Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
MAC Address Table Configuration Commands

display bridge mac-address

Function

The display bridge mac-address command displays the bridge MAC address of a device.

Format

display bridge mac-address

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you need to view the bridge MAC address of a device, run the display bridge mac-address command.

Example

# Display the bridge MAC address of a device.

<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00
Table 7-1  Description of the display bridge mac-address command output

| Item | Description |
| --- | --- |
| System bridge MAC address | Indicates the bridge MAC address of a device. |

display mac-address

Function

The display mac-address command displays the MAC address table of the switch. A MAC address entry contains the destination MAC address, VLAN ID, outbound interface, and entry type.

Format

display mac-address mac-address [ vlan vlan-id ]

display mac-address [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the destination MAC address in an entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter fewer than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, or a multicast MAC address. |
| vlan vlan-id | Displays MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface interface-type interface-number | Displays the MAC address entries with a specified outbound interface. • interface-type specifies the type of the outbound interface. • interface-number specifies the number of the outbound interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The display mac-address command displays all MAC address entries, such as dynamic MAC address entries, static MAC address entries, and blackhole MAC address entries. A MAC address entry contains the destination MAC address, VLAN ID, outbound interface, and entry type.

Follow-up Procedure

If any MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address static command to add a correct one.

Precautions

If you run the display mac-address command without parameters, all MAC address entries are displayed.

When the switch has a large number of MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.
Run the following commands to check MAC address entries of services:

Example

# Display all MAC address entries.

<HUAWEI> display mac-address
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-       10GE1/0/1           dynamic      4294367295
0000-0000-0001 200/-/-       10GE1/0/2           static                -
-------------------------------------------------------------------------------
Total items: 2
Table 7-2  Description of the display mac-address command output

| Item | Description |
| --- | --- |
| Backup | Backup way. |
| MAC Address | Destination MAC address in a MAC address entry. |
| VLAN/VSI/BD | • VLAN: ID of a VLAN to which an interface belongs • VSI: ID of a VSI associated with an interface • BD: ID of a bridge domain to which an interface belongs. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| Learned-From | Interface that learns a MAC address. When the TRILL service is used, if the MAC address is learned from the TRILL network, the nick name of the remote RB is displayed. |
| Type | Type of a MAC address entry. • static: indicates a static MAC address entry, which is manually configured and will not be aged out. • blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out. • dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires. • security: indicates a MAC address entry that an interface learns after port security is enabled. • sticky: indicates a MAC address entry that an interface learns after the sticky MAC function is enabled. • mux: indicates a MAC address entry learned by a MUX VLAN enabled interface. • snooping: indicates a static MAC address entry generated based on the dynamic DHCP snooping binding table. • evn: indicates a MAC address entry of EVN or EVPN. • authen: indicates a MAC address entry that is generated after a user passes MAC address authentication or 802.1x authentication. • tunnel: indicates a MAC address entry that is learned through Layer 2 tunnels. |
| Age | Dynamic MAC learned time in seconds. |
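
The following Python script is an added example, not part of the Huawei documentation. It applies the H-H-H input rules from the parameter table (zero-prefixing, no broadcast or multicast address), parses display mac-address output in the layout shown above, and audits the result: dynamic entries per interface against a limit, and manually configured entries against an approved list. The sample rows, the limit, and the approved list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the column layout of the page's example output.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-       10GE1/0/1           dynamic            1200
0000-0000-0034 100/-/-       10GE1/0/1           dynamic             800
0000-0000-0035 100/-/-       10GE1/0/1           dynamic              15
0000-0000-0001 200/-/-       10GE1/0/2           static                -
0001-0001-0001 100/-/-       -                   blackhole             -
-------------------------------------------------------------------------------
Total items: 5
"""

ROW = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<domain>\S+)\s+(?P<port>\S+)\s+(?P<type>\S+)\s+(?P<age>\S+)\s*$"
)


def normalize_mac(text):
    """Apply the H-H-H rules: 1 to 4 hex digits per group, zero-prefixed to 4."""
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(
        re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups
    ):
        raise ValueError(f"not in H-H-H format: {text!r}")
    mac = "-".join(g.lower().zfill(4) for g in groups)
    if mac == "ffff-ffff-ffff":
        raise ValueError("broadcast address is not allowed")
    if int(mac[:2], 16) & 0x01:  # group bit of the first octet set
        raise ValueError("multicast address is not allowed")
    return mac


def parse_mac_table(output):
    """Return one dict per table row; check the count against 'Total items'."""
    entries, total = [], None
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            # The field may be VLAN/VSI/BD or a shorter form such as 1/-.
            vlan, vsi, bd = (m["domain"].split("/") + ["-", "-"])[:3]
            entries.append({
                "mac": m["mac"].lower(), "vlan": vlan, "vsi": vsi, "bd": bd,
                "port": m["port"], "type": m["type"],
                "age": None if m["age"] == "-" else int(m["age"]),
            })
        elif line.startswith("Total items"):
            total = int(line.rsplit(":", 1)[-1])
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows, device reported {total}")
    return entries


def dynamic_per_port(entries):
    """Count dynamic entries per Learned-From interface."""
    return Counter(e["port"] for e in entries if e["type"] == "dynamic")


def ports_over_limit(entries, max_dynamic):
    """Interfaces with more dynamic entries than max_dynamic (a site policy
    value assumed for this example, not a device setting)."""
    counts = dynamic_per_port(entries)
    return sorted(p for p, n in counts.items() if n > max_dynamic)


def unexpected_manual(entries, approved):
    """static and blackhole entries never age out, so each one should match
    an approved (mac, vlan) pair; return those that do not."""
    return [
        e for e in entries
        if e["type"] in ("static", "blackhole")
        and (e["mac"], e["vlan"]) not in approved
    ]


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    print("ports over limit:", ports_over_limit(table, max_dynamic=2))
    approved = {(normalize_mac("0-0-1"), "200")}  # constructed approved list
    for entry in unexpected_manual(table, approved):
        print("review:", entry["mac"], "vlan", entry["vlan"], entry["type"])
```

Entries reported by unexpected_manual are candidates for the follow-up procedure above (undo mac-address, or mac-address static to add the correct entry).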

display mac-address aging-time

Function

The display mac-address aging-time command displays the aging time of dynamic MAC address entries in the MAC address table.

Format

display mac-address aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays the aging time of dynamic MAC address entries on the switch. You can check whether the aging time is suitable for network requirements and device performance.

Follow-up Procedure

If the aging time is unsuitable for requirements or device performance, run the mac-address aging-time command to set the aging time properly.

Precautions

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

Example

# Display the aging time of dynamic MAC address entries.

<HUAWEI> display mac-address aging-time
  Aging time: 300 second(s)
Table 7-3  Description of the display mac-address aging-time command output

| Item | Description |
| --- | --- |
| Aging time | Aging time of dynamic MAC address entries, in seconds. To set the aging time, run the mac-address aging-time command. |

display mac-address blackhole

Function

The display mac-address blackhole command displays blackhole MAC address entries.

Format

display mac-address blackhole [ vlan vlan-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays blackhole MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Blackhole MAC address entries that are used to discard packets with the specified MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Static MAC entries that are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To check whether blackhole MAC address entries are configured correctly, run this command. These entries ensure communication between authorized users.

Follow-up Procedure

If any blackhole MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address blackhole command to add a correct one.

Precautions

If you run the display mac-address blackhole command without parameters, all blackhole MAC address entries are displayed.

If the MAC address table does not contain any blackhole MAC address, no information is displayed.

Example

# Display all blackhole MAC address entries.

<HUAWEI> display mac-address blackhole
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------                                                     
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age                                                            
-------------------------------------------------------------------------------                                                     
0001-0001-0001 100/-/-       -                   blackhole           -                                          
0002-0002-0002 200/-/-       -                   blackhole           -                                          
-------------------------------------------------------------------------------                                                     
Total items: 2
Table 7-4  Description of the display mac-address blackhole command output

| Item | Description |
| --- | --- |
| Backup | Backup way. |
| MAC Address | Destination MAC address in a blackhole MAC address entry. |
| VLAN/VSI/BD | • VLAN: ID of a VLAN to which an interface belongs • VSI: ID of a VSI associated with an interface • BD: ID of a bridge domain to which an interface belongs. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| Learned-From | When the type of a MAC address entry is blackhole, "-" is displayed. |
| Type | Type of a MAC address entry. |
| Age | Dynamic MAC learned time in seconds. |

display mac-address dynamic

Function

The display mac-address dynamic command displays dynamic MAC address entries.

Format

display mac-address dynamic [ slot slot-id ] [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Displays dynamic MAC address entries of the device with the specified stack ID. | The default value is 1 on an unstacked switch; the value depends on the number of stacked switches. |
| vlan vlan-id | Displays dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface interface-type interface-number | Displays dynamic MAC address entries with a specified outbound interface. • interface-type specifies the type of the outbound interface. • interface-number specifies the number of the outbound interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table needs to be updated constantly because the network topology always changes. You can use this command to view learned MAC addresses in real time.

Follow-up Procedure

If the displayed dynamic MAC address entries are invalid, run the undo mac-address command to delete dynamic MAC address entries.

Precautions

If you run the display mac-address dynamic command without parameters, all dynamic MAC address entries are displayed.

If the MAC address table does not contain any dynamic MAC address entry, no information is displayed.

When the switch has a large number of dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all dynamic MAC address entries.

<HUAWEI> display mac-address dynamic
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------                                                     
0022-0022-0033 100/-/-       10GE1/0/1           dynamic       4294367295   
0000-0000-0001 200/-/-       10GE1/0/2           dynamic         63843672       
-------------------------------------------------------------------------------                                                     
Total items: 2 
Table 7-5  Description of the display mac-address dynamic command output

| Item | Description |
| --- | --- |
| Backup | Backup way. |
| MAC Address | Destination MAC address in a dynamic MAC address entry. |
| VLAN/VSI/BD | • VLAN: ID of a VLAN to which an interface belongs • VSI: ID of a VSI associated with an interface • BD: ID of a bridge domain to which an interface belongs. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. |
| Age | Dynamic MAC learned time in seconds. |

display mac-address flapping

Function

The display mac-address flapping command displays MAC address flapping records.

Format

display mac-address flapping [ slot slot-id ] [ begin YYYY/MM/DD HH:MM:SS ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Displays MAC address flapping records on a stacked device. | The value is an integer and is determined by the stack ID of the device. If no stacking is configured, the value is 1. |
| begin YYYY/MM/DD HH:MM:SS | Displays MAC address flapping records generated from the specified time to the current time. YYYY/MM/DD indicates year/month/date. HH:MM:SS indicates hour:minute:second. | • YYYY/MM/DD ranges from 2000/01/01 to 2099/12/31. • HH:MM:SS ranges from 00:00:00 to 23:59:59. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The output of the display mac-address flapping command helps locate the position where MAC address flapping occurs.

Example

# Display all MAC address flapping records.

When no MAC address flapping occurs on the device, the following information is displayed:

<HUAWEI> display mac-address flapping
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
  Aging  time(s)              : 300
  Quit-VLAN Recover time(m)   : --
  Exclude VLAN-list           : --
  Security level              : Middle
  Exclude BD-list             : --
------------------------------------------------------------------------------

When MAC address flapping occurs on the device, the following information is displayed:

<HUAWEI> display mac-address flapping
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
  Aging  time(s)              : 300
  Quit-VLAN Recover time(m)   : --
  Exclude VLAN-list           : --
  Security level              : Middle
  Exclude BD-list             : --
-------------------------------------------------------------------------------
S  : start time    E  : end time    (D) : error down
-------------------------------------------------------------------------------
Time                  VLAN MAC Address    Original-Port  Move-Ports     MoveNum
                      /BD                                                      
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 3    0000-08cc-2206 10GE1/0/1      10GE1/0/2      120  
E:2011-12-11 11:33:13 /-


-------------------------------------------------------------------------------
Total items on slot 1: 1
Table 7-6  Description of the display mac-address flapping command output

| Item | Description |
| --- | --- |
| MAC Address Flapping Configurations | MAC address flapping configuration. |
| Flapping detection | MAC address flapping detection status: • Enable: MAC address flapping detection is enabled. • Disable: MAC address flapping detection is disabled. |
| Aging time(s) | Aging time of flapping MAC addresses. |
| Quit-VLAN Recover time(m) | Delay time before the interface joins a VLAN again after it is removed from the VLAN. If this field displays --, the interface cannot be removed from the VLAN where MAC address flapping occurs. |
| Exclude VLAN-list | VLAN that does not require MAC address flapping detection. If such a VLAN is specified, the VLAN ID is displayed. If the VLAN is not specified, this field is displayed as --. |
| Security level | MAC address flapping detection security level. • Low: a low security level for MAC address flapping detection • Middle: a middle security level for MAC address flapping detection • High: a high security level for MAC address flapping detection |
| Exclude BD-list | VXLAN BD whitelist for MAC address flapping detection. If the BD whitelist is configured, the BD ID is displayed. If the BD whitelist is not configured, this field is displayed as --. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| S: start time | Time at which MAC address flapping starts. |
| E: end time | Time at which MAC address flapping ends. |
| (D): error down | A port is shut down when the number of times the MAC address has flapped reaches 3 and the Error-Down action is configured on the port. |
| Time | Start time and end time of MAC address flapping. |
| VLAN/BD | VLAN or VXLAN BD where MAC address flapping occurs. NOTE: Information including the BD is displayed only on the VXLAN-capable device. |
| MAC Address | Flapping MAC address. |
| Original-Port | Port that learns the MAC address first. |
| Move-Ports | Port or ports that learn the MAC address later. |
| MoveNum | Number of times the MAC address has flapped. NOTE: The maximum value is 65535. When the number of times the MAC address has flapped exceeds 65535, the MoveNum field still displays 65535. |
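
The following Python script is an added example, not part of the Huawei documentation. It turns display mac-address flapping output into structured records for monitoring: the configuration header, the paired S:/E: lines of each record, the flapping duration, and the MoveNum ceiling of 65535. The second record in the sample is constructed, and attaching the (D) marker directly to a port name is an assumption about the layout, since the page only gives the legend.

```python
import re
from datetime import datetime

# First record copied from the page's example; second record is constructed.
SAMPLE_OUTPUT = """\
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
  Aging  time(s)              : 300
  Quit-VLAN Recover time(m)   : --
  Exclude VLAN-list           : --
  Security level              : Middle
  Exclude BD-list             : --
-------------------------------------------------------------------------------
S  : start time    E  : end time    (D) : error down
-------------------------------------------------------------------------------
Time                  VLAN MAC Address    Original-Port  Move-Ports     MoveNum
                      /BD
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 3    0000-08cc-2206 10GE1/0/1      10GE1/0/2      120
E:2011-12-11 11:33:13 /-
S:2011-12-11 12:10:00 20   0000-08cc-3301 10GE1/0/3      10GE1/0/4(D)   65535
E:2011-12-11 12:10:45 /-
-------------------------------------------------------------------------------
Total items on slot 1: 2
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
TS_FORMAT = "%Y-%m-%d %H:%M:%S"
START = re.compile(r"^S:" + TS + r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d+)\s*$")
END = re.compile(r"^E:" + TS + r"\s+/(\S+)\s*$")
CONFIG = re.compile(r"^\s+(\S.*?)\s*:\s*(\S+)\s*$")
MOVENUM_MAX = 65535  # MoveNum stops counting at this value


def parse_flapping(output):
    """Return (config, records) parsed from display mac-address flapping."""
    config, records = {}, []
    for line in output.splitlines():
        start, end = START.match(line), END.match(line)
        if start:
            ports = [start[4]] + start[5].split()
            records.append({
                "start": datetime.strptime(start[1], TS_FORMAT),
                "end": None, "duration_s": None, "bd": None,
                "vlan": start[2], "mac": start[3].lower(),
                "original_port": start[4].replace("(D)", ""),
                "move_ports": [p.replace("(D)", "") for p in ports[1:]],
                # Assumed layout: "(D)" is appended to the shut-down port.
                "error_down_ports": [
                    p.replace("(D)", "") for p in ports if p.endswith("(D)")
                ],
                "move_num": int(start[6]),
                "saturated": int(start[6]) >= MOVENUM_MAX,
            })
        elif end and records and records[-1]["end"] is None:
            rec = records[-1]
            rec["end"] = datetime.strptime(end[1], TS_FORMAT)
            rec["bd"] = end[2]
            rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
        else:
            cfg = CONFIG.match(line)
            if cfg:  # collapse the padding inside names such as "Aging  time(s)"
                config[" ".join(cfg[1].split())] = cfg[2]
    return config, records


def needs_attention(records):
    """Records where a port went error-down or MoveNum hit its ceiling,
    so the real number of moves is unknown."""
    return [r for r in records if r["error_down_ports"] or r["saturated"]]


if __name__ == "__main__":
    cfg, recs = parse_flapping(SAMPLE_OUTPUT)
    if cfg.get("Flapping detection") != "Enable":
        print("flapping detection is not enabled")
    for r in needs_attention(recs):
        print(r["mac"], "vlan", r["vlan"], "moves", r["move_num"],
              "in", r["duration_s"], "s, error-down:", r["error_down_ports"])
```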

display mac-address forward-engine

Function

The display mac-address forward-engine command displays MAC address entries in the chip.

Format

display mac-address mac-address vlan vlan-id slot slot-id forward-engine

NOTE:

Only CE6870EI supports this command.

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the destination MAC address in an entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter fewer than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, or a multicast MAC address. |
| vlan vlan-id | Displays MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| slot slot-id | Displays MAC address entries in a specified slot. | The value is an integer and must be the slot ID of a running board. |
| forward-engine | Displays MAC address entries in a chip. | - |

Views

All views

Default Level

3: Management level

Usage Guidelines

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

If packets are forwarded in unicast mode and MAC address entries cannot be queried using the display mac-address or display mac-address dynamic command, you can use this command to check whether there are MAC address entries in the chip.

If there are multiple chips in the LPU of the specified slot, MAC address entries are displayed based on the chip ID.

Example

# Display the MAC address entry with MAC address 749d-8f4c-dadc and VLAN 1 of the LPU in slot 1.

<HUAWEI> display mac-address 749d-8f4c-dadc vlan 1 slot 1 forward-engine
---- Flags: * - Backup
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
749d-8f4c-dadc 1/-           10GE4/0/12          dynamic               -
-------------------------------------------------------------------------------
Total items on chip 0: 1
Table 7-7  Description of the display mac-address forward-engine command output

| Item | Description |
| --- | --- |
| Backup | Backup way. |
| MAC Address | Destination MAC address in a MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. On a VPLS network, if a MAC address is learned on a PW-side interface, this field displays the peer IP address of the PW. |
| Type | Type of a MAC address entry. • static: indicates a static MAC address entry, which is manually configured and will not be aged out. • blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out. • dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires. • security: indicates a MAC address entry that an interface learns after port security is enabled. • sticky: indicates a MAC address entry that an interface learns after the sticky MAC function is enabled. • mux: indicates a MAC address entry learned by a MUX VLAN enabled interface. • snooping: indicates a static MAC address entry generated based on the dynamic DHCP snooping binding table. • evn: indicates a MAC address entry of EVN or EVPN. • authen: indicates a MAC address entry that is generated after a user passes MAC address authentication or 802.1x authentication. • tunnel: indicates a MAC address entry that is learned through Layer 2 tunnels. |
| Age | Dynamic MAC learned time in seconds. |

display mac-address hash-conflict

Function

The display mac-address hash-conflict command displays the MAC address that cannot be added to the chip due to the hash conflict.

NOTE:

The CE6870EI and CE6880EI do not support this command.

Format

display mac-address hash-conflict [ mac-address { vlan vlan-id | bridge-domain bd-id } ] [ slot slot-id ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the MAC address to be queried. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. |
| vlan vlan-id | Specifies the ID of a VLAN. | The value is an integer that ranges from 1 to 4094. |
| bridge-domain bd-id | Specifies the ID of a bridge domain (BD). NOTE: This parameter is only supported by the VXLAN-capable device. | The value is an integer that ranges from 1 to 16777215. |
| slot slot-id | Specifies the slot ID. | The value is an integer or a character string. You can enter the question mark (?) and select the value as prompted. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When a MAC address cannot be learned by the chip, you can run the command with the MAC address and VLAN ID specified to query conflicting MAC addresses in the hash bucket.

Precautions

If the MAC address and VLAN ID are not specified, this command displays only historical conflicting MAC addresses.

If the MAC address and VLAN ID are specified, this command displays current and historical conflicting MAC addresses.

If the device uses multiple chips, only the chip that first detects conflicts displays historical conflicting records; the other chips display only current conflicting records.

Example

# Display hash conflict information about the MAC address of 0010-1100-3710.
<HUAWEI> display mac-address hash-conflict 0010-1100-3710 vlan 1111
Flags: * - Current MAC address in the hash bucket of the chip
       _ - Internal bridge domain resource
BD   : bridge-domain
-------------------------------------------------------------------------------
Slot: 1         Chip: 0
-------------------------------------------------------------------------------
MAC Address     VLAN/BD        Conflicting MAC Address    Time
-------------------------------------------------------------------------------
0010-1100-3710  1111/-         0010-1100-7bd2*            -
                               0010-1100-6bd7*            -
                               0010-1100-08a7*            -
                               0010-1100-20c9*            -
                               0010-1100-7c0e*            -
                               0010-1100-6c0b*            -
                               0010-1100-0f7b*            -
                               0010-1100-4465*            -
                               0010-1100-1f7e*            -
                               0010-1100-30cc*            -
                               0010-1100-18a2*            -
                               0010-1100-53bc*            -
                               0010-1100-2715*            -
                               0010-1100-43b9*            -
                               0010-1100-7bd2             2017-02-01 14:32:23
                               0010-1100-6bd7             2017-02-01 14:32:23
                               0010-1100-08a7             2017-02-01 14:32:23
                               0010-1100-20c9             2017-02-01 14:32:23
                               0010-1100-7c0e             2017-02-01 14:32:23
                               0010-1100-6c0b             2017-02-01 14:32:23
                               0010-1100-0f7b             2017-02-01 14:32:23
                               0010-1100-4465             2017-02-01 14:32:23
                               0010-1100-1f7e             2017-02-01 14:32:23
                               0010-1100-30cc             2017-02-01 14:32:23
                               0010-1100-18a2             2017-02-01 14:32:23
                               0010-1100-53bc             2017-02-01 14:32:23
                               0010-1100-2715             2017-02-01 14:32:23
                               0010-1100-43b9             2017-02-01 14:32:23
-------------------------------------------------------------------------------
Table 7-8  Description of the display mac-address hash-conflict command output

| Item | Description |
| --- | --- |
| Slot | Slot ID. |
| Chip | Chip ID. |
| MAC Address | - |
| VLAN/BD | VLAN or VXLAN BD where a MAC address conflict occurs. NOTE: BD information is displayed only on the VXLAN-capable device. |
| Conflicting MAC Address | Conflicting MAC address that is detected. A value marked with an asterisk (*) is a current conflicting MAC address, and a value not marked with an asterisk (*) is a historical conflicting MAC address. |
| Time | Time at which the historical conflict is recorded. For a historical conflicting MAC address, the detailed time is displayed. For a current conflicting MAC address, the value is displayed as -. |

display mac-address hash-mode

Function

The display mac-address hash-mode command displays the running hash mode and configured hash mode on the device.

NOTE:
Only the CE5810EI, CE5850HI, CE6800 series (excluding CE6870EI and CE6880EI), CE7800 series, and CE8800 series support this command.

Format

display mac-address hash-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After a hash mode is configured, you can run the display mac-address hash-mode command to check the configuration.

Precautions

After the hash algorithm is changed, restart the device for the configuration to take effect.

Example

# Display the running hash mode and configured hash mode on the device.

<HUAWEI> display mac-address hash-mode
 Mac-address hash mode status:                                                  
--------------------------------------------                                    
 Slot       CurMode         CfgMode                                             
--------------------------------------------                                    
 1         crc16-lower     crc32-lower                                         
--------------------------------------------      
Table 7-9  Description of the display mac-address hash-mode command output

| Item | Description |
| --- | --- |
| Slot | Stack ID. |
| CurMode | Running hash mode on the device. |
| CfgMode | Configured hash mode on the device. |

display mac-address mux

Function

The display mac-address mux command displays MUX MAC address entries.

Format

display mac-address mux [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays MUX MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface interface-type interface-number | Displays MUX MAC address entries with a specified outbound interface. • interface-type specifies the type of the outbound interface. • interface-number specifies the number of the outbound interface. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. A MUX MAC address entry is learned by a MUX VLAN enabled interface. The learned MUX MAC address entries are deleted after the switch restarts.

After configuring the MUX VLAN function, you can run the display mac-address mux command to check whether the learned MUX MAC address entries are correct.

Follow-up Procedure

If the displayed MUX MAC address entries are invalid, run the undo mac-address command to delete MUX MAC address entries.

Precautions

If you run the display mac-address mux command without parameters, all MUX MAC address entries are displayed.

If the MAC address table does not contain any MUX MAC address entry, no information is displayed.

When the switch has a large number of MUX MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MUX MAC address entries.

<HUAWEI> display mac-address mux
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------    
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age       
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-       10GE1/0/2           mux              325649
-------------------------------------------------------------------------------
Total items: 1 
Table 7-10  Description of the display mac-address mux command output

Item

Description

Backup

Backup way.

MAC Address

Destination MAC address in a MUX MAC address entry.

VLAN/VSI/BD

  • VLAN: ID of a VLAN to which an interface belongs
  • VSI: ID of a VSI associated with an interface
  • BD: ID of a bridge domain to which an interface belongs
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Learned-From

Interface that learns a MAC address.

Type

Type of a MAC address entry.

Age

Dynamic MAC learned time in seconds.

display mac-address static

Function

The display mac-address static command displays static MAC address entries.

Format

display mac-address static [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

Parameter

Description

Value

vlan vlan-id

Displays static MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

interface interface-type interface-number

Displays the static MAC address entries on a specified interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Static MAC entries that are manually configured and will not be aged out.
  • Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To improve network security, configure static MAC address entries to ensure that packets destined for specified MAC addresses are forwarded by the specified interfaces. This prevents attack packets with bogus MAC addresses and guarantees communication between the switch and the upstream device or server. After configuring static MAC address entries, you can run the display mac-address static command to verify the configuration.

Follow-up Procedure

If any static MAC address entry is incorrect, run the undo mac-address command to delete it.

Precautions

If you run the display mac-address static command without parameters, all static MAC address entries are displayed.

If the MAC address table does not contain any static MAC address entry, no information is displayed.

Example

# Display all static MAC address entries.

<HUAWEI> display mac-address static
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------                                                     
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age                                                            
-------------------------------------------------------------------------------                                                     
0001-0001-0001 100/-/-       10GE1/0/1           static              -                                          
-------------------------------------------------------------------------------                                                     
Total items: 1
Table 7-11  Description of the display mac-address static command output

Item

Description

Backup

Backup way.

MAC Address

Destination MAC address in a static MAC address entry.

VLAN/VSI/BD

  • VLAN: ID of a VLAN to which an interface belongs
  • VSI: ID of a VSI associated with an interface
  • BD: ID of a bridge domain to which an interface belongs
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Learned-From

Interface that learns a MAC address.

Type

Type of a MAC address entry.

Age

Dynamic MAC learned time in seconds.
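
The verification step described under Usage Scenario can be automated. The following is an added example, not part of the Huawei reference: it parses the table layout shown above and compares the static entries with an intended baseline. The function names, the baseline dictionary, and the sample output are constructed for illustration.

```python
import re

# Constructed sample, laid out like the Example output above.
SAMPLE_OUTPUT = """\
Flags: * - Backup
       # - forwarding logical interface, operations cannot be performed based
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0001-0001-0001 100/-/-       10GE1/0/1           static              -
0002-0002-0002 100/-/-       10GE1/0/7           static              -
0005-0005-0005 200/-/-       10GE1/0/3           static              -
-------------------------------------------------------------------------------
Total items: 3
"""

# Hypothetical intended state: (MAC, VLAN) -> outbound interface.
BASELINE = {
    ("0001-0001-0001", "100"): "10GE1/0/1",
    ("0002-0002-0002", "100"): "10GE1/0/2",  # the table shows 10GE1/0/7
    ("0003-0003-0003", "100"): "10GE1/0/4",  # absent from the table
}

ROW = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+"
    r"(?P<vlan>[^/\s]+)/(?P<vsi>[^/\s]+)/(?P<bd>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<type>\S+)\s+(?P<age>\S+)$",
    re.IGNORECASE,
)
TOTAL = re.compile(r"^Total items:\s*(\d+)$")


def parse_mac_table(text):
    """Return (entries, total) where entries are dicts keyed by column."""
    entries, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            entries.append(row.groupdict())
            continue
        tot = TOTAL.match(line)
        if tot:
            total = int(tot.group(1))
    return entries, total


def audit_static(text, baseline):
    """List differences between displayed static entries and the baseline."""
    entries, total = parse_mac_table(text)
    if total is not None and total != len(entries):
        # Refuse to audit a capture that was truncated or paged.
        raise ValueError("parsed rows do not match 'Total items'")
    seen = {(e["mac"].lower(), e["vlan"]): e["port"]
            for e in entries if e["type"] == "static"}
    findings = []
    for key, port in baseline.items():
        if key not in seen:
            findings.append(("missing", key, port, None))
        elif seen[key] != port:
            findings.append(("wrong-interface", key, port, seen[key]))
    for key, port in seen.items():
        if key not in baseline:
            findings.append(("unexpected", key, None, port))
    return findings


if __name__ == "__main__":
    for kind, key, expected, found in audit_static(SAMPLE_OUTPUT, BASELINE):
        print(kind, key, "expected:", expected, "found:", found)
```

An "unexpected" or "wrong-interface" finding is the case the Follow-up Procedure covers: the entry is incorrect and is deleted with the undo mac-address command.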

display mac-address summary

Function

The display mac-address summary command displays statistics on MAC address entries.

Format

display mac-address summary [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays statistics on MAC address entries of the device with the specified stack ID.

The default value is 1 on an unstacked switch; the value depends on the number of stacked switches.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the device stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the switch has many MAC address entries of different types, you can use the display mac-address summary command to view the summary of MAC address entries in the system.

Precautions

If slot slot-id is specified, this command displays statistics on MAC address entries on the specified device. If this parameter is not specified, this command displays statistics on MAC address entries on all devices.

Example

# View statistics on all MAC address entries in the system.

<HUAWEI> display mac-address summary
Summary information of slot 1:
Capacity of this slot : 131072
-----------------------------------                                              
Static     :               0  
Blackhole  :               1  
Dyn-Local  :               0  
Dyn-Remote :               0  
Dyn-Trunk  :               0  
OAM        :               0  
Sticky     :               0  
Security   :               0  
Authen     :               0  
Guest      :               0  
Mux        :               0  
Tunnel     :               0
Snooping   :               0
Evn        :               0
In-used    :               1  
-----------------------------------
Table 7-12  Description of the display mac-address summary command output

Item

Description

Capacity of this slot

Capacity of the MAC address table. The actual value varies according to device models.

Static

Number of static MAC address entries.

Blackhole

Number of blackhole MAC address entries.

Dyn-Local

Number of MAC address entries learned by the local device.

Dyn-Remote

Number of MAC address entries synchronized from other devices.

Dyn-Trunk

Total number of MAC address entries learned by all Eth-Trunk interfaces.

OAM

Number of MAC address entries related to the OAM function.

The device does not support OAM MAC addresses.

Sticky

Number of sticky MAC address entries.

Security

Number of secure dynamic MAC address entries.

Authen

Number of MAC address entries corresponding to authentication users.

The device does not support authentication of MAC addresses.

Guest

Number of MAC address entries learned by interfaces in the guest VLAN.

The device does not support MAC addresses learned by an interface in a guest VLAN.

Mux

Number of MAC address entries learned by interfaces enabled with the MUX VLAN function.

Tunnel

Number of MAC address entries learned through Layer 2 tunnels.

Snooping

Number of Snooping MAC address entries.

Evn

Number of Evn MAC address entries.

In-used

Total number of existing MAC address entries.
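
For monitoring, the summary output can be turned into a table-utilization check. The following is an added example, not part of the Huawei reference: it parses the layout shown above for each slot and reports slots whose In-used count is close to Capacity, together with the entry type that dominates. The sample values, the 80% threshold, and the assumption that the block repeats once per slot are constructed for illustration.

```python
import re

# Constructed sample; one block per slot in the layout shown above.
TEMPLATE = """\
Summary information of slot {slot}:
Capacity of this slot : 131072
-----------------------------------
Static     : {static:>15}
Blackhole  : {blackhole:>15}
Dyn-Local  : {dyn:>15}
Dyn-Remote :               0
Dyn-Trunk  :               0
OAM        :               0
Sticky     :               0
Security   :               0
Authen     :               0
Guest      :               0
Mux        :               0
Tunnel     :               0
Snooping   :               0
Evn        :               0
In-used    : {used:>15}
-----------------------------------
"""
SAMPLE = (TEMPLATE.format(slot=1, static=4, blackhole=1, dyn=124000, used=124005)
          + TEMPLATE.format(slot=2, static=4, blackhole=1, dyn=0, used=5))

SLOT = re.compile(r"^Summary information of slot (\d+):$")
FIELD = re.compile(r"^([A-Za-z][\w -]*?)\s*:\s*(\d+)$")


def parse_summary(text):
    """Return {slot: {"capacity": int, "counts": {item: int}}}."""
    slots, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT.match(line)
        if m:
            cur = slots.setdefault(int(m.group(1)),
                                   {"capacity": None, "counts": {}})
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            item, value = m.group(1), int(m.group(2))
            if item == "Capacity of this slot":
                cur["capacity"] = value
            else:
                cur["counts"][item] = value
    return slots


def evaluate(slots, warn=0.80):
    """Return alerts as (slot, reason, utilization, dominant entry type)."""
    alerts = []
    for slot, data in sorted(slots.items()):
        capacity = data["capacity"]
        used = data["counts"].get("In-used")
        if not capacity or used is None:
            alerts.append((slot, "incomplete", None, None))
            continue
        ratio = used / capacity
        if ratio >= warn:
            types = {k: v for k, v in data["counts"].items() if k != "In-used"}
            dominant = max(types, key=types.get)
            alerts.append((slot, "high-utilization", round(ratio, 3), dominant))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(parse_summary(SAMPLE)):
        print(alert)
```

A slot dominated by Dyn-Local entries near capacity points at dynamic learning as the source of growth, which is where the learning limit and aging-time settings described elsewhere in this chapter apply.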

display mac-address total-number

Function

The display mac-address total-number command displays the number of MAC address entries of a specified type.

Format

display mac-address total-number [ slot slot-id ]

display mac-address total-number [ vlan vlan-id | interface interface-type interface-number ] *

display mac-address total-number { mux | security | sticky } [ vlan vlan-id | interface interface-type interface-number ] *

display mac-address total-number blackhole [ vlan vlan-id ]

display mac-address total-number dynamic [ vlan vlan-id | interface interface-type interface-number ] *

display mac-address total-number dynamic slot slot-id

display mac-address total-number static [ vlan vlan-id | interface interface-type interface-number ] *

display mac-address total-number snooping [ vlan vlan-id | interface interface-type interface-number ] *

display mac-address total-number trill [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays the number of MAC address entries of the device with a specified stack ID.

The default value is 1 on an unstacked switch; the value depends on the number of stacked switches.

mux

Displays the number of MUX MAC address entries.

-

dynamic

Displays the number of dynamic MAC address entries.

-

security

Displays the number of secure dynamic MAC address entries.

-

sticky

Displays the number of sticky MAC address entries.

-

blackhole

Displays the number of blackhole MAC address entries.

-

static

Displays the number of static MAC address entries.

-

snooping

Displays the number of snooping MAC address entries.

-

vlan vlan-id

Displays the number of MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

interface interface-type interface-number

Displays the number of MAC address entries learned by a specified interface.

-

trill

Displays the number of Trill MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the switch has many MAC address entries of different types, you can use the display mac-address total-number command to view statistics on MAC address entries of a specified type.

Precautions

If no parameter is specified, the total number of MAC address entries in the system is displayed.

If interface-type interface-number is not specified, the total number of MAC addresses learned by all interfaces is displayed.

If vlan vlan-id is not specified, the total number of MAC addresses in all VLANs is displayed.

Example

# Display the number of dynamic MAC address entries.

<HUAWEI> display mac-address total-number dynamic
Total number of mac-address : 20
Table 7-13  Description of the display mac-address total-number command output

Item

Description

Total number of mac-address

Total number of MAC address entries in the system.

display mac-address tunnel

Function

The display mac-address tunnel command displays information about MAC address entries learned through Layer 2 tunnels.

Format

display mac-address tunnel

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about MAC address entries learned through Layer 2 tunnels.

<HUAWEI> display mac-address tunnel
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-       10GE1/0/1           tunnel       4294367295
0000-0000-0001 200/-/-       10GE1/0/2           tunnel                -
-------------------------------------------------------------------------------
Total items: 2 
Table 7-14  Description of the display mac-address tunnel command output

Item

Description

MAC Address

MAC address.

VLAN/VSI/BD

  • VLAN: ID of a VLAN to which an interface belongs
  • VSI: ID of a VSI associated with an interface
  • BD: ID of a bridge domain to which an interface belongs
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Learned-From

Interface on which a MAC address is learned.

Type

Type of a MAC address entry.
  • tunnel: MAC address entries learned through Layer 2 tunnels

Age

Dynamic MAC learned time in seconds.

display mac-address limit

Function

The display mac-address limit command displays the rules that limit the number of learned MAC addresses.

Format

display mac-address limit [ interface-type interface-number | vlan vlan-id ]

Parameters

Parameter

Description

Value

interface-type interface-number

Displays the MAC address limiting rule on a specified interface.
  • interface-type specifies the type of the interface.
  • interface-number specifies the number of the interface.

-

vlan vlan-id

Displays the MAC address limiting rules in a specified VLAN.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check whether MAC address limiting rules are configured correctly, run the display mac-address limit command. If a rule is incorrect, run the mac-address limit command to modify the rule or run the undo mac-address limit all command to delete it.

Precautions

If no parameter is specified, MAC address learning limit rules of all interfaces and VLANs are displayed.

Example

# Display all the MAC address limiting rules.

<HUAWEI> display mac-address limit
MAC Address Limit is enabled
Total MAC Address limit rule count : 1
                                                                
Port                 VLAN/VSI/SI/BD      Slot Maximum Action  Alarm
-------------------------------------------------------------------
10GE1/0/1            2                   --   100     forward enable
Table 7-15  Description of the display mac-address limit command output

Item

Description

MAC Address Limit is enabled

Indicates that MAC address learning limit is enabled.

Total MAC Address limit rule count

Indicates the total number of MAC address learning limit rules.

Port

Interface name.

VLAN/VSI/SI/BD

Indicates the VLAN ID, VSI name, Service Instance (SI) name or BD name to which the interface belongs.
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Maximum

Maximum number of MAC addresses that can be learned. To set the maximum number of MAC addresses, run the mac-address limit command.

Action

Action performed on packets when the number of learned MAC addresses exceeds the maximum number.

Alarm

Whether an alarm is generated when the number of learned MAC addresses exceeds the maximum.
  • enable: indicates that an alarm is generated.
  • disable: indicates that an alarm is not generated.
To enable the alarm function, run the mac-address limit command.

display snmp-agent trap feature-name fei_comm all

Function

The display snmp-agent trap feature-name fei_comm all command displays the status of all trap messages about the forwarding engine instance common module.

Format

display snmp-agent trap feature-name fei_comm all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display snmp-agent trap feature-name fei_comm all command to view the status of all trap messages about the forwarding engine instance common module.

Example

# Display the status of all trap messages about the forwarding engine instance common module.

<HUAWEI> display snmp-agent trap feature-name fei_comm all
------------------------------------------------------------------------------  
Feature name: FEI_COMM                                                          
Trap number : 2                                                                 
------------------------------------------------------------------------------  
Trap name                      Default switch status   Current switch status    
hwPortSecRcvIllegalMacAlarm    on                      on                       
hwXQoSStormControlTrap         on                      on     
Table 7-16  Description of the display snmp-agent trap feature-name fei_comm all command output

Item

Description

Feature name

Name of the module that a trap message belongs to.

Trap number

Number of trap messages.

Trap name

Name of a trap message. The forwarding engine instance common module supports the following trap messages:

  • hwPortSecRcvIllegalMacAlarm: enables the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.
  • hwXQoSStormControlTrap: enables the trap function when the rate of broadcast, multicast, or unknown unicast packets exceeds the threshold.

Default switch status

Status of the default trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Status of the current trap switch:
  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

drop illegal-mac enable

Function

The drop illegal-mac enable command enables the switch to discard packets with an all-0 invalid MAC address.

The undo drop illegal-mac enable command disables the switch from discarding packets with an all-0 invalid MAC address.

By default, the switch does not discard packets with an all-0 MAC address.

NOTE:

CE6870EI and CE6880EI do not support this function.

Format

drop illegal-mac enable

undo drop illegal-mac enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. You can run the drop illegal-mac enable command to configure the switch to discard such packets. After receiving the packets with an all-0 source or destination MAC address, the switch discards the packets and generates alarms.

This command reduces incorrect MAC address entries on the device.

Precautions

If the alarm function is disabled on the device, the network management system cannot receive any alarm message.

Example

# Configure the switch to discard packets with an all-0 invalid MAC address.

<HUAWEI> system-view
[~HUAWEI] drop illegal-mac enable

mac-address aging-time

Function

The mac-address aging-time command sets the aging time of dynamic MAC address entries.

The undo mac-address aging-time command restores the default aging time of dynamic MAC address entries.

By default, the aging time of dynamic MAC address entries is 300 seconds.

Format

mac-address aging-time aging-time

undo mac-address aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of dynamic MAC address entries.

The value is 0 or an integer that ranges from 60 to 1000000, in seconds. The default value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the network topology changes frequently, the switch learns many MAC addresses. You can run the mac-address aging-time command to set a proper aging time for dynamic MAC address entries so that aged MAC address entries are deleted from the MAC address table. This reduces the number of entries in the MAC address table.

The system starts an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), the entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. If the aging time is short, the switch is sensitive to network changes.

When setting the aging time of dynamic MAC address entries, follow these rules:

  • Set a longer aging time on a stable network and a shorter aging time on an unstable network.
  • The capacity of the MAC address table on a low-end device is small; therefore, set a relatively short aging time on low-end devices to save MAC address table space.

Precautions

Dynamic MAC address entries are lost after system restart. Static MAC address entries and blackhole MAC address entries are not aged or lost.

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

If you run the mac-address aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of dynamic MAC address entries to 500 seconds.

<HUAWEI> system-view
[~HUAWEI] mac-address aging-time 500

mac-address blackhole

Function

The mac-address blackhole command configures a blackhole MAC address entry.

The undo mac-address blackhole command deletes a blackhole MAC address entry.

By default, no blackhole MAC address entry is configured.

Format

mac-address blackhole mac-address vlan vlan-id

undo mac-address blackhole [ mac-address ] [ vlan vlan-id ]

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in a blackhole MAC address entry.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF or a multicast MAC address.

vlan vlan-id

Specifies the VLAN ID in a blackhole MAC address entry.

The value is an integer that ranges from 1 to 4094. The VLAN cannot be the reserved VLAN configured by the vlan reserved command.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Blackhole MAC address entries can be used to filter out invalid MAC addresses. To prevent a hacker from using a MAC address to attack a user device or network, configure the MAC address of an untrusted user as the blackhole MAC address. The switch directly discards the received packets where the source or destination MAC address is the blackhole MAC address and the VLAN ID of the packets corresponds to the blackhole MAC address.

Prerequisites

The interface has been added to a VLAN.

Precautions

  • If you configure a blackhole MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
    • If a dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the blackhole MAC address entry replaces the dynamic MAC address entry.
    • If no dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the blackhole MAC address entry cannot be added to the MAC address table.
  • You can run the mac-address blackhole command multiple times to configure multiple blackhole MAC address entries.

Example

# Add a blackhole MAC address entry to the MAC address table. In the blackhole MAC address entry, the MAC address is 0004-0004-0004 and the VLAN ID is 5.

<HUAWEI> system-view
[~HUAWEI] vlan 5
[*HUAWEI-vlan5] quit
[*HUAWEI] mac-address blackhole 0004-0004-0004 vlan 5
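
When blackhole entries are generated from a list of untrusted addresses, the value rules in the Parameters table can be checked before any command is sent to the device. The following is an added example, not part of the Huawei reference: it validates candidates, emits mac-address blackhole lines, and models the discard rule from the Usage Scenario. The function names, candidate list, and reserved VLAN set are constructed; leading-zero padding of a short H group is an assumption, and the real reserved range must be read from the device configuration.

```python
import re

H_H_H = re.compile(r"^([0-9a-f]{1,4})-([0-9a-f]{1,4})-([0-9a-f]{1,4})$", re.I)


def normalize_mac(text):
    """Return the MAC in lowercase 4-digit H-H-H form (short groups 0-padded)."""
    m = H_H_H.match(text.strip())
    if not m:
        raise ValueError(f"not in H-H-H format: {text!r}")
    return "-".join(g.lower().zfill(4) for g in m.groups())


def check_blackhole(mac, vlan, reserved_vlans=frozenset()):
    """Validate one candidate and return the command line for it."""
    norm = normalize_mac(mac)
    if norm == "ffff-ffff-ffff":
        raise ValueError("FFFF-FFFF-FFFF is not allowed")
    if int(norm[:2], 16) & 0x01:  # group bit of the first octet
        raise ValueError("multicast MAC address is not allowed")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1 to 4094")
    if vlan in reserved_vlans:
        raise ValueError("VLAN ID is reserved")
    return f"mac-address blackhole {norm} vlan {vlan}"


def build_config(candidates, reserved_vlans=frozenset()):
    """Return (command lines without duplicates, rejected candidates)."""
    lines, rejected = [], []
    for mac, vlan in candidates:
        try:
            line = check_blackhole(mac, vlan, reserved_vlans)
        except ValueError as exc:
            rejected.append((mac, vlan, str(exc)))
            continue
        if line not in lines:
            lines.append(line)
    return lines, rejected


def is_discarded(src, dst, vlan, blackholes):
    """Model of the rule above: drop if source or destination MAC matches a
    blackhole entry for the VLAN of the packet."""
    return ((normalize_mac(src), vlan) in blackholes
            or (normalize_mac(dst), vlan) in blackholes)


# Constructed input, including values that must be rejected.
RESERVED = frozenset({4001})  # placeholder, not a device default
CANDIDATES = [
    ("0004-0004-0004", 5),
    ("4-4-4", 5),                # same entry written with short groups
    ("e0-FC01-1", 10),
    ("FFFF-FFFF-FFFF", 5),       # broadcast
    ("0100-5e00-0001", 5),       # multicast
    ("0004-0004-0005", 4095),    # VLAN out of range
    ("0004-0004-0006", 4001),    # reserved VLAN in this sample
    ("00:04:00:04:00:04", 5),    # wrong notation
]

if __name__ == "__main__":
    lines, rejected = build_config(CANDIDATES, RESERVED)
    print("\n".join(lines))
    for item in rejected:
        print("rejected:", item)
```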

mac-address drop static-conflict enable

Function

The mac-address drop static-conflict enable command enables the device to discard packets in which the destination MAC address and the configured static MAC address conflict.

The undo mac-address drop static-conflict enable command disables the device from discarding packets in which the destination MAC address and the configured static MAC address conflict.

By default, the device is enabled to discard packets in which the destination MAC address and the configured static MAC address conflict.

NOTE:

Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE6856HI, CE7850EI, CE7855EI, CE8850EI, and CE8860EI support this command.

Format

mac-address drop static-conflict enable

undo mac-address drop static-conflict enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device discards packets in which the destination MAC address and the configured static MAC address conflict. This function reduces the device burden and ensures security.

Example

# Enable the device to discard packets in which the destination MAC address and the configured static MAC address conflict.

<HUAWEI> system-view
[~HUAWEI] mac-address drop static-conflict enable

mac-address flapping aging-time

Function

The mac-address flapping aging-time command sets the aging time of flapping MAC addresses.

The undo mac-address flapping aging-time command restores the default aging time of flapping MAC addresses.

By default, the aging time of flapping MAC addresses is 300 seconds.

Format

mac-address flapping aging-time aging-time

undo mac-address flapping aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of flapping MAC addresses.

The value is an integer that ranges from 60 to 900, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If modifying the aging time of flapping MAC address entries takes a long time, MAC address flapping may occur again and the Error-Down time may be increased. To ensure that the system performs MAC address flapping detection in a timely manner, run the mac-address flapping aging-time command to shorten the aging time of flapping MAC addresses.

Precautions

If you run the mac-address flapping aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of flapping MAC addresses to 500 seconds.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping aging-time 500

mac-address flapping detection

Function

The mac-address flapping detection command enables MAC address flapping detection.

The undo mac-address flapping detection command disables MAC address flapping detection.

By default, MAC address flapping detection is enabled. The detection security level is middle.

Format

mac-address flapping detection [ security-level { low | middle | high } ]

undo mac-address flapping detection [ security-level { low | middle | high } ]

Parameters

Parameter

Description

Value

security-level

Enables or disables MAC address flapping detection with a specific security level.

-

low

Specifies a low security level for MAC address flapping detection. Specifically, after MAC addresses change 50 times, the system considers that MAC address flapping occurs.

-

middle

Specifies a middle security level for MAC address flapping detection. Specifically, after MAC addresses change 10 times, the system considers that MAC address flapping occurs.

-

high

Specifies a high security level for MAC address flapping detection. Specifically, after MAC addresses change 3 times, the system considers that MAC address flapping occurs.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN. The MAC address entry learned later replaces the earlier one.

MAC address flapping occurs in the following situations:

  • Network cables of switches are connected incorrectly or switches use incorrect configurations.
  • Unauthorized users simulate the MAC addresses of valid network devices to attack the network.

MAC address flapping detection enables the Switch to check all MAC addresses. When MAC address flapping occurs, the Switch sends a trap message to the NMS. You can locate the fault according to the trap message. You can also run the display mac-address flapping command to view MAC address flapping records.

By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.

The undo mac-address flapping detection command disables MAC address flapping detection. In this case, a network loop cannot be detected in time.

Example

# Enable global MAC address flapping detection.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection

mac-address flapping detection exclude mac-address

Function

The mac-address flapping detection exclude command adds a MAC address to the flapping detection whitelist, so that the MAC address flapping detection will not be performed for the MAC address.

The undo mac-address flapping detection exclude command deletes a MAC address from the flapping detection whitelist.

By default, no MAC address is added to the MAC flapping detection whitelist.

Format

mac-address flapping detection exclude mac-address mac-address-mask

undo mac-address flapping detection exclude mac-address mac-address-mask

Parameters

Parameter

Description

Value

mac-address

Specifies a MAC address.

The value is in the format of H-H-H. H is a 4-digit hexadecimal number, such as 00e0 and fc01. If an H contains fewer than four hexadecimal digits, it is padded with leading 0s. For example, if an H is e0, it is equal to 00e0.

mac-address-mask

Specifies a MAC address mask.

The value is an integer ranging from 24 to 48.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the system performs flapping detection for all MAC addresses. In some scenarios, for example, when the flapping of a MAC address is caused by a specific device or by operation faults, flapping detection is not needed for this MAC address.

To disable the system from implementing flapping detection for a MAC address, run the mac-address flapping detection exclude command to add the MAC address to the MAC flapping detection whitelist. After configuration, if flapping occurs on the specific MAC address, no MAC flapping alarm or record is generated for this MAC address.

Example

# Add a MAC address to the MAC flapping detection whitelist.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection exclude 1-1-1 48

mac-address flapping detection exclude vlan

Function

The mac-address flapping detection exclude vlan command excludes a VLAN from MAC address flapping detection.

The undo mac-address flapping detection exclude vlan command restores MAC address flapping detection for a VLAN.

By default, the system performs MAC address flapping detection in all VLANs.

Format

mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo mac-address flapping detection exclude vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

Parameters

Parameter

Description

Value

vlan-id1 [ to vlan-id2 ]

Specifies the ID of a VLAN where MAC address flapping detection is not required.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID.

vlan-id2 must be greater than vlan-id1.

You can specify a maximum of 10 VLANs.

  • The value of vlan-id1 is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.
  • The value of vlan-id2 is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

all

Indicates that all VLANs are excluded from MAC address flapping detection.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the system performs MAC address flapping detection in all VLANs. In a data center virtualization scenario (virtual terminal migration), MAC address flapping may occur. This is a normal situation where MAC address flapping detection is not required.

You can run the mac-address flapping detection exclude vlan command to exclude a VLAN from MAC address flapping detection. If MAC address flapping occurs in this VLAN, the virtual terminal does not send a trap message or record this event.

Precautions

If you run the mac-address flapping detection exclude vlan command multiple times, multiple VLANs are configured.

Example

# Exclude VLAN 5 from MAC address flapping detection.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping detection exclude vlan 5
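
To audit which flapping events a configuration silences, the following added example (not Huawei code) parses both exclusion commands described above and checks constructed events against them. It assumes that the saved configuration uses the same syntax as the commands and that mac-address-mask counts leading bits of the address; the sample configuration and events are constructed.

```python
import re

HEX_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")
PREFIX = "mac-address flapping detection exclude "

# Constructed sample configuration and flapping events (MAC, VLAN).
SAMPLE_CONFIG = """\
#
mac-address flapping detection exclude 1-1-1 48
mac-address flapping detection exclude 00e0-fc00-0000 24
mac-address flapping detection exclude vlan 5
mac-address flapping detection exclude vlan 100 to 103 200
#
"""
SAMPLE_EVENTS = [
    ("1-1-1", 10),
    ("00e0-fc12-3456", 10),
    ("00e1-fc12-3456", 10),
    ("286e-d488-c001", 102),
    ("286e-d488-c001", 104),
]


def parse_mac(text):
    """Convert H-H-H to a 48-bit integer; short groups get leading 0s (e0 -> 00e0)."""
    groups = text.split("-")
    if len(groups) != 3 or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"not an H-H-H MAC address: {text!r}")
    return int("".join(g.zfill(4) for g in groups), 16)


def format_mac(value):
    """Render a 48-bit integer in the canonical 4-digit H-H-H form."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_vlan_list(tokens):
    """Expand 'vlan-id1 [ to vlan-id2 ]' items into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        first = last = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            last = int(tokens[i + 2])
            if last <= first:
                raise ValueError("vlan-id2 must be greater than vlan-id1")
            i += 3
        else:
            i += 1
        if first < 1 or last > 4094:
            raise ValueError(f"VLAN ID out of range 1-4094: {first}-{last}")
        vlans.update(range(first, last + 1))
    return vlans


def parse_exclusions(config_text):
    """Return (mac_rules, vlan_ids) configured in the given configuration text."""
    mac_rules, vlan_ids = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        args = line[len(PREFIX):].split()
        if args and args[0] == "vlan":
            vlan_ids |= parse_vlan_list(args[1:])
        elif len(args) == 2:
            mask = int(args[1])
            if not 24 <= mask <= 48:
                raise ValueError(f"mask out of range 24-48: {line!r}")
            mac_rules.append((parse_mac(args[0]), mask))
        else:
            raise ValueError(f"unrecognized exclusion: {line!r}")
    return mac_rules, vlan_ids


def suppression_reason(mac_text, vlan, mac_rules, vlan_ids):
    """Return why a flapping event would raise no alarm or record, or None."""
    mac = parse_mac(mac_text)
    for base, mask in mac_rules:
        shift = 48 - mask  # assumption: the mask counts leading bits
        if mac >> shift == base >> shift:
            return f"whitelist {format_mac(base)}/{mask}"
    if vlan in vlan_ids:
        return f"excluded vlan {vlan}"
    return None


def audit(config_text, events):
    """Return (addresses covered per whitelist rule, excluded VLANs, per-event reason)."""
    mac_rules, vlan_ids = parse_exclusions(config_text)
    coverage = {f"{format_mac(b)}/{m}": 2 ** (48 - m) for b, m in mac_rules}
    silent = {(m, v): suppression_reason(m, v, mac_rules, vlan_ids) for m, v in events}
    return coverage, sorted(vlan_ids), silent


if __name__ == "__main__":
    coverage, vlans, silent = audit(SAMPLE_CONFIG, SAMPLE_EVENTS)
    print("whitelist coverage:", coverage)
    print("excluded VLANs:", vlans)
    for event, reason in silent.items():
        print(event, "->", reason or "alarm and record generated")
```

A 24-bit mask covers every address under one prefix, so the coverage count is a quick way to spot whitelist entries that silence far more than a single host.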

mac-address flapping periodical trap enable

Function

The mac-address flapping periodical trap enable command enables the function to periodically report MAC address flapping traps.

The undo mac-address flapping periodical trap enable command disables the function to periodically report MAC address flapping traps.

By default, the function to periodically report MAC address flapping traps is disabled.

Format

mac-address flapping periodical trap enable

undo mac-address flapping periodical trap enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configuring global MAC address flapping detection helps to check whether MAC addresses flap. If MAC address flapping occurs, a trap is generated. By default, a trap is reported every 30 minutes. To check promptly whether MAC address flapping occurs, run the mac-address flapping periodical trap enable command to enable the function to periodically report MAC address flapping traps.

Follow-up Procedure

Run the mac-address flapping periodical trap interval interval command to set the interval at which MAC address flapping traps are reported.

Example

# Enable the function to periodically report MAC address flapping traps.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping periodical trap enable

mac-address flapping periodical trap interval

Function

The mac-address flapping periodical trap interval command sets the interval at which MAC address flapping traps are reported.

The undo mac-address flapping periodical trap interval command restores the default value.

By default, the interval at which MAC address flapping traps are reported is 2 minutes.

Format

mac-address flapping periodical trap interval interval

undo mac-address flapping periodical trap interval [ interval ]

Parameters

Parameter Description Value
interval Specifies the interval at which MAC address flapping traps are reported. The value is an integer ranging from 2 to 30, in minutes.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Configuring global MAC address flapping detection helps to check whether MAC addresses flap. If MAC address flapping occurs, a trap is generated. By default, a trap is reported every 30 minutes. To check promptly whether MAC address flapping occurs, run the mac-address flapping periodical trap interval interval command to set the interval at which MAC address flapping traps are reported.

Prerequisites

The function to periodically report MAC address flapping traps has been enabled using the mac-address flapping periodical trap enable command.

Example

# Set the interval at which MAC address flapping traps are reported to 5 minutes.

<HUAWEI> system-view
[~HUAWEI] mac-address flapping periodical trap interval 5

mac-address flapping trigger

Function

The mac-address flapping trigger command configures an interface to enter the Error-Down state when MAC address flapping is detected on the interface.

The undo mac-address flapping trigger command cancels the configuration.

By default, an interface is not configured to enter the Error-Down state when MAC address flapping is detected on the interface.

Format

mac-address flapping trigger error-down

undo mac-address flapping trigger error-down

Parameters

Parameter

Description

Value

error-down

Shuts down an interface when MAC address flapping is detected on the interface.

-

Views

GE interface view, 10GE interface view, 40GE interface view, 25GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the user network where the device is deployed does not support loop prevention protocols, configure the device to shut down the interfaces where MAC address flapping occurs. This reduces the impact of MAC address flapping on the user network.

The device shuts down an interface when detecting MAC address flapping on the interface. Only one interface can be shut down during one aging time configured by the mac-address flapping aging-time command.

NOTE:

This command can be configured for all interfaces and is only valid for Move-Port.

Precautions

Do not run the mac-address flapping trigger command on uplink interfaces.

The device enabled with MAC address flapping detection can only detect loops on a single point, but cannot obtain the entire network topology. If the user network connected to the device supports loop prevention protocols, use the loop prevention protocols instead of MAC address flapping detection.

When the action is set to error-down, if MAC address flapping occurs, the interface enters the Error-Down state and the device sends an alarm to the NMS. The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off. You can run the display error-down recovery command to check information about all interfaces in Error-Down state on the device.

When the interface is in Error-Down state, check the cause. You can use the following modes to restore the interface status:
  • Manual (after the interface enters the Error-Down state)

    When there are few interfaces in Error-Down state, you can run the shutdown and undo shutdown commands in the interface view or run the restart command to restore the interface.

  • Auto (before the interface enters the Error-Down state)

    If there are many interfaces in Error-Down state, the manual mode creates a heavy workload and the configuration of some interfaces may be overlooked. To prevent this problem, run the error-down auto-recovery cause mac-address-flapping interval interval-value command in the system view to enable an interface in Error-Down state to go Up and set a recovery delay. You can run the display error-down recovery command to view automatic recovery information about the interface.

    NOTE:

    This mode is invalid for the interface that has entered the Error-Down state, and is only valid for the interface that enters the Error-Down state after the error-down auto-recovery cause mac-address-flapping interval interval-value command is used.

When the system detects MAC address flapping, the interface enters the Error-Down state. If faults are not rectified, you can run the shutdown and undo shutdown commands or the restart command to restart the interface. Within the aging time of dynamic MAC address entries, the interface does not enter the Error-Down state when MAC address flapping occurs.

Example

# Shut down 10GE1/0/1 when MAC address flapping is detected.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] mac-address flapping trigger error-down

mac-address hash-mode

Function

The mac-address hash-mode command configures a MAC hash algorithm on the device.

The undo mac-address hash-mode command restores the default MAC hash algorithm on the device.

By default, the device uses crc32-lower.

NOTE:
Only the CE5810EI, CE5850HI, CE6800 series (excluding CE6870EI and CE6880EI), CE7800 series, and CE8800 series support this command.

Format

mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb }

undo mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb }

Parameters

Parameter

Description

Value

crc16-lower

Indicates the hash algorithm based on low order bits of CRC16.

-

crc16-upper

Indicates the hash algorithm based on high order bits of CRC16.

-

crc32-lower

Indicates the hash algorithm based on low order bits of CRC32.

-

crc32-upper

Indicates the hash algorithm based on high order bits of CRC32.

-

lsb

Indicates the hash algorithm based on the lowest bit of the key value.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device uses a hash algorithm to improve MAC address forwarding performance. If multiple MAC addresses match a key value, a hash conflict occurs.

When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast. This results in heavy broadcast traffic on the device. If such a problem occurs, use an appropriate hash algorithm to reduce the hash conflict.

Precautions

  • MAC addresses are distributed on a network randomly, so the system cannot determine the best hash algorithm. Generally, the default hash algorithm is the best one, so do not change the hash algorithm unless you have a special requirement.

  • An appropriate hash algorithm can only reduce hash conflicts, but cannot prevent them.

  • After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect.

  • If you run the mac-address hash-mode command multiple times, only the latest configuration takes effect.

Example

# Set the hash algorithm on the device to crc16-lower.

<HUAWEI> system-view
[~HUAWEI] mac-address hash-mode crc16-lower

mac-address learning disable (Interface view and VLAN view)

Function

The mac-address learning disable command disables MAC address learning.

The undo mac-address learning disable command enables MAC address learning.

By default, MAC address learning is enabled.

Format

mac-address learning disable [ action { discard | forward } ]

undo mac-address learning disable

Parameters

Parameter

Description

Value

action

Indicates the action that the interface takes after MAC address learning is disabled.

  • This parameter takes effect only in the interface view and port group view, and the specified interface must be a Layer 2 interface.

  • You can use this parameter to determine whether packets are forwarded when the specified interface does not need to learn MAC addresses.

By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled.

-

discard

Discards the packets whose source MAC addresses do not match the MAC address table.

-

forward

Forwards the packets according to the MAC address table.

-

Views

GE interface view, 10GE interface view, 40GE interface view, 25GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want an interface to forward only packets with certain MAC addresses, use this command. For example, if an interface is connected to a server, configure a static MAC address entry with the MAC address of the server, and then disable MAC address learning and set the action to discard on the interface. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security.

When a switch with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the switch forwards the frames through the corresponding outbound interface according to the MAC address entry. MAC address learning reduces broadcast packets on a network.

You can use the mac-address learning disable command to disable MAC address learning on an interface. The action performed on received packets can be set to discard or forward.

  • When the action is set to forward, the switch searches for the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the switch forwards the packet according to the MAC address entry. If the source MAC address is not found, the switch broadcasts the packet.
  • When the action is set to discard, the switch searches for the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the switch forwards the packet according to the MAC address entry. If the source MAC address is not found, the switch discards the packet. The default action is forward.

Precautions

After MAC address learning is disabled on an interface, the device does not learn new MAC addresses on the interface, but untrusted terminals can still access the network.

Example

# Disable MAC address learning on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[*HUAWEI-10GE1/0/1] mac-address learning disable

mac-address learning disable (VLAN view)

Function

The mac-address learning disable command disables MAC address learning.

The undo mac-address learning disable command enables MAC address learning.

By default, MAC address learning is enabled.

Format

mac-address learning disable

undo mac-address learning disable

Parameters

None

Views

VLAN view, VLAN-Range view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve the device security, configure the VLANs where only packets with specified MAC addresses are allowed. After MAC address learning is disabled, the AR does not learn new MAC addresses from a VLAN. Communication cannot be implemented through this VLAN, so the network stability and security are improved.

When the switch enabled with MAC address learning receives an Ethernet frame, it records the source MAC address of the Ethernet frame and adds it to a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the switch forwards the frames through the corresponding outbound interface based on the MAC address entry. MAC address learning reduces broadcast packets on a network.

Example

# Disable MAC address learning in VLAN 2.

<HUAWEI> system-view
[~HUAWEI] vlan 2
[*HUAWEI-vlan2] mac-address learning disable

mac-address learning disable (traffic behavior view)

Function

The mac-address learning disable command disables MAC address learning in a traffic behavior.

The undo mac-address learning disable command enables MAC address learning in a traffic behavior.

By default, MAC address learning is enabled in a traffic behavior.

Format

mac-address learning disable

undo mac-address learning disable

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-address learning disable command is used in the following scenarios:

  • When a network is running stably and the MAC address of packets is fixed, a device does not need to learn MAC addresses of other packets. To save MAC addresses and improve device efficiency, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.
  • Some unauthorized users may change MAC addresses frequently to attack the network. To prevent MAC address overflow and protect device performance, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.

Follow-up Procedure

Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing the action of disabling MAC address learning.

Precautions

Example

# Disable MAC address learning in the traffic behavior test.

<HUAWEI> system-view
[~HUAWEI] traffic behavior test
[*HUAWEI-behavior-test] mac-address learning disable

mac-address notification

Function

The mac-address notification command enables the trap function for MAC address learning or aging.

The undo mac-address notification command disables the trap function for MAC address learning or aging.

By default, the trap function for MAC address learning or aging is disabled.

Format

mac-address notification { aging | learning | all }

undo mac-address notification { aging | learning | all }

Parameters

Parameter

Description

Value

aging

Enables the trap function for MAC address aging.

-

learning

Enables the trap function for MAC address learning.

-

all

Enables the trap function for MAC address learning and aging.

-

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

To learn of MAC address changes in a timely manner, run the mac-address notification command to enable the trap function for MAC address learning or aging.

Example

# Enable the trap function for MAC address learning on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] mac-address notification learning

mac-address notification interval

Function

The mac-address notification interval command sets the interval at which the device checks MAC address learning or aging.

The undo mac-address notification interval command restores the default interval at which the device checks MAC address learning or aging.

By default, the device checks MAC address learning or aging at intervals of 10s.

Format

mac-address notification interval interval-time

undo mac-address notification interval [ interval-time ]

Parameters

Parameter

Description

Value

interval-time

Specifies the interval at which the device checks MAC address learning or aging.

The value is an integer that ranges from 10 to 600, in seconds. The default value is 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the mac-address notification command is used to enable the trap function for MAC address learning or aging, the device periodically checks whether MAC addresses are learned or aged. You can run the mac-address notification interval command to set the interval.

Example

# Set the interval at which the device checks MAC address learning or aging to 20s.

<HUAWEI> system-view
[~HUAWEI] mac-address notification interval 20

mac-address static vlan

Function

The mac-address static vlan command configures a static MAC address entry.

The undo mac-address static vlan command deletes a static MAC address entry.

By default, no static MAC address entry is configured.

Format

mac-address static mac-address interface-type interface-number vlan vlan-id

undo mac-address static [ interface-type interface-number | vlan vlan-id ] *

undo mac-address static mac-address interface-type interface-number vlan vlan-id

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in a static MAC address entry.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF or a multicast MAC address.

interface-type interface-number

Specifies the outbound interface in a static MAC address entry.

-

vlan vlan-id

Specifies the ID of the VLAN that the outbound interface belongs to.

The value is an integer that ranges from 1 to 4094. The VLAN cannot be the reserved VLAN configured by the vlan reserved command.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Static MAC address entries are used for the following purposes:
  • Improve security. The device directly discards packets sent from unauthorized users using authorized users' MAC addresses.
  • Guide unicast forwarding and save bandwidth.

Precautions

  • The VLAN in a static MAC address entry must have been created, and the outbound interface in the same entry must have been added to the VLAN.
  • If you configure a static MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
    • If a dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry replaces the dynamic MAC address entry.
    • If no dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry cannot be added to the MAC address table.
  • You can run the mac-address static command multiple times to configure multiple static MAC address entries.
  • If there is a MAC address that is generated based on DHCP snooping binding entries, the MAC address cannot be configured as a static MAC address.

Example

# Add a static MAC address entry to the MAC address table. In the MAC address entry, the destination MAC address is 0003-0003-0003, the VLAN ID is 4, and the outbound interface is 10ge1/0/2. That is, the device forwards packets with the destination MAC address of 0003-0003-0003 from VLAN 4 through 10ge1/0/2.

<HUAWEI> system-view
[~HUAWEI] vlan 4
[*HUAWEI-vlan4] quit
[*HUAWEI] interface 10ge 1/0/2
[*HUAWEI-10GE1/0/2] port link-type access
[*HUAWEI-10GE1/0/2] port default vlan 4
[*HUAWEI-10GE1/0/2] quit
[*HUAWEI] mac-address static 0003-0003-0003 10ge 1/0/2 vlan 4

mac-address update arp enable

Function

The mac-address update arp enable command enables the MAC address-triggered ARP entry update function. That is, the Switch is enabled to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

The undo mac-address update arp enable command disables the MAC address-triggered ARP entry update function.

By default, the MAC address-triggered ARP entry update function is enabled.

Format

mac-address update arp enable

undo mac-address update arp enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding. The ARP entries that define the mapping between IP addresses and MAC addresses guide communication between devices on different network segments.

The outbound interface in a MAC address entry is updated by packets, whereas the outbound interface in an ARP entry is updated after the aging time is reached. In this case, the outbound interfaces in the MAC address entry and ARP entry may be different. To address this issue, run the mac-address update arp enable command to enable the Switch to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

In data center virtualization scenarios, when the location of a virtual machine (VM) changes, user traffic on the network may be interrupted if the VM cannot send gratuitous ARP messages promptly to update ARP entries on the gateway. In this case, the device relearns ARP entries by exchanging ARP messages only after ARP entries on the gateway age.

When the VM location is changed after MAC-ARP association is enabled and a gateway's MAC entries are updated upon receipt of Layer 2 user traffic, ARP entries and outbound interface information are updated as follows to accelerate Layer 3 traffic convergence:
  • If ARP entries exist and the outbound interface of MAC entries is inconsistent with that of ARP entries, ARP entries are updated based on MAC entries, and outbound interface information is updated.
  • If ARP entries do not exist, a broadcast suppression table is searched based on MAC entries and ARP probe is re-initiated to update ARP entries and outbound interface information.

Precautions

  • This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change.

  • The mac-address update arp enable command does not take effect after ARP entry fixing is enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command.

  • After the mac-address update arp enable command is run, the Switch updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.

  • By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs for more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.

Example

# Enable the MAC address-triggered ARP entry update function.

<HUAWEI> system-view
[~HUAWEI] mac-address update arp enable

mac-address learning priority

Function

The mac-address learning priority command sets the MAC address learning priority of an interface.

The undo mac-address learning priority command restores the default MAC learning priority of an interface.

By default, the MAC address learning priority of an interface is 0.

NOTE:

Only the CE6870EI and CE6880EI switches do not support this command.

Format

mac-address learning priority priority-id

undo mac-address learning priority

Parameters

Parameter

Description

Value

priority priority-id

Specifies the MAC address learning priority of an interface.

The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

GE interface view, 10GE interface view, 40GE interface view, 25GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, run the mac-address learning priority command to set the priority of the uplink interface to be higher than the user-side interfaces. When these interfaces learn the same MAC address, the MAC address entry learned by the uplink interface overrides MAC address entries learned by the user-side interfaces. Therefore, the switch will not learn MAC addresses of unauthorized users, and authorized users can access the server and use network resources.

You can run the undo mac-address learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority.

Both the undo mac-address learning priority allow-flapping command and the mac-address learning priority command can prevent MAC address flapping. The difference between the two commands is as follows:

  • The undo mac-address learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the CE8800, CE7800, CE6800, and CE5800 series switches after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
  • The mac-address learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Precautions

If you run the mac-address learning priority command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the MAC address learning priority of 10GE1/0/2 to 3.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] mac-address learning priority 3

mac-address learning priority allow-flapping

Function

The mac-address learning priority allow-flapping command allows MAC address flapping between interfaces with the same priority.

The undo mac-address learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority.

By default, MAC address flapping between interfaces with the same priority is allowed.

NOTE:

Only the CE6870EI and CE6880EI switches do not support this command.

Format

mac-address learning priority priority-id allow-flapping

undo mac-address learning priority priority-id allow-flapping

Parameters

Parameter

Description

Value

priority priority-id

Specifies the MAC address learning priority of an interface.

The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, you can run the undo mac-address learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority. A MAC address will then not be learned by multiple interfaces. This prevents attackers from using the MAC addresses of valid devices to attack the switch.

Both the mac-address learning priority command and the undo mac-address learning priority allow-flapping command can prevent MAC address flapping. The difference between the two commands is as follows:

  • The undo mac-address learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
  • The mac-address learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Example

# Forbid MAC address flapping between interfaces with priority 1.

<HUAWEI> system-view
[~HUAWEI] undo mac-address learning priority 1 allow-flapping
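
The difference between the two commands, described here and under mac-address learning priority, can be traced with a small model of the learning decision. This is an added example, not device code: the MacLearner class, the interface roles, and the treatment of a powered-off server as removal of its entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed values: the server MAC, VLAN and interface roles are illustrative.
SERVER_MAC, VLAN = "0003-0003-0003", 4
UPLINK, USER = "10GE1/0/1", "10GE1/0/2"


@dataclass
class MacLearner:
    """Hypothetical model of priority-aware MAC learning (priorities 0 to 3)."""
    port_priority: dict  # interface name -> learning priority
    allow_flapping: dict = field(default_factory=lambda: {p: True for p in range(4)})
    table: dict = field(default_factory=dict)  # (vlan, mac) -> interface

    def learn(self, vlan, mac, port):
        """Process a frame with source `mac` received on `port`; return the outcome."""
        key = (vlan, mac)
        owner = self.table.get(key)
        if owner is None:
            self.table[key] = port
            return "learned"
        if owner == port:
            return "refreshed"
        new_prio = self.port_priority.get(port, 0)
        old_prio = self.port_priority.get(owner, 0)
        if new_prio > old_prio:
            # The entry learned by the higher-priority interface overrides.
            self.table[key] = port
            return "overridden"
        if new_prio < old_prio:
            return "rejected: lower priority"
        if self.allow_flapping[new_prio]:
            self.table[key] = port
            return "moved (flapping)"
        return "rejected: flapping forbidden"

    def remove(self, vlan, mac):
        """Assumption: a powered-off server's entry disappears from the table."""
        self.table.pop((vlan, mac), None)


def spoof_after_power_off(learner):
    """Replay the scenario from the text and return (outcomes, final interface)."""
    steps = [
        learner.learn(VLAN, SERVER_MAC, UPLINK),  # real server is online
        learner.learn(VLAN, SERVER_MAC, USER),    # forged MAC while server is up
    ]
    learner.remove(VLAN, SERVER_MAC)              # server is powered off
    steps.append(learner.learn(VLAN, SERVER_MAC, USER))    # forged MAC is learned
    steps.append(learner.learn(VLAN, SERVER_MAC, UPLINK))  # real server returns
    return steps, learner.table[(VLAN, SERVER_MAC)]


def compare():
    """Run the scenario under the default and under each of the two commands."""
    default = MacLearner({UPLINK: 0, USER: 0})
    no_flap = MacLearner({UPLINK: 0, USER: 0})
    no_flap.allow_flapping[0] = False  # undo mac-address learning priority 0 allow-flapping
    by_prio = MacLearner({UPLINK: 3, USER: 0})  # mac-address learning priority 3 on the uplink
    return {
        "default": spoof_after_power_off(default),
        "undo allow-flapping": spoof_after_power_off(no_flap),
        "learning priority": spoof_after_power_off(by_prio),
    }


if __name__ == "__main__":
    for name, (steps, final) in compare().items():
        print(f"{name}: {steps} -> entry on {final}")
```

In the model, both commands reject the forged address while the server is online, but only the priority setting lets the entry return to the uplink once the real server is back.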

mac-address limit

Function

The mac-address limit command sets the maximum number of MAC addresses that can be learned.

The undo mac-address limit command cancels the configuration.

By default, the number of learned MAC addresses is not limited.

Format

mac-address limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } *

undo mac-address limit

Parameters

| Parameter | Description | Value |
|---|---|---|
| action { discard \| forward } | Indicates the action to be taken when the number of learned MAC address entries reaches the limit. discard: discards packets with new source MAC addresses. forward: forwards packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table. If no action is specified in the command, the default action discard is used in interface view, and forward is used in VLAN view. | - |
| alarm { disable \| enable } | Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit. disable: No alarm is generated when the number of learned MAC addresses reaches the limit. enable: An alarm is generated when the number of learned MAC addresses reaches the limit. If you do not set this parameter in the command, the alarm function is enabled by default. | - |
| maximum max-num | Sets the maximum number of MAC addresses that can be learned. | The value is a decimal integer ranging from 0 to 32767. The value 0 indicates that the highest rate of MAC address learning is not limited. |

Views

VLAN view, VLAN-Range view, GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-address limit command limits the number of access users and prevents attacks on the MAC address table. You can enable the function to improve network security.

Precautions

When the number of learned MAC addresses reaches the limit, the switch forwards the packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table.

The mac-address limit and port-security enable commands cannot be used on the same interface.

If a device has learned some MAC addresses on an interface or VLAN, you can run the reset mac-address command to clear the learned MAC address entries; otherwise, the maximum number of the MAC addresses that can be learned is inaccurate.

NOTE:
  • This command is valid for new online users and invalid for existing online users.

  • This command is invalid for packets forwarded at Layer 3.

  • After MAC address limiting is configured on an interface, the VXLAN packets received by an interface on a switch model excluding the CE6870EI or CE6880EI are not affected by this function.

  • When the maximum number of learned MAC addresses in the VLAN view is reached, and the user host uses another interface to connect to the device due to physical position change, the device does not learn the new MAC address and the user cannot go online. You can use the following solutions:
    • If the user host's physical position is fixed, limit the number of learned MAC addresses in the VLAN view.
    • If the user host's physical position often changes, do not limit the number of learned MAC addresses in the VLAN view.

Example

# Set the maximum number of MAC addresses that can be learned by 10GE1/0/2 to 30, and configure the device to generate an alarm when the number of learned MAC addresses reaches the limit.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] mac-address limit alarm enable maximum 30
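
The following added example (not part of the Huawei documentation) parses a mac-address limit command line into its effective settings, applying the per-view defaults from the parameter table, and reports findings a reviewer would check. The function names, the per-view sample lines, and the reading of maximum 0 as "no limit" are assumptions made for this illustration.

```python
ALLOWED = {"action": {"discard", "forward"}, "alarm": {"disable", "enable"}}

def parse_limit(command, view):
    """Resolve one 'mac-address limit ...' line to its effective settings.

    view is "interface" or "vlan"; defaults follow the parameter table."""
    tokens = command.split()
    if tokens[:2] != ["mac-address", "limit"] or len(tokens) < 4:
        raise ValueError("expected: mac-address limit <keyword> <value> ...")
    eff = {"maximum": None,          # None: not set by this command
           "action": "discard" if view == "interface" else "forward",
           "alarm": "enable"}
    seen, it = set(), iter(tokens[2:])
    for key in it:
        value = next(it, None)
        if key in seen or value is None:
            raise ValueError(f"repeated or incomplete keyword: {key}")
        seen.add(key)
        if key == "maximum" and value.isdigit() and int(value) <= 32767:
            eff["maximum"] = int(value)
        elif value in ALLOWED.get(key, ()):
            eff[key] = value
        else:
            raise ValueError(f"invalid: {key} {value}")
    return eff

def audit(view, lines):
    """Return review findings for the commands configured in one view."""
    limits = [l for l in lines if l.startswith("mac-address limit")]
    if not limits:
        return ["no mac-address limit: learning is unlimited by default"]
    eff, findings = parse_limit(limits[-1], view), []
    if "port-security enable" in lines:
        findings.append("conflicts with port-security enable")
    if not eff["maximum"]:
        findings.append("no effective maximum (unset or 0)")
    if eff["action"] == "forward":
        findings.append("frames from new MACs are still forwarded at the limit")
    if eff["alarm"] == "disable":
        findings.append("no alarm when the limit is reached")
    return findings

# Constructed sample: per-view command lines, not output from a real device.
SAMPLE = {
    ("interface", "10GE1/0/2"): ["mac-address limit alarm enable maximum 30"],
    ("interface", "10GE1/0/3"): ["mac-address limit maximum 0 action forward",
                                 "port-security enable"],
    ("vlan", "100"): ["mac-address limit maximum 500 alarm disable"],
}

if __name__ == "__main__":
    for (view, name), lines in SAMPLE.items():
        print(view, name, audit(view, lines) or "ok")
```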

mac-address miss action discard

Function

The mac-address miss action discard command configures the system to discard the packets that do not match any MAC address entry in a VLAN.

The undo mac-address miss action discard command restores the default configuration. That is, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

By default, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

Format

mac-address miss action discard

undo mac-address miss action discard

Parameters

None

Views

VLAN view, VLAN-Range view

Default Level

2: Configuration level

Usage Guidelines

When a DHCP user goes offline, the MAC address entry of the user ages. If there are packets destined for this user, the system cannot find the MAC address entry, so it broadcasts the packets to all interfaces in the VLAN. In this case, all users can receive the packets. This affects packet security. The mac-address miss action discard command can reduce workload on the device and improve packet security.

Example

# Configure the system to discard the packets that do not match any MAC address entry in VLAN 100.

<HUAWEI> system-view
[~HUAWEI] vlan 100
[*HUAWEI-vlan100] mac-address miss action discard
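
The following added example (not part of the Huawei documentation) models one VLAN to show which interfaces receive a frame under the mac-address limit actions and under mac-address miss action discard. The Vlan class is a simplified assumption about learning and forwarding, not the device's implementation, and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field

PORTS = ["10GE1/0/1", "10GE1/0/2", "10GE1/0/3"]
SERVER, USER = "00e0-fc00-0001", "00e0-fc00-0002"   # constructed MAC addresses

@dataclass
class Vlan:
    """Simplified model of one VLAN's learning and forwarding (an assumption,
    not the device's implementation)."""
    ports: list
    limit: dict = field(default_factory=dict)   # port -> (max_num, action)
    miss_discard: bool = False                  # mac-address miss action discard
    table: dict = field(default_factory=dict)   # learned MAC -> port

    def receive(self, in_port, src, dst):
        """Learn src if allowed, then return the ports the frame leaves on."""
        if src not in self.table:
            max_num, action = self.limit.get(in_port, (0, None))
            learned = sum(1 for p in self.table.values() if p == in_port)
            if max_num == 0 or learned < max_num:   # 0 means no limit
                self.table[src] = in_port
            elif action == "discard":
                return []                           # over limit: drop the frame
            # action "forward": frame is forwarded, src is not learned
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]  # port bridge disabled
        if self.miss_discard:
            return []                               # miss: drop instead of flood
        return [p for p in self.ports if p != in_port]

def aged_user_delivery(miss_discard):
    """Ports that receive a frame sent to a user whose entry has aged out."""
    v = Vlan(PORTS, miss_discard=miss_discard)
    v.receive("10GE1/0/2", USER, SERVER)    # user learned on 10GE1/0/2
    v.receive("10GE1/0/1", SERVER, USER)    # server learned on 10GE1/0/1
    del v.table[USER]                       # user offline, entry aged out
    return v.receive("10GE1/0/1", SERVER, USER)

def over_limit(action):
    """Fate of the third new source MAC on a port limited to 2 entries."""
    v = Vlan(PORTS, limit={"10GE1/0/3": (2, action)})
    for i in range(3):
        out = v.receive("10GE1/0/3", f"00e0-fc00-01{i:02x}", SERVER)
    learned = [m for m, p in v.table.items() if p == "10GE1/0/3"]
    return out, len(learned)

if __name__ == "__main__":
    print(aged_user_delivery(False), aged_user_delivery(True))
    print(over_limit("discard"), over_limit("forward"))
```

With the forward action, the over-limit source is never learned, so traffic addressed to it is itself a miss and is broadcast in the VLAN unless miss action discard is configured.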

port bridge enable

Function

The port bridge enable command enables the port bridge function on an interface. The interface then can forward packets whose source and destination MAC addresses are both learned by this interface.

The undo port bridge enable command disables the port bridge function.

By default, the port bridge function is disabled on an interface.

NOTE:

CE6880EI does not support this command.

Format

port bridge enable

undo port bridge enable

Parameters

None

Views

GE interface view, 10GE interface view, 40GE interface view, 25GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet.

After the port bridge function is enabled on the interface, the interface forwards such a packet if the destination MAC address of the packet is in the MAC address table.

The port bridge function is used in the following scenarios:

The device is used as an access device in a data center and is connected to servers. Each server is configured with multiple virtual machines. The virtual machines need to transmit data to each other. If data between virtual machines is transmitted on the server, the data transmission rate and server performance may be affected. To improve the data transmission rate and server performance, enable the port bridge function on the interfaces connected to the servers so that the device forwards data packets between the virtual machines.

Example

# Enable the port bridge function on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10GE 1/0/1
[~HUAWEI-10GE1/0/1] port bridge enable

reset mac-address

Function

The reset mac-address command deletes dynamically learned MAC address entries on a device.

Format

reset mac-address mac-address [ vlan vlan-id ]

reset mac-address interface-type interface-number [ vlan vlan-id ]

reset mac-address vlan vlan-id [ interface-type interface-number ]

reset mac-address

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Deletes a MAC address entry mapped to a MAC address. | The value is in the format of H-H-H. Each H is a 4-bit hexadecimal number, such as 00e0 or fc01. If an H contains less than 4 bits, 0s are padded ahead. For example, an H is e0. It is displayed as 00e0 in the MAC address. The MAC address cannot be a broadcast MAC address (FFFF-FFFF-FFFF) or a multicast MAC address (the eighth bit is 1). |
| vlan vlan-id | Deletes a MAC address entry with a specified VLAN ID. | The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command. |
| interface-type interface-number | Deletes a MAC address entry on a specified interface. | - |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To delete dynamically learned MAC address entries (for example, entries to be discarded), run the reset mac-address command.

Prerequisites

Before running the reset mac-address vlan command to delete MAC address entries in a specified VLAN, ensure that the VLAN has been created.

Precautions

After the reset mac-address command is run, the dynamically learned MAC address entries are deleted and cannot be restored. Exercise caution before running this command. To prevent incorrect deletion of available MAC address entries, specify the VLAN ID or interface name for a MAC address entry to be deleted.

Example

# Delete a specified MAC address entry.

<HUAWEI> reset mac-address 1-1-1

# Delete MAC address entries mapped to a specified VLAN ID.

<HUAWEI> reset mac-address vlan 10

# Delete MAC address entries on a specified interface.

<HUAWEI> reset mac-address 10ge 1/0/1

# Delete MAC address entries based on the VLAN to which a specified interface belongs.

<HUAWEI> reset mac-address 10ge 1/0/1 vlan 10

reset mac-address flapping record

Function

The reset mac-address flapping record command clears MAC address flapping records.

Format

reset mac-address flapping record [ all ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| all | Clears all MAC address flapping records, including historical and active ones. | - |

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before collecting MAC address flapping statistics, run the reset mac-address flapping record command to clear the current statistics.

Precautions

  • The reset mac-address flapping record command clears only MAC address flapping records in which MAC addresses do not flap. To clear all MAC address flapping records, specify all.

  • After clearing MAC address flapping records, you can run the display mac-address flapping command to view current MAC address flapping records.

  • The cleared MAC address flapping records cannot be restored.

  • When MAC address flapping occurs in a VLAN or BD and the loop is not eliminated, if the interface is added to or removed from an Eth-Trunk, the values of Original-Port and Move-Ports in MAC address flapping records remain unchanged. After the loop is eliminated, delete MAC address flapping entries and perform detection again. This prevents incorrect source and flapped interfaces from being detected, the loop from being located incorrectly, and the punishment action (Error-Down state or storm control) from being delivered to the incorrect flapped interface.

Example

# Clear MAC address flapping records.

<HUAWEI> reset mac-address flapping record

snmp-agent trap enable feature-name fei_comm trap-name hwportsecrcvillegalmacalarm

Function

The snmp-agent trap enable feature-name fei_comm trap-name hwportsecrcvillegalmacalarm command enables the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.

The undo snmp-agent trap enable feature-name fei_comm trap-name hwportsecrcvillegalmacalarm command disables the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.

By default, the trap function for invalid MAC addresses is enabled after the number of secure MAC addresses reaches the maximum.

Format

snmp-agent trap enable feature-name fei_comm [ trap-name hwportsecrcvillegalmacalarm ]

undo snmp-agent trap enable feature-name fei_comm [ trap-name hwportsecrcvillegalmacalarm ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables the trap function for the specified event. | - |
| hwportsecrcvillegalmacalarm | Enables the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum. | - |

Views

System view

Default Level

3: Management level

Usage Guidelines

You can run this command to enable the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.

Example

# Enable the trap function for invalid MAC addresses after the number of secure MAC addresses reaches the maximum.

<HUAWEI> system-view
[~HUAWEI] snmp-agent trap enable feature-name fei_comm trap-name hwportsecrcvillegalmacalarm

undo mac-address

Function

The undo mac-address command deletes one or more MAC address entries.

Format

undo mac-address { interface-type interface-number | vlan vlan-id } *

undo mac-address mac-address [ vlan vlan-id ]

undo mac-address [ mac-address ] vlan vlan-id

undo mac-address all

NOTE:

The command cannot delete dynamically learned MAC address entries. For details on how to delete dynamically learned MAC address entries on a device, see reset mac-address.

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a MAC address entry to be deleted. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF or a multicast MAC address. |
| interface-type interface-number | Specifies the interface in a MAC address entry to be deleted. | - |
| vlan vlan-id | Specifies the VLAN ID in a MAC address entry to be deleted. | The value is an integer that ranges from 1 to 4094. The VLAN cannot be the reserved VLAN configured by the vlan reserved command. |
| all | Deletes all static, blackhole, security, and sticky MAC address entries. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A MAC address table saves a limited number of MAC addresses. If the MAC address table is full, the device cannot learn new MAC address entries until old MAC addresses are aged out. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless MAC address entries to release the MAC address table space.

You can delete some of the MAC address entries as required. For example:
  • If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
  • If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Example

# Delete all MAC address entries.

<HUAWEI> system-view
[~HUAWEI] undo mac-address all

# Delete all MAC address entries on 10ge1/0/1.

<HUAWEI> system-view
[~HUAWEI] undo mac-address 10ge 1/0/1

# Delete all MAC address entries in VLAN 5.

<HUAWEI> system-view
[~HUAWEI] undo mac-address vlan 5

# Delete all MAC address entries in which the MAC address is 0004-0004-0004.

<HUAWEI> system-view
[~HUAWEI] undo mac-address 0004-0004-0004

undo mac-address limit all

Function

The undo mac-address limit all command deletes all MAC address limiting rules.

Format

undo mac-address limit all

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command deletes all the rules configured by the mac-address limit command.

Precautions

Before using this command, run the display mac-address limit command to check the MAC address limiting rules and confirm your operation.

Example

# Delete all MAC address limiting rules.

<HUAWEI> system-view
[~HUAWEI] undo mac-address limit all
Updated: 2019-03-21

Document ID: EDOC1000166501
