable command in the interface view to disable
port security.

n Run the port-security maximum command in the interface view to increase

the maximum number of secure dynamic MAC address entries on the
interface.
If the fault persists, go to step 5.
Step 5 Check whether the number of learned MAC address entries has reached the maximum value
supported by the switch.
Run the display mac-address summary command to check the number of MAC address
entries in the MAC address table.
l If the number of learned MAC address entries has reached the maximum value supported
by the switch, no MAC address entry can be created. Run the display mac-address
command to view all MAC address entries.
– If the number of MAC address entries learned on an interface is much larger than
the number of devices on the network connected to the interface, a user on the
network may maliciously update the MAC address table. Check the device
connected to the interface:
n If the interface is connected to a device, run the display mac-address
command on the device to view its MAC address table. Locate the interface
connected to the malicious user host based on the displayed MAC address
entries. If the interface that you find is connected to another device, repeat this
step until you find the user of the malicious user.
n If the interface is connected to a computer, perform either of the following
operations after obtaining permission from the administrator:
○ Disconnect the computer. When the attack stops, connect the computer to
the network again.
○ Run the port-security enable command on the interface to enable port
security or run the mac-address limit command to set the maximum
number of MAC addresses that the interface can learn to 1.
n If the interface is connected to a hub, perform either of the following
operations:
○ Configure port mirroring or other tools to observe packets received by the
interface. Analyze the packet types to locate the attacking computer.
Disconnect the computer after obtaining permission from the
administrator. When the attack stops, connect the computer to the hub
again.
○ Disconnect computers connected to the hub one by one after obtaining
permission from the administrator. If the fault is rectified after a computer
is disconnected, the computer is the attacker. After it stops the attack,
connect it to the hub again.
– If the number of MAC addresses on the interface is equal to or smaller than the
number of devices connected to the interface, the number of devices connected to
the switch has exceeded the maximum supported by the switch. Adjust network
deployment.
----End
2.18 Reference
This section describes references of MAC address table.

The following table lists the references of this document.
Document Description Remarks
IEEE 802.1D Standard for Information technology-- -

Telecommunications and information
exchange between systems--IEEE
standard for local and metropolitan area
networks--Common specifications--
Media access control (MAC) Bridges
IEEE 802.1Q IEEE standard for Local and -

Metropolitan Area Networks: Virtual
Bridged Local Area Networks


MAC Address Table Configuration

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

MAC Address Table Configuration

Transféré par

Droits d'auteur :

Formats disponibles

CloudEngine 8800&7800&6800&5800 Series Switches

Configuration Guide - Ethernet Switching 2 MAC Address Table Configuration

2 MAC Address Table Configuration

About This Chapter

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 22

2.14 Enabling Port Bridge

2.1 Introduction to the MAC Address

2.2.1 Definition and Classification of MAC Address Entries

Definition of a MAC Address Table

Classification of MAC Address Entries

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 23

Table 2-1 Characteristics and functions of different MAC address entries

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 24

MAC Address Entry Characteristics Function

Blackhole MAC address l Blackhole MAC address Blackhole MAC address

2.2.2 Elements and Functions of a MAC Address Table

Table 2-2 MAC address entries

0011-0022-0035 huawei GE2/0/5

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 25

Figure 2-1 Forwarding based on the MAC address table

PC1 Switch Port2

2.2.3 MAC Address Entry Learning and Aging

MAC Address Entry Learning

Figure 2-2 MAC address entry learning

HostA Data frame SwitchA

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 26

MAC Address Entry Aging

Figure 2-3 MAC address entry aging

2.2.4 MAC Address Learning Control

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 27

l Disabling MAC address learning on a VLAN or an interface

Table 2-3 MAC address learning control

MAC Address Principle Application Scenario

2.2.5 MAC Address Flapping

What Is MAC Address Flapping

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 28

Figure 2-4 MAC address flapping

MAC Address VLAN ID Port

How to Detect MAC Address Flapping

Figure 2-5 Networking of MAC address flapping detection

As shown in Figure 2-5, a network cable is correctly connected between SwitchC to

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 29

How to Prevent MAC Address Flapping

Figure 2-6 Networking of MAC address flapping prevention

2.2.6 MAC Address-Triggered ARP Entry Update

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 30

Figure 2-7 MAC address-triggered ARP entry update is not enabled

T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

Figure 2-8 MAC address-triggered ARP entry update is enabled

T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 31

2.3 Application Environment

MAC Address Anti-flapping

Figure 2-9 Networking diagram of MAC address anti-flapping

MAC Address Flapping Detection

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 32

Figure 2-10 Networking diagram of MAC address flapping detection

2.4 Configuration Task Summary

Attack packets from Configure blackhole MAC address 2.7.2 Configuring a

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 33

Scenario Description Task

MAC address Attacks initiated by unauthorized users 2.7.4 Disabling MAC

MAC address MAC address flapping occurs on a 2.8 Configuring MAC

Issue 06 (2017-07-10) Huawei Proprietary and Confidential 34