Configuration Guide - Ethernet Switching

S7700 and S9700 V200R011C10

This document describes the configuration of Ethernet services, including configuring link aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, STP/RSTP/MSTP, SEP, and so on.

Summary of MAC Address Table Configuration Tasks

Table 2-5  MAC address table configuration tasks

Scenario: MAC addresses and interfaces need to be bound statically.
Description: Configure static MAC address entries to bind MAC addresses and interfaces, improving security of authorized users.
Task: Configuring a Static MAC Address Entry

Scenario: Attack packets from unauthorized users need to be filtered out.
Description: Configure blackhole MAC address entries to filter out packets from unauthorized users, thereby protecting the system against attacks.
Task: Configuring a Blackhole MAC Address Entry

Scenario: Aging of dynamic MAC address entries needs to be flexibly controlled.
Description: Set the aging time according to your needs. Set the aging time to a large value or 0 (not to age dynamic MAC address entries) on a stable network; set a short aging time in other situations.
Task: Setting the Aging Time of Dynamic MAC Address Entries

Scenario: MAC address learning needs to be controlled.
Description: Attacks initiated by unauthorized users may exhaust MAC address entries. To prevent this problem, disable MAC address learning or limit the number of learned MAC address entries.
Task: Disabling MAC Address Learning; Configuring the MAC Address Limiting Function

Scenario: The MAC address table needs to be monitored.
Description: You can configure various trap functions about MAC addresses to monitor the usage of MAC address entries.

  • Configure an alarm threshold for MAC address usage. When the MAC address usage exceeds the upper threshold, the switch generates an alarm. When the MAC address usage falls below the lower threshold, the switch reports a clear alarm.
  • Enable the trap function for MAC address learning or aging. When a MAC address entry is learned or aged out, the switch sends an alarm.
  • Enable the trap function for MAC address hash conflicts. If the device cannot learn MAC address entries while its MAC address table is not full, the switch reports an alarm about a MAC address hash conflict.

Task: Enabling MAC Address Trap Functions

Scenario: The outbound interfaces in ARP entries need to be updated quickly.
Description: Configure the MAC address-triggered ARP entry update function. When the outbound interface in a MAC address entry changes, the device updates the outbound interface in the corresponding ARP entry before ARP probing. This function shortens service interruption time.
Task: Enabling MAC Address-triggered ARP Entry Update

Scenario: MAC address flapping needs to be prevented.
Description: MAC address flapping occurs on a network when the network has a loop or undergoes an attack. You can use the following methods to prevent MAC address flapping:

  • Configure the MAC address learning priorities for interfaces. When the same MAC address is learned by two interfaces of different priorities, the MAC address entries learned by the interface with a higher priority override the MAC address entries learned by the other interface.
  • Prevent MAC address entries from being overridden on interfaces with the same priority.

Task: Configuring MAC Address Flapping Prevention

Scenario: MAC address flapping needs to be detected.
Description: MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one.

MAC address flapping detection enables a switch to check whether any MAC address flaps between interfaces and determine whether a loop occurs. When MAC address flapping occurs, the switch sends an alarm to the NMS. The network maintenance personnel can locate the loop based on the alarm information and historical records for MAC address flapping. This greatly improves network maintainability. If the network connected to the switch does not support loop prevention protocols, configure the switch to shut down the interfaces where MAC address flapping occurs to reduce the impact of MAC address flapping on the network.

Task: Configuring MAC Address Flapping Detection

Scenario: The switch needs to discard packets with an all-0 source or destination MAC address.
Description: A faulty host or device may send packets with an all-0 source or destination MAC address to a switch. Configure the switch to discard such packets and send an alarm to the NMS so that the network administrator can locate the faulty host or device based on the alarm information.
Task: Configuring the Switch to Discard Packets with an All-0 MAC Address

Scenario: The switch needs to discard packets in which destination MAC addresses do not match the MAC address table.
Description: After a DHCP user goes offline, the MAC address entry of the user ages out. If there are packets destined for this user, the system cannot find the MAC address entry. The system then broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets, which brings security risks. After the switch is configured to discard packets that do not match any MAC address entry, the switch discards such packets. This function mitigates the burden on the switch and enhances security.
Task: Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry

Scenario: An interface needs to forward packets of which the source and destination MAC addresses are both learned on the interface.
Description: By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet. After the port bridge function is enabled on the interface, the interface forwards such packets. This function applies to a switch that connects to devices incapable of Layer 2 forwarding or functions as an access device in a data center.
Task: Enabling Port Bridge
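
The flapping prevention, flapping detection and unmatched-destination rows above can be followed in a small model of the MAC table. This is an added example, not Huawei code or switch configuration. It assumes that a larger number means a higher learning priority and that equal-priority overrides are allowed unless disabled; the interface names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class MacTable:
    """Toy model of a switch MAC table (constructed for illustration)."""
    priority: dict                        # interface -> learning priority (assumed: larger wins)
    allow_same_priority_flap: bool = True     # assumed default: equal priority may override
    drop_unknown_unicast: bool = False    # discard frames that match no MAC entry
    entries: dict = field(default_factory=dict)    # (vlan, mac) -> interface
    flap_log: list = field(default_factory=list)   # (vlan, mac, old_if, new_if)

    def learn(self, vlan, src_mac, in_if):
        """Process a source MAC seen on in_if; True if the entry now points at in_if."""
        key = (vlan, src_mac)
        old_if = self.entries.get(key)
        if old_if is None or old_if == in_if:
            self.entries[key] = in_if
            return True
        old_p, new_p = self.priority.get(old_if, 0), self.priority.get(in_if, 0)
        if new_p < old_p or (new_p == old_p and not self.allow_same_priority_flap):
            return False                  # flapping prevention: the existing entry is kept
        self.entries[key] = in_if         # the entry learned later overrides the earlier one
        self.flap_log.append((vlan, src_mac, old_if, in_if))  # what detection would report
        return True

    def egress(self, vlan, dst_mac, in_if, vlan_ports):
        """Return the interfaces a frame is sent out of."""
        out_if = self.entries.get((vlan, dst_mac))
        if out_if is None:                # no matching entry, for example after aging
            if self.drop_unknown_unicast:
                return []
            return [p for p in vlan_ports if p != in_if]   # sent to the rest of the VLAN
        return [] if out_if == in_if else [out_if]   # port bridge off: same-port frame dropped

def demo():
    ports = ["GE1/0/1", "GE1/0/2", "GE1/0/3"]            # constructed interface names
    server, host = "0011-2233-4455", "00aa-bbcc-ddee"    # constructed MAC addresses
    t = MacTable(priority={"GE1/0/1": 1, "GE1/0/2": 0, "GE1/0/3": 0})
    t.learn(10, server, "GE1/0/1")
    duplicate_accepted = t.learn(10, server, "GE1/0/2")  # lower priority: rejected
    t.learn(10, host, "GE1/0/2")
    t.learn(10, host, "GE1/0/3")                         # same priority: overrides, logged
    flooded = t.egress(10, "00de-ad00-0001", "GE1/0/1", ports)
    t.drop_unknown_unicast = True
    dropped = t.egress(10, "00de-ad00-0001", "GE1/0/1", ports)
    return duplicate_accepted, t.flap_log, flooded, dropped

if __name__ == "__main__":
    print(demo())
```
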

Updated: 2019-10-18

Document ID: EDOC1000178310
