S1720, S2700, S5700, and S6720 V200R011C10 Command Reference
This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
MAC Address Table Configuration Commands
- Command Support
- display bridge mac-address
- display mac-address
- display mac-address aging-time
- display mac-address blackhole
- display mac-address dynamic
- display mac-address flapping
- display mac-address flapping record
- display mac-address hash-mode
- display mac-address mux
- display mac-address oam
- display mac-address static
- display mac-address summary
- display mac-address total-number
- display mac-limit
- display snmp-agent trap feature-name l2if all
- display snmp-agent trap feature-name l2ifppi all
- drop illegal-mac alarm
- drop illegal-mac enable
- mac-address aging-time
- mac-address blackhole
- mac-address destination hit aging enable
- mac-address flapping action
- mac-address flapping action priority
- mac-address flapping aging-time
- mac-address flapping detection
- mac-address flapping detection exclude vlan
- mac-address flapping detection security-level
- mac-address flapping quit-vlan recover-time
- mac-address hash-bucket-mode
- mac-address hash-mode
- mac-address learning disable (interface view and VLAN view)
- mac-address learning disable (traffic behavior view)
- mac-address static vlan
- mac-address threshold-alarm
- mac-address trap hash-conflict enable
- mac-address trap hash-conflict history
- mac-address trap hash-conflict interval
- mac-address trap notification
- mac-address trap notification interval
- mac-address update arp
- mac-learning priority
- mac-learning priority allow-flapping
- mac-learning priority flapping-defend action
- mac-limit
- mac-spoofing-defend enable (interface view)
- mac-spoofing-defend enable (system view)
- port bridge enable
- remark destination-mac
- reset mac-address flapping record
- snmp-agent trap enable feature-name l2if
- snmp-agent trap enable feature-name l2ifppi
- undo mac-address
- undo mac-address temporary
- undo mac-limit all
display bridge mac-address
display mac-address
Function
The display mac-address command displays the MAC address table of the switch. A MAC address entry contains the destination MAC address, VLAN ID or VSI, outbound interface, and entry type.
Format
display mac-address [ mac-address ] [ vlan vlan-id | vsi vsi-name ] [ verbose ]
display mac-address [ vlan vlan-id | interface-type interface-number ] * [ verbose ]
Parameters
Parameter | Description | Value |
---|---|---|
mac-address | Specifies the destination MAC address in an entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter fewer than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
vlan vlan-id | Displays MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
vsi vsi-name | Displays MAC address entries in a specified VSI. vsi-name specifies the name of a VSI. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
interface-type interface-number | Displays the MAC address entries with a specified outbound interface. | - |
verbose | Displays detailed information about MAC address entries. | - |
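As an added example that is not part of the Huawei document, the following Python applies the rules given above for the mac-address parameter: each H group is zero-padded to four hex digits (e0 becomes 00e0), and FFFF-FFFF-FFFF, 0000-0000-0000 and multicast addresses are rejected. The function names are this example's own.

```python
import re

# Added example (not from the Huawei document): apply the rules the command
# reference gives for the mac-address parameter of display mac-address.
# Function names are this example's own.

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")


def normalize_hhh(mac: str) -> str:
    """Return mac in canonical H-H-H form: three lower-case groups of 4 hex digits.

    The device pads a group of fewer than four digits with leading zeros
    (e0 -> 00e0); this function does the same so that values compare equal
    to what the MAC address table prints.
    """
    groups = mac.strip().split("-")
    if len(groups) != 3:
        raise ValueError(f"expected H-H-H format, got {mac!r}")
    padded = []
    for group in groups:
        if not _HEX_GROUP.match(group):
            raise ValueError(f"invalid hexadecimal group {group!r} in {mac!r}")
        padded.append(group.lower().zfill(4))
    return "-".join(padded)


def is_multicast(mac_hhh: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is set."""
    first_octet = int(mac_hhh[0:2], 16)
    return bool(first_octet & 0x01)


def validate_display_mac_parameter(mac: str) -> str:
    """Normalise a value for display mac-address [ mac-address ] or raise ValueError.

    The reference excludes FFFF-FFFF-FFFF, 0000-0000-0000 and multicast
    addresses, none of which can be a unicast destination in the table.
    """
    canon = normalize_hhh(mac)
    if canon == "ffff-ffff-ffff":
        raise ValueError("the broadcast address is not accepted")
    if canon == "0000-0000-0000":
        raise ValueError("the all-zero address is not accepted")
    if is_multicast(canon):
        raise ValueError(f"{canon} is a multicast address and is not accepted")
    return canon


def is_valid_display_mac_parameter(mac: str) -> bool:
    """Boolean convenience wrapper around validate_display_mac_parameter."""
    try:
        validate_display_mac_parameter(mac)
    except ValueError:
        return False
    return True
```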
Usage Guidelines
Usage Scenario
The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.
The display mac-address command displays all MAC address entries, such as dynamic MAC address entries, static MAC address entries, and blackhole MAC address entries. A MAC address entry contains the destination MAC address, VLAN ID or VSI, outbound interface, and entry type.
Follow-up Procedure
If any MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address static command to add a correct one.
Precautions
If you run the display mac-address command without parameters, all MAC address entries are displayed.
- The displayed information is repeatedly refreshed, so you cannot find the required information.
- The system traverses and retrieves information for a long time, and does not respond to any request.
Example
# Display all MAC address entries.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-                           GE0/0/1             dynamic
0000-0000-0001 200/-/-                           GE0/0/2             static
-------------------------------------------------------------------------------
Total items displayed = 2
# Display detailed information about all MAC address entries in VLAN 10.
<HUAWEI> display mac-address vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : 0000-0000-0001   VLAN : 10
Learned-From: GE0/0/2          Type : dynamic
-------------------------------------------------------------------------------
Total items displayed = 1
Item | Description |
---|---|
MAC Address | Destination MAC address in a MAC address entry. |
VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
Learned-From | Interface that learns a MAC address. |
Type | Type of a MAC address entry. NOTE: Among existing MAC address entries, only MAC addresses of the dynamic type can be overwritten as MAC addresses of other types. |
display mac-address aging-time
Function
The display mac-address aging-time command displays the aging time of dynamic MAC address entries in the MAC address table.
Usage Guidelines
Usage Scenario
This command displays the aging time of dynamic MAC address entries on the switch. You can check whether the aging time is suitable for network requirements and device performance.
Follow-up Procedure
If the aging time is unsuitable for requirements or device performance, run the mac-address aging-time command to set the aging time properly.
Precautions
If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.
Example
# Display the aging time of dynamic MAC address entries.
<HUAWEI> display mac-address aging-time
Aging time: 300 second(s)
Item | Description |
---|---|
Aging time | Aging time of dynamic MAC address entries, in seconds. To set the aging time, run the mac-address aging-time command. |
display mac-address blackhole
Parameters
Parameter | Description | Value |
---|---|---|
vlan vlan-id | Displays blackhole MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
vsi vsi-name | Displays blackhole MAC address entries of a specified virtual switch instance (VSI). vsi-name specifies the name of a VSI. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
verbose | Displays detailed information about blackhole MAC address entries. | - |
Usage Guidelines
Usage Scenario
The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.
- Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
- Static MAC entries that are manually configured and will not be aged out.
- Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.
To check whether blackhole MAC address entries are configured correctly, run this command. These entries ensure communication between authorized users.
Follow-up Procedure
If any blackhole MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address blackhole command to add a correct one.
Precautions
If you run the display mac-address blackhole command without parameters, all blackhole MAC address entries are displayed.
If the MAC address table does not contain any blackhole MAC address, no information is displayed.
Example
# Display all blackhole MAC address entries.
<HUAWEI> display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           -                   blackhole
0000-0000-0001 200/-/-                           -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 2
# Display blackhole MAC address entries in VLAN 100.
<HUAWEI> display mac-address blackhole vlan 100
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           -                   blackhole
0000-0000-0001 100/-/-                           -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 2
Item | Description |
---|---|
MAC Address | Destination MAC address in a blackhole MAC address entry. |
VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
Learned-From | When the type of a MAC address entry is blackhole, "-" is displayed. |
Type | Type of a MAC address entry. blackhole: a blackhole MAC address entry, which is configured manually using the mac-address blackhole command and will not be aged out. |
display mac-address dynamic
Format
display mac-address dynamic [ [ slot ] slot-id ] [ vlan vlan-id | interface-type interface-number ] * [ verbose ]
display mac-address dynamic [ [ slot ] slot-id ] [ vsi vsi-name [ peer ip-address ] ] [ verbose ]
Parameters
Parameter | Description | Value |
---|---|---|
slot slot-id | Displays dynamic MAC address entries on a specified board. | The value is an integer and must be the slot ID of a running board. |
vlan vlan-id | Displays dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
vsi vsi-name | Displays dynamic MAC address entries of a specified virtual switch instance (VSI). vsi-name specifies the name of a VSI. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
peer ip-address | Displays the dynamic MAC address entry mapped to a specified peer IPv4 address. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | - |
interface-type interface-number | Displays dynamic MAC address entries with a specified outbound interface. | - |
verbose | Displays detailed information about dynamic MAC address entries. | - |
Usage Guidelines
Usage Scenario
The MAC address table needs to be updated constantly because the network topology always changes. You can use this command to view learned MAC addresses in real time.
Follow-up Procedure
If the displayed dynamic MAC address entries are invalid, run the undo mac-address command to delete dynamic MAC address entries.
Precautions
If you run the display mac-address dynamic command without parameters, all dynamic MAC address entries are displayed.
If the MAC address table does not contain any dynamic MAC address entry, no information is displayed.
- The displayed information is repeatedly refreshed, so you cannot find the required information.
- The system traverses and retrieves information for a long time, and does not respond to any request.
Example
# Display all dynamic MAC address entries.
<HUAWEI> display mac-address dynamic
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/1             dynamic
0000-0000-0001 200/-/-                           GE0/0/2             dynamic
-------------------------------------------------------------------------------
Total items displayed = 2
# Display all dynamic MAC address entries in VLAN 9.
<HUAWEI> display mac-address dynamic vlan 9
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0000-0007-0122 9/-/-                             GE0/0/1             dynamic
0000-0007-0106 9/-/-                             GE0/0/1             dynamic
0000-0007-0114 9/-/-                             GE0/0/1             dynamic
-------------------------------------------------------------------------------
Total items displayed = 3
# Display detailed information about all dynamic MAC address entries in VLAN 9.
<HUAWEI> display mac-address dynamic vlan 9 verbose
-------------------------------------------------------------------------------
MAC Address : 0000-0007-0117   VLAN: 9
Learned-From: GE0/0/1          Type: dynamic

MAC Address : 0000-0007-0133   VLAN: 9
Learned-From: GE0/0/1          Type: dynamic

MAC Address : 0000-0007-0121   VLAN: 9
Learned-From: GE0/0/1          Type: dynamic
-------------------------------------------------------------------------------
Total items displayed = 3
Item | Description |
---|---|
MAC Address | Destination MAC address in a dynamic MAC address entry. |
VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
Learned-From | Interface that learns a MAC address. |
Type | Type of a MAC address entry. dynamic: a MAC address entry learned by the switch, which will be aged out when the aging time expires. |
display mac-address flapping
Function
The display mac-address flapping command displays the configuration of MAC address flapping detection.
Usage Guidelines
Usage Scenario
After MAC address flapping detection is configured, you can run the display mac-address flapping command to check the configuration.
The command output includes the following information:
- Whether MAC address flapping detection is configured.
- Aging time of flapping MAC addresses.
- Delay time before the interface joins a VLAN again after it is removed from the VLAN.
- VLAN that does not require MAC address flapping detection.
- List of VLANs of the three security levels defined for MAC address flapping detection.
Example
# Display the configuration of MAC address flapping detection.
<HUAWEI> display mac-address flapping
MAC address Flapping Configurations :
----------------------------------------------------------------------------
Flapping detection : Enable
Aging time(sec) : 300
Quit VLAN Recover time(min) : 10
Exclude VLAN list : -
Low level VLAN list : -
Middle level VLAN list : 1 to 4094
High level VLAN list : -
----------------------------------------------------------------------------
Item | Description |
---|---|
Flapping detection | MAC address flapping detection status. To specify the parameter, run the mac-address flapping detection command. |
Aging time(sec) | Aging time of flapping MAC addresses. To specify the parameter, run the mac-address flapping aging-time command. |
Quit VLAN Recover time(min) | Delay time before the interface joins a VLAN again after it is removed from the VLAN. To specify the parameter, run the mac-address flapping quit-vlan recover-time command. The default value is 10. If the value is 0, the interface cannot join a VLAN again after it is removed from the VLAN. |
Exclude VLAN list | VLAN that does not require MAC address flapping detection. To specify the parameter, run the mac-address flapping detection exclude vlan command. If such a VLAN is specified, the VLAN ID is displayed. If the VLAN is not specified, this field is displayed as -. |
Low level VLAN list | List of VLANs of low security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection security-level command. |
Middle level VLAN list | List of VLANs of middle security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection security-level command. |
High level VLAN list | List of VLANs of high security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection security-level command. |
display mac-address flapping record
Parameters
Parameter | Description | Value |
---|---|---|
slot slot-id | Displays MAC address flapping records on a stacked device. | The value is an integer and is determined by the stack ID of the device. If no stacking is configured, the value is 0. |
begin YYYY/MM/DD HH:MM:SS | Displays MAC address flapping records generated from the specified time to the current time. YYYY/MM/DD indicates year/month/date. HH:MM:SS indicates hour:minute:second. | |
Usage Guidelines
Usage Scenario
The display mac-address flapping record command output helps locate the position where MAC address flapping occurs.
Precautions
The command output is displayed only when MAC address flapping has occurred.
Example
# Display all MAC address flapping records.
<HUAWEI> display mac-address flapping record
S : start time
E : end time
(Q) : quit VLAN
(D) : error down
-------------------------------------------------------------------------------
Move-Time              VLAN  MAC-Address     Original-Port   Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2011-08-31 17:22:36  300   0000-0000-0007  Eth-Trunk1      Eth-Trunk2     81
E:2011-08-31 17:22:44
-------------------------------------------------------------------------------
Total items on slot 0: 1
# Display MAC address flapping records generated from 2012/06/04 09:00:00 to the current time.
<HUAWEI> display mac-address flapping record begin 2012/06/04 09:00:00
S : start time
E : end time
(Q) : quit VLAN
(D) : error down
-------------------------------------------------------------------------------
Move-Time              VLAN  MAC-Address     Original-Port   Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2012-06-04 17:22:38  300   0000-0000-0007  Eth-Trunk2      Eth-Trunk1     5
E:2012-06-04 17:22:42
-------------------------------------------------------------------------------
Total items on slot 0: 1
Item | Description |
---|---|
Move-Time | Start time and end time at which MAC address flapping occurs. If DST is configured, the flapping start time or end time is displayed with a DST mark, for example: StartTime: 2012-02-02 15:54:10 DST. |
VLAN | VLAN where MAC address flapping occurs. |
MAC-Address | Flapping MAC address. NOTE: Only one MAC address that flaps is displayed for the same VLAN on the same device. |
Original-Port | Port that learns the MAC address first. |
Move-Ports | Ports that learn the MAC address later. |
MoveNum | Number of times the MAC address has flapped. NOTE: The maximum value is 65535. When the number of times the MAC address has flapped exceeds 65535, the MoveNum field still displays 65535. |
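The record layout above is easy to consume from a monitoring script. As an added Python example (not from the Huawei document), the following parses S:/E: record pairs in that layout, tolerating the DST mark and the 65535 counter ceiling described in the table, and returns the records a defender should look at first. The sample output is constructed; that the (Q)/(D) legend marker is appended to the Move-Ports value is an assumption of this example, and the names are its own.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the layout of the display mac-address flapping record
# examples above (addresses, ports and times are made up for this example).
# Whether the (Q)/(D) marker from the legend is appended to the Move-Ports
# column is an assumption of this example; the reference shows only the legend.
SAMPLE_RECORD_OUTPUT = """\
<HUAWEI> display mac-address flapping record
S : start time
E : end time
(Q) : quit VLAN
(D) : error down
-------------------------------------------------------------------------------
Move-Time              VLAN  MAC-Address     Original-Port   Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2011-08-31 17:22:36  300   0000-0000-0007  Eth-Trunk1      Eth-Trunk2     81
E:2011-08-31 17:22:44
S:2011-08-31 17:30:00  301   0000-0000-0009  GE0/0/3         GE0/0/4(Q)     12
E:2011-08-31 17:30:30
-------------------------------------------------------------------------------
Total items on slot 0: 2
"""

MOVENUM_CEILING = 65535  # the MoveNum field stops counting here, per the reference

_TIME = r"(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)(?: DST)?"
_START = re.compile(
    r"^S:" + _TIME + r"\s+(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
    r"\s+(?P<orig>\S+)\s+(?P<moved>\S+)\s+(?P<num>\d+)\s*$",
    re.IGNORECASE,
)
_END = re.compile(r"^E:" + _TIME + r"\s*$")
_ACTION = re.compile(r"^(?P<port>.+?)\((?P<act>[QD])\)$")


@dataclass
class FlappingRecord:
    vlan: int
    mac: str
    original_port: str
    move_port: str
    action: Optional[str]   # "Q" (quit VLAN), "D" (error down) or None
    move_num: int
    start: datetime
    end: Optional[datetime] = None

    @property
    def duration_seconds(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()

    @property
    def counter_saturated(self) -> bool:
        """MoveNum stays at 65535 once exceeded, so 65535 means 'at least 65535'."""
        return self.move_num >= MOVENUM_CEILING


def parse_flapping_records(text: str) -> List[FlappingRecord]:
    """Pair each S: line with the E: line that follows it."""
    records: List[FlappingRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _START.match(line)
        if m:
            port, action = m["moved"], None
            a = _ACTION.match(port)
            if a:
                port, action = a["port"], a["act"]
            records.append(FlappingRecord(
                vlan=int(m["vlan"]), mac=m["mac"].lower(),
                original_port=m["orig"], move_port=port, action=action,
                move_num=int(m["num"]),
                start=datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            ))
            continue
        e = _END.match(line)
        if e and records and records[-1].end is None:
            records[-1].end = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
    return records


def records_needing_attention(records: List[FlappingRecord],
                              min_moves: int = 50) -> List[FlappingRecord]:
    """Records with a high flap count, or where the device already acted on the port."""
    return [r for r in records if r.move_num >= min_moves or r.action is not None]
```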
display mac-address hash-mode
Function
The display mac-address hash-mode command displays the running hash mode and configured hash mode on the device.
The S5720HI does not support this command.
Usage Guidelines
Usage Scenario
After a hash mode is configured, you can run the display mac-address hash-mode command to check the configuration.
Precautions
After the hash algorithm is changed, restart the device for the configuration to take effect.
Example
# Display the running hash mode and configured hash mode on the device.
<HUAWEI> display mac-address hash-mode
MAC address hash mode status:
--------------------------------------------
Slot   CurMode        CfgMode
--------------------------------------------
0      crc16-lower    crc32-lower
--------------------------------------------
Item | Description |
---|---|
Slot | Stack ID. |
CurMode | Running hash mode on the device. After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect. |
CfgMode | Configured hash mode on the device. To specify the parameter, run the mac-address hash-mode command. |
display mac-address mux
Parameters
Parameter | Description | Value |
---|---|---|
vlan vlan-id | Displays MUX MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
interface-type interface-number | Displays MUX MAC address entries with a specified outbound interface. | - |
verbose | Displays detailed information about MUX MAC address entries. If this parameter is not specified, brief information about MUX MAC address entries is displayed. | - |
Usage Guidelines
Usage Scenario
The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. A MUX MAC address entry is learned by a MUX VLAN enabled interface. The learned MUX MAC address entries are deleted after the switch restarts.
After configuring the MUX VLAN function, you can run the display mac-address mux command to check whether the learned MUX MAC address entries are correct.
Follow-up Procedure
If the displayed MUX MAC address entries are invalid, run the undo mac-address command to delete MUX MAC address entries.
Precautions
If you run the display mac-address mux command without parameters, all MUX MAC address entries are displayed.
If the MAC address table does not contain any MUX MAC address entry, no information is displayed.
- The displayed information is repeatedly refreshed, so you cannot find the required information.
- The system traverses and retrieves information for a long time, and does not respond to any request.
Example
# Display all MUX MAC address entries.
<HUAWEI> display mac-address mux
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/2             mux
-------------------------------------------------------------------------------
Total items displayed = 1
# Display detailed information about all MUX MAC address entries in VLAN 10.
<HUAWEI> display mac-address mux vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : 0000-0000-0001   VLAN : 10
Learned-From: GE0/0/2          Type : mux
-------------------------------------------------------------------------------
Total items displayed = 1
Item | Description |
---|---|
MAC Address | Destination MAC address in a MUX MAC address entry. |
VLAN/VSI/BD | ID of the VLAN, name of the virtual switch instance (VSI), or ID of the BD that a MAC address belongs to. |
Learned-From | Interface that learns a MAC address. |
Type | Type of a MAC address entry. mux: a MAC address entry learned by a MUX VLAN enabled interface. |
display mac-address oam
Function
The display mac-address oam command displays information about MAC address entries of the OAM type.
Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this command.
Usage Guidelines
Usage Scenario
VPLS data forwarding depends on MAC address learning. Data packets in a VPLS domain can be correctly forwarded only when the MAC addresses of the data packets are correctly learned by PEs.
MAC populate is used to check whether MAC addresses can be learned by devices in a VSI by populating an OAM MAC address into the VPLS domain.
If the devices in a specified VSI in the VPLS domain have learned the populated MAC address, running the display mac-address oam command can display detailed information about the populated OAM MAC address.
MAC purge is used to purge the populated OAM MAC address.
If the learned OAM MAC address is purged on the device, running the display mac-address oam command can show that the learned OAM MAC address has been purged.
Prerequisites
- Configuring the diagnosis of the OAM MAC address learning capacity is completed before you check detailed information about the populated OAM MAC address.
- Purging the OAM MAC address learned by the devices on the VPLS network is completed before you check whether the OAM MAC has been purged.
Example
# Display MAC address entries of the OAM type in the MAC address table.
<HUAWEI> display mac-address oam
------------------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From              Type
------------------------------------------------------------------------------------------
0000-0000-0010 -/vsi1/-                          GigabitEthernet0/0/1      OAM-PU
0000-0000-0020 -/vsi1/-                          GigabitEthernet0/0/1      OAM-PO
------------------------------------------------------------------------------------------
Total items displayed = 2
Item | Description |
---|---|
MAC Address | MAC address of the OAM type. |
VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
Learned-From | Interface on which the MAC addresses of the OAM type are configured. |
Type | OAM type of the MAC address. |
display mac-address static
Format
display mac-address static [ vsi vsi-name ] [ verbose ]
display mac-address static [ vlan vlan-id | interface-type interface-number ] * [ verbose ]
Parameters
Parameter | Description | Value |
---|---|---|
vlan vlan-id | Displays static MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
vsi vsi-name | Displays static MAC address entries in a specified VSI. vsi-name specifies the name of a VSI. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
interface-type interface-number | Displays the static MAC address entries on a specified interface. | - |
verbose | Displays detailed information about static MAC address entries. | - |
Usage Guidelines
Usage Scenario
The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.
- Static MAC entries that are manually configured and will not be aged out.
- Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
- Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.
To improve network security, configure static MAC address entries to ensure that packets destined for specified MAC addresses are forwarded by the specified interfaces. This prevents attack packets with bogus MAC addresses and guarantees communication between the switch and the upstream device or server. After configuring static MAC address entries, you can run the display mac-address static command to verify the configuration.
Follow-up Procedure
If any static MAC address entry is incorrect, run the undo mac-address command to delete it.
Precautions
If you run the display mac-address static command without parameters, all static MAC address entries are displayed.
If the MAC address table does not contain any static MAC address entry, no information is displayed.
Example
# Display all static MAC address entries.
<HUAWEI> display mac-address static
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0000-0000-0033 100/-/-                           GE0/0/1             static
0000-0000-0001 200/-/-                           GE0/0/2             static
-------------------------------------------------------------------------------
Total items displayed = 2
# Display detailed information about all static MAC address entries in VLAN 10.
<HUAWEI> display mac-address static vlan 10 verbose
-------------------------------------------------------------------------------
MAC Address : 0000-0000-0001   VLAN : 10
Learned-From: GE0/0/1          Type : static
-------------------------------------------------------------------------------
Total items displayed = 1
Item | Description |
---|---|
MAC Address | Destination MAC address in a static MAC address entry. |
VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
Learned-From | Interface that learns a MAC address. |
Type | Type of a MAC address entry. static: a static MAC address entry, which is configured manually using the mac-address static vlan, mac-address static vlanif, mac-address static vsi, mac-address static bridge-domain, or mac-address static bridge-domain vni command and will not be aged out. |
display mac-address summary
Usage Guidelines
Usage Scenario
The MAC address table of the device stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.
When the switch has many MAC address entries of different types, run this command to view statistics on the entries of each type.
Precautions
If slot slot-id is specified, this command displays statistics on MAC address entries on the specified board. If this parameter is not specified, this command displays statistics on MAC address entries on all boards.
- If no static or blackhole MAC addresses are configured on the device, the statistics for these two entry types are 0.
- If MAC address learning is disabled on the device, the statistics for dynamic MAC address entries are 0. To enable MAC address learning again, run the undo mac-address learning disable command in the Ethernet interface view.
Example
# View statistics on all MAC address entries in the system.
<HUAWEI> display mac-address summary
Summary information of slot 0:
-----------------------------------
Static : 2
Blackhole : 0
Dyn-Local : 0
Dyn-Remote : 0
Dyn-Trunk : 0
Sticky : 0
Security : 0
Sec-config : 0
Authen : 0
Guest : 0
Mux : 0
Snooping : 0
Pre-Mac : 0
In-used : 5
Capacity : 32768
-----------------------------------
Item | Description |
---|---|
Static | Number of static MAC address entries. |
Blackhole | Number of blackhole MAC address entries. |
Dyn-Local | Number of MAC address entries learned by the local board. |
Dyn-Remote | Number of MAC address entries synchronized from other boards. |
Dyn-Trunk | Total number of MAC address entries learned by all trunk interfaces. |
Sticky | Number of sticky MAC address entries. |
Security | Number of secure dynamic MAC address entries. |
Sec-config | Number of secure static MAC address entries. |
Authen | Number of MAC address entries corresponding to authentication users. |
Guest | Number of MAC address entries learned by interfaces in the guest VLAN. |
Mux | Number of MAC address entries learned by interfaces enabled with the MUX VLAN function. |
Snooping | Number of Snooping MAC address entries. |
Pre-Mac | Number of Pre-authen MAC address entries. |
In-used | Total number of existing MAC address entries. |
Capacity | Capacity of the MAC address table. The actual value varies according to device models. |
display mac-address total-number
Function
The display mac-address total-number command displays the number of MAC address entries of a specified type.
Format
display mac-address total-number [ slot slot-id ]
display mac-address total-number [ vsi vsi-name ]
display mac-address total-number [ vlan vlan-id | interface-type interface-number ] *
display mac-address total-number vlan all
display mac-address total-number { mux | security | sticky | sec-config | snooping | pre-authen | authen } [ vlan vlan-id | interface-type interface-number ] *
display mac-address total-number blackhole [ vlan vlan-id | vsi vsi-name ]
display mac-address total-number dynamic [ slot slot-id ] [ vlan vlan-id | interface-type interface-number ] *
display mac-address total-number dynamic [ slot slot-id ] [ vsi vsi-name ]
display mac-address total-number static [ vlan vlan-id | interface-type interface-number ] *
display mac-address total-number static vsi vsi-name
Parameters
| Parameter | Description | Value |
|---|---|---|
| slot slot-id | Displays the number of MAC address entries on a specified board. | The value is an integer and must be the slot ID of a running board. |
| mux | Displays the number of MUX MAC address entries. | - |
| dynamic | Displays the number of dynamic MAC address entries. | - |
| security | Displays the number of secure dynamic MAC address entries. | - |
| sec-config | Displays the number of secure static MAC address entries. | - |
| snooping | Displays the number of static MAC address entries generated based on the dynamic DHCP snooping binding table. | - |
| pre-authen | Displays the number of static MAC address entries corresponding to a user in pre-connection state after NAC authentication is enabled. | - |
| authen | Displays the number of static MAC address entries that are generated after a user passes NAC authentication. | - |
| sticky | Displays the number of sticky MAC address entries. | - |
| blackhole | Displays the number of blackhole MAC address entries. | - |
| static | Displays the number of static MAC address entries. | - |
| vlan vlan-id | Displays the number of MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| vlan all | Displays the number of MAC address entries in all VLANs. | - |
| interface-type interface-number | Displays the number of MAC address entries learned by a specified interface. | - |
| vsi vsi-name | Displays the number of MAC address entries in a specified VSI. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Guidelines
Usage Scenario
The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.
When the switch has many MAC address entries of different types, you can use the display mac-address total-number command to view statistics on MAC address entries of a specified type.
Precautions
If no parameter is specified, the total number of MAC address entries in the system is displayed.
If interface-type interface-number is not specified, the total number of MAC addresses learned by all interfaces is displayed.
If interface-type interface-number is specified, the total number of MAC address entries in the VLAN where the interface resides is displayed.
If vlan vlan-id is not specified, the total number of MAC addresses in all VLANs is displayed.
display mac-limit
Function
The display mac-limit command displays the rules that limit the number of learned MAC addresses.
Parameters
| Parameter | Description | Value |
|---|---|---|
| interface-type interface-number | Displays the MAC address limiting rule on a specified interface. | - |
| vlan vlan-id | Displays the MAC address limiting rules in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| vsi vsi-name | Displays the MAC address limiting rules in a specified VSI. vsi-name specifies the name of a VSI. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Guidelines
Usage Scenario
To check whether MAC address limiting rules are configured correctly, run the display mac-limit command. If a rule is incorrect, run the mac-limit command to modify the rule or run the undo mac-limit all command to delete it.
Precautions
If no parameter is specified, MAC address learning limit rules of all interfaces, VSIs, and VLANs are displayed.
Example
# Display the MAC address limiting rule on GigabitEthernet0/0/1.
<HUAWEI> display mac-limit GigabitEthernet 0/0/1
GigabitEthernet0/0/1 MAC limit:
Maximum MAC count 1000, used count 0
Action: forward, Alarm: enable
# Display all the MAC address limiting rules.
<HUAWEI> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 1
PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
GE0/0/1 - - 100 - forward enable
| Item | Description |
|---|---|
| GigabitEthernet 0/0/1 MAC limit: | MAC address limiting rule for the interface. To specify the parameters, run the mac-limit command. |
| Maximum MAC count | Maximum number of MAC addresses that can be learned. |
| used count | Number of MAC addresses that have been learned. |
| Total MAC Limit rule count | Number of configured MAC address limiting rules. |
| PORT | Name of an interface. |
| VLAN/VSI/SI | ID of a VLAN, VSI name, or service instance (SI) name. |
| SLOT | Slot ID of the board where a MAC address limiting rule is configured. |
| Maximum | Maximum number of MAC addresses that can be learned. To set the maximum number of MAC addresses, run the mac-limit command. |
| Rate(ms) | Interval at which MAC addresses are learned. |
| Action | Action performed on packets when the number of learned MAC addresses exceeds the maximum. forward: forwards packets with new source MAC addresses. |
| Alarm | Whether an alarm is generated when the number of learned MAC addresses exceeds the maximum. |
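The counters from display mac-address summary and the rules from display mac-limit are what an operator watches to catch a MAC table being filled up. The following is an added example (not code from this command reference) that parses text shaped like the outputs shown on this page and flags a table or per-port limit close to exhaustion; the sample outputs, the 90% threshold and the second rule row are constructed for the example.

```python
"""Capacity check over Huawei MAC table statistics (added example).

Parses text shaped like 'display mac-address summary' and 'display mac-limit'
as shown on this page. Sample outputs and thresholds are constructed.
"""
import re

# Constructed sample, shaped like the page's 'display mac-address summary' output.
SUMMARY_OUTPUT = """\
Summary information of slot 0:
-----------------------------------
Static : 2
Blackhole : 0
Dyn-Local : 29500
Dyn-Remote : 0
Dyn-Trunk : 0
Sticky : 0
Security : 0
Sec-config : 0
Authen : 0
Guest : 0
Mux : 0
Snooping : 0
Pre-Mac : 0
In-used : 29502
Capacity : 32768
-----------------------------------
"""

# Constructed sample, shaped like the page's global 'display mac-limit' table.
MAC_LIMIT_OUTPUT = """\
MAC Limit is enabled
Total MAC Limit rule count : 2
PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
GE0/0/1 - - 100 - forward enable
GE0/0/2 - - 100 - forward disable
"""

# Constructed sample, shaped like the page's per-interface 'display mac-limit' output.
PORT_LIMIT_OUTPUT = """\
GigabitEthernet0/0/1 MAC limit:
Maximum MAC count 100, used count 97
Action: forward, Alarm: enable
"""

_COUNTER = re.compile(r"^(?P<name>[A-Za-z-]+)\s*:\s*(?P<value>\d+)\s*$")


def parse_summary(text):
    """Return {counter_name: int} for every 'Name : value' line of the summary."""
    counters = {}
    for line in text.splitlines():
        m = _COUNTER.match(line.strip())
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def table_utilisation(counters):
    """Fraction of the MAC table in use, In-used divided by Capacity."""
    return counters["In-used"] / counters["Capacity"]


# One rule row: PORT VLAN/VSI/SI SLOT Maximum Rate(ms) Action Alarm
_RULE = re.compile(
    r"^(?P<port>\S+)\s+(?P<scope>\S+)\s+(?P<slot>\S+)\s+(?P<maximum>\d+)\s+"
    r"(?P<rate>\S+)\s+(?P<action>\S+)\s+(?P<alarm>enable|disable)\s*$"
)


def parse_mac_limit_rules(text):
    """Return one dict per rule row of the global 'display mac-limit' table."""
    rules = []
    for line in text.splitlines():
        m = _RULE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["maximum"] = int(rule["maximum"])
            rules.append(rule)
    return rules


_PORT_LIMIT = re.compile(r"Maximum MAC count (\d+), used count (\d+)")


def parse_port_limit(text):
    """Return (maximum, used) from the per-interface 'display mac-limit' output."""
    m = _PORT_LIMIT.search(text)
    return int(m.group(1)), int(m.group(2))


def findings(summary_text, rules_text, port_text, threshold=0.9):
    """Collect capacity warnings; the 0.9 threshold is a constructed example value."""
    out = []
    util = table_utilisation(parse_summary(summary_text))
    if util >= threshold:
        out.append("mac-table %.1f%% full" % (util * 100))
    for rule in parse_mac_limit_rules(rules_text):
        if rule["alarm"] == "disable":
            out.append("%s: mac-limit alarm disabled" % rule["port"])
    maximum, used = parse_port_limit(port_text)
    if used / maximum >= threshold:
        out.append("port limit %d/%d used" % (used, maximum))
    return out
```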
display snmp-agent trap feature-name l2if all
Function
The display snmp-agent trap feature-name l2if all command displays all trap messages of the L2IF module.
Usage Guidelines
Usage Scenario
After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name l2if all command to check the status of all traps of l2if. You can use the snmp-agent trap enable feature-name l2if command to enable the trap function of l2if.
Prerequisites
SNMP has been enabled. See snmp-agent.
Example
# Display all trap messages of the L2IF module.
<HUAWEI> display snmp-agent trap feature-name l2if all
------------------------------------------------------------------------------
Feature name: L2IF
Trap number : 6
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwSlotMacLimitNumRaisingThreshold off off
hwSlotMacLimitNumFallingThreshold off off
hwMuxVlanGroupCountExceedThreshold off off
hwMuxVlanGroupCountExceedThresholdResume off off
hwVlantransCountExceedThreshold off off
hwVlantransCountExceedThresholdResume off off
| Item | Description |
|---|---|
| Feature name | Name of the module to which a trap message belongs. |
| Trap number | Number of trap messages. |
| Trap name | Name of a trap message of the L2IF module. NOTE: Only the S2750EI, S5700LI, and S5700S-LI support hwMuxVlanGroupCountExceedThreshold, hwMuxVlanGroupCountExceedThresholdResume, hwVlantransCountExceedThreshold, and hwVlantransCountExceedThresholdResume. |
| Default switch status | Status of the default trap function. |
| Current switch status | Status of the current trap function. To specify the parameter, run the snmp-agent trap enable feature-name l2if command. |
display snmp-agent trap feature-name l2ifppi all
Function
The display snmp-agent trap feature-name l2ifppi all command displays the status of all traps on the l2ifppi module.
Usage Guidelines
Usage Scenario
After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name l2ifppi all command to check the status of all traps of l2ifppi. You can use the snmp-agent trap enable feature-name l2ifppi command to enable the trap function of l2ifppi.
Prerequisites
SNMP has been enabled. See snmp-agent.
Example
# Display all the traps of the l2ifppi module.
<HUAWEI>display snmp-agent trap feature-name l2ifppi all
------------------------------------------------------------------------------
Feature name: L2IFPPI
Trap number : 15
------------------------------------------------------------------------------
Trap name Default switch status Current switch status
hwPortSecRcvInsecurePktAlarm on on
hwMflpVlanAlarm on on
hwMflpVsiAlarm on on
hwMflpBdAlarm on on
hwMacLimitOverThresholdAlarm on on
hwMacLimitOverThresholdAlarmResume on on
hwRecIllegalMacPktAlarm on on
hwPortStickyReachMaxAlarm on on
hwMflpQuitVlanAlarm on on
hwMflpQuitVlanResume on on
hwPortVlanSecureMacAlarm on on
hwMacTrapAlarm on on
hwSlotMacUsageRaisingThreshold on on
hwSlotMacUsageFallingThreshold on on
hwBoardPowerOff on on
hwMacTrapHashConflictAlarm on on
| Item | Specification |
|---|---|
| Feature name | Name of the module that the trap belongs to. |
| Trap number | Number of traps. |
| Trap name | Trap name. Traps of the l2ifppi module are listed in the command output above. |
| Default switch status | Default status of the trap function. |
| Current switch status | Status of the trap function. To specify the parameter, run the snmp-agent trap enable feature-name l2ifppi command. |
drop illegal-mac alarm
Function
The drop illegal-mac alarm command configures the switch to send a trap to the network management system (NMS) when receiving a packet with an all-0 MAC address.
The undo drop illegal-mac alarm command deletes the configuration.
By default, the switch does not send a trap to the NMS when receiving a packet with an all-0 MAC address.
Usage Guidelines
Usage Scenario
Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. The drop illegal-mac alarm command configures the switch to send a trap to the NMS when receiving a packet with an all-0 MAC address. You can locate the faulty network adapter according to the trap message.
Precautions
If the alarm function is disabled on the switch, the NMS cannot receive any trap message.
After you run the drop illegal-mac alarm command, the switch sends a trap only once after receiving packets with an all-0 MAC address. To configure the switch to send traps continuously, run the drop illegal-mac alarm command repeatedly.
This command and IPv6 over IPv4 cannot be configured simultaneously on the S6720SI, S6720S-SI, S5730SI, S5730S-EI, S5720SI, and S5720S-SI.
drop illegal-mac enable
Function
The drop illegal-mac enable command enables the switch to discard packets with an all-0 invalid MAC address.
The undo drop illegal-mac enable command disables the switch from discarding packets with an all-0 invalid MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Usage Guidelines
Usage Scenario
Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. You can run the drop illegal-mac enable command to configure the switch to discard such packets. After receiving the packets with an all-0 source or destination MAC address, the switch discards the packets.
This command reduces incorrect MAC address entries on the device.
Precautions
If the alarm function is disabled on the device, the network management system cannot receive any alarm message.
mac-address aging-time
Function
The mac-address aging-time command sets the aging time of dynamic MAC address entries.
The undo mac-address aging-time command restores the default aging time of dynamic MAC address entries.
By default, the aging time of dynamic MAC address entries is 300 seconds.
Usage Guidelines
Usage Scenario
The network topology changes frequently, and the switch will learn many MAC addresses. You can run the mac-address aging-time command to set a proper aging time for dynamic MAC address entries so that aged MAC address entries are deleted from the MAC address table. This reduces MAC address entries in the MAC address table.
The system starts an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), the entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. If the aging time is short, the switch is sensitive to network changes.
When setting the aging time of dynamic MAC address entries, follow these rules:
- Set a longer aging time on a stable network and a shorter aging time on an unstable network.
- The capacity of the MAC address table on a low-end device is small; therefore, set a relatively short aging time on low end devices to save the MAC address table space.
Precautions
Dynamic MAC address entries are lost after system restart. Static MAC address entries and blackhole MAC address entries are not aged or lost.
If the aging time is 0, dynamic MAC address entries will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.
If you run the mac-address aging-time command multiple times, only the latest configuration takes effect.
mac-address blackhole
Function
The mac-address blackhole command configures a blackhole MAC address entry.
The undo mac-address blackhole command deletes a blackhole MAC address entry.
By default, no blackhole MAC address entry is configured.
Format
mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]
undo mac-address blackhole [ mac-address ] [ vlan vlan-id | vsi vsi-name ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a blackhole MAC address entry. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Specifies the VLAN ID in a blackhole MAC address entry. | The value is an integer that ranges from 1 to 4094. |
| vsi vsi-name | Specifies the name of a VSI in a blackhole MAC address entry. The VSI must have been created. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | - |
Usage Guidelines
Usage Scenario
To protect a device or network against MAC address attacks, configure MAC addresses of untrusted users as blackhole MAC addresses. The device then directly discards the received packets of which the source or destination MAC addresses match the blackhole MAC address entries.
Prerequisites
The network administrator is familiar with the MAC addresses of all devices on the network. If the MAC address of an authorized user is configured as a blackhole MAC address, the user's communications will be interrupted.
Configuration Impact
If the source or destination MAC address of a packet matches a blackhole MAC address entry, the packet will be discarded. After being configured and saved, blackhole MAC address entries are not lost after the system reset.
Precautions
- Blackhole MAC address entries can be added or deleted, and they will not be aged.
- Unlike configuring a static MAC entry, you can configure a blackhole MAC entry without specifying an outbound interface.
- If the specified VLAN is the control VLAN for Rapid Ring Protection Protocol (RRPP), the mac-address blackhole command cannot be run.
- Blackhole MAC address entries fall into global and VLAN- or VSI-based blackhole MAC address entries. Global blackhole MAC address entries are configured using the mac-address blackhole command with only a MAC address specified. They do not occupy the MAC address table space.
- If you configure a VLAN- or VSI-based blackhole MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
  - If a dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry replaces the dynamic MAC address entry.
  - If no dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry cannot be added to the MAC address table.
- You can run the mac-address blackhole command multiple times to configure multiple blackhole MAC address entries.
- For the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, or S6720S-SI switch, if both a traffic policy-based redirection action and a VLAN-based blackhole MAC address are configured, the switch does not discard a packet whose source or destination MAC address is a blackhole MAC address if the packet matches the redirection policy. Other device models discard the packet.
Example
# Add a blackhole MAC address entry to the MAC address table. In the blackhole MAC address entry, the MAC address is 0004-0004-0004 and the VLAN ID is VLAN 5.
<HUAWEI> system-view
[HUAWEI] vlan 5
[HUAWEI-vlan5] quit
[HUAWEI] mac-address blackhole 0004-0004-0004 vlan 5
# Configure a global blackhole MAC address entry in which the MAC address is 0005-0005-0005.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0005-0005-0005
# Add a blackhole MAC address entry in which the MAC address is 0011-2233-4455 to VSI a2. The device directly discards the received frame in which the source or destination MAC address is 0011-2233-4455 and the VSI name is a2.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0011-2233-4455 vsi a2
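The value rules for mac-address (H-H-H format, no broadcast, all-zero or multicast address) and the table-full behaviour listed under Precautions can be checked in a small model. This is an added example, not code from this command reference or from the switch; the table capacity and the entries it holds are constructed for the example, and the per-VLAN keying is a simplification (VSI-based entries behave the same way with the VSI name in place of the VLAN ID).

```python
"""Model of blackhole MAC address entries as described on this page (added example).

Validates the H-H-H address format and the exclusions for 'mac-address blackhole',
then models the precautions: a global entry (no VLAN) takes no table space, a
VLAN-based entry replaces a dynamic entry for the same MAC and VLAN, and otherwise
cannot be added while the table is full. Capacity and entries are constructed.
"""
import re

_HHH = re.compile(r"^([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})$")


def normalize_mac(text):
    """Canonicalise an H-H-H address to 'xxxx-xxxx-xxxx' (lower-case, zero-padded)."""
    m = _HHH.match(text.strip())
    if not m:
        raise ValueError("MAC address must be in H-H-H format: %r" % text)
    return "-".join(group.lower().zfill(4) for group in m.groups())


def validate_blackhole_mac(text):
    """Return the canonical address, or raise ValueError if the page's rules exclude it."""
    mac = normalize_mac(text)
    if mac == "ffff-ffff-ffff":
        raise ValueError("broadcast address cannot be a blackhole MAC")
    if mac == "0000-0000-0000":
        raise ValueError("all-zero address cannot be a blackhole MAC")
    # The I/G bit (least significant bit of the first octet) marks a multicast address.
    if int(mac[:2], 16) & 0x01:
        raise ValueError("multicast address cannot be a blackhole MAC")
    return mac


class MacTable:
    """Tiny MAC table with a fixed capacity; entries are keyed by (mac, vlan)."""

    def __init__(self, capacity):
        self.capacity = capacity            # constructed value, not a real model's size
        self.entries = {}                   # (mac, vlan) -> "dynamic" | "blackhole"
        self.global_blackholes = set()      # global entries occupy no table space

    def learn_dynamic(self, mac, vlan):
        """Learn a source MAC; returns False when the table is full."""
        key = (normalize_mac(mac), vlan)
        if key in self.entries:
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = "dynamic"
        return True

    def add_blackhole(self, mac, vlan=None):
        """Apply 'mac-address blackhole'; returns True if the entry now exists."""
        mac = validate_blackhole_mac(mac)
        if vlan is None:
            self.global_blackholes.add(mac)
            return True
        key = (mac, vlan)
        if self.entries.get(key) == "blackhole":
            return True
        if key in self.entries or len(self.entries) < self.capacity:
            # Free space, or a dynamic entry with the same MAC and VLAN is replaced.
            self.entries[key] = "blackhole"
            return True
        return False                        # table full and nothing to replace

    def is_dropped(self, src, dst, vlan):
        """True if the frame's source or destination MAC matches a blackhole entry."""
        for mac in (normalize_mac(src), normalize_mac(dst)):
            if mac in self.global_blackholes or self.entries.get((mac, vlan)) == "blackhole":
                return True
        return False
```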
mac-address destination hit aging enable
Function
The mac-address destination hit aging enable command configures the device to age MAC address entries no matter whether the entries match destination MAC addresses of packets.
The undo mac-address destination hit aging enable command restores the default configuration.
By default, if MAC address entries match destination MAC addresses of packets, the system recalculates the aging time.
Usage Guidelines
Usage Scenario
When a user uses one-way services such as the video on demand service, packets are transmitted unidirectionally from the server to the user terminal. When the user terminal is shut down, the server still sends packets. Therefore, the dynamic MAC address entry with the destination MAC address of the packets remains in the MAC address table.
To delete MAC address entries matching one-way service packets after user terminals are shut down, run the mac-address destination hit aging enable command to enable the device to age dynamic MAC address entries matching dynamic MAC addresses of received packets.
Configuration Impact
This command is used only when one-way services are deployed on a network.
Precautions
This command only frees up space in the MAC address table; it does not save system resources. If the device cannot find a matching entry in the MAC address table, it broadcasts the packets.
mac-address flapping action
Function
The mac-address flapping action command configures the action to perform on an interface when MAC address flapping is detected on the interface.
The undo mac-address flapping action command deletes the action.
By default, the system does not perform any action when detecting MAC address flapping on an interface.
Format
mac-address flapping action { error-down | quit-vlan }
undo mac-address flapping action { error-down | quit-vlan }
Views
Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
When the switch connects to a user network that does not support loop prevention protocols, configure a loop prevention action for the switch to perform when detecting MAC address flapping. This reduces the impact of MAC address flapping on the user network.
When MAC address flapping occurs on an interface with a loop prevention action configured, the switch performs the configured action. When the action is set to error-down, the switch shuts down the interface. When the action is set to quit-VLAN, the switch removes the interface from the VLAN where MAC address flapping occurs. Only one interface can be shut down during one aging time configured by the mac-address flapping aging-time command.
Follow-up Procedure
When the action is set to error-down, the interface cannot be automatically restored after it is shut down. You can only restore the interface by running the shutdown and undo shutdown commands or the restart command in the interface view.
To enable the interface to go Up automatically, you must run the error-down auto-recovery cause mac-address-flapping command in the system view before the interface enters the error-down state. This command enables an interface in error-down state to go Up and sets a recovery time. The interface goes Up automatically after the time expires.
If the action is set to quit-vlan, the interface can be automatically restored after a specified time period after it is removed from the VLAN. The default recovery time is 10 minutes. The recovery delay time can be set using the mac-address flapping quit-vlan recover-time time-value command in the system view.
Precautions
Do not run the mac-address flapping action command on uplink interfaces.
MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire network topology. If the user network connected to the switch supports loop prevention protocols, use the loop prevention protocols instead of MAC address flapping detection.
If you run the mac-address flapping action command multiple times in the same interface view, only the latest configuration takes effect.
Example
# Configure the switch to shut down GE0/0/1 when detecting MAC address flapping on the interface.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-address flapping action error-down
Info: This command may shut down the interface after MAC address flapping is detected.
# Configure the switch to remove GE0/0/1 from the VLAN where MAC address flapping occurs.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] mac-address flapping action quit-vlan
mac-address flapping action priority
Function
The mac-address flapping action priority command sets the priority for the action against MAC address flapping on an interface.
The undo mac-address flapping action priority command restores the default configuration.
By default, the priority of the action against MAC address flapping on an interface is 127.
Views
Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
When the switch connects to a user network that does not support loop prevention protocols, configure a loop prevention action for the switch to perform when detecting MAC address flapping. This reduces the impact of MAC address flapping on the user network. The mac-address flapping action priority command sets the priority of the action.
When a MAC address flaps between two interfaces and both the interfaces have an action and priority configured, the switch performs the action (error-down or quit-VLAN) configured on the interface with lower priority. If the two interfaces have the same priority, the switch performs the action on the interface that learns the MAC address later. If the later interface has no action configured, the switch performs the action on the interface that learns the MAC address earlier.
The switch compares priorities of the interfaces only when the interfaces have the same action configured. If one interface is configured with the error-down action, and the other is configured with the quit-VLAN action, the switch performs the actions on both interfaces even if their priorities are same.
Precautions
If you run the mac-address flapping action priority command multiple times in the same interface view, only the latest configuration takes effect.
mac-address flapping aging-time
Function
The mac-address flapping aging-time command sets the aging time of flapping MAC addresses.
The undo mac-address flapping aging-time command restores the default aging time of flapping MAC addresses.
By default, the aging time of flapping MAC addresses is 300 seconds.
Usage Guidelines
Usage Scenario
Increasing the aging time of flapping MAC addresses will cause MAC address flapping again and increase the error-down time. To ensure that the system performs MAC address flapping detection in a timely manner, run the mac-address flapping aging-time command to shorten the aging time of flapping MAC addresses.
Precautions
If you run the mac-address flapping aging-time command multiple times, only the latest configuration takes effect.
mac-address flapping detection
Function
The mac-address flapping detection command enables global MAC address flapping detection.
The undo mac-address flapping detection command disables global MAC address flapping detection.
By default, global MAC address flapping detection is enabled.
Usage Guidelines
MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN. The MAC address entry learned later replaces the earlier one.
MAC address flapping occurs in the following situations:
- Network cables of switches are connected incorrectly or switches use incorrect configurations.
- Unauthorized users simulate the MAC addresses of valid network devices to attack the network.
Global MAC address flapping detection enables the switch to check all MAC addresses. When MAC address flapping occurs, the switch sends a trap message to the NMS. You can locate the fault according to the trap message. You can also run the display mac-address flapping record command to view MAC address flapping records.
mac-address flapping detection exclude vlan
Function
The mac-address flapping detection exclude vlan command excludes a VLAN from MAC address flapping detection.
The undo mac-address flapping detection exclude vlan command restores MAC address flapping detection for a VLAN.
By default, the system performs MAC address flapping detection in all VLANs.
Format
mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
undo mac-address flapping detection exclude vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }
Parameters
| Parameter | Description | Value |
|---|---|---|
| vlan-id1 [ to vlan-id2 ] | Specifies the ID of a VLAN where MAC address flapping detection is not required. vlan-id2 must be greater than vlan-id1. You can specify a maximum of 10 VLANs. | |
| all | Indicates that all VLANs are excluded from MAC address flapping detection. | - |
Usage Guidelines
Usage Scenario
By default, the system performs MAC address flapping detection in all VLANs. When a switch is connected to a load balancing server with dual network adapters, the server's MAC address may be learned by two interfaces on the switch. This is a normal situation in which MAC address flapping detection is not required.
You can run the mac-address flapping detection exclude vlan command to exclude a VLAN from MAC address flapping detection. If MAC address flapping occurs in this VLAN, the system does not send a trap message or record this event.
Precautions
If you run the mac-address flapping detection exclude vlan command multiple times, multiple VLANs are excluded from MAC address flapping detection.
mac-address flapping detection security-level
Function
The mac-address flapping detection security-level command configures the security level of VLANs for MAC address flapping detection.
The undo mac-address flapping detection security-level command restores the default security level of VLANs for MAC address flapping detection.
By default, the security level of a VLAN for MAC address flapping detection is middle. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times.
Format
mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high | middle | low }
undo mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level [ high | middle | low ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| vlan-id1 [ to vlan-id2 ] | Specifies the VLANs of which the security level needs to be set for MAC address flapping detection. The value of vlan-id2 must be larger than the value of vlan-id1. You can specify a maximum of 10 VLAN ID ranges in a command. | |
| all | Configures the security level of all VLANs for MAC address flapping detection. | - |
| high | Sets the security level of specified VLANs to high. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces three times. | - |
| middle | Sets the security level of specified VLANs to middle. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times. | - |
| low | Sets the security level of specified VLANs to low. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 50 times. | - |
Usage Guidelines
Usage Scenario
By default, the switch considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times. On an unstable network, it may be a normal situation when a MAC address moves between interfaces 10 times. You can set the security level for VLANs according to the actual situation of your network. The switch reports a MAC address flapping when a MAC address moves between interfaces for the specified number of times.
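The move thresholds per security level (three, 10 and 50), the VLAN exclusion from mac-address flapping detection exclude vlan, and the interface-selection rules under mac-address flapping action priority combine into one decision procedure. The following is an added example (not code from this command reference) that models it over a constructed sequence of learn events. Two assumptions are made for the example: a smaller priority number is treated as the lower priority, and moves older than the flapping aging time (300 seconds by default) are no longer counted.

```python
"""Model of MAC address flapping detection as described on this page (added example).

Per-VLAN security levels set the number of moves that count as flapping, excluded
VLANs are skipped, and the interface that performs its configured action is chosen
with the rules given for 'mac-address flapping action priority'.
Assumptions (not from the page): a smaller priority number is the lower priority;
moves older than the flapping aging time are discarded from the count.
"""
from collections import defaultdict, deque

MOVES_PER_LEVEL = {"high": 3, "middle": 10, "low": 50}


class FlappingDetector:
    def __init__(self, aging_time=300, default_level="middle"):
        self.aging_time = aging_time        # flapping aging time in seconds (default 300)
        self.default_level = default_level  # default security level is middle
        self.vlan_level = {}                # vlan -> "high" | "middle" | "low"
        self.excluded = set()               # VLANs excluded from detection
        self.actions = {}                   # interface -> (action, priority)
        self.current = {}                   # (mac, vlan) -> interface currently holding the entry
        self.moves = defaultdict(deque)     # (mac, vlan) -> timestamps of recent moves
        self.records = []                   # flapping records (like 'display mac-address flapping record')

    def set_security_level(self, vlan, level):
        self.vlan_level[vlan] = level

    def set_action(self, interface, action, priority=127):
        """Configure error-down or quit-vlan on an interface; 127 is the page's default priority."""
        self.actions[interface] = (action, priority)

    def threshold(self, vlan):
        return MOVES_PER_LEVEL[self.vlan_level.get(vlan, self.default_level)]

    def learn(self, mac, vlan, interface, now):
        """Record a MAC learned on an interface at time 'now'; return a flapping record or None."""
        key = (mac, vlan)
        previous = self.current.get(key)
        self.current[key] = interface       # the entry learned later replaces the earlier one
        if vlan in self.excluded or previous is None or previous == interface:
            return None
        window = self.moves[key]
        window.append(now)
        while window and now - window[0] > self.aging_time:
            window.popleft()                # assumption: old moves age out of the count
        if len(window) < self.threshold(vlan):
            return None
        window.clear()
        record = {
            "mac": mac, "vlan": vlan, "earlier": previous, "later": interface,
            "actions": self.select_actions(previous, interface),
        }
        self.records.append(record)
        return record

    def select_actions(self, earlier, later):
        """Return {interface: action} for the interface(s) that perform their action."""
        a_earlier = self.actions.get(earlier)
        a_later = self.actions.get(later)
        if a_earlier is None and a_later is None:
            return {}                       # nothing configured: trap and record only
        if a_later is None:
            return {earlier: a_earlier[0]}  # later interface has no action: the earlier one acts
        if a_earlier is None:
            return {later: a_later[0]}
        if a_earlier[0] != a_later[0]:
            return {earlier: a_earlier[0], later: a_later[0]}   # different actions: both act
        if a_earlier[1] != a_later[1]:
            # Same action: the interface with the lower priority acts (assumption: smaller number).
            target = earlier if a_earlier[1] < a_later[1] else later
        else:
            target = later                  # equal priority: the interface that learned later acts
        return {target: a_later[0]}
```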
mac-address flapping quit-vlan recover-time
Function
The mac-address flapping quit-vlan recover-time command sets the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping.
The undo mac-address flapping quit-vlan recover-time command restores the default delay time.
By default, the delay time is 10 minutes.
Format
mac-address flapping quit-vlan recover-time time-value
undo mac-address flapping quit-vlan recover-time
Parameters
| Parameter | Description | Value |
|---|---|---|
| time-value | Specifies the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping. | The value is an integer ranging from 0 to 1440, in minutes. The default value is 10. The value 0 indicates that the interface cannot join a VLAN again after it is removed from the VLAN. |
Usage Guidelines
Usage Scenario
If an interface is removed from a VLAN because MAC address flapping occurs in the VLAN, the interface can automatically join the VLAN again after a delay.
Precautions
If an interface is removed from multiple VLANs due to MAC address flapping, the system counts the delay time since the interface is removed from the last VLAN.
mac-address hash-bucket-mode
Function
The mac-address hash-bucket-mode command sets the hash bucket size of the MAC address table.
The undo mac-address hash-bucket-mode command restores the default hash bucket size of the MAC address table.
By default, the hash bucket size of the MAC address table is 4.
Only the S1720GFR, S1720GW, S1720GWR, S1720GW-E, S1720GWR-E, S2750EI, S5700LI, S5700S-LI, S5720LI, S5720S-LI, S5720SI, and S5720S-SI support the configuration.
Format
mac-address hash-bucket-mode { size4 | size8 | size12 | size16 }
undo mac-address hash-bucket-mode
Parameters
Parameter | Description | Value |
---|---|---|
size4 | Indicates that the hash bucket size of the MAC address table is 4. | - |
size8 | Indicates that the hash bucket size of the MAC address table is 8. | - |
size12 | Indicates that the hash bucket size of the MAC address table is 12. | - |
size16 | Indicates that the hash bucket size of the MAC address table is 16. | - |
Usage Guidelines
Usage Scenario
To improve the MAC address forwarding performance, the MAC address table of the device is stored in hash buckets. When the hash algorithm produces the same key value for multiple MAC addresses, some of these MAC addresses may not be learned. That is, a MAC address hash conflict occurs. When a MAC address hash conflict occurs, traffic destined for the affected MAC address can only be broadcast. This occupies device bandwidth and resources.
When the MAC address hash conflict aggravates, run this command to increase the hash bucket size of the MAC address table.
Configuration Impact
A larger hash bucket size will lower device forwarding performance.
Precautions
After you reduce the hash bucket size, you need to restart the device.
mac-address hash-mode
Function
The mac-address hash-mode command configures a MAC hash algorithm on the device.
The undo mac-address hash-mode command restores the default MAC hash algorithm on the device.
By default, the hash algorithm on the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI, and S5720S-SI is crc. The hash algorithm on other models is crc32-lower.
Format
On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI, and S5720S-SI:
mac-address hash-mode { xor | crc } slot slot-id
undo mac-address hash-mode [ xor | crc ] slot slot-id
On devices except S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI, and S5720S-SI:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb } slot slot-id
undo mac-address hash-mode [ crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb ] slot slot-id
Parameters
Parameter | Description | Value |
---|---|---|
crc | Indicates the CRC-based hash algorithm. | - |
crc16-lower | Indicates the hash algorithm based on low order bits of CRC16. | - |
crc16-upper | Indicates the hash algorithm based on high order bits of CRC16. | - |
crc32-lower | Indicates the hash algorithm based on low order bits of CRC32. | - |
crc32-upper | Indicates the hash algorithm based on high order bits of CRC32. | - |
lsb | Indicates the hash algorithm based on the lowest bit of the key value. | - |
slot slot-id | Indicates the hash algorithm on the stacked switch. | The value is an integer and is the stack ID of the switch. |
xor | Indicates the Exclusive-Or mode. | - |
Usage Guidelines
Usage Scenario
The device uses a hash algorithm to improve MAC address forwarding performance. If multiple MAC addresses match a key value, a hash conflict occurs.
When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast. This results in heavy broadcast traffic on the device. If such a problem occurs, use an appropriate hash algorithm to reduce the hash conflict.
Precautions
MAC addresses are distributed on a network randomly, so the system cannot determine the best hash algorithm in advance. Generally, the default hash algorithm is the best one, so do not change the hash algorithm unless you have special requirements.
An appropriate hash algorithm can only reduce hash conflicts, but cannot prevent them.
After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect.
If you run the mac-address hash-mode command multiple times, only the latest configuration takes effect.
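As an added illustration of the hash conflicts described in the usage guidelines of mac-address hash-bucket-mode and mac-address hash-mode (this is not the switch's implementation), the following Python model keeps a MAC address table in fixed-size hash buckets and compares an XOR-fold hash with CRC32-based hashes on a constructed set of station MACs. The bucket count, the key layout (MAC bytes followed by the VLAN ID) and the exact CRC variants are assumptions.

```python
"""Simulation of MAC address table hash conflicts for a fixed bucket count and
bucket size (size4/size8/size12/size16) under different hash algorithms.
Added example, not the switch's implementation: key layout, bucket count and
CRC variants are assumed."""
import zlib
from typing import Callable, Dict, List, Tuple

BUCKET_BITS = 6
BUCKET_COUNT = 1 << BUCKET_BITS          # assumed: 64 buckets (hardware has far more)

Key = Tuple[str, int]                     # (MAC in H-H-H form, VLAN ID)


def mac_key(mac: str, vlan: int) -> bytes:
    """Assumed hash input: the 6 MAC bytes followed by the 2-byte VLAN ID."""
    return bytes.fromhex(mac.replace("-", "")) + vlan.to_bytes(2, "big")


def hash_xor(key: bytes) -> int:
    """xor mode: fold every key byte with XOR, keep the low BUCKET_BITS bits."""
    acc = 0
    for b in key:
        acc ^= b
    return acc & (BUCKET_COUNT - 1)


def hash_crc32_lower(key: bytes) -> int:
    """crc32-lower: low-order bits of the CRC32 of the key."""
    return zlib.crc32(key) & (BUCKET_COUNT - 1)


def hash_crc32_upper(key: bytes) -> int:
    """crc32-upper: high-order bits of the CRC32 of the key."""
    return zlib.crc32(key) >> (32 - BUCKET_BITS)


class MacTable:
    """Hash table with a fixed number of buckets and a fixed bucket size.
    A MAC address whose bucket is already full cannot be learned even though
    the table as a whole is not full: that is the hash conflict."""

    def __init__(self, hash_fn: Callable[[bytes], int], bucket_size: int) -> None:
        self.hash_fn = hash_fn
        self.bucket_size = bucket_size
        self.buckets: Dict[int, List[Key]] = {i: [] for i in range(BUCKET_COUNT)}
        self.conflicts: List[Key] = []   # entries that could not be learned

    def learn(self, mac: str, vlan: int) -> bool:
        key = (mac, vlan)
        bucket = self.buckets[self.hash_fn(mac_key(mac, vlan))]
        if key in bucket:
            return True
        if len(bucket) >= self.bucket_size:
            self.conflicts.append(key)   # hash conflict: traffic to this MAC is flooded
            return False
        bucket.append(key)
        return True

    def lookup(self, mac: str, vlan: int) -> bool:
        """True if a unicast entry exists; False means the frame is broadcast."""
        return (mac, vlan) in self.buckets[self.hash_fn(mac_key(mac, vlan))]


def colliding_macs(count: int) -> List[str]:
    """Constructed station MACs 0000-0000-XXYY with YY = XX xor 0x5A, so every
    address folds to the same XOR value (a worst case for xor mode)."""
    return [f"0000-0000-{xx:02x}{xx ^ 0x5A:02x}" for xx in range(1, count + 1)]


def count_conflicts(hash_fn: Callable[[bytes], int], bucket_size: int,
                    macs: List[str], vlan: int = 10) -> int:
    """Number of MAC addresses that fail to be learned for this algorithm/size."""
    table = MacTable(hash_fn, bucket_size)
    for mac in macs:
        table.learn(mac, vlan)
    return len(table.conflicts)


if __name__ == "__main__":
    stations = colliding_macs(40)
    for name, fn in (("xor", hash_xor), ("crc32-lower", hash_crc32_lower),
                     ("crc32-upper", hash_crc32_upper)):
        for size in (4, 8, 12, 16):
            print(f"{name:12s} size{size:<3d} conflicts={count_conflicts(fn, size, stations)}")
```

Increasing the bucket size lowers the conflict count for the XOR case by exactly the extra slots per bucket, while a different algorithm spreads the same addresses over many buckets; neither eliminates conflicts in general, which is what the precautions above state.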
mac-address learning disable (interface view and VLAN view)
Function
The mac-address learning disable command disables MAC address learning.
The undo mac-address learning disable command enables MAC address learning.
By default, MAC address learning is enabled.
Format
mac-address learning disable [ action { discard | forward } ] (Interface view)
mac-address learning disable (VLAN view)
undo mac-address learning disable
Parameters
Parameter | Description | Value |
---|---|---|
action | Indicates the action that the interface takes after MAC address learning is disabled. By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled. | - |
discard | Discards the packets whose source MAC addresses do not match the MAC address table. | - |
forward | Forwards the packets according to the MAC address table. | - |
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
If you want an interface to forward only packets with certain MAC addresses, use this command. For example, if an interface is connected to a server, configure a static MAC address entry with the MAC address of the server, and then disable MAC address learning and set the action to discard on the interface. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security.
When a switch with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the switch forwards the frames through the corresponding outbound interface according to the MAC address entry. MAC address learning reduces broadcast packets on a network.
You can use the mac-address learning disable command to disable MAC address learning on an interface. The action performed on received packets can be set to discard or forward.
By default, the switch takes the forward action after MAC address learning is disabled. That is, the switch forwards packets according to the MAC address table. When the action is set to discard, the switch looks up the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the switch forwards the packet according to the matching MAC address entry. If the source MAC address is not found, the switch discards the packet.
Precautions
Before running the mac-address learning disable command on an Eth-Trunk interface, ensure that the Eth-Trunk interface works in Layer 2 mode; otherwise, the configuration fails. To switch an Eth-Trunk interface from the Layer 3 mode to the Layer 2 mode, you can run the portswitch command in the view of the Eth-Trunk interface.
The action parameter cannot be configured in the VLAN view.
After MAC address learning is disabled on an interface, the device does not learn new MAC addresses on the interface. Untrusted terminals can still access the network.
mac-address learning disable (traffic behavior view)
Function
The mac-address learning disable command disables MAC address learning in a traffic behavior.
The undo mac-address learning disable command enables MAC address learning in a traffic behavior.
By default, MAC address learning is enabled in a traffic behavior.
Usage Guidelines
Usage Scenario
The mac-address learning disable command is used in the following scenarios:
- When a network is running stably and the MAC address of packets is fixed, a device does not need to learn MAC addresses of other packets. To save MAC addresses and improve device efficiency, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.
- Some unauthorized users may change MAC addresses frequently to attack the network. To prevent MAC address overflow and protect device performance, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.
Follow-up Procedure
Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing the action of disabling MAC address learning.
Precautions
After the traffic behavior containing mac-address learning disable is bound to the specified traffic classifier, the source MAC addresses of packets matching the traffic classifier are not learned. The source MAC addresses of packets that do not match the traffic classifier are still learned by default.
The mac-address learning disable command in the traffic behavior view is similar to the mac-address learning disable command in the interface view or VLAN view. The difference is that the command in the traffic behavior view is valid only for the packets matching the user-defined traffic classifier and is applied to the system, an interface, or a VLAN by using the traffic policy, whereas the command in the interface view, port group view, or VLAN view is valid for all the packets in the corresponding view.
To disable MAC address learning on an interface, in a port group, or in a VLAN, run the mac-address learning disable command in the corresponding view. To disable MAC address learning for a specified traffic classifier, run the mac-address learning disable command in the traffic behavior view.
mac-address static vlan
Function
The mac-address static vlan command configures a static MAC address entry.
The undo mac-address static vlan command deletes a static MAC address entry.
By default, no static MAC address entry is configured.
Format
mac-address static mac-address interface-type interface-number vlan vlan-id
undo mac-address static [ interface-type interface-number | vlan vlan-id ] *
undo mac-address static mac-address interface-type interface-number vlan vlan-id
For details on how to configure a VSI-based static MAC address entry, see mac-address static vlanif and mac-address static vsi.
Parameters
Parameter | Description | Value |
---|---|---|
mac-address | Specifies the MAC address in a static MAC address entry. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
interface-type interface-number | Specifies the outbound interface in a static MAC address entry. | - |
vlan vlan-id | Specifies the ID of the VLAN that the outbound interface belongs to. | The value is an integer that ranges from 1 to 4094. |
Usage Guidelines
Usage Scenario
- Improve security. The device directly discards packets sent from unauthorized users using authorized users' MAC addresses.
- Guide unicast forwarding and save bandwidth.
Precautions
- The VLAN in a static MAC address entry must have been created and the outbound interface in the same static MAC address entry has been added to the VLAN.
- If you configure a static MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
  - If a dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry replaces the dynamic MAC address entry.
  - If no dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry cannot be added to the MAC address table.
- You can run the mac-address static command multiple times to configure multiple static MAC address entries.
Example
# Add a static MAC address entry to the MAC address table. In the MAC address entry, the destination MAC address is 0003-0003-0003, the VLAN ID is 4, and the outbound interface is gigabitethernet0/0/2. That is, the device forwards packets with the destination MAC address of 0003-0003-0003 from VLAN 4 through gigabitethernet0/0/2.
<HUAWEI> system-view
[HUAWEI] vlan 4
[HUAWEI-vlan4] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 4
[HUAWEI-GigabitEthernet0/0/2] quit
[HUAWEI] mac-address static 0003-0003-0003 gigabitethernet 0/0/2 vlan 4
mac-address threshold-alarm
Function
The mac-address threshold-alarm command configures upper and lower alarm thresholds for the MAC address usage.
The undo mac-address threshold-alarm command restores the default upper and lower alarm thresholds for the MAC address usage.
By default, the upper and lower alarm thresholds for the MAC address usage are 80% and 70% respectively. An alarm is sent when the MAC address usage is higher than 80% or lower than 70%.
Format
mac-address threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value
undo mac-address threshold-alarm
Parameters
Parameter | Description | Value |
---|---|---|
upper-limit upper-limit-value | Specifies the upper alarm threshold for the MAC address usage, in percentage. | The value is an integer that ranges from 1 to 100. The default value is 80. |
lower-limit lower-limit-value | Specifies the lower alarm threshold for the MAC address usage, in percentage. | The value is an integer that ranges from 1 to 100. The default value is 70. lower-limit-value must be smaller than or equal to upper-limit-value. |
Usage Guidelines
Usage Scenario
MAC address resources are core resources of the device and the device supports limited MAC addresses. The MAC address usage affects device running. You can run the mac-address threshold-alarm command to configure upper and lower alarm thresholds for the MAC address usage. When the MAC address usage is larger than the upper alarm threshold or smaller than the lower alarm threshold, an alarm is generated to notify the administrator. The administrator then can learn the MAC address usage in a timely manner.
Precautions
When you run the mac-address threshold-alarm command multiple times, only the latest configuration takes effect.
mac-address trap hash-conflict enable
Function
The mac-address trap hash-conflict enable command enables the trap function for the MAC address hash conflict.
The undo mac-address trap hash-conflict enable command disables the trap function for the MAC address hash conflict.
By default, the trap function for the MAC address hash conflict is enabled.
Usage Guidelines
To improve the MAC address forwarding performance, the MAC address table of the device is stored in hash buckets. When the hash algorithm produces the same key value for multiple MAC addresses, some of these MAC addresses may not be learned. That is, a MAC address hash conflict occurs.
In this situation, the MAC address table space is not full but the MAC address entry cannot be learned. When the MAC address hash conflict occurs, traffic with this destination MAC address can be only broadcast. This occupies device bandwidth and resources. You can replace the device or network adapter of the terminal.
After the trap function for the MAC address hash conflict is configured, the administrator can immediately discover MAC address hash conflicts.
mac-address trap hash-conflict history
Function
The mac-address trap hash-conflict history command sets the number of alarms reported at an interval when the MAC address hash conflict occurs.
The undo mac-address trap hash-conflict history command restores the default number of alarms reported at an interval when the MAC address hash conflict occurs.
By default, 10 alarms are reported at an interval when the MAC address hash conflict occurs.
Format
mac-address trap hash-conflict history history-number
undo mac-address trap hash-conflict history
Usage Guidelines
Usage Scenario
After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 10 alarms every 60s. Each alarm carries a MAC address for which the hash conflict occurs.
If the hash values of more than 10 MAC addresses conflict within one interval, the MAC address hash conflicts beyond the tenth cannot be reported. You can run this command to set the number of alarms reported at an interval.
Precautions
When you run the mac-address trap hash-conflict history command multiple times, only the latest configuration takes effect.
mac-address trap hash-conflict interval
Function
The mac-address trap hash-conflict interval command sets the interval at which alarms are reported when the MAC address hash conflict occurs.
The undo mac-address trap hash-conflict interval command restores the default interval at which alarms are reported when the MAC address hash conflict occurs.
By default, alarms are reported at intervals of 60s when the MAC address hash conflict occurs.
Format
mac-address trap hash-conflict interval interval-time
undo mac-address trap hash-conflict interval
Usage Guidelines
Usage Scenario
After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 10 alarms every 60s. Each alarm carries a MAC address for which the hash conflict occurs.
If a small interval is used, alarms about MAC address hash conflicts are reported immediately. When there are many MAC address hash conflicts, many alarms are reported.
If a long interval is used and many MAC address hash conflicts occur, alarms will be suppressed. You can adjust the interval according to the requirements.
Precautions
When you run the mac-address trap hash-conflict interval command multiple times, only the latest configuration takes effect.
mac-address trap notification
Function
The mac-address trap notification command enables the trap function for MAC address learning or aging.
The undo mac-address trap notification command disables the trap function for MAC address learning or aging.
By default, the trap function for MAC address learning or aging is disabled.
Views
Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
To learn MAC address change in a timely manner, run the mac-address trap notification command to enable the trap function for MAC address learning or aging.
Precautions
When you run the mac-address trap notification command multiple times, only the latest configuration takes effect.
The trap function for MAC address learning or aging is not supported for the MAC address entries in a VSI.
mac-address trap notification interval
Function
The mac-address trap notification interval command sets the interval at which the device checks MAC address learning or aging.
The undo mac-address trap notification interval command restores the default interval at which the device checks MAC address learning or aging.
By default, the device checks MAC address learning or aging at intervals of 10s.
Format
mac-address trap notification interval interval-time
undo mac-address trap notification interval
Usage Guidelines
After the mac-address trap notification command is used to enable the trap function when the device learns MAC addresses or MAC addresses are aged, the device periodically checks whether MAC addresses are learned or aged. You can run the mac-address trap notification interval command to set the interval.
mac-address update arp
Function
The mac-address update arp command enables the MAC address-triggered ARP entry update function. That is, the Switch is enabled to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.
The undo mac-address update arp command disables the MAC address-triggered ARP entry update function.
By default, the MAC address-triggered ARP entry update function is disabled.
Usage Guidelines
Usage Scenario
On an Ethernet network, MAC address entries are used to guide Layer 2 data forwarding. The ARP entries that define the mapping between IP addresses and MAC addresses guide communication between devices on different network segments.
The outbound interface in a MAC address entry is updated by packets, whereas the outbound interface in an ARP entry is updated after the aging time is reached. In this case, the outbound interfaces in the MAC address entry and ARP entry may be different. To address this issue, run the mac-address update arp command to enable the Switch to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.
Precautions
This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change.
The mac-address update arp command does not take effect after ARP entry fixing is enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command.
After the mac-address update arp command is run, the Switch updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.
After this command is executed, the arp anti-attack gratuitous-arp drop command becomes invalid and the Switch cannot drop gratuitous ARP packets.
mac-learning priority
Function
The mac-learning priority command sets the MAC address learning priority of an interface.
The undo mac-learning priority command restores the default MAC learning priority of an interface.
By default, the MAC address learning priority of an interface is 0.
Views
GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, run the mac-learning priority command to set the priority of the uplink interface to be higher than the user-side interfaces. When these interfaces learn the same MAC address, the MAC address entry learned by the uplink interface overrides MAC address entries learned by the user-side interfaces. Therefore, the switch will not learn MAC addresses of unauthorized users, and authorized users can access the server and use network resources.
You can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority.
Both the undo mac-learning priority allow-flapping command and the mac-learning priority command can prevent MAC address flapping. The difference between the two commands is as follows:
- The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
- The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.
Precautions
If you run the mac-learning priority command multiple times in the same interface view, only the latest configuration takes effect.
The function is not supported for the MAC address entries in a VSI.
mac-learning priority allow-flapping
Function
The mac-learning priority allow-flapping command allows MAC address flapping between interfaces with the same priority.
The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority.
By default, MAC address flapping between interfaces with the same priority is allowed.
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
Format
mac-learning priority priority-id allow-flapping
undo mac-learning priority priority-id allow-flapping
Usage Guidelines
Usage Scenario
An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, you can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority. A MAC address then will not be learned by multiple interfaces. This prevents attackers from using the MAC addresses of valid devices to attack the switch.
Both the mac-learning priority command and the undo mac-learning priority allow-flapping command can prevent MAC address flapping. The difference between the two commands is as follows:
- The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
- The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.
Precautions
The function is not supported for the MAC address entries in a VSI.
mac-learning priority flapping-defend action
Function
The mac-learning priority flapping-defend action command configures an action to be taken when the switch is configured to prohibit MAC address flapping.
The undo mac-learning priority flapping-defend action command restores the default action when the switch is configured to prohibit MAC address flapping.
By default, the action is forward when the switch is configured to prohibit MAC address flapping.
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
Format
mac-learning priority flapping-defend action { forward | discard }
undo mac-learning priority flapping-defend action
Usage Guidelines
Usage Scenario
An uplink interface of the switch is connected to a server, and a downlink interface is connected to a user. To prevent a malicious user from using a forged server's MAC address to attack the switch, run the mac-learning priority command in the interface view or the undo mac-learning priority allow-flapping command in the system view to prohibit MAC address flapping. A MAC address then will not be learned by multiple interfaces, and the malicious user cannot use the MAC address of a valid device to attack the switch. However, packets of the malicious user are still forwarded. You can configure the discard action to discard packets from the malicious user when MAC address flapping is prohibited.
Precautions
- If the mac-learning priority or undo mac-learning priority allow-flapping command is not used, the action specified using this command is invalid.
- This command is invalid for MAC addresses in a VSI.
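As an added model (not the switch's code) of the behaviour described for mac-learning priority, undo mac-learning priority allow-flapping and mac-learning priority flapping-defend action, the following Python class decides whether a source MAC seen on a second interface overrides the existing entry, is refused but forwarded, or is refused and discarded, and reproduces the server-powered-off comparison given above. Interface names, priority values and MAC addresses are constructed.

```python
"""Model of the MAC learning priority controls: mac-learning priority (per
interface), undo mac-learning priority allow-flapping (per priority value)
and mac-learning priority flapping-defend action { forward | discard }.
Added illustration of the documented behaviour, not the switch's code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LEARNED = "learned"        # entry created or refreshed on the receiving interface
OVERRIDDEN = "overridden"  # a higher-priority interface took over the entry
FORWARDED = "forwarded"    # entry kept on its current interface, frame forwarded
DISCARDED = "discarded"    # entry kept on its current interface, frame discarded


@dataclass
class PrioritySwitch:
    port_priority: Dict[str, int]                          # mac-learning priority <id>; default 0
    no_flapping: Set[int] = field(default_factory=set)     # priorities with allow-flapping undone
    defend_action: str = "forward"                         # flapping-defend action, default forward
    table: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (MAC, VLAN) -> interface

    def receive_source(self, in_port: str, mac: str, vlan: int) -> str:
        """Apply the learning rules to the source MAC of one received frame."""
        key = (mac, vlan)
        owner = self.table.get(key)
        if owner is None or owner == in_port:
            self.table[key] = in_port            # normal learning / refresh
            return LEARNED
        new_prio = self.port_priority.get(in_port, 0)
        old_prio = self.port_priority.get(owner, 0)
        if new_prio > old_prio:
            self.table[key] = in_port            # higher priority overrides the entry
            return OVERRIDDEN
        if new_prio == old_prio and new_prio not in self.no_flapping:
            self.table[key] = in_port            # flapping allowed (default): entry moves
            return LEARNED
        # Lower priority, or same priority with flapping prohibited: the entry
        # stays where it is and the frame gets the flapping-defend action.
        return DISCARDED if self.defend_action == "discard" else FORWARDED

    def age_out(self, mac: str, vlan: int) -> None:
        """Dynamic entry aged out, e.g. after the station was powered off."""
        self.table.pop((mac, vlan), None)

    def owner_of(self, mac: str, vlan: int) -> Optional[str]:
        return self.table.get((mac, vlan))


def build_priority_demo() -> PrioritySwitch:
    """Constructed setup: uplink GE0/0/1 with mac-learning priority 3, user
    ports GE0/0/2 and GE0/0/3 at the default priority 0, flapping between
    priority-0 interfaces prohibited, flapping-defend action discard."""
    return PrioritySwitch(
        port_priority={"GE0/0/1": 3, "GE0/0/2": 0, "GE0/0/3": 0},
        no_flapping={0},
        defend_action="discard",
    )


if __name__ == "__main__":
    sw = build_priority_demo()
    print(sw.receive_source("GE0/0/1", "0003-0003-0003", 10))  # learned on the uplink
    print(sw.receive_source("GE0/0/2", "0003-0003-0003", 10))  # forged server MAC: discarded
```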
mac-limit
Function
The mac-limit command configures a rule to limit the number of MAC addresses that can be learned.
The undo mac-limit command deletes the rule.
By default, the number of learned MAC addresses is not limited.
Format
mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } * (Interface view)
mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } * (VLAN view, on the S5720EI)
mac-limit { maximum max-num | alarm { disable | enable } } * (VLAN view, except the S5720EI. When the number of learned MAC address entries reaches the limit on a device, the device still forwards packets with new source MAC addresses, but does not add the new MAC addresses to the MAC address table.)
undo mac-limit
Parameters
Parameter | Description | Value |
---|---|---|
action { discard | forward } | Indicates the action performed when the number of learned MAC address entries reaches the limit. | If no action is specified in the command, the default action discard is used. |
alarm { disable | enable } | Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit. | If you do not set this parameter in the command, the alarm function is enabled by default. |
maximum max-num | Sets the maximum number of MAC addresses that can be learned. NOTE: If maximum is not set, you must run the mac-limit command with maximum specified. If you have run the mac-limit command to set the maximum number of MAC addresses that can be learned, you do not need to set maximum max-num when running this command again. | The value is a decimal integer that ranges from 0 to 4096. The value 0 indicates that the highest rate of MAC address learning is not limited. |
Views
VLAN view, Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
The mac-limit command limits the number of access users and prevents attacks to the MAC address tables. You can enable the function to improve network security.
Precautions
The mac-limit command configuration takes effect only for dynamically learned MAC addresses. If some MAC addresses have already been learned, run the undo mac-address dynamic command to delete the learned MAC address entries. If you do not delete them, fewer new MAC addresses can be learned than the value configured using the mac-limit command.
After the port-security enable command is configured on an interface, mac-limit cannot take effect. Do not configure mac-limit and port-security enable simultaneously.
The MAC address limiting function and NAC conflict on an interface; therefore, the mac-limit and mac-authen, dot1x enable, web-auth-server or authentication-profile commands cannot be used on the same interface.
Example
# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/2 to 30. Configure the device to generate an alarm when the number of learned MAC addresses reaches the limit.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] mac-limit maximum 30 alarm enable
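The following Python model, added here and not part of the command reference, traces the frame-handling decisions the page describes for static MAC address entries (mac-address static vlan), mac-address learning disable with action discard or forward, and mac-limit with its action and alarm. The topology, interface names and MAC addresses are constructed; where the page states no rule (for example whether an existing dynamic entry moves to an interface on which learning is disabled) the code makes a choice and marks it as an assumption.

```python
"""Simplified Layer 2 forwarding model for static MAC entries,
mac-address learning disable [action ...] and mac-limit. Added example of the
documented behaviour, not the switch's own implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FLOOD = "flood"   # unknown destination: frame is broadcast in the VLAN
DROP = "drop"


@dataclass
class PortConfig:
    learning_disabled: bool = False      # mac-address learning disable
    learning_action: str = "forward"     # ... action { discard | forward }, default forward
    mac_limit: Optional[int] = None      # mac-limit maximum <n>; None = not limited
    limit_action: str = "discard"        # mac-limit action, default discard
    limit_alarm: bool = True             # mac-limit alarm, default enable


@dataclass
class Switch:
    ports: Dict[str, PortConfig]
    # (MAC, VLAN) -> (outbound interface, is_static)
    table: Dict[Tuple[str, int], Tuple[str, bool]] = field(default_factory=dict)
    alarms: List[str] = field(default_factory=list)

    def add_static(self, mac: str, port: str, vlan: int) -> None:
        """mac-address static <mac> <interface> vlan <vlan-id>"""
        self.table[(mac, vlan)] = (port, True)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for p, static in self.table.values() if p == port and not static)

    def receive(self, in_port: str, src: str, dst: str, vlan: int) -> str:
        """Return the outbound interface, FLOOD or DROP for one frame."""
        cfg = self.ports[in_port]
        entry = self.table.get((src, vlan))
        if entry is not None and entry[1] and entry[0] != in_port:
            return DROP   # static binding: this source MAC belongs to another interface
        if entry is None:
            if cfg.learning_disabled:
                if cfg.learning_action == "discard":
                    return DROP   # unknown source while learning is disabled
                # action forward: nothing is learned, forwarding uses the table as it is
            elif cfg.mac_limit is not None and self.dynamic_count(in_port) >= cfg.mac_limit:
                if cfg.limit_alarm:
                    self.alarms.append(f"{in_port}: MAC limit {cfg.mac_limit} reached")
                if cfg.limit_action == "discard":
                    return DROP   # limit reached: the new MAC is not learned
                # action forward: frame forwarded, new MAC not added to the table
            else:
                self.table[(src, vlan)] = (in_port, False)   # normal learning
        elif not entry[1] and entry[0] != in_port and not cfg.learning_disabled:
            # Assumption: a dynamic entry follows the station, but not onto an
            # interface on which learning is disabled.
            self.table[(src, vlan)] = (in_port, False)
        dst_entry = self.table.get((dst, vlan))
        if dst_entry is None:
            return FLOOD
        if dst_entry[0] == in_port:
            return DROP   # source and destination on one interface: dropped unless port bridge is enabled
        return dst_entry[0]


def build_limit_demo() -> Switch:
    """Constructed topology: server behind GE0/0/1 (static entry, learning
    disabled with action discard), user hosts on GE0/0/2 (mac-limit maximum 2,
    default action discard and alarm enable), an unmanaged host on GE0/0/3."""
    sw = Switch(ports={
        "GE0/0/1": PortConfig(learning_disabled=True, learning_action="discard"),
        "GE0/0/2": PortConfig(mac_limit=2),
        "GE0/0/3": PortConfig(),
    })
    sw.add_static("0003-0003-0003", "GE0/0/1", vlan=4)
    return sw


if __name__ == "__main__":
    sw = build_limit_demo()
    print(sw.receive("GE0/0/3", "0003-0003-0003", "0000-0000-00aa", 4))  # spoofed server MAC -> drop
    print(sw.receive("GE0/0/2", "0000-0000-0011", "0003-0003-0003", 4))  # learned, sent to GE0/0/1
```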
mac-spoofing-defend enable (interface view)
Views
GE interface view, Ethernet interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
Usage Scenario
User behaviors are uncontrollable; therefore, a user device may send bogus packets with the server MAC address to prevent other users from accessing the real server. To prevent such attacks, you can use the mac-spoofing-defend enable command to configure the network-side interface connected to the server as a trusted interface. The MAC address learned by the interface will not be learned by other interfaces. This prevents the attacks of bogus packets with the server MAC address.
Prerequisites
The MAC spoofing defense function has been enabled by using the mac-spoofing-defend enable command in the system view.
Precautions
- After the device connected to the trusted interface is powered off, the MAC address entry matching the device MAC address is aged out after a certain period. After another device is connected to the interface, the MAC address of this device will not be learned by other interfaces.
- On the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750, S2720EI, S5720LI, S5720S-LI, S5700LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, and S5700S-LI, when the TPID configured by the qinq protocol command on the inbound interface is different from the TPID in received packets and the mac-spoofing-defend enable command is also used on the inbound interface, the MAC address of packets in the VLAN specified by the PVID is learned, but not the MAC address-based VLAN, protocol-based VLAN, IP subnet-based VLAN, or policy VLAN. For example, the TPID on port A is 0x9100, the PVID is 10, MAC address-based VLAN is VLAN 20, received packet A contains VLAN 30 and TPID of 0x8100 that matches the MAC address-based VLAN. Because TPID values are different, the interface considers that packet A is untagged and adds VLAN 20 to packet A. The MAC address in VLAN 20 is therefore learned. If the mac-spoofing-defend enable command is configured on port A, the MAC address in VLAN 10 is incorrectly learned.
mac-spoofing-defend enable (system view)
Function
The mac-spoofing-defend enable command enables global MAC spoofing defense.
The undo mac-spoofing-defend enable command disables global MAC spoofing defense.
By default, global MAC spoofing defense is disabled.
S5720EI, S5720HI, S6720EI, and S6720S-EI do not support this command.
Usage Guidelines
Usage Scenario
User behaviors are uncontrollable; therefore, a user device may send bogus packets with the server MAC address to prevent other users from accessing the real server. To prevent such attacks, you can use the mac-spoofing-defend enable command to configure the network-side interface connected to the server as a trusted interface. The MAC address learned by the interface will not be learned by other interfaces. This prevents the attacks of bogus packets with the server MAC address.
Before configuring an interface as a trusted interface, you must use the mac-spoofing-defend enable command to enable global MAC spoofing defense.
Precautions
After you run the undo mac-spoofing-defend enable command in the system view to disable global MAC spoofing defense, the mac-spoofing-defend enable command cannot be used in the interface view.
port bridge enable
Function
The port bridge enable command enables the port bridge function on an interface. The interface then can forward packets whose source and destination MAC addresses are both learned by this interface.
The undo port bridge enable command disables the port bridge function.
By default, the port bridge function is disabled on an interface.
Views
Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view
Usage Guidelines
By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
- The switch connects to devices that do not support Layer 2 forwarding. When users connected to the devices need to communicate, the devices send packets of the users to the switch for packet forwarding. Because source and destination MAC addresses of the packets are learned on the same interface, the port bridge function needs to be enabled on the interface so that the interface can forward such packets.
- The switch is used as an access device in a data center and is connected to servers. Each server is configured with multiple virtual machines. The virtual machines need to transmit data to each other. If servers perform data switching for virtual machines, the data switching speed and server performance are reduced. To improve the data transmission rate and server performance, enable the port bridge function on the interfaces connected to the servers so that the switch forwards data packets between the virtual machines.
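The two forwarding-table rules described above, trusted-interface MAC learning with aging (mac-spoofing-defend enable) and the port bridge forwarding decision, modelled as an added example; this is not Huawei's code, and the aging time, interface names and MAC addresses are constructed values.

```python
# Added example: a toy MAC address table implementing the rules this section
# describes. Assumed semantics: an entry learned on a trusted interface is not
# re-learned on another interface until it ages out, and a frame whose source
# and destination MAC were both learned on the ingress interface is forwarded
# only when port bridge is enabled on that interface.
from dataclasses import dataclass, field

AGING_TIME = 300.0  # seconds; constructed value, not the device default


@dataclass
class Entry:
    iface: str
    updated: float  # time the entry was last learned or refreshed


@dataclass
class MacTable:
    trusted: set = field(default_factory=set)      # mac-spoofing-defend interfaces
    port_bridge: set = field(default_factory=set)  # port bridge enable interfaces
    entries: dict = field(default_factory=dict)    # (mac, vlan) -> Entry

    def age_out(self, now: float) -> None:
        """Drop dynamic entries that have not been refreshed within AGING_TIME."""
        stale = [k for k, e in self.entries.items() if now - e.updated > AGING_TIME]
        for key in stale:
            del self.entries[key]

    def learn(self, mac: str, vlan: int, iface: str, now: float) -> bool:
        """Learn (mac, vlan) on iface; return True if the entry now points at iface."""
        self.age_out(now)
        cur = self.entries.get((mac, vlan))
        if cur is not None and cur.iface != iface and cur.iface in self.trusted:
            # The entry belongs to a trusted interface: a bogus source MAC seen on
            # a user-side interface does not move it. Forwarding is unaffected.
            return False
        self.entries[(mac, vlan)] = Entry(iface, now)
        return True

    def forward(self, src: str, dst: str, vlan: int, in_iface: str, now: float) -> str:
        """Return the egress interface name, 'flood', or 'drop' for a frame."""
        self.learn(src, vlan, in_iface, now)
        dst_entry = self.entries.get((dst, vlan))
        if dst_entry is None:
            return "flood"  # unknown unicast: flooded in the VLAN
        if dst_entry.iface == in_iface:
            # Source and destination both learned on the ingress interface:
            # invalid by default, forwarded back out only with port bridge enabled.
            return in_iface if in_iface in self.port_bridge else "drop"
        return dst_entry.iface


if __name__ == "__main__":
    table = MacTable(trusted={"GE0/0/1"})
    table.learn("0001-0001-0001", 10, "GE0/0/1", 0.0)      # server MAC on trusted port
    print(table.learn("0001-0001-0001", 10, "GE0/0/2", 5.0))  # False: spoof ignored
```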
remark destination-mac
Function
The remark destination-mac command configures an action of re-marking the destination MAC address in packets in a traffic behavior.
The undo remark destination-mac command deletes the configuration.
By default, an action of re-marking the destination MAC address in packets is not configured in a traffic behavior.
Usage Guidelines
Usage Scenario
You can use the remark destination-mac command to re-mark the destination MAC address in packets in a traffic behavior so that the downstream device can identify packets and provide differentiated services.
Follow-up Procedure
Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing destination MAC address re-marking.
Precautions
- In a traffic behavior, the remark destination-mac command cannot be used with the redirect ip-nexthop or redirect ip-multihop command.
- A traffic policy containing remark destination-mac cannot be applied to the outbound direction.
- If you run the remark destination-mac command in the same traffic classifier view multiple times, only the latest configuration takes effect.
reset mac-address flapping record
Usage Guidelines
Usage Scenario
Before collecting MAC address flapping statistics, run the reset mac-address flapping record command to clear the current statistics.
Precautions
This command deletes only the historical MAC address flapping records that have been aged.
After clearing MAC address flapping records, you can run the display mac-address flapping record command to view current MAC address flapping records.
The cleared MAC address flapping records cannot be restored.
snmp-agent trap enable feature-name l2if
Function
The snmp-agent trap enable feature-name l2if command enables the trap function for the L2IF module.
The undo snmp-agent trap enable feature-name l2if command disables the trap function for the L2IF module.
By default, the trap function is disabled for the L2IF module.
Format
snmp-agent trap enable feature-name l2if [ trap-name { hwslotmaclimitnumfallingthreshold | hwslotmaclimitnumraisingthreshold | hwmuxvlangroupcountexceedthreshold | hwmuxvlangroupcountexceedthresholdresume | hwvlantranscountexceedthreshold | hwvlantranscountexceedthresholdresume } ]
undo snmp-agent trap enable feature-name l2if [ trap-name { hwslotmaclimitnumfallingthreshold | hwslotmaclimitnumraisingthreshold | hwmuxvlangroupcountexceedthreshold | hwmuxvlangroupcountexceedthresholdresume | hwvlantranscountexceedthreshold | hwvlantranscountexceedthresholdresume } ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables or disables the trap function for the specified event. | - |
| hwslotmaclimitnumfallingthreshold | Sends a Huawei proprietary trap when the number of MAC addresses dynamically learned on the slot falls below the lower limit. | - |
| hwslotmaclimitnumraisingthreshold | Sends a Huawei proprietary trap when the number of MAC addresses dynamically learned on the slot exceeds the upper limit. | - |
| hwmuxvlangroupcountexceedthreshold | Sends a Huawei proprietary trap when the number of group VLANs configured in the MUX VLAN's principal VLAN exceeds the upper threshold. | - |
| hwmuxvlangroupcountexceedthresholdresume | Sends a Huawei proprietary trap when the number of group VLANs configured in the MUX VLAN's principal VLAN falls below the upper threshold. | - |
| hwvlantranscountexceedthreshold | Sends a Huawei proprietary trap when the number of VLAN mapping configurations, VLAN stacking configurations, or both on the interface exceeds the upper threshold. | - |
| hwvlantranscountexceedthresholdresume | Sends a Huawei proprietary trap when the number of VLAN mapping configurations, VLAN stacking configurations, or both falls below the upper threshold. | - |
Usage Guidelines
When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
snmp-agent trap enable feature-name l2ifppi
Function
The snmp-agent trap enable feature-name l2ifppi command enables the trap function for the l2ifppi module.
The undo snmp-agent trap enable feature-name l2ifppi command disables the trap function for the l2ifppi module.
By default, the trap function is enabled for the l2ifppi module.
Format
snmp-agent trap enable feature-name l2ifppi [ trap-name { hwportsecrcvinsecurepktalarm | hwmflpvlanalarm | hwmflpvsialarm | hwmaclimitoverthresholdalarm | hwmaclimitoverthresholdalarmresume | hwrecillegalmacpktalarm | hwportstickyreachmaxalarm | hwmflpquitvlanalarm | hwmflpquitvlanresume | hwportvlansecuremacalarm | hwmactrapalarm | hwslotmacusageraisingthreshold | hwslotmacusagefallingthreshold | hwboardpoweroff | hwmactraphashconflictalarm | hwmflpbdalarm } ]
undo snmp-agent trap enable feature-name l2ifppi [ trap-name { hwportsecrcvinsecurepktalarm | hwmflpvlanalarm | hwmflpvsialarm | hwmaclimitoverthresholdalarm | hwmaclimitoverthresholdalarmresume | hwrecillegalmacpktalarm | hwportstickyreachmaxalarm | hwmflpquitvlanalarm | hwmflpquitvlanresume | hwportvlansecuremacalarm | hwmactrapalarm | hwslotmacusageraisingthreshold | hwslotmacusagefallingthreshold | hwboardpoweroff | hwmactraphashconflictalarm | hwmflpbdalarm } ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables or disables the trap function for the specified event. | - |
| hwportsecrcvinsecurepktalarm | Enables the device to send a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets. | - |
| hwmflpvlanalarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a VLAN on the device. | - |
| hwmflpvsialarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a VSI on the device. | - |
| hwmaclimitoverthresholdalarm | Enables the device to send a Huawei proprietary trap when the number of MAC addresses reaches the threshold. | - |
| hwmaclimitoverthresholdalarmresume | Enables the device to send a Huawei proprietary trap when the number of MAC addresses falls below the threshold. | - |
| hwrecillegalmacpktalarm | Enables the device to send a Huawei proprietary trap when the device receives packets with the MAC address of all 0s. | - |
| hwportstickyreachmaxalarm | Enables the device to send a Huawei proprietary trap when the number of secure MAC addresses reaches the maximum value. | - |
| hwmflpquitvlanalarm | Enables the device to send a trap when an interface is removed from a VLAN due to MAC address flapping. | - |
| hwmflpquitvlanresume | Enables the device to send a trap in the following situation: an interface is removed from a VLAN due to MAC address flapping and, after the recovery time is reached, joins the VLAN again. | - |
| hwportvlansecuremacalarm | Enables the device to send a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets. | - |
| hwmactrapalarm | Enables the device to send a Huawei proprietary trap when MAC addresses are added or deleted on the device. | - |
| hwslotmacusageraisingthreshold | Enables the device to send a Huawei proprietary trap when the MAC address usage in a specified slot reaches a configured threshold. | - |
| hwslotmacusagefallingthreshold | Enables the device to send a Huawei proprietary trap when the MAC address usage in a specified slot is restored. | - |
| hwboardpoweroff | Enables the device to send a Huawei proprietary trap when a card is forcibly powered off because the card does not support the changed Eth-Trunk specifications. | - |
| hwmactraphashconflictalarm | Enables the device to send a Huawei proprietary trap when a MAC address hash conflict occurs. | - |
| hwmflpbdalarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a BD on the device. | - |
Usage Guidelines
When the trap function is enabled, the device generates traps during running and sends traps to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.
You can specify trap-name to enable the trap function for one or more events.
undo mac-address
Format
undo mac-address [ all | dynamic ] [ interface-type interface-number | vlan vlan-id ] *
undo mac-address { all | dynamic } [ vsi vsi-name ]
undo mac-address mac-address [ vlan vlan-id | vsi vsi-name ]
Parameters
| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a MAC address entry to be deleted. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| interface-type interface-number | Specifies the interface in a MAC address entry to be deleted. | - |
| vlan vlan-id | Specifies the VLAN ID in a MAC address entry to be deleted. | The value is an integer that ranges from 1 to 4094. |
| all | Specifies that all MAC address entries excluding DHCP sticky MAC address entries and NAC MAC address entries are deleted. | - |
| vsi vsi-name | Specifies the name of a VSI. The VSI must have been created. NOTE: Only the S5720EI, S5720HI, S6720EI, and S6720S-EI support this parameter. | - |
| dynamic | Deletes dynamic MAC address entries, that is, MAC address entries learned by an interface. | - |
Usage Guidelines
A MAC address table saves a limited number of MAC addresses. If the MAC address table is full, the device cannot learn new MAC address entries until old MAC addresses are aged out. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless MAC address entries to release the MAC address table space.
- If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
- If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.
Example
# Delete all MAC address entries.
<HUAWEI> system-view
[HUAWEI] undo mac-address all
# Delete all dynamic MAC address entries.
<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic
# Delete all MAC address entries on gigabitethernet0/0/1.
<HUAWEI> system-view
[HUAWEI] undo mac-address gigabitethernet 0/0/1
# Delete all MAC address entries in VLAN 5.
<HUAWEI> system-view
[HUAWEI] undo mac-address vlan 5
# Delete all dynamic MAC address entries in the VSI a2.
<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic vsi a2
# Delete all MAC address entries in which the MAC address is 0004-0004-0004.
<HUAWEI> system-view
[HUAWEI] undo mac-address 0004-0004-0004
undo mac-address temporary
Function
The undo mac-address temporary command deletes all the temporary MAC address entries in the system.
Usage Guidelines
When an interface card is removed, the static MAC address entries configured on its interfaces are retained as temporary MAC address entries. After the interface card is inserted again, the static MAC address entries are restored.
If the interface card is not reinserted after removal, the temporary MAC address entries become unnecessary and occupy system resources. In this case, you can run the undo mac-address temporary command to delete all the temporary MAC address entries in the system.
undo mac-limit all
Usage Guidelines
Usage Scenario
This command deletes all the rules configured by the mac-limit command.
Precautions
Before using this command, run the display mac-limit command to check the MAC address limiting rules and confirm your operation.