AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

MAC Address Table Configuration Commands

NOTE:

The AR502G-L-D-H and AR502GR-L-D-H do not support the MAC address table.

The AR510 series does not support the MAC address table.

display loop-detect eth-loop

Function

The display loop-detect eth-loop command displays the result of MAC address flapping detection.

NOTE:

The AR500 and AR510 do not support the configuration.

Format

display loop-detect eth-loop [ vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays the result of MAC address flapping detection in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After configuring MAC address flapping detection, you can use the display loop-detect eth-loop command to verify the configuration.

The display loop-detect eth-loop command displays the blocked interfaces, blocked MAC addresses, and VLANs that the blocked interfaces and MAC addresses belong to.

Precautions

If vlan vlan-id is not specified, the result of MAC address flapping detection in all VLANs is displayed.

Example

# Display the result of MAC address flapping detection in all VLANs.

 <Huawei> display loop-detect eth-loop
VLAN            Block-time      RetryTimes      Block-action    
--------------- --------------- --------------- --------------- 
100             0               0               alarm-only      

Total items:1

Blocked ports:

Total items:0

PortName                 Vlan      Status          Expire(s)       Leave times     
------------------------ --------  -------------   -------------   -------------   

Blocked Mac Address:

Total items:0

Mac Address              Vlan      Status          Expire(s)       Leave times     
------------------------ --------  -------------   -------------   -------------  
Table 5-1  Description of the display loop-detect eth-loop command output

| Item | Description |
| --- | --- |
| VLAN | ID of a VLAN where MAC address flapping detection is configured. |
| Block-time | Blocking time of an interface or a MAC address. |
| RetryTimes | Number of detection attempts before an interface or a MAC address is permanently blocked. |
| Total items | Total number of VLANs where MAC address flapping detection is configured. |
| Block-action | Action performed when MAC address flapping occurs. alarm-only: only sends a trap; block-mac: blocks the flapping MAC address; block-port: blocks the interface where MAC address flapping occurs. |
| Blocked ports | Interfaces that are blocked. |
| PortName | Name of a blocked interface. |
| Total items | Number of blocked interfaces. |
| Blocked Mac Address | MAC addresses that are blocked. |
| Mac Address | Blocked MAC address. |
| Total items | Number of blocked MAC addresses. |
| Status | Status of a blocked interface or MAC address. |
| Expire(s) | Time remaining before a blocked interface or MAC address is unblocked, in seconds. |
| Leave times | Number of MAC address flapping events allowed after an interface or a MAC address is unblocked. When this number is exceeded, the interface or MAC address will be permanently blocked. |

display bridge mac-address

Function

The display bridge mac-address command displays the bridge MAC address of a device.

Format

display bridge mac-address

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you need to view the bridge MAC address of a device, run the display bridge mac-address command.

Example

# Display the bridge MAC address of a device.

<Huawei> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00
Table 5-2  Description of the display bridge mac-address command output

| Item | Description |
| --- | --- |
| System bridge MAC address | Indicates the bridge MAC address of a device. |

display mac-address

Function

The display mac-address command displays the MAC address table of the industrial switch router. A MAC address entry contains the destination MAC address, VLAN ID, outbound interface, and entry type.

Format

display mac-address mac-address [ vlan vlan-id | verbose ]

display mac-address [ vlan vlan-id | interface-type interface-number ] *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the destination MAC address in an entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter fewer than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Displays MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays the MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface; interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the industrial switch router stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The display mac-address command displays all MAC address entries, such as dynamic MAC address entries, static MAC address entries, and blackhole MAC address entries. A MAC address entry contains the destination MAC address, VLAN ID, outbound interface, and entry type.

Follow-up Procedure

If any MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address static command to add a correct one.

Precautions

If you run the display mac-address command without parameters, all MAC address entries are displayed.

When the industrial switch router has a large number of MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MAC address entries.

<Huawei> display mac-address
------------------------------------------------------------------------------- 
MAC Address       VLAN/Bridge             Learned-From               Type       
------------------------------------------------------------------------------- 
0000-0000-0033       100/-                Eth2/0/1                   dynamic    
0000-0000-0001       200/-                Eth2/0/2                   static    
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 2                                                       
 

# Display detailed information about all MAC address entries in VLAN 100.

<Huawei> display mac-address vlan 100
-------------------------------------------------------------------------------
MAC Address       VLAN/Bridge             Learned-From               Type      
-------------------------------------------------------------------------------
0000-0000-0033       100/-                Eth2/0/1                   dynamic    

-------------------------------------------------------------------------------
Total items displayed = 1 
 
Table 5-3  Description of the display mac-address command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a MAC address entry. |
| VLAN/Bridge | VLAN: VLAN associated with the interface; Bridge: bridge that the interface belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. static: indicates a static MAC address entry, which is manually configured and will not be aged out; blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out; dynamic: indicates a MAC address entry learned by the industrial switch router, which will be aged out when the aging time expires; security: indicates a MAC address entry that an interface learns after port security is enabled; sticky: indicates a MAC address entry that an interface learns after the sticky MAC function is enabled. |
| Total items displayed | Specifies the total number of MAC address entries that can be displayed. |

display mac-address aging-time

Function

The display mac-address aging-time command displays the aging time of dynamic MAC address entries in the MAC address table.

Format

display mac-address aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays the aging time of dynamic MAC address entries on the industrial switch router. You can check whether the aging time is suitable for network requirements and device performance.

Follow-up Procedure

If the aging time is unsuitable for requirements or device performance, run the mac-address aging-time command to set the aging time properly.

Precautions

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

If the aging time of MAC address entries in a VSI is set, the aging time configured in the VSI takes effect.

If the aging time of MAC address entries in a VSI is not set, the global aging time of MAC address entries takes effect.

Example

# Display the aging time of dynamic MAC address entries.

<Huawei> display mac-address aging-time
  Aging time: 300 second(s)
Table 5-4  Description of the display mac-address aging-time command output

| Item | Description |
| --- | --- |
| Aging time | Aging time of dynamic MAC address entries, in seconds. To set the aging time, run the mac-address aging-time command. |

display mac-address blackhole

Function

The display mac-address blackhole command displays blackhole MAC address entries.

Format

display mac-address blackhole [ vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays blackhole MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the industrial switch router stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Static MAC entries that are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the industrial switch router and will be aged out when the aging time expires.

To check whether blackhole MAC address entries are configured correctly, run this command. These entries ensure communication between authorized users.

Follow-up Procedure

If any blackhole MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address blackhole command to add a correct one.

Precautions

If you run the display mac-address blackhole command without parameters, all blackhole MAC address entries are displayed.

If the MAC address table does not contain any blackhole MAC address, no information is displayed.

Example

# Display all blackhole MAC address entries.

<Huawei> display mac-address blackhole
------------------------------------------------------------------------------- 
MAC Address          VLAN/Bridge                  Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-                        -                  blackhole 
0000-0000-0001       101/-                        -                  blackhole 


-------------------------------------------------------------------------------
Total items displayed = 2
Table 5-5  Description of the display mac-address blackhole command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a blackhole MAC address entry. |
| VLAN/Bridge | ID of the VLAN or Bridge that a MAC address belongs to. |
| Learned-From | When the type of a MAC address entry is blackhole, "-" is displayed. |
| Type | Type of a MAC address entry. |

display mac-address dynamic

Function

The display mac-address dynamic command displays dynamic MAC address entries.

Format

display mac-address dynamic [ vlan vlan-id | interface-type interface-number | verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays dynamic MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface; interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about dynamic MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table needs to be updated constantly because the network topology always changes. You can use this command to view learned MAC addresses in real time.

Follow-up Procedure

If the displayed dynamic MAC address entries are invalid, run the undo mac-address command to delete dynamic MAC address entries.

Precautions

If you run the display mac-address dynamic command without parameters, all dynamic MAC address entries are displayed.

If the MAC address table does not contain any dynamic MAC address entry, no information is displayed.

When the industrial switch router has a large number of dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all dynamic MAC address entries.

<Huawei> display mac-address dynamic
------------------------------------------------------------------------------- 
MAC Address          VLAN/Bridge                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-                       Eth2/0/1             dynamic 
0000-0000-0001       -/HUAWEI                    Eth2/0/1             dynamic 
-------------------------------------------------------------------------------
Total items displayed = 2 
Table 5-6  Description of the display mac-address dynamic command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a dynamic MAC address entry. |
| VLAN/Bridge | ID of the VLAN that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. |

display mac-address security

Function

The display mac-address security command displays secure dynamic MAC address entries.

Format

display mac-address security [ vlan vlan-id | interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays secure dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays secure dynamic MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface; interface-number specifies the number of the outbound interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the device restarts.

After configuring the port security function, you can run the display mac-address security command to check whether the learned secure dynamic MAC address entries are correct.

Follow-up Procedure

If the displayed secure dynamic MAC address entries are invalid, run the undo mac-address command to delete secure dynamic MUX MAC address entries.

Precautions

If you run the display mac-address security command without parameters, all secure dynamic MAC address entries are displayed.

If the MAC address table does not contain any secure dynamic MAC address entry, no information is displayed.

When the device has a large number of secure dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all secure dynamic MAC address entries.

<Huawei> display mac-address security
------------------------------------------------------------------------------- 
MAC Address          VLAN/Bridge                 Learned-From          Type       
-------------------------------------------------------------------------------
0022-0022-0033          100/-                    Eth2/0/1             security 
0000-0000-0001          200/-                    Eth2/0/2             security 

-------------------------------------------------------------------------------
Total items displayed = 2 
Table 5-7  Description of the display mac-address security command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a secure dynamic MAC address entry. |
| VLAN/Bridge | ID of the VLAN that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. |

display mac-address static

Function

The display mac-address static command displays static MAC address entries.

Format

display mac-address static [ vlan vlan-id | interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays static MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays the static MAC address entries on a specified interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the industrial switch router stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Static MAC entries that are manually configured and will not be aged out.
  • Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the industrial switch router and will be aged out when the aging time expires.

To improve network security, configure static MAC address entries to ensure that packets destined for specified MAC addresses are forwarded by the specified interfaces. This prevents attack packets with bogus MAC addresses and guarantees communication between the industrial switch router and the upstream device or server. After configuring static MAC address entries, you can run the display mac-address static command to verify the configuration.

Follow-up Procedure

If any static MAC address entry is incorrect, run the undo mac-address command to delete it.

Precautions

If you run the display mac-address static command without parameters, all static MAC address entries are displayed.

If the MAC address table does not contain any static MAC address entry, no information is displayed.

Example

# Display all static MAC address entries.

<Huawei> display mac-address static
------------------------------------------------------------------------------- 
MAC Address          VLAN/Bridge                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-                       Eth2/0/0             static 
0000-0000-0001       101/-                       Eth2/0/2             static 

-------------------------------------------------------------------------------
Total items displayed = 2 
Table 5-8  Description of the display mac-address static command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a static MAC address entry. |
| VLAN/Bridge | ID of the VLAN that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. |
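
An added example, not part of the Huawei reference: Python that parses display mac-address output in the format shown in the examples above and checks that addresses meant to be pinned with static entries appear as static on the expected interface, as the static-entry usage scenario recommends. The sample output, the pinned inventory and all function names are constructed for illustration; normalize_mac follows the H-H-H rules given for the mac-address parameter and additionally accepts colon and dot notation.

```python
import re

# One data row of the table: H-H-H MAC, VLAN/Bridge, Learned-From, Type.
_ROW = re.compile(
    r"^([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(\S+)/(\S+)\s+(\S+)\s+(\S+)$"
)


def normalize_mac(text):
    """Return a unicast MAC in lower-case H-H-H form, or raise ValueError.

    Short H-H-H groups are zero-prefixed (e0-fc01-1 -> 00e0-fc01-0001);
    colon, dot and six-group dash notations are accepted as a convenience.
    """
    text = text.strip().lower()
    groups = text.split("-")
    if len(groups) == 3 and all(1 <= len(g) <= 4 for g in groups):
        digits = "".join(g.zfill(4) for g in groups)
    else:
        digits = re.sub(r"[:.\-]", "", text)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    if digits in ("0" * 12, "f" * 12):
        raise ValueError("all-0 and broadcast addresses are rejected")
    if int(digits[:2], 16) & 1:  # group bit set in the first octet
        raise ValueError("multicast addresses are rejected")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(output):
    """Parse display mac-address output into a list of entry dicts."""
    entries = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:  # separators, header and the total line do not match
            mac, vlan, bridge, port, kind = m.groups()
            entries.append({"mac": mac.lower(), "vlan": vlan,
                            "bridge": bridge, "port": port, "type": kind})
    return entries


def audit_pinned(entries, pinned):
    """Compare the table with {(mac, vlan): interface} expected as static.

    Returns (mac, vlan, message) tuples for every deviation.
    """
    by_key = {}
    for e in entries:
        by_key.setdefault((e["mac"], e["vlan"]), []).append(e)
    findings = []
    for (mac, vlan), port in pinned.items():
        key = (normalize_mac(mac), str(vlan))
        rows = by_key.get(key, [])
        if not rows:
            findings.append(key + ("no entry in the table",))
        for e in rows:
            if e["type"] != "static":
                findings.append(key + (
                    f"learned as {e['type']} on {e['port']}, "
                    f"expected static on {port}",))
            elif e["port"] != port:
                findings.append(key + (
                    f"static on {e['port']}, expected {port}",))
    return findings


# Constructed sample output in the layout of the examples on this page.
SAMPLE = """\
-------------------------------------------------------------------------------
MAC Address       VLAN/Bridge             Learned-From               Type
-------------------------------------------------------------------------------
0000-0000-0033       100/-                Eth2/0/1                   dynamic
0000-0000-0001       200/-                Eth2/0/2                   static
00e0-fc01-0002       100/-                Eth2/0/3                   static
-------------------------------------------------------------------------------
Total items displayed = 3
"""

# Constructed inventory of addresses that should be pinned (hypothetical).
PINNED = {
    ("00:00:00:00:00:01", 200): "Eth2/0/2",
    ("0-0-33", 100): "Eth2/0/1",
    ("00e0-fc01-0002", 100): "Eth2/0/4",
    ("00e0-fc01-0009", 100): "Eth2/0/1",
}

if __name__ == "__main__":
    for mac, vlan, message in audit_pinned(parse_mac_table(SAMPLE), PINNED):
        print(f"{mac} vlan {vlan}: {message}")
```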

display mac-address sticky

Function

The display mac-address sticky command displays sticky VLAN MAC address entries.

Format

display mac-address sticky [ vlan vlan-id | interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays sticky MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays sticky MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface; interface-number specifies the number of the outbound interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the industrial switch router stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the industrial switch router restarts. If the sticky MAC function is also enabled on the interface by using the port-security mac-address sticky command, secure dynamic MAC address entries change to sticky MAC address entries. Sticky MAC address entries are not deleted after the industrial switch router restarts.

To check the sticky MAC configuration or the learned sticky MAC address entries, run the display mac-address sticky command.

Follow-up Procedure

If the displayed sticky MAC address entries are invalid, run the undo mac-address command to delete sticky MAC address entries.

Precautions

If you run the display mac-address sticky command without parameters, all sticky MAC address entries are displayed.

If the MAC address table does not contain any sticky MAC address, no information is displayed.

When the industrial switch router has a large number of sticky MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all sticky MAC address entries.

<Huawei> display mac-address sticky
------------------------------------------------------------------------------- 
MAC Address          VLAN/Bridge                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033          100/-                    Eth2/0/1             sticky 
0000-0000-0001          200/-                    Eth2/0/2             sticky 

-------------------------------------------------------------------------------
Total items displayed = 2 
Table 5-9  Description of the display mac-address sticky command output

| Item | Description |
| --- | --- |
| MAC Address | MAC address in a sticky MAC address entry. |
| VLAN/Bridge | ID of the VLAN that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. |

display mac-address summary

Function

The display mac-address summary command displays statistics on MAC address entries.

Format

display mac-address summary

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the device stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the industrial switch router has many MAC address entries of different types, you can use the display mac-address summary command to view the summary of MAC address entries in the system. In the command output, Local and Remote identify the MAC address entries learned by the local board and MAC address entries synchronized from other boards.

Example

# View statistics on all MAC address entries in the system.

<Huawei> display mac-address summary
Mac Item of Lan Switch
---------------------------------------------------------------------
Slot Total Blackhole Static DynLoc DynRmt Secure Sticky Block Authen
---------------------------------------------------------------------
0        1         1      0      0      0      0      0     0      0
---------------------------------------------------------------------
sum:     1         1      0      0      0      0      0     0      0

Mac Item of Transparent Bridge
---------------------------------
Total  Blackhole  Static  Dynamic
---------------------------------
1              0       1        0
Table 5-10  Description of the display mac-address summary command output

| Item | Description |
| --- | --- |
| Mac Item of Lan Switch | Statistics about MAC address entries at the LAN side. |
| Mac Item of Transparent Bridge | Statistics about MAC address entries on the transparent bridge. |
| Slot | Slot ID of a board. |
| Total | Total number of MAC address entries. |
| Blackhole | Number of blackhole MAC address entries. |
| Static | Number of static MAC address entries. |
| Dynamic | Number of dynamic MAC address entries. |
| DynLoc | Number of MAC address entries learned by the local board. |
| DynRmt | Number of MAC address entries synchronized from other boards. |
| Secure | Number of secure dynamic MAC address entries. |
| Sticky | Number of sticky MAC address entries. |
| Block | Number of blocked MAC addresses. |
| Authen | Number of MAC addresses that have been authenticated. |
| sum | Total number of MAC address entries on all boards. |

display mac-address total-number

Function

The display mac-address total-number command displays the number of MAC address entries of a specified type.

Format

display mac-address total-number [ slot slot-id ]

display mac-address total-number [ vlan vlan-id | interface-type interface-number ]

display mac-address total-number blackhole

display mac-address total-number dynamic [ vlan vlan-id | interface-type interface-number ]

display mac-address total-number static [ vlan vlan-id | interface-type interface-number ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Displays the number of MAC address entries on a specified board. | The value is an integer and must be the slot ID of a running board. |
| dynamic | Displays the number of dynamic MAC address entries. | - |
| blackhole | Displays the number of blackhole MAC address entries. | - |
| static | Displays the number of static MAC address entries. | - |
| vlan vlan-id | Displays the number of MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays the number of MAC address entries learned by a specified interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the industrial switch router stores MAC addresses of other devices. When forwarding an Ethernet frame, the industrial switch router searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the industrial switch router has many MAC address entries of different types, you can use the display mac-address total-number command to view statistics on MAC address entries of a specified type.

Precautions

If no parameter is specified, the total number of MAC address entries in the system is displayed.

If interface-type interface-number is not specified, the total number of MAC addresses learned by all interfaces is displayed.

If vlan vlan-id is not specified, the total number of MAC addresses in all VLANs is displayed.

Example

# Display the number of dynamic MAC address entries.

<Huawei> display mac-address total-number dynamic
Info: total number of mac-address is : 20 
Table 5-11  Description of the display mac-address total-number command output

| Item | Description |
| --- | --- |
| Info: total number of mac-address | Total number of MAC address entries in the system. |

display mac-limit

Function

The display mac-limit command displays the rules that limit the number of learned MAC addresses.

Format

display mac-limit [ interface-type interface-number | vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| interface-type interface-number | Displays the MAC address limiting rule on a specified interface. interface-type specifies the type of the interface; interface-number specifies the number of the interface. | - |
| vlan vlan-id | Displays the MAC address limiting rules in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check whether MAC address limiting rules are configured correctly, run the display mac-limit command. If a rule is incorrect, run the mac-limit command to modify the rule or run the undo mac-limit all command to delete it.

Precautions

If no parameter is specified, MAC address learning limit rules of all interfaces and VLANs are displayed.

The AR530 does not support the vlan parameter.

Example

# Display all the MAC address limiting rules.

<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT                     VLAN      Maximum      Action      Alarm
-----------------------------------------------------------------------
Eth2/0/2                 -         100          discard     enable

-----------------------------------------------------------------------

Table 5-12  Description of the display mac-limit command output

| Item | Description |
| --- | --- |
| PORT | Name of an interface. |
| VLAN | ID of a VLAN. |
| Maximum | Maximum number of MAC addresses that can be learned. To set the maximum number of MAC addresses, run the mac-limit command. |
| Action | Action performed on packets when the number of learned MAC addresses exceeds the maximum number. discard: discards packets with new source MAC addresses. forward: forwards packets with new source MAC addresses. |
| Alarm | Whether an alarm is generated when the number of learned MAC addresses exceeds the maximum. enable: indicates that an alarm is generated. disable: indicates that an alarm is not generated. |
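
An added example, not part of the Huawei reference: a Python audit that parses display mac-limit output in the layout shown above and flags rules whose Action or Alarm setting weakens the limit, using the meanings given in Table 5-12. The function names, the expected_ports argument and every sample row except Eth2/0/2 are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the display mac-limit example above.
# Only the Eth2/0/2 row is from the page; the other rows are made up, and
# showing a VLAN rule with "-" in the PORT column is an assumption.
SAMPLE_OUTPUT = """\
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT                     VLAN      Maximum      Action      Alarm
-----------------------------------------------------------------------
Eth2/0/2                 -         100          discard     enable
Eth2/0/3                 -         512          forward     enable
Eth2/0/4                 -         50           discard     disable
-                        10        200          discard     enable

-----------------------------------------------------------------------
"""

# A rule row has five whitespace-separated fields ending in the keywords that
# Table 5-12 documents. The prompt, header and separator lines never match.
ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<vlan>-|\d+)\s+(?P<maximum>\d+)\s+"
    r"(?P<action>discard|forward)\s+(?P<alarm>enable|disable)$"
)


def parse_mac_limit(text):
    """Return one dict per rule row found in display mac-limit output."""
    rules = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rule = match.groupdict()
            rule["maximum"] = int(rule["maximum"])
            rules.append(rule)
    return rules


def audit(rules, expected_ports=()):
    """Return (target, message) findings for rules that weaken the limit."""
    findings = []
    covered = {r["port"] for r in rules if r["port"] != "-"}
    for r in rules:
        target = r["port"] if r["port"] != "-" else "vlan " + r["vlan"]
        if r["maximum"] == 0:
            findings.append((target, "maximum 0: documented under mac-limit as not limited"))
        if r["action"] == "forward":
            findings.append((target, "action forward: packets with new source MACs "
                                     "are still forwarded past the limit"))
        if r["alarm"] == "disable":
            findings.append((target, "alarm disable: exceeding the limit generates no alarm"))
    # Ports the operator expects to be limited but that show no rule at all.
    for port in expected_ports:
        if port not in covered:
            findings.append((port, "no mac-limit rule displayed for this port"))
    return findings


if __name__ == "__main__":
    for target, message in audit(parse_mac_limit(SAMPLE_OUTPUT),
                                 expected_ports=["Eth2/0/2", "Eth2/0/5"]):
        print(f"{target}: {message}")
```

A port reported as having no rule may be covered by port security instead, since the page states that mac-limit and port-security enable cannot be used on the same interface.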

drop illegal-mac alarm

Function

The drop illegal-mac alarm command configures the industrial switch router to send a trap to the network management system (NMS) when receiving a packet with an all-0 MAC address.

By default, the industrial switch router does not send a trap to the NMS when receiving a packet with an all-0 MAC address.

Format

drop illegal-mac alarm

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. The drop illegal-mac alarm command configures the industrial switch router to send a trap to the NMS when receiving a packet with an all-0 MAC address. You can locate the faulty network adapter according to the trap message.

Precautions

If the alarm function is disabled on the industrial switch router, the NMS cannot receive any trap message.

After you run the drop illegal-mac alarm command, the industrial switch router sends a trap only once after receiving packets with an all-0 MAC address. To configure the industrial switch router to send traps continuously, run the drop illegal-mac alarm command repeatedly.

Example

# Configure the industrial switch router to send a trap to the NMS when receiving a packet with an all-0 MAC address.

<Huawei> system-view
[Huawei] drop illegal-mac alarm

loop-detect eth-loop

Function

The loop-detect eth-loop command enables MAC address flapping detection in a VLAN.

The undo loop-detect eth-loop command disables MAC address flapping detection in a VLAN.

By default, MAC address flapping detection is disabled in a VLAN.

NOTE:

This command is not supported on the 4GE-2S, 4ES2G-S, 4ES2GP-S, and 9ES2 cards.

The AR500 and AR510 do not support the command.

Format

loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }

undo loop-detect eth-loop

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| block-mac | Blocks traffic from the flapping MAC address. If this parameter is not specified, the system blocks the interface where MAC address flapping occurs. When block-mac is specified, the block-time and retry-times parameters refer to the blocking time and number of retries for the blocked MAC address. | - |
| block-time block-time | Specifies the period during which an interface or a MAC address is blocked. | The value is an integer that ranges from 10 to 65535, in seconds. |
| retry-times retry-times | Specifies the number of detection attempts before an interface or a MAC address is permanently blocked. | The value is an integer that ranges from 1 to 5. |
| alarm-only | Indicates that the system only sends a trap message to the NMS but does not block an interface when detecting MAC address flapping on the interface. | - |

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN. The MAC address entry learned later replaces the earlier one. The loop-detect eth-loop command is used to check whether MAC address flapping occurs in a VLAN. When MAC address flapping occurs, the industrial switch router performs the configured action.

You can use this command to enable MAC address flapping detection in the following scenarios:

  • Loops in a VLAN cause MAC address flapping.
  • Unauthorized users spoof the MAC addresses of valid network devices to attack the industrial switch router. This may cause MAC address flapping.

You can configure the industrial switch router to block the MAC address or interface, or only to send a trap, when MAC address flapping occurs. This function reduces the impact of MAC address flapping on the industrial switch router.

If the industrial switch router is configured to block the MAC address or interface, it performs the following action:

When detecting MAC address flapping in a VLAN, the industrial switch router blocks the interface or MAC address for block-time seconds, and then checks for MAC address flapping again. If no MAC address flapping occurs within 20 seconds, the industrial switch router unblocks the interface or MAC address and starts a new round of detection. If MAC address flapping is detected again within 20 seconds, the industrial switch router repeats the MAC address flapping detection process for a certain number of times (specified by retry-times). If the MAC address flapping persists, the interface or MAC address is permanently blocked.

Precautions

After you run the command in a VLAN view, MAC address flapping is prevented only on the interfaces in this VLAN.

After an interface is permanently blocked, it no longer forwards packets or learns MAC addresses. To unblock the interface, run the reset loop-detect eth-loop command.

If you run the loop-detect eth-loop command multiple times in the same VLAN view, only the latest configuration takes effect.

Example

# Enable MAC address flapping detection in VLAN 10 and configure the system to block the interface where MAC address flapping occurs. Set the interface blocking time to 10s and the number of detection attempts before the interface is permanently blocked to 3.

<Huawei> system-view
[Huawei] vlan 10
[Huawei-vlan10] loop-detect eth-loop block-time 10 retry-times 3
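
The blocking procedure described under Usage Scenario, modelled as an added Python example (not code from the device or from Huawei). It assumes that flapping seen while an interface or MAC address is blocked is ignored and that each re-detection inside the 20-second window counts as one retry; the class and function names are illustrative.

```python
PROBE_WINDOW = 20  # seconds the page gives for the re-check after a block ends


class FlapGuard:
    """Block / re-check / permanent-block cycle for one interface or MAC."""

    def __init__(self, block_time, retry_times):
        if not 10 <= block_time <= 65535:
            raise ValueError("block-time must be 10 to 65535 seconds")
        if not 1 <= retry_times <= 5:
            raise ValueError("retry-times must be 1 to 5")
        self.block_time = block_time
        self.retry_times = retry_times
        self.state = "forwarding"
        self.retries = 0
        self.deadline = None   # when the current block or re-check window ends
        self.timeline = []     # (time, new state) transitions

    def _enter(self, when, state, deadline=None):
        self.state, self.deadline = state, deadline
        self.timeline.append((when, state))

    def advance(self, now):
        """Expire timers that ran out at or before `now`."""
        if self.state == "blocked" and now >= self.deadline:
            self._enter(self.deadline, "probing", self.deadline + PROBE_WINDOW)
        if self.state == "probing" and now >= self.deadline:
            self.retries = 0   # quiet window: unblock and start a new round
            self._enter(self.deadline, "forwarding")

    def flap(self, now):
        """Record MAC address flapping observed at time `now`."""
        self.advance(now)
        if self.state == "forwarding":
            self._enter(now, "blocked", now + self.block_time)
        elif self.state == "probing":
            self.retries += 1  # assumption: each re-detection is one retry
            if self.retries >= self.retry_times:
                # Stays blocked until reset loop-detect eth-loop is run.
                self._enter(now, "permanent")
            else:
                self._enter(now, "blocked", now + self.block_time)
        # "blocked" or "permanent": assumed ignored, nothing changes


def simulate(flap_times, block_time, retry_times, end_time):
    """Feed flap timestamps (seconds) to the model; return (state, timeline)."""
    guard = FlapGuard(block_time, retry_times)
    for t in sorted(flap_times):
        if t > end_time:
            break
        guard.flap(t)
    guard.advance(end_time)
    return guard.state, guard.timeline


if __name__ == "__main__":
    # The page's example values (block-time 10, retry-times 3) against a
    # persistent loop that flaps every second, then a loop that clears quickly.
    print(simulate(range(0, 200), 10, 3, end_time=200))
    print(simulate([0, 5], 10, 3, end_time=100))
```

Under this model a persistent loop with the example values ends in a permanent block 30 seconds after the first detection, while a loop that clears during the first block returns to forwarding at 30 seconds.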

loop-detect eth-loop alarm-only

Function

The loop-detect eth-loop alarm-only command enables global MAC address flapping detection.

The undo loop-detect eth-loop alarm-only command disables global MAC address flapping detection.

By default, global MAC address flapping detection is enabled.

Format

loop-detect eth-loop alarm-only

undo loop-detect eth-loop alarm-only

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address flapping occurs when a loop occurs on a network or when unauthorized users send packets with bogus MAC addresses to attack the AR.

To prevent MAC address flapping, run the loop-detect eth-loop alarm-only command to enable global MAC address flapping detection. When the AR detects MAC address flapping, it sends a trap to the network management system (NMS). You can locate faults according to the trap messages.

Precautions

If the alarm function is disabled on the AR, the NMS cannot receive any trap message.

Example

# Disable global MAC address flapping detection on the AR.

<Huawei> system-view
[Huawei] undo loop-detect eth-loop alarm-only

mac-address

Function

The mac-address command adds a static MAC address entry or a blackhole MAC address entry.

The undo mac-address command deletes MAC address entries of a specified type.

Format

mac-address static mac-address interface-type interface-number vlan vlan-id

mac-address blackhole mac-address vlan vlan-id

undo mac-address blackhole { mac-address vlan vlan-id | vlan vlan-id }

undo mac-address [ interface-type interface-number | vlan vlan-id ] *

undo mac-address [ mac-address ] [ vlan vlan-id ]

undo mac-address { all | dynamic | static | security | sticky } [ interface-type interface-number | vlan vlan-id ] *

undo mac-address { interface-type interface-number | vlan vlan-id } *

NOTE:

The AR510 series does not support blackhole MAC address entries.

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| blackhole | Indicates blackhole MAC address entries. | - |
| static | Indicates static MAC address entries, that is, MAC address entries configured manually. | - |
| mac-address | Specifies the source or destination MAC address in a MAC address entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| interface-type interface-number | Specifies the outbound interface in a MAC address entry. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. | - |
| vlan vlan-id | Specifies the ID of the VLAN that the outbound interface belongs to. | The value is an integer that ranges from 1 to 4094. |
| all | Deletes all MAC address entries. | - |
| dynamic | Deletes dynamic MAC address entries, that is, the MAC address entries learned by an interface. | - |
| security | Deletes secure dynamic MAC address entries, that is, MAC addresses that an interface learns after port security is enabled. | - |
| sticky | Deletes sticky dynamic MAC address entries, that is, MAC addresses that an interface learns after the sticky MAC function is enabled. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address entries are classified into the following types:
  • Dynamic MAC address entries that are learned by an interface after MAC address learning is enabled.

  • Static MAC address entries that are manually configured. They take precedence over dynamic MAC address entries.

  • Blackhole MAC address entries that are manually configured. A data frame is discarded if the source or destination MAC address matches a blackhole MAC address entry.

  • Secure dynamic MAC address entries that are learned by an interface after port security is enabled.

  • Sticky MAC address entries that are learned by an interface after the sticky MAC function is enabled.

Functions of static and blackhole MAC address entries are:

  • Static MAC address entries protect against bogus packets that attackers send using the MAC addresses of trusted devices, and guarantee communication between the industrial switch router and the upstream device or server.
  • Blackhole MAC address entries prevent untrusted devices from attacking the industrial switch router.

The undo mac-address command is used in the following scenarios:

  • The upstream device or server has changed or the untrusted device has been removed, and the corresponding static MAC address entry or blackhole MAC address entry needs to be deleted.
  • When the learned dynamic MAC address entries, secure dynamic MAC address entries, and sticky MAC address entries are not required, delete them and configure the device to learn them again.

Prerequisites

The interface has been added to a VLAN.

Precautions

You can configure multiple static MAC address entries or blackhole MAC address entries by running the mac-address command multiple times.

If you configure a static or blackhole MAC address entry when the MAC table is full, the industrial switch router processes the MAC address entry as follows:

  • If a dynamic MAC address entry with the same MAC address exists in the MAC address table, the industrial switch router replaces the dynamic MAC address entry with the configured entry.
  • If no dynamic MAC address entry with the same MAC address exists in the MAC address table, the MAC address entries cannot be added to the MAC address table.

When using the undo mac-address command, pay attention to the following points:

  • If interface-type interface-number is not specified, MAC address entries of a specified type on all interfaces are deleted.
  • If vlan vlan-id is not specified, MAC address entries of a specified type in all VLANs are deleted.

Example

# Add a static MAC address entry to the MAC address table. The destination MAC address is 0003-0003-0003. The outbound interface is ethernet2/0/0, which belongs to VLAN 4.

<Huawei> system-view
[Huawei] mac-address static 0003-0003-0003 ethernet 2/0/0 vlan 4

# Configure a blackhole MAC address entry to discard the Ethernet frames whose destination MAC address is 0004-0004-0004 and VLAN ID is 5.

<Huawei> system-view
[Huawei] mac-address blackhole 0004-0004-0004 vlan 5

mac-address aging-time

Function

The mac-address aging-time command sets the aging time of dynamic MAC address entries.

The undo mac-address aging-time command restores the default aging time of dynamic MAC address entries.

By default, the aging time of dynamic MAC address entries is 300 seconds.

Format

mac-address aging-time aging-time

undo mac-address aging-time

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| aging-time | Specifies the aging time of dynamic MAC address entries. | The value can be 0 or in the range of 60 to 3825. The value is expressed in seconds. The default value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out. |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the network topology changes frequently, the industrial switch router learns many MAC addresses. You can run the mac-address aging-time command to set a proper aging time for dynamic MAC address entries so that aged MAC address entries are deleted from the MAC address table. This reduces the number of entries in the MAC address table.

The system starts an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), the entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. If the aging time is short, the industrial switch router is sensitive to network changes.

When setting the aging time of dynamic MAC address entries, follow these rules:

  • Set a longer aging time on a stable network and a shorter aging time on an unstable network.
  • The capacity of the MAC address table on a low-end device is small; therefore, set a relatively short aging time on low-end devices to save MAC address table space.

Precautions

Dynamic MAC address entries are lost after system restart. Static MAC address entries and blackhole MAC address entries are not aged or lost.

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

If you run the mac-address aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of dynamic MAC address entries to 500 seconds.

<Huawei> system-view
[Huawei] mac-address aging-time 500

mac-address learning disable

Function

The mac-address learning disable command disables MAC address learning.

The undo mac-address learning disable command enables MAC address learning.

By default, MAC address learning is enabled.

Format

mac-address learning disable [ action { discard | forward } ]

undo mac-address learning disable

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| action | Indicates the action that the interface takes after MAC address learning is disabled. This parameter takes effect only in the interface view and port group view, and the specified interface must be a Layer 2 interface. You can use this parameter to determine whether packets are forwarded when the specified interface does not need to learn MAC addresses. By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled. | - |
| discard | Discards the packets whose source MAC addresses do not match the MAC address table. | - |
| forward | Forwards the packets according to the MAC address table. | - |

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view, bridge group view

NOTE:

AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, AR509GW-L-D-H and AR510 series do not support the VLAN view.

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want an interface to forward only packets with certain MAC addresses, use this command. For example, if an interface is connected to a server, configure a static MAC address entry with the MAC address of the server, and then disable MAC address learning and set the action to discard on the interface. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security.

When an industrial switch router with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the industrial switch router forwards the frames through the corresponding outbound interface according to the MAC address entry. MAC address learning reduces broadcast packets on a network.

You can use the mac-address learning disable command to disable MAC address learning on an interface. The action performed on received packets can be set to discard or forward.

  • When the action is set to forward, the industrial switch router forwards packets according to the MAC address table. If a packet does not match any MAC address entry, the industrial switch router broadcasts the packet.
  • When the action is set to discard, the industrial switch router searches for the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the industrial switch router forwards the packet according to the MAC address entry. If the source MAC address is not found, the industrial switch router discards the packet.

The default action is forward.

Precautions

The action cannot be configured in the bridge group view.

After MAC address learning is disabled on an interface, the device does not learn new MAC addresses on the interface, but untrusted terminals can still access the network.

Example

# Disable MAC address learning in VLAN 2.

<Huawei> system-view
[Huawei] vlan 2
[Huawei-vlan2] mac-address learning disable

mac-limit

Function

The mac-limit command configures a rule to limit the number of MAC addresses that can be learned.

The undo mac-limit command deletes the rule.

By default, the number of learned MAC addresses is not limited.

NOTE:

The AR530 does not support limiting the number of MAC addresses learned in a VLAN.

The AR503GW-LM7, AR503GW-LcM7, AR509G-L-D-H, and AR509GW-L-D-H do not support limiting the number of MAC addresses learned.

Format

mac-limit { action { discard | forward } | alarm { disable | enable } | maximum max-num } *

undo mac-limit

Parameters

Parameter

Description

Value

action { discard | forward }

Indicates the action performed when the number of learned MAC address entries reaches the limit.
  • discard: discards packets with new source MAC addresses.
  • forward: forwards packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table.
NOTE:
This parameter cannot be specified in the VLAN view.

If no action is specified in the command, the default action discard is used.

alarm { disable | enable }

Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit.
  • disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit.
  • enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.

If you do not set this parameter in the command, the alarm function is enabled by default.

maximum max-num

Sets the maximum number of MAC addresses that can be learned.

NOTE:
If no maximum has been set yet, the mac-limit command must be run with maximum specified. If a maximum has already been set by an earlier mac-limit command, maximum max-num does not need to be specified when the command is run again.

The value is a decimal integer ranging from 0 to 2048. The value 0 indicates that the highest rate of MAC address learning is not limited.

Views

VLAN view, Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-limit command limits the number of access users and prevents attacks on the MAC address table. You can enable the function to improve network security.

Precautions

The action cannot be set in the VLAN view.

The mac-limit and port-security enable commands cannot be used on the same interface.

Example

# Configure the following MAC address learning rule on Ethernet2/0/0:
  • The maximum number of learned MAC addresses is 30.
  • When the number of learned MAC addresses exceeds the maximum, an alarm is generated.

<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] mac-limit maximum 30 alarm enable

port-security aging-time

Function

The port-security aging-time command sets the aging time of secure dynamic MAC addresses on an interface.

The undo port-security aging-time command restores the default configuration.

By default, secure dynamic MAC addresses will not be aged out.

Format

port-security aging-time time

undo port-security aging-time

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| time | Specifies the aging time of secure dynamic MAC addresses. | The value is an integer that ranges from 1 to 1440, in minutes. |

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the port-security enable command to enable port security on an interface, MAC address entries learned by the interface are saved in the MAC address table as secure dynamic MAC addresses. The learned secure dynamic MAC addresses will not be aged by default. When the number of learned MAC addresses reaches the limit, the interface cannot learn new MAC addresses.

If MAC addresses learned by an interface can be trusted only for a certain period, run the port-security aging-time command to set the aging time of secure dynamic MAC addresses on the interface. Then secure dynamic MAC addresses can be aged out and the interface can learn new MAC addresses.

Prerequisites

Port security is enabled on the interface.

Precautions

If the aging time of secure dynamic MAC addresses on an interface is shorter than the global aging time of dynamic MAC addresses, secure dynamic MAC addresses are aged out when the global aging time expires.

If you run the port-security aging-time command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the aging time of secure dynamic MAC addresses on Eth0/0/1 to 30 minutes.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port-security enable
[Huawei-Ethernet0/0/1] port-security aging-time 30

port-security enable

Function

The port-security enable command enables the port security function on an interface.

The undo port-security enable command disables the port security function on an interface.

By default, port security is disabled on an interface.

  • AR500 series do not support port security.

  • AR510 series do not support port security.

Format

port-security enable

undo port-security enable

Parameters

None

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. By default, secure dynamic MAC addresses will not be aged out. After the device restarts, secure dynamic MAC address entries are lost and need to be relearned.

Port security has the following functions:

  • Prevent unauthorized guests from using their computers to connect to an enterprise network.
  • Prevent employees of a company from moving their computers without permission.

Precautions

The protection action, maximum number of learned secure MAC address entries, and sticky MAC function can be configured only after port security is enabled.

The port-security enable and mac-limit maximum commands cannot be used on the same interface.

Port security and 802.1x authentication conflict on an interface; therefore, the port-security enable and dot1x enable commands cannot be used on the same interface.

If port security is enabled after MAC address learning is disabled using the mac-address learning disable command, the port security function does not take effect. If port security is enabled before MAC address learning is disabled on an interface, the device no longer learns MAC addresses on the interface, but secure MAC addresses that have been learned are reserved.

Example

# Enable port security on Ethernet2/0/1.

<Huawei> system-view
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port-security enable

port-security mac-address sticky

Function

The port-security mac-address sticky command enables the sticky MAC function on an interface.

The undo port-security mac-address sticky command disables the sticky MAC function on an interface.

By default, the sticky MAC function is disabled on an interface.

Format

port-security mac-address sticky [ mac-address vlan vlan-id ]

undo port-security mac-address sticky [ mac-address vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the MAC address in a sticky MAC address entry. | The value is in H-H-H format. H is a hexadecimal number of 1 to 4 digits. A MAC address cannot be FFFF-FFFF-FFFF. |
| vlan vlan-id | Specifies the ID of a VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the port-security enable command to enable port security on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries.

After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned by the interface change to sticky MAC addresses. If the number of sticky MAC addresses does not reach the limit, the MAC addresses learned subsequently change to sticky MAC addresses. When the number of sticky MAC addresses reaches the limit, packets whose source MAC addresses do not match sticky MAC address entries are discarded. In addition, the system determines whether to send a trap message or shut down the interface according to the configured security protection action.

After enabling the sticky MAC function on an interface, you can run the port-security mac-address sticky mac-address vlan vlan-id command to manually configure a sticky MAC address entry.

The sticky MAC function serves the following purposes:

  • Prevent non-employees from using their own computers to access the company intranet without the permission of the network administrator.

  • Prevent employees from moving network devices or computers of the company without the permission of the network administrator.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

If you run the port-security mac-address sticky [ mac-address vlan vlan-id ] command multiple times, multiple sticky MAC address entries are configured.

Example

# Enable the sticky MAC function on Ethernet0/0/1.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port-security enable
[Huawei-Ethernet0/0/1] port-security mac-address sticky

port-security max-mac-num

Function

The port-security max-mac-num command sets the maximum number of secure MAC addresses that can be learned on an interface.

By default, only one MAC address can be learned on an interface.

Format

port-security max-mac-num max-number

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| max-number | Specifies the maximum number of secure MAC addresses that can be learned by an interface. | The value is an integer that ranges from 1 to 1024. |

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security max-mac-num command to limit the number of MAC addresses that the interface can learn.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

If the sticky MAC function is disabled, max-number limits the number of secure dynamic MAC addresses learned by the interface and secure static MAC addresses configured manually.

If the sticky MAC function is enabled, max-number limits the number of sticky MAC addresses learned by the interface, and sticky MAC addresses and secure static MAC addresses configured manually.

If you run the port-security max-mac-num command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by Ethernet0/0/1 to 5.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port-security enable
[Huawei-Ethernet0/0/1] port-security max-mac-num 5

port-security protect-action

Function

The port-security protect-action command configures a protection action for the system to perform when the number of learned MAC addresses reaches the limit.

The undo port-security protect-action command restores the default protection action.

The default action is restrict.

Format

port-security protect-action { protect | restrict | shutdown }

undo port-security protect-action

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| protect | Discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit. | - |
| restrict | Discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses reaches the limit. | - |
| shutdown | Sets the interface status to error down and sends a trap message when the number of learned MAC addresses reaches the limit. | - |

Views

Ethernet interface view, GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security, you can run the port-security protect-action command to configure the action performed on the interface when the number of learned MAC addresses reaches the limit.

The default action restrict is recommended. If the action is set to shutdown on an interface connected to a downstream device, the interface discards packets from trusted MAC addresses. Select the shutdown action only when the interface is directly connected to a user terminal.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

If the action is set to shutdown, the interface is shut down when the number of learned MAC addresses exceeds the limit.

If you run the port-security protect-action command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the protection action on Ethernet0/0/1 to protect.

<Huawei> system-view
[Huawei] interface ethernet 0/0/1
[Huawei-Ethernet0/0/1] port-security enable
[Huawei-Ethernet0/0/1] port-security protect-action protect
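
The rules in this section (prerequisite, default action, latest configuration wins, shutdown only on terminal-facing ports) can be checked against saved interface sections. The following is an added example, not Huawei code; the sample configuration is constructed, and treating a port link-type trunk line as a sign of a downstream device is an assumption of this sketch.

```python
DEFAULT_ACTION = "restrict"  # default action stated in the command reference
PREFIX = "port-security protect-action "
# Constructed sample in the style of saved interface sections (not device output).
SAMPLE_CONFIG = """\
interface Ethernet0/0/1
 port-security enable
 port-security protect-action protect
#
interface Ethernet0/0/2
 port link-type trunk
 port-security enable
 port-security protect-action shutdown
#
interface Ethernet0/0/3
 port-security protect-action shutdown
#
interface Ethernet0/0/4
 port-security enable
"""

def parse_interfaces(text):
    """Return {interface name: [stripped config lines]} for each interface section."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            current = sections.setdefault(line.split()[1], [])
        elif line in ("", "#"):
            current = None
        elif current is not None:
            current.append(line)
    return sections

def audit(text):
    """Return {interface: (effective action or None, [findings])}; the last action line wins."""
    report = {}
    for name, lines in parse_interfaces(text).items():
        enabled = "port-security enable" in lines
        actions = [l[len(PREFIX):] for l in lines if l.startswith(PREFIX)]
        effective = (actions[-1] if actions else DEFAULT_ACTION) if enabled else None
        findings = []
        if actions and not enabled:
            findings.append("protect-action set without port-security enable")
        if effective == "protect":
            findings.append("protect sends no trap; violations are not reported")
        # Assumption: a trunk port is treated as a hint of a downstream device.
        if effective == "shutdown" and "port link-type trunk" in lines:
            findings.append("shutdown on a port that may face a downstream device")
        report[name] = (effective, findings)
    return report
```
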

reset loop-detect eth-loop

Function

The reset loop-detect eth-loop command unblocks a blocked interface or MAC address in a specified VLAN.

Format

reset loop-detect eth-loop vlan vlan-id { all | interface interface-type interface-number | mac-address mac-address }

Parameters

Parameter

Description

Value

vlan vlan-id

Specifies the ID of a VLAN.

The value is an integer that ranges from 1 to 4094.

all

Unblocks all the permanently blocked interfaces in the specified VLAN.

If all is specified, the system unblocks all permanently blocked interfaces and MAC addresses in the specified VLAN, and then starts MAC address detection on the interfaces and MAC addresses.

-

interface interface-type interface-number

Specifies an interface in the specified VLAN.
  • interface-type specifies the type of the interface.
  • interface-number specifies the number of the interface.

If interface interface-type interface-number is specified, the system unblocks the specified interface, and then starts MAC address detection on the interface.

-

mac-address mac-address

Specifies a permanently blocked MAC address in the specified VLAN.

If mac-address mac-address is specified, the system unblocks the specified MAC address, and then starts MAC address detection for the MAC address.

The value is in the H-H-H format. H is a hexadecimal number of 1 to 4 digits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the device is configured to block the MAC address or interface, it performs the following action:

When it detects MAC address flapping in a VLAN, the industrial switch router blocks the interface or MAC address for block-time seconds, and then checks for MAC address flapping again. If no MAC address flapping occurs within 20 seconds, the industrial switch router unblocks the interface or MAC address and starts a new round of detection. If MAC address flapping is detected again within 20 seconds, the industrial switch router repeats the MAC address flapping detection process up to the number of times specified by retry-times. If the MAC address flapping persists, the interface or MAC address is permanently blocked.

After an interface is permanently blocked, it no longer forwards packets or learns MAC addresses. After MAC address flapping is removed, you can run the reset loop-detect eth-loop command to unblock the interface so that the interface can forward traffic and learn MAC addresses again.
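
The block and re-check cycle described above, modelled as an added example (not Huawei code) so that a flapping pattern can be checked for whether it ends in a permanent block that needs reset loop-detect eth-loop. block_time and retry_times stand for the page's block-time and retry-times; the timestamps are constructed, and the model assumes that retry_times counts repeats after the first block and that flapping during a block period is not observed.

```python
CHECK_WINDOW = 20  # seconds, from the usage guidelines
SAMPLE_FLAPS = [0, 12, 35, 70, 200]  # constructed flap timestamps, in seconds

def simulate(flap_times, block_time, retry_times):
    """Return [(time, state change)] for one interface or MAC address."""
    events, retries, blocked_until = [], 0, None
    for t in sorted(flap_times):
        if blocked_until is not None:
            if t < blocked_until:
                continue  # assumption: nothing is learned while blocked
            if t > blocked_until + CHECK_WINDOW:
                # The 20-second check passed with no flapping: new round.
                events.append((blocked_until + CHECK_WINDOW, "unblocked"))
                retries, blocked_until = 0, None
        if blocked_until is None:
            events.append((t, "blocked"))  # first detection of a round
        else:
            retries += 1  # flapping seen again inside the check window
            if retries > retry_times:
                events.append((t, "permanently blocked"))
                return events  # stays blocked until a manual reset
            events.append((t, "blocked again"))
        blocked_until = t + block_time
    if blocked_until is not None:
        events.append((blocked_until + CHECK_WINDOW, "unblocked"))
    return events
```
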

Precautions

Before running the reset loop-detect eth-loop command, you can run the display loop-detect eth-loop command to view the result of MAC address flapping detection. Use the command output to determine which interface or MAC address to unblock.

Example

# Unblock all permanently blocked interfaces in VLAN 10.

<Huawei> system-view
[Huawei] reset loop-detect eth-loop vlan 10 all

undo mac-address temporary

Function

The undo mac-address temporary command deletes all the temporary MAC address entries in the system.

Format

undo mac-address temporary

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the LPU or interface card is removed, the static MAC address entries configured on the interfaces are retained as temporary MAC address entries. After the LPU or interface card is reinserted, the static MAC address entries are restored.

If the LPU or interface card is not reinserted after being removed, the temporary MAC address entries become unnecessary and occupy system resources. In this case, you can run the undo mac-address temporary command to delete all the temporary MAC address entries in the system.

Example

# Delete all the temporary MAC address entries in the system.

<Huawei> system-view
[Huawei] undo mac-address temporary

undo mac-limit all

Function

The undo mac-limit all command deletes all MAC address limiting rules.

Format

undo mac-limit all

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command deletes all the rules configured by the mac-limit command.

Precautions

Before using this command, run the display mac-limit command to check the MAC address limiting rules and confirm your operation.

Example

# Delete all MAC address limiting rules.

<Huawei> system-view
[Huawei] undo mac-limit all
Updated: 2019-05-29

Document ID: EDOC1000097293
