S12700 V200R013C00 Command Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

MAC Address Table Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display bridge mac-address

Function

The display bridge mac-address command displays the bridge MAC address of a device.

Format

display bridge mac-address

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you need to view the bridge MAC address of a device, run the display bridge mac-address command.

Example

# Display the bridge MAC address of a device.

<HUAWEI> display bridge mac-address
System bridge MAC address: 00e0-f74b-6d00
Table 5-1  Description of the display bridge mac-address command output

| Item | Description |
| --- | --- |
| System bridge MAC address | Indicates the bridge MAC address of a device. |

display mac-address

Function

The display mac-address command displays the MAC address table of the switch. A MAC address entry contains the destination MAC address, VLAN ID/VSI/BD, outbound interface, and entry type.

Format

display mac-address [ mac-address ] [ vlan vlan-id | vsi vsi-name ] [ verbose ]

display mac-address [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| mac-address | Specifies the destination MAC address in an entry. | The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter less than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Displays MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| vsi vsi-name | Displays MAC address entries in a specified VSI. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| interface-type interface-number | Displays the MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. NOTE: The management interface is not supported. | - |
| verbose | Displays detailed information about MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The display mac-address command displays all MAC address entries, such as dynamic MAC address entries, static MAC address entries, and blackhole MAC address entries. A MAC address entry contains the destination MAC address, VLAN ID/VSI/BD, outbound interface, and entry type.

Follow-up Procedure

If any MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address static command to add a correct one.

Precautions

If you run the display mac-address command without parameters, all MAC address entries are displayed.

When the switch has a large number of MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MAC address entries.

<HUAWEI> display mac-address
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-//-                     GE1/0/1             dynamic 
0000-0000-0001       -/HUAWEI/-                  GE1/0/2             static 
-------------------------------------------------------------------------------
Total items displayed = 2 

# Display detailed information about all MAC address entries in VLAN 10.

<HUAWEI> display mac-address vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0000-0001            VLAN : 10                            
Learned-From: GE1/0/2                 Type : dynamic                       
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 5-2  Description of the display mac-address command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry; the values are described in the list that follows. |

  • static: indicates a static MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address static vlan, mac-address static vlanif, mac-address static vsi, mac-address static bridge-domain, or mac-address static bridge-domain vni command.
  • blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address blackhole command.
  • dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires.
  • OAM-PU: indicates a MAC address entry configured by using the mac-purge command.
  • OAM-PO: indicates a MAC address entry configured by using the mac-populate command.
  • security: indicates a MAC address entry that an interface learns after port security is enabled.
  • sec-config: indicates a static secure MAC address entry configured by using the port-security mac-address command.
  • sticky: indicates a MAC address entry that an interface learns after the sticky MAC function is enabled.
  • mux: indicates a MAC address entry learned by a MUX VLAN enabled interface.
  • snooping: indicates a static MAC address entry generated based on the dynamic DHCP snooping binding table.
  • authen: indicates a MAC address entry corresponding to the NAC authentication user that obtains an IP address (excluding the Layer 3 authentication user of which the MAC address cannot be generated and wireless user in direct forwarding mode).
  • pre-authen: indicates a MAC address entry corresponding to a user that is in pre-connection state and does not obtain an IP address after NAC authentication is enabled.
  • evpn: indicates a MAC address entry of EVPN.
NOTE:

Among existing MAC address entries, only MAC addresses of the dynamic type can be overwritten as MAC addresses of other types.

A MAC address entry of EVPN can be displayed only in V200R013C00SPC500.
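The brief output format and the entry types in Table 5-2 are enough to audit a captured MAC table offline. The following is an added example, not part of the Huawei documentation: it parses a constructed capture, checks the parsed row count against the "Total items displayed" line, and reports ports with more dynamic entries than a threshold. The function names, the threshold and the sample rows are assumptions made for illustration.

```python
import re
from collections import Counter

# Entry types listed in Table 5-2 above.
KNOWN_TYPES = {
    "static", "blackhole", "dynamic", "OAM-PU", "OAM-PO", "security",
    "sec-config", "sticky", "mux", "snooping", "authen", "pre-authen", "evpn",
}

# One brief-format row: MAC (H-H-H), VLAN/VSI/BD, Learned-From, Type.
# Limitation: a quoted VSI name containing spaces would not match.
ROW_RE = re.compile(
    r"^((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)$"
)
TOTAL_RE = re.compile(r"^Total items displayed = (\d+)$")

# Constructed sample in the layout of the "display mac-address" example.
SAMPLE = """\
-------------------------------------------------------------------------------
MAC Address          VLAN/VSI/BD                 Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                     GE1/0/1             dynamic
0022-0022-0034       100/-/-                     GE1/0/1             dynamic
0022-0022-0035       100/-/-                     GE1/0/1             dynamic
0000-0000-0001       -/HUAWEI/-                  GE1/0/2             static
00e0-fc01-0203       100/-/-                     -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 5
"""


def parse_mac_table(text):
    """Return (entries, reported_total) from brief 'display mac-address' output."""
    entries, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            mac, scope, port, etype = row.groups()
            # VLAN/VSI/BD column; "-" marks a field that does not apply.
            vlan, vsi, bd = (scope.split("/") + ["-", "-"])[:3]
            entries.append({"mac": mac.lower(), "vlan": vlan, "vsi": vsi,
                            "bd": bd, "port": port, "type": etype})
            continue
        tot = TOTAL_RE.match(line)
        if tot:
            total = int(tot.group(1))
    return entries, total


def audit(entries, total, max_dynamic_per_port=2):
    """Return a list of (kind, detail) findings for a parsed table."""
    findings = []
    # A mismatch means the capture was truncated or a row failed to parse.
    if total is not None and total != len(entries):
        findings.append(("row-count-mismatch",
                         f"parsed {len(entries)} rows, device reported {total}"))
    # Many dynamic MACs behind one port can indicate an unmanaged switch
    # or a table-filling condition worth investigating.
    per_port = Counter(e["port"] for e in entries if e["type"] == "dynamic")
    for port, count in sorted(per_port.items()):
        if count > max_dynamic_per_port:
            findings.append(("many-dynamic-macs",
                             f"{port}: {count} dynamic entries"))
    for e in entries:
        if e["type"] not in KNOWN_TYPES:
            findings.append(("unknown-type", f"{e['mac']}: {e['type']}"))
    return findings


if __name__ == "__main__":
    parsed, reported = parse_mac_table(SAMPLE)
    for kind, detail in audit(parsed, reported):
        print(kind, detail)
```
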

display mac-address aging-time

Function

The display mac-address aging-time command displays the aging time of dynamic MAC address entries in the MAC address table.

Format

display mac-address aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays the aging time of dynamic MAC address entries on the switch. You can check whether the aging time is suitable for network requirements and device performance.

Follow-up Procedure

If the aging time is unsuitable for requirements or device performance, run the mac-address aging-time command to set the aging time properly.

Precautions

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

Example

# Display the aging time of dynamic MAC address entries.

<HUAWEI> display mac-address aging-time
  Aging time: 300 second(s)
Table 5-3  Description of the display mac-address aging-time command output

| Item | Description |
| --- | --- |
| Aging time | Aging time of dynamic MAC address entries, in seconds. To set the aging time, run the mac-address aging-time command. |

display mac-address blackhole

Function

The display mac-address blackhole command displays blackhole MAC address entries.

Format

display mac-address blackhole [ vlan vlan-id | vsi vsi-name ] [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays blackhole MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| vsi vsi-name | Displays blackhole MAC address entries of a specified virtual switch instance (VSI). | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| verbose | Displays detailed information about blackhole MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Blackhole MAC address entries that are used to discard packets with the specified MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Static MAC entries that are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To check whether blackhole MAC address entries are configured correctly, run this command. These entries ensure communication between authorized users.

Follow-up Procedure

If any blackhole MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address blackhole command to add a correct one.

Precautions

If you run the display mac-address blackhole command without parameters, all blackhole MAC address entries are displayed.

If the MAC address table does not contain any blackhole MAC address, no information is displayed.

Example

# Display all blackhole MAC address entries.

<HUAWEI> display mac-address blackhole
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                      -                  blackhole 
0000-0000-0001       -/HUAWEI/-                   -                  blackhole 


-------------------------------------------------------------------------------
Total items displayed = 2

# Display blackhole MAC address entries in VLAN 100.

<HUAWEI> display mac-address blackhole vlan 100
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                      -                  blackhole 
0000-0000-0001       100/-/-                      -                  blackhole 

-------------------------------------------------------------------------------
Total items displayed = 2  
Table 5-4  Description of the display mac-address blackhole command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a blackhole MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to. |
| Learned-From | When the type of a MAC address entry is blackhole, "-" is displayed. |
| Type | Type of a MAC address entry. blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address blackhole command. |

display mac-address dynamic

Function

The display mac-address dynamic command displays dynamic MAC address entries.

Format

display mac-address dynamic [ [ slot ] slot-id ] [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

display mac-address dynamic [ [ slot ] slot-id ] [ vsi vsi-name [ peer ip-address ] ] [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Displays dynamic MAC address entries on a specified card. | The value is an integer and must be the slot ID of a running card. |
| vlan vlan-id | Displays dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| vsi vsi-name | Displays dynamic MAC address entries of a specified virtual switch instance (VSI). vsi-name specifies the name of a VSI. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
| peer ip-address | Displays the dynamic MAC address entry mapped to a specified peer IPv4 address. | - |
| interface-type interface-number | Displays dynamic MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about dynamic MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table needs to be updated constantly because the network topology always changes. You can use this command to view learned MAC addresses in real time.

Follow-up Procedure

If the displayed dynamic MAC address entries are invalid, run the undo mac-address command to delete dynamic MAC address entries.

Precautions

If you run the display mac-address dynamic command without parameters, all dynamic MAC address entries are displayed.

If the MAC address table does not contain any dynamic MAC address entry, no information is displayed.

When the switch has a large number of dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all dynamic MAC address entries.

<HUAWEI> display mac-address dynamic
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                     GE1/0/1             dynamic 
0000-0000-0001       -/HUAWEI/-                  GE1/0/2             dynamic 

-------------------------------------------------------------------------------
Total items displayed = 2 

# Display all dynamic MAC address entries in VLAN 9 on the card in slot 1.

<HUAWEI> display mac-address dynamic slot 1 vlan 9
------------------------------------------------------------------------------- 
MAC Address     VLAN/VSI/BD                       Learned-From        Type       
-------------------------------------------------------------------------------
0000-0007-0122  9/-/-                             GE1/0/1             dynamic    
0000-0007-0106  9/-/-                             GE1/0/1             dynamic    
0000-0007-0114  9/-/-                             GE1/0/1             dynamic    
                                                                                
------------------------------------------------------------------------------- 
Total items on slot 1 displayed = 3

# Display detailed information about all dynamic MAC address entries in VLAN 9 on the card in slot 1.

<HUAWEI> display mac-address dynamic slot 1 vlan 9 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0007-0117             VLAN: 9                                
Learned-From: GE1/0/1                    Type: dynamic                          
                                                                                
MAC Address : 0000-0007-0133             VLAN: 9                                
Learned-From: GE1/0/2                    Type: dynamic                          
                                                                                
MAC Address : 0000-0007-0121             VLAN: 9                                
Learned-From: GE1/0/3                    Type: dynamic                          
                                                                                
------------------------------------------------------------------------------- 
Total items on slot 1 displayed = 3                                          

# Display the dynamic MAC address entry mapped to peer IP address 10.1.1.2 in VSI 10.

<HUAWEI> display mac-address dynamic vsi 10 peer 10.1.1.2 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0007-0117             VSI  : 10                             
Learned-From: GE1/0/1                    Type: dynamic                          
Peer-Ip     : 10.1.1.2                   Pw-Id: 1                           
Total items  displayed = 1                                          
Table 5-5  Description of the display mac-address dynamic command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a dynamic MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires. |
| Peer-Ip | IPv4 address of the remote device. |
| Pw-Id | PW name. |

display mac-address flapping

Function

The display mac-address flapping command displays the configuration of MAC address flapping detection.

Format

display mac-address flapping

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After MAC address flapping detection is configured, you can run the display mac-address flapping command to check the configuration.

The command output includes the following information:

  • Whether MAC address flapping detection is configured.
  • Aging time of flapping MAC addresses.
  • Delay time before the interface joins a VLAN again after it is removed from the VLAN.
  • VLAN that does not require MAC address flapping detection.
  • List of VLANs of three security levels defined for MAC address flapping detection.

Example

# Display the configuration of MAC address flapping detection.

<HUAWEI> display mac-address flapping
MAC address Flapping Configurations :                                                                                               
----------------------------------------------------------------------------                                                        
  Flapping detection          : Enable                                                                                              
  Aging time(sec)             : 300                                                                                                 
  Quit VLAN Recover time(min) : 10                                                                                                  
  Exclude VLAN list           : -                                                                                                   
  Low level VLAN list         : -                                                                                                   
  Middle level VLAN list      : 1 to 4094                                                                                           
  High level VLAN list        : -                                                                                                  
----------------------------------------------------------------------------
Table 5-6  Description of the display mac-address flapping command output

| Item | Description |
| --- | --- |
| Flapping detection | MAC address flapping detection status. Enable: MAC address flapping detection is enabled. Disable: MAC address flapping detection is disabled. To specify the parameter, run the mac-address flapping detection command. |
| Aging time(sec) | Aging time of flapping MAC addresses. To specify the parameter, run the mac-address flapping aging-time command. |
| Quit VLAN Recover time(min) | Delay time before the interface joins a VLAN again after it is removed from the VLAN. To specify the parameter, run the mac-address flapping quit-vlan recover-time command. The default value is 10. If the value is 0, the interface cannot join a VLAN again after it is removed from the VLAN. |
| Exclude VLAN list | VLAN that does not require MAC address flapping detection. To specify the parameter, run the mac-address flapping detection exclude vlan command. If such a VLAN is specified, the VLAN ID is displayed. If the VLAN is not specified, this field is displayed as -. |
| Low level VLAN list | List of VLANs of low security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command. |
| Middle level VLAN list | List of VLANs of middle security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command. |
| High level VLAN list | List of VLANs of high security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command. |

display mac-address flapping record

Function

The display mac-address flapping record command displays MAC address flapping records.

Format

display mac-address flapping record [ slot slot-id ] [ begin YYYY/MM/DD HH:MM:SS ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| slot slot-id | Specifies a slot ID. | The value depends on the device configuration. |
| begin YYYY/MM/DD HH:MM:SS | Displays MAC address flapping records generated from the specified time to the current time. YYYY/MM/DD indicates year/month/date. HH:MM:SS indicates hour:minute:second. | YYYY/MM/DD ranges from 2000/01/01 to 2099/12/31. HH:MM:SS ranges from 00:00:00 to 23:59:59. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display mac-address flapping record command output helps locate the position where MAC address flapping occurs.

Precautions

The command output is displayed only when MAC address flapping has occurred.

Example

# Display all MAC address flapping records.

<HUAWEI> display mac-address flapping record
 S  : start time                                                                
 E  : end time                                                                  
(Q) : quit VLAN 
(D) : error down 
------------------------------------------------------------------------------
Move-Time             VLAN  MAC-Address   Original-Port Move-Ports   MoveNum
-------------------------------------------------------------------------------
S:2011-08-31 17:22:36 300  0000-0000-0007 Eth-Trunk1   Eth-Trunk2   81
E:2011-08-31 17:22:44

-------------------------------------------------------------------------------
Total items on slot 2: 1
	

# Display MAC address flapping records generated from 2012/06/04 09:00:00 to the current time.

<HUAWEI> display mac-address flapping record begin 2012/06/04 09:00:00
 S  : start time                                                                
 E  : end time                                                                  
(Q) : quit VLAN                                                                 
(D) : error down   
-------------------------------------------------------------------------------
Move-Time                 VLAN MAC-Address   Original-Port Move-Ports   MoveNum
-------------------------------------------------------------------------------
S:2012-06-04 17:22:38 300  0000-0000-0007 Eth-Trunk2   Eth-Trunk1   5
E:2012-06-04 17:22:42

-------------------------------------------------------------------------------
Total items on slot 2: 1
Table 5-7  Description of the display mac-address flapping record command output

| Item | Description |
| --- | --- |
| Move-Time | Start time and end time of MAC address flapping. If the DST is configured, the DST plus the flapping start time or end time is displayed, for example: StartTime: 2012-02-02 15:54:10 DST. |
| VLAN | VLAN where MAC address flapping occurs. |
| MAC-Address | Flapping MAC address. NOTE: Only one MAC address that flaps is displayed for the same VLAN in the same slot. |
| Original-Port | Port that learns the MAC address first. |
| Move-Ports | Ports that learn the MAC address later. |
| MoveNum | Number of times the MAC address has flapped. The maximum value is 65535. When the number of times the MAC address has flapped exceeds 65535, the MoveNum field still displays 65535. |
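Flapping records are a useful signal when looking for Layer 2 loops or a MAC address appearing behind the wrong port. The following is an added example, not part of the Huawei documentation: it parses the S:/E: record pairs shown above, treats a MoveNum of 65535 as a saturated counter, and ranks records by moves per second. The function names, the rate threshold, the sample rows, the placement of the DST marker directly after the timestamp, and the handling of several Move-Ports as whitespace-separated tokens are assumptions.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
MOVENUM_MAX = 65535  # Table 5-7: the counter stops here, so treat it as ">= 65535"

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
MAC = r"((?:[0-9A-Fa-f]{4}-){2}[0-9A-Fa-f]{4})"
# Start line: S:<time> [DST] VLAN MAC Original-Port Move-Ports... MoveNum
START_RE = re.compile(
    rf"^S:{TS}(?:\s+DST)?\s+(\d+)\s+{MAC}\s+(\S+)\s+(.+?)\s+(\d+)$"
)
END_RE = re.compile(rf"^E:{TS}(?:\s+DST)?$")

# Constructed sample in the layout of the command output shown above.
SAMPLE = """\
 S  : start time
 E  : end time
(Q) : quit VLAN
(D) : error down
-------------------------------------------------------------------------------
Move-Time             VLAN  MAC-Address   Original-Port Move-Ports   MoveNum
-------------------------------------------------------------------------------
S:2011-08-31 17:22:36 300  0000-0000-0007 Eth-Trunk1   Eth-Trunk2   81
E:2011-08-31 17:22:44

S:2011-08-31 18:02:10 20   00e0-fc01-0203 GE1/0/1      GE1/0/2      65535
E:2011-08-31 18:05:10

S:2012-02-02 15:54:10 DST 10 0000-0000-0009 GE1/0/3    GE1/0/4      3
E:2012-02-02 15:55:10 DST

-------------------------------------------------------------------------------
Total items on slot 2: 3
"""


def parse_flapping_records(text):
    """Return one dict per S:/E: record pair, in the order they appear."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        start = START_RE.match(line)
        if start:
            ts, vlan, mac, original, moved, num = start.groups()
            records.append({
                "start": datetime.strptime(ts, TS_FMT),
                "end": None,  # filled in by the following E: line
                "vlan": int(vlan),
                "mac": mac.lower(),
                "original_port": original,
                "move_ports": moved.split(),  # port tokens kept verbatim
                "moves": int(num),
                "saturated": int(num) >= MOVENUM_MAX,
            })
            continue
        end = END_RE.match(line)
        if end and records and records[-1]["end"] is None:
            records[-1]["end"] = datetime.strptime(end.group(1), TS_FMT)
    return records


def moves_per_second(record):
    """Flap rate over the recorded window; None if the E: line is missing."""
    if record["end"] is None:
        return None
    seconds = max((record["end"] - record["start"]).total_seconds(), 1.0)
    return record["moves"] / seconds


def triage(records, min_rate=1.0):
    """Records worth a look: saturated counters first, then by flap rate."""
    hot = [r for r in records
           if r["saturated"] or (moves_per_second(r) or 0.0) >= min_rate]
    return sorted(hot, key=lambda r: (not r["saturated"],
                                      -(moves_per_second(r) or 0.0)))


if __name__ == "__main__":
    for rec in triage(parse_flapping_records(SAMPLE)):
        print(rec["vlan"], rec["mac"], rec["original_port"],
              rec["move_ports"], rec["moves"], moves_per_second(rec))
```
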

display mac-address hash-mode

Function

The display mac-address hash-mode command displays the running hash mode and configured hash mode on the device.

NOTE:

The X series cards do not support this command.

Format

display mac-address hash-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After a hash mode is configured, you can run the display mac-address hash-mode command to check the configuration.

Precautions

After the hash algorithm is changed, restart the board for the configuration to take effect.

Example

# Display the running hash mode and configured hash mode on the device.

<HUAWEI> display mac-address hash-mode
  MAC address hash mode status:                                                 
--------------------------------------------                                    
 Slot       CurMode         CfgMode                                             
--------------------------------------------                                    
 1         crc16-lower     crc32-lower                                         
--------------------------------------------      
Table 5-8  Description of the display mac-address hash-mode command output

| Item | Description |
| --- | --- |
| Slot | Slot ID. |
| CurMode | Running hash mode in the specified slot. After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect. |
| CfgMode | Configured hash mode in the specified slot. To specify the parameter, run the mac-address hash-mode command. |

display mac-address mux

Function

The display mac-address mux command displays MUX MAC address entries.

Format

display mac-address mux [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| vlan vlan-id | Displays MUX MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays MUX MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about MUX MAC address entries. If this parameter is not specified, brief information about MUX MAC address entries is displayed. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. A MUX MAC address entry is learned by a MUX VLAN enabled interface. The learned MUX MAC address entries are deleted after the switch restarts.

After configuring the MUX VLAN function, you can run the display mac-address mux command to check whether the learned MUX MAC address entries are correct.

Follow-up Procedure

If the displayed MUX MAC address entries are invalid, run the undo mac-address command to delete MUX MAC address entries.

Precautions

If you run the display mac-address mux command without parameters, all MUX MAC address entries are displayed.

If the MAC address table does not contain any MUX MAC address entry, no information is displayed.

When the switch has a large number of MUX MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MUX MAC address entries.

<HUAWEI> display mac-address mux
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                     GE1/0/2           mux       

-------------------------------------------------------------------------------
Total items displayed = 1 

# Display detailed information about all MUX MAC address entries in VLAN 10.

<HUAWEI> display mac-address mux vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0000-0001            VLAN : 10                            
Learned-From: GE1/0/2                 Type : mux                        
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 5-9  Description of the display mac-address mux command output

| Item | Description |
| --- | --- |
| MAC Address | Destination MAC address in a MUX MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, or name of the virtual switch instance (VSI), or ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. mux: indicates a MAC address entry learned by a MUX VLAN enabled interface. |

display mac-address oam

Function

The display mac-address oam command displays information about MAC address entries of the OAM type.

Format

display mac-address oam

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

VPLS data forwarding depends on MAC address learning. Data packets in a VPLS domain can be correctly forwarded only when the MAC addresses of the data packets are correctly learned by PEs.

VPLS MAC diagnostic tools can be used to check whether MAC address learning works properly on the devices in a VPLS domain. VPLS MAC diagnostic tools include MAC populate and MAC purge.
  • MAC populate is used to check whether MAC addresses can be learned by devices in a VSI by populating an OAM MAC address into the VPLS domain.

    If the devices in a specified VSI in the VPLS domain have learned the populated MAC address, running the display mac-address oam command can display detailed information about the populated OAM MAC address.

  • MAC purge is used to purge the populated OAM MAC address.

    If the learned OAM MAC address is purged on the device, running the display mac-address oam command can show that the learned OAM MAC address has been purged.

Prerequisites

  • Before you check detailed information about the populated OAM MAC address, the diagnosis of the OAM MAC address learning capacity has been configured.
  • Before you check whether the OAM MAC address has been purged, the OAM MAC address learned by the devices on the VPLS network has been purged.

Example

# Display MAC address entries of the OAM type in the MAC address table.

<HUAWEI> display mac-address oam
------------------------------------------------------------------------------------------
MAC Address     VLAN/VSI/BD             Learned-From          Type       
------------------------------------------------------------------------------------------
0000-0000-0010  -/vsi1/-                GigabitEthernet1/0/1  OAM-PU     
0000-0000-0020  -/vsi1/-                GigabitEthernet1/0/1  OAM-PO     

------------------------------------------------------------------------------------------
Total items displayed = 2   
Table 5-10  Description of the display mac-address oam command output

Item

Description

MAC Address

Indicates the MAC address of the OAM type.

VLAN/VSI/BD

  • VLAN: the value is always displayed as "-".
  • VSI: indicates the VSI to which the MAC addresses of the OAM type belong.
  • BD: the value is always displayed as "-".

Learned-From

Indicates an interface on which the MAC addresses of the OAM type are configured.

Type

Indicates the OAM type of the MAC address.
  • OAM-PU: indicates an OAM MAC address entry, configured by using the mac-purge command, that is used to discard data frames containing a specified destination MAC address.

  • OAM-PO: indicates an OAM MAC address entry, configured by using the mac-populate command, that is used to test whether dynamic MAC address learning works properly on the interface board. The entry is displayed as a dynamic MAC address on the interface board and, like a common dynamic MAC address, supports VPLS forwarding.

display mac-address static

Function

The display mac-address static command displays static MAC address entries.

Format

display mac-address static [ vsi vsi-name ] [ verbose ]

display mac-address static [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

Parameter

Description

Value

vlan vlan-id

Displays static MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

vsi vsi-name

Displays static MAC address entries in a specified VSI. vsi-name specifies the name of a VSI.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

interface-type interface-number

Displays the static MAC address entries on a specified interface.

-

verbose

Displays detailed information about static MAC address entries.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The MAC address table contains the following MAC address entries:
  • Static MAC entries that are manually configured and will not be aged out.
  • Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
  • Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To improve network security, configure static MAC address entries to ensure that packets destined for specified MAC addresses are forwarded by the specified interfaces. This prevents attack packets with bogus MAC addresses and guarantees communication between the switch and the upstream device or server. After configuring static MAC address entries, you can run the display mac-address static command to verify the configuration.

Follow-up Procedure

If any static MAC address entry is incorrect, run the undo mac-address command to delete it.

Precautions

If you run the display mac-address static command without parameters, all static MAC address entries are displayed.

If the MAC address table does not contain any static MAC address entry, no information is displayed.

Example

# Display all static MAC address entries.

<HUAWEI> display mac-address static
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033       100/-/-                     GE1/0/1             static 
0000-0000-0001       -/HUAWEI/-                  GE1/0/2             static 

-------------------------------------------------------------------------------
Total items displayed = 2 

# Display detailed information about all static MAC address entries in VLAN 10.

<HUAWEI> display mac-address static vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0000-0001            VLAN : 10                            
Learned-From: GE1/0/2                   Type : static                       
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 5-11  Description of the display mac-address static command output

Item

Description

MAC Address

Destination MAC address in a static MAC address entry.

VLAN/VSI/BD

ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to.

Learned-From

Interface that learns a MAC address.

Type

Type of a MAC address entry.

static: indicates a static MAC address entry, which is manually configured by using the mac-address static vlan, mac-address static vlanif, mac-address static vsi, mac-address static bridge-domain, or mac-address static bridge-domain vni command and will not be aged out.

display mac-address summary

Function

The display mac-address summary command displays statistics on MAC address entries.

Format

display mac-address summary [ slot slot-id ]

Parameters

Parameter

Description

Value

slot slot-id

Displays statistics on MAC address entries on a specified card.

The value is an integer and must be the slot ID of a running card.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the device stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the switch has many MAC address entries of different types, you can use the display mac-address summary command to view the summary of MAC address entries in the system. In the command output, Local and Remote identify, respectively, the MAC address entries learned by the local card and the MAC address entries synchronized from other cards.

Precautions

  • If slot slot-id is specified, this command displays statistics on MAC address entries on the specified card. If this parameter is not specified, this command displays statistics on MAC address entries on all cards.

  • If no static or blackhole MAC addresses are configured on the device, statistics about the two types of MAC address entries are 0.
  • If MAC address learning is disabled on the device, statistics about dynamic MAC address entries are 0.

    To enable MAC address learning, run the undo mac-address learning disable command in the Ethernet interface view.

Example

# View statistics on all MAC address entries in the system.

<HUAWEI> display mac-address summary
Summary information of slot 1:
-----------------------------------                                             
Static     :               1 
Blackhole  :               1 
Dyn-Local  :               3 
Dyn-Remote :               5 
Dyn-Trunk  :               0 
OAM        :               0 
Sticky     :               0 
Security   :               0 
Sec-config :               0 
Authen     :               0 
Guest      :               0 
Mux        :               0 
Snooping   :               0 
Pre-Mac    :               0 
Evpn       :               0 
In-used    :               10 
Capacity   :               524288                                                
-----------------------------------                                             
Table 5-12  Description of the display mac-address summary command output

Item

Description

Static

Number of static MAC address entries.

Blackhole

Number of blackhole MAC address entries.

Dyn-Local

Number of MAC address entries learned by the local card.

Dyn-Remote

Number of MAC address entries synchronized from other cards.

Dyn-Trunk

Total number of MAC address entries learned by all trunk interfaces.

NOTE:
If the interfaces of other cards (not the cards on which the Eth-Trunk member interfaces reside) are added to the VLAN corresponding to the MAC addresses learned by an Eth-Trunk, the MAC addresses learned by the Eth-Trunk will be synchronized to the cards. Otherwise, the MAC addresses will not be synchronized to the other cards.

OAM

Number of MAC address entries related to the OAM function.

Sticky

Number of sticky MAC address entries.

Security

Number of secure dynamic MAC address entries.

Sec-config

Number of secure static MAC address entries.

Authen

Number of MAC address entries corresponding to authentication users.

Guest

Number of MAC address entries learned by interfaces in the guest VLAN.

Mux

Number of MAC address entries learned by interfaces enabled with the MUX VLAN function.

Snooping

Number of Snooping MAC address entries.

Pre-Mac

Number of Pre-authen MAC address entries.

Evpn

Number of EVPN MAC address entries.

NOTE:

This field is supported only in V200R013C00SPC500.

In-used

Total number of existing MAC address entries.

Capacity

Capacity of the MAC address table. The actual value varies according to device models.
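The following Python sketch is an added example, not part of the Huawei documentation. It parses display mac-address summary output into per-slot counters and reports how full each card's MAC address table is. The 80% warning ratio, the function names, and the slot 2 block in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: slot 1 is the output shown above; slot 2 is invented
# here to exercise the warning path.
SAMPLE = """\
Summary information of slot 1:
-----------------------------------
Static     :               1
Blackhole  :               1
Dyn-Local  :               3
Dyn-Remote :               5
Dyn-Trunk  :               0
OAM        :               0
Sticky     :               0
Security   :               0
Sec-config :               0
Authen     :               0
Guest      :               0
Mux        :               0
Snooping   :               0
Pre-Mac    :               0
Evpn       :               0
In-used    :               10
Capacity   :               524288
-----------------------------------
Summary information of slot 2:
-----------------------------------
Static     :               2
Blackhole  :               0
Dyn-Local  :               29998
Dyn-Remote :               0
In-used    :               30000
Capacity   :               32768
-----------------------------------
"""

SLOT_RE = re.compile(r"^Summary information of slot (\S+):$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*:\s*(\d+)$")


def parse_summary(text):
    """Return {slot_id: {field_name: count}} for every slot block in the output."""
    slots, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            current = slots.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return slots


def utilization_report(slots, warn_ratio=0.8):
    """Return one dict per slot with table usage and a warning flag.

    warn_ratio is an assumed local threshold, not a device setting.
    dynamic_share counts Dyn-Local plus Dyn-Remote only (an assumption about
    which counters to treat as dynamically learned entries).
    """
    report = []
    for slot in sorted(slots):
        fields = slots[slot]
        used, cap = fields.get("In-used"), fields.get("Capacity")
        if used is None or not cap:
            # Incomplete block: report it instead of dividing by zero.
            report.append({"slot": slot, "error": "missing In-used or Capacity"})
            continue
        dynamic = fields.get("Dyn-Local", 0) + fields.get("Dyn-Remote", 0)
        ratio = used / cap
        report.append({
            "slot": slot,
            "in_used": used,
            "capacity": cap,
            "ratio": ratio,
            "dynamic_share": dynamic / used if used else 0.0,
            "warn": ratio >= warn_ratio,
        })
    return report


if __name__ == "__main__":
    for row in utilization_report(parse_summary(SAMPLE)):
        print(row)
```

A table that is nearly full and dominated by dynamic entries is the condition worth alerting on, because new source MAC addresses can no longer be learned once Capacity is reached.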

display mac-address total-number

Function

The display mac-address total-number command displays the number of MAC address entries of a specified type.

Format

display mac-address total-number [ slot slot-id ]

display mac-address total-number [ vsi vsi-name ]

display mac-address total-number [ vlan vlan-id | interface-type interface-number ] *

display mac-address total-number vlan all

display mac-address total-number { mux | security | sticky | sec-config | snooping | pre-authen | authen } [ vlan vlan-id | interface-type interface-number ] *

display mac-address total-number blackhole [ vlan vlan-id | vsi vsi-name ]

display mac-address total-number dynamic [ slot slot-id ] [ vlan vlan-id | interface-type interface-number ] *

display mac-address total-number dynamic [ slot slot-id ] [ vsi vsi-name ]

display mac-address total-number static [ vlan vlan-id | interface-type interface-number ] *

display mac-address total-number static vsi vsi-name

Parameters

Parameter

Description

Value

slot slot-id

Displays the number of MAC address entries on a specified card.

The value is an integer and must be the slot ID of a running card.

mux

Displays the number of MUX MAC address entries.

-

dynamic

Displays the number of dynamic MAC address entries.

-

security

Displays the number of secure dynamic MAC address entries.

-

sec-config

Displays the number of secure static MAC address entries.

-

snooping

Displays the number of static MAC address entries generated based on the dynamic DHCP snooping binding table.

-

pre-authen

Displays the number of static MAC address entries corresponding to a user in pre-connection state after NAC authentication is enabled.

-

authen

Displays the number of static MAC address entries that are generated after a user passes NAC authentication.

-

sticky

Displays the number of sticky MAC address entries.

-

blackhole

Displays the number of blackhole MAC address entries.

-

static

Displays the number of static MAC address entries.

-

vlan vlan-id

Displays the number of MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

vlan all

Displays the number of MAC address entries in all VLANs.

-

interface-type interface-number

Displays the number of MAC address entries learned by a specified interface.

-

vsi vsi-name

Displays the number of MAC address entries in a specified VSI.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the switch has many MAC address entries of different types, you can use the display mac-address total-number command to view statistics on MAC address entries of a specified type.

Precautions

If no parameter is specified, the total number of MAC address entries in the system is displayed.

If interface-type interface-number is not specified, the total number of MAC addresses learned by all interfaces is displayed.

If vlan vlan-id is not specified, the total number of MAC addresses in all VLANs is displayed.

Example

# Display the number of dynamic MAC address entries.

<HUAWEI> display mac-address total-number dynamic
Total number of MAC address : 20
Table 5-13  Description of the display mac-address total-number command output

Item

Description

Total number of MAC address

Total number of MAC address entries in the system.

display mac-limit

Function

The display mac-limit command displays the rules that limit the number of learned MAC addresses.

Format

display mac-limit [ interface-type interface-number | vlan vlan-id | vsi vsi-name | slot slot-id ]

Parameters

Parameter

Description

Value

interface-type interface-number

Displays the MAC address limiting rule on a specified interface.
  • interface-type specifies the type of the interface.
  • interface-number specifies the number of the interface.

-

vlan vlan-id

Displays the MAC address limiting rules in a specified VLAN.

The value is an integer that ranges from 1 to 4094.

vsi vsi-name

Displays the MAC address limiting rules in a specified VSI. vsi-name specifies the name of a VSI.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

slot slot-id

Displays MAC address learning limit rules on a specified card.

The value is the slot ID of a running card.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

To check whether MAC address limiting rules are configured correctly, run the display mac-limit command. If a rule is incorrect, run the mac-limit command to modify the rule or run the undo mac-limit all command to delete it.

Precautions

If no parameter is specified, MAC address learning limit rules of all interfaces, VSIs, and VLANs are displayed.

Example

# Display the MAC address limiting rule on GigabitEthernet1/0/1.

<HUAWEI> display mac-limit GigabitEthernet 1/0/1
GigabitEthernet1/0/1 MAC limit:
  Maximum MAC count 1000, used count 0 
  Action: forward, Alarm: enable 

# Display all the MAC address limiting rules.

<HUAWEI> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 4

PORT                 VLAN/VSI/SI     SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1             -                -    3000    -        forward enable
-                    3                -    100     -        discard enable
-                    5                -    5000    -        discard enable
-                    huawei           -    8000    -        discard enable
 
Table 5-14  Description of the display mac-limit command output

Item

Description

GigabitEthernet 1/0/1 MAC limit:

MAC address limiting rule for the interface.

To specify the parameters, run the mac-limit command.

Maximum MAC count

Maximum number of MAC addresses that can be learned.

used count

Number of MAC addresses that have been learned.

Total MAC Limit rule count

Number of configured MAC address limiting rules.

PORT

Name of an interface.

VLAN/VSI/SI

ID of a VLAN, VSI name, or service instance (SI) name.

SLOT

Slot ID of the card where a MAC address limiting rule is configured.

Maximum

Maximum number of MAC addresses that can be learned. To set the maximum number of MAC addresses, run the mac-limit command.

Rate(ms)

Indicates the interval at which MAC addresses are learned.

Action

Action performed on packets when the number of learned MAC addresses exceeds the maximum number.
  • discard: discards packets with new source MAC addresses.
  • forward: forwards packets with new source MAC addresses.

Alarm

Whether an alarm is generated when the number of learned MAC addresses exceeds the maximum.
  • enable: indicates that an alarm is generated.
  • disable: indicates that an alarm is not generated.
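The following Python sketch is an added example, not part of the Huawei documentation. It parses the table form of the display mac-limit output and lists rules whose Action is forward or whose Alarm is disable, using the field meanings given in Table 5-14. Treating those two settings as findings is this example's policy, and the GE1/0/2 row and all function names are constructed for illustration.

```python
import re

# Constructed sample: the table from the example above plus one invented row
# (GE1/0/2) with the alarm disabled; the rule count is adjusted to match.
SAMPLE = """\
MAC Limit is enabled
Total MAC Limit rule count : 5

PORT                 VLAN/VSI/SI     SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1             -                -    3000    -        forward enable
-                    3                -    100     -        discard enable
-                    5                -    5000    -        discard enable
-                    huawei           -    8000    -        discard enable
GE1/0/2              -                -    50      -        discard disable
"""

COUNT_RE = re.compile(r"^Total MAC Limit rule count\s*:\s*(\d+)$")
ACTIONS = {"forward", "discard"}
ALARMS = {"enable", "disable"}


def parse_mac_limit(text):
    """Return (declared_rule_count, rules) from the table form of the output."""
    declared, rules, in_table = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNT_RE.match(line)
        if m:
            declared = int(m.group(1))
            continue
        if not line or line.startswith("PORT"):
            continue
        if set(line) == {"-"}:          # separator row under the header
            in_table = True
            continue
        if not in_table:
            continue
        tokens = line.split()
        if len(tokens) < 7:
            continue
        # The last five columns never contain spaces, so split from the right
        # and join whatever is left as the VLAN/VSI/SI column (assumption:
        # this keeps a quoted VSI name with spaces in one field).
        slot, maximum, rate, action, alarm = tokens[-5:]
        if not maximum.isdigit() or action not in ACTIONS or alarm not in ALARMS:
            continue
        rules.append({
            "port": tokens[0],
            "scope": " ".join(tokens[1:-5]),
            "slot": slot,
            "maximum": int(maximum),
            "rate_ms": rate,
            "action": action,
            "alarm": alarm,
        })
    return declared, rules


def audit(rules):
    """Return (target, reason) pairs for rules that do not block or report."""
    findings = []
    for r in rules:
        if r["port"] != "-":
            target = r["port"]
        elif r["scope"] != "-":
            target = r["scope"]
        else:
            target = "slot " + r["slot"]
        if r["action"] == "forward":
            findings.append((target, "packets with new source MACs are still forwarded"))
        if r["alarm"] == "disable":
            findings.append((target, "no alarm when the limit is exceeded"))
    return findings


if __name__ == "__main__":
    declared, rules = parse_mac_limit(SAMPLE)
    if declared is not None and declared != len(rules):
        print("warning: parsed", len(rules), "rules, device reports", declared)
    for target, reason in audit(rules):
        print(target + ": " + reason)
```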

display snmp-agent trap feature-name l2if all

Function

The display snmp-agent trap feature-name l2if all command displays all trap messages of the L2IF module.

Format

display snmp-agent trap feature-name l2if all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name l2if all command to check the status of all traps of l2if. You can use the snmp-agent trap enable feature-name l2if command to enable the trap function of l2if.

Prerequisites

SNMP has been enabled. See snmp-agent.

Example

# Display all trap messages of the L2IF module.

<HUAWEI> display snmp-agent trap feature-name l2if all
------------------------------------------------------------------------------
Feature name: L2IF
Trap number : 2
------------------------------------------------------------------------------
Trap name                           Default switch status   Current switch status
hwSlotMacLimitNumRaisingThreshold                                                                                                   
                                off                     off                                                                         
hwSlotMacLimitNumFallingThreshold                                                                                                   
                                off                     off                                                                         
Table 5-15  Description of the display snmp-agent trap feature-name l2if all command output

Item

Description

Feature name

Name of the module to which a trap message belongs.

Trap number

Number of trap messages.

Trap name

Name of a trap message of the L2IF module:
  • hwSlotMacLimitNumRaisingThreshold: A Huawei proprietary trap sent when the number of MAC addresses dynamically learned through the slot exceeds the lower limit.
  • hwSlotMacLimitNumFallingThreshold: A Huawei proprietary trap sent when the number of MAC addresses dynamically learned through the slot falls below the upper limit.

Default switch status

Status of the default trap function:

  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

Current switch status

Status of the current trap function:

  • on: indicates that the trap function is enabled.
  • off: indicates that the trap function is disabled.

To specify the parameter, run the snmp-agent trap enable feature-name l2if command.

display snmp-agent trap feature-name l2ifppi all

Function

The display snmp-agent trap feature-name l2ifppi all command displays the status of all traps on the l2ifppi module.

Format

display snmp-agent trap feature-name l2ifppi all

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After the trap function of a specified feature is enabled, you can run the display snmp-agent trap feature-name l2ifppi all command to check the status of all traps of l2ifppi. You can use the snmp-agent trap enable feature-name l2ifppi command to enable the trap function of l2ifppi.

Prerequisites

SNMP has been enabled. See snmp-agent.

Example

# Display all the traps of the l2ifppi module.

<HUAWEI> display snmp-agent trap feature-name l2ifppi all
------------------------------------------------------------------------------                                                      
Feature name: L2IFPPI                                                                                                               
Trap number : 14                                                                                                                    
------------------------------------------------------------------------------                                                      
Trap name                       Default switch status   Current switch status                                                       
hwPortSecRcvInsecurePktAlarm    on                      on                                                                          
hwMflpVlanAlarm                 on                      on                                                                          
hwMflpVsiAlarm                  on                      on                                                                          
hwMflpBdAlarm                   on                      on                                                                          
hwMacLimitOverThresholdAlarm    on                      on                                                                          
hwMacLimitOverThresholdAlarmResume                                                                                                  
                                on                      on                                                                          
hwRecIllegalMacPktAlarm         on                      on                                                                          
hwMflpQuitVlanAlarm             on                      on                                                                          
hwMflpQuitVlanResume            on                      on                                                                          
hwPortVlanSecureMacAlarm        on                      on                                                                          
hwMacTrapAlarm                  on                      on                                                                          
hwSlotMacUsageRaisingThreshold  on                      on                                                                          
hwSlotMacUsageFallingThreshold  on                      on                                                                          
hwBoardPowerOff                 on                      on                                                                          
hwMacTrapHashConflictAlarm      on                      on                  
Table 5-16  Description of the display snmp-agent trap feature-name l2ifppi all command output

Item

Specification

Feature name

Name of the module that the trap belongs to.

Trap number

Number of traps.

Trap name

Trap name. Traps of the l2ifppi module include:

  • hwPortSecRcvInsecurePktAlarm: The device sends a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets.

  • hwMflpVlanAlarm: The device sends a Huawei proprietary trap when MAC address flapping occurs in a VLAN on the device.

  • hwMflpVsiAlarm: The device sends a Huawei proprietary trap when MAC address flapping occurs in a VSI on the device.

  • hwMflpBdAlarm: The device sends a Huawei proprietary trap when MAC address flapping occurs in a BD on the device.

  • hwMacLimitOverThresholdAlarm: The device sends a Huawei proprietary trap when the number of MAC addresses reaches the threshold.

  • hwMacLimitOverThresholdAlarmResume: The device sends a Huawei proprietary trap when the number of MAC addresses falls below the threshold.

  • hwRecIllegalMacPktAlarm: The device sends a Huawei proprietary trap when the device receives packets with the MAC address of all 0s.

  • hwMflpQuitVlanAlarm: The device sends a Huawei proprietary trap when an interface is removed from a VLAN due to MAC address flapping.

  • hwMflpQuitVlanResume: An interface is removed from a VLAN due to MAC address flapping. After the recovery time is reached, the interface joins the VLAN again. At this time, the device sends a Huawei proprietary trap.

  • hwPortVlanSecureMacAlarm: The device sends a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets.

  • hwMacTrapAlarm: The device sends a Huawei proprietary trap when MAC addresses are added or deleted on the device.

  • hwSlotMacUsageRaisingThreshold: The device sends a Huawei proprietary trap when the MAC address usage in a specified slot reaches a configured threshold.

  • hwSlotMacUsageFallingThreshold: The device sends a Huawei proprietary trap when the MAC address usage in a specified slot is restored.

  • hwBoardPowerOff: The device sends a Huawei proprietary trap when a card is forcibly powered off because the card does not support the changed Eth-Trunk specifications.

  • hwMacTrapHashConflictAlarm: The device sends a Huawei proprietary trap when a MAC address hash conflict occurs.

Default switch status

Default status of the trap function:
  • on: indicates that the trap function is enabled by default.

  • off: indicates that the trap function is disabled by default.

Current switch status

Status of the trap function:

  • on: indicates that the trap function is enabled.

  • off: indicates that the trap function is disabled.

To specify the parameter, run the snmp-agent trap enable feature-name l2ifppi command.
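The following Python sketch is an added example, not part of the Huawei documentation. It parses the display snmp-agent trap feature-name ... all layout used for both l2if and l2ifppi, including trap names that are too long and wrap onto their own line, and reports required traps that are not currently on. The REQUIRED set, the function names, and the sample (with hwMflpVlanAlarm changed to off) are assumptions made for illustration.

```python
# Constructed sample in the layout shown above; hwMflpVlanAlarm is set to
# "off" here (it is "on" in the page's output) so the check has a finding.
SAMPLE = """\
------------------------------------------------------------------------------
Feature name: L2IFPPI
Trap number : 5
------------------------------------------------------------------------------
Trap name                       Default switch status   Current switch status
hwPortSecRcvInsecurePktAlarm    on                      on
hwMflpVlanAlarm                 on                      off
hwMacLimitOverThresholdAlarm    on                      on
hwMacLimitOverThresholdAlarmResume
                                on                      on
hwRecIllegalMacPktAlarm         on                      on
"""

STATES = {"on", "off"}

# Assumption: which traps a site requires is local policy. This set is an
# illustration chosen from the trap descriptions in Table 5-16.
REQUIRED = (
    "hwPortSecRcvInsecurePktAlarm",
    "hwMflpVlanAlarm",
    "hwMacLimitOverThresholdAlarm",
    "hwRecIllegalMacPktAlarm",
)


def parse_trap_status(text):
    """Return {trap_name: (default_status, current_status)}.

    A name that does not fit the first column is printed alone, with its two
    status values on the following line; both layouts are handled.
    """
    traps, pending, in_table = {}, None, False
    for raw in text.splitlines():
        tokens = raw.split()
        if not in_table:
            # Rows start after the "Trap name ..." header line.
            in_table = tokens[:2] == ["Trap", "name"]
            continue
        if not tokens:
            continue
        if len(tokens) == 3 and tokens[1] in STATES and tokens[2] in STATES:
            traps[tokens[0]] = (tokens[1], tokens[2])
            pending = None
        elif len(tokens) == 1 and tokens[0] not in STATES:
            pending = tokens[0]              # wrapped name, statuses follow
        elif len(tokens) == 2 and pending and set(tokens) <= STATES:
            traps[pending] = (tokens[0], tokens[1])
            pending = None
        else:
            raise ValueError("unrecognised line: %r" % raw)
    if pending:
        raise ValueError("trap name without status: %r" % pending)
    return traps


def disabled_required(traps, required=REQUIRED):
    """Return required traps that are absent or whose current status is not on."""
    return sorted(n for n in required if traps.get(n, (None, None))[1] != "on")


def changed_from_default(traps):
    """Return traps whose current status differs from the default status."""
    return sorted(n for n, (default, current) in traps.items() if default != current)


if __name__ == "__main__":
    status = parse_trap_status(SAMPLE)
    print("required but not on:", disabled_required(status))
    print("changed from default:", changed_from_default(status))
```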

drop illegal-mac alarm

Function

The drop illegal-mac alarm command configures the switch to send a trap to the network management system (NMS) when receiving a packet with an all-0 MAC address.

The undo drop illegal-mac alarm command deletes the configuration.

By default, the switch does not send a trap to the NMS when receiving a packet with an all-0 MAC address.

Format

drop illegal-mac alarm

undo drop illegal-mac alarm

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. The drop illegal-mac alarm command configures the switch to send a trap to the NMS when receiving a packet with an all-0 MAC address. You can locate the faulty network adapter according to the trap message.

Precautions

If the alarm function is disabled on the switch, the NMS cannot receive any trap message.

After you run the drop illegal-mac alarm command, the switch sends a trap only once after receiving packets with an all-0 MAC address. To configure the switch to send traps continuously, run the drop illegal-mac alarm command repeatedly.

Example

# Configure the switch to send a trap to the NMS when receiving a packet with an all-0 MAC address.

<HUAWEI> system-view
[HUAWEI] drop illegal-mac alarm

drop illegal-mac enable

Function

The drop illegal-mac enable command enables the switch to discard packets with an all-0 invalid MAC address.

The undo drop illegal-mac enable command disables the switch from discarding packets with an all-0 invalid MAC address.

By default, the switch does not discard packets with an all-0 MAC address.

Format

drop illegal-mac enable

undo drop illegal-mac enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. You can run the drop illegal-mac enable command to configure the switch to discard such packets. After receiving the packets with an all-0 source or destination MAC address, the switch discards the packets.

This command reduces incorrect MAC address entries on the device.

Precautions

If the alarm function is disabled on the device, the network management system cannot receive any alarm message.

Example

# Configure the switch to discard packets with an all-0 invalid MAC address.

<HUAWEI> system-view
[HUAWEI] drop illegal-mac enable

global-mac-learning enable

Function

The global-mac-learning enable command enables global MAC address learning on a board.

The undo global-mac-learning enable command disables global MAC address learning on a board.

By default, global MAC address learning is disabled on a board.

NOTE:
  • Only the SA-series, EA-series, and X series boards support this command.
  • The global-mac-learning enable command cannot be configured when the resource allocation mode is set to enhanced-mac using the assign resource-mode command.

Format

global-mac-learning enable slot slot-id

undo global-mac-learning enable slot slot-id

Parameters

Parameter

Description

Value

slot slot-id

Specifies the slot ID of an LPU.

The value is an integer and must specify an existing slot on the device.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, global MAC address learning is disabled on a board. The board saves only MAC address entries learned by itself, but does not synchronize MAC address entries with other boards. If a network fault such as a unidirectional connection fault occurs, enable global MAC address learning on the board so that the board can synchronize MAC address entries with other boards. This prevents MAC address loss caused by the network fault.

Example

# Enable global MAC address learning on the board in slot 3.

<HUAWEI> system-view
[HUAWEI] global-mac-learning enable slot 3 

mac-address aging-time

Function

The mac-address aging-time command sets the aging time of dynamic MAC address entries.

The undo mac-address aging-time command restores the default aging time of dynamic MAC address entries.

By default, the aging time of dynamic MAC address entries is 300 seconds.

Format

mac-address aging-time aging-time

undo mac-address aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of dynamic MAC address entries.

The value is 0 or an integer that ranges from 60 to 1000000, in seconds. The default value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the network topology changes frequently, the switch learns many MAC addresses. You can run the mac-address aging-time command to set a proper aging time for dynamic MAC address entries so that aged MAC address entries are deleted from the MAC address table. This reduces the number of MAC address entries in the MAC address table.

The system starts an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), the entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. If the aging time is short, the switch is sensitive to network changes.

When setting the aging time of dynamic MAC address entries, follow these rules:

  • Set a longer aging time on a stable network and a shorter aging time on an unstable network.
  • The capacity of the MAC address table on a low-end device is small; therefore, set a relatively short aging time on low-end devices to save MAC address table space.

Precautions

Dynamic MAC address entries are lost after system restart, LPU hot swap, or LPU resetting. Static MAC address entries and blackhole MAC address entries are not aged or lost.

If the aging time is 0, dynamic MAC address entries will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

If you run the mac-address aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of dynamic MAC address entries to 500 seconds.

<HUAWEI> system-view
[HUAWEI] mac-address aging-time 500

mac-address blackhole

Function

The mac-address blackhole command configures a blackhole MAC address entry.

The undo mac-address blackhole command deletes a blackhole MAC address entry.

By default, no blackhole MAC address entry is configured.

Format

mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]

undo mac-address blackhole [ mac-address ] [ vlan vlan-id | vsi vsi-name ]

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in a blackhole MAC address entry.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

vlan vlan-id

Specifies the VLAN ID in a blackhole MAC address entry.

The value is an integer that ranges from 1 to 4094.

vsi vsi-name

Specifies the name of a VSI in a blackhole MAC address entry. The VSI must have been created.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To protect a device or network against MAC address attacks, configure MAC addresses of untrusted users as blackhole MAC addresses. The device then directly discards the received packets of which the source or destination MAC addresses match the blackhole MAC address entries.

Prerequisites

The network administrator is familiar with the MAC addresses of all devices on the network. If the MAC address of an authorized user is configured as a blackhole MAC address, the user's communications will be interrupted.

Configuration Impact

If the source or destination MAC address of a packet matches a blackhole MAC address entry, the packet will be discarded. After being configured and saved, blackhole MAC address entries are not lost after a system reset or hot swap of the LPU.

Precautions

  • Blackhole MAC address entries can be added or deleted, and they will not be aged.

    Unlike configuring a static MAC entry, you can configure a blackhole MAC entry without specifying an outbound interface.

  • If the specified VLAN is the control VLAN for Rapid Ring Protection Protocol (RRPP), the mac-address blackhole command cannot be run.

  • Blackhole MAC address entries fall into global and VLAN- or VSI-based blackhole MAC address entries. Global blackhole MAC address entries are configured using the mac-address blackhole command with only a MAC address specified. They do not occupy the MAC address table space.
  • If you configure a VLAN- or VSI-based blackhole MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
    • If a dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry replaces the dynamic MAC address entry.
    • If no dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry cannot be added to the MAC address table.
  • You can run the mac-address blackhole command multiple times to configure multiple blackhole MAC address entries.

Example

# Add a blackhole MAC address entry to the MAC address table. In the blackhole MAC address entry, the MAC address is 0004-0004-0004 and the VLAN ID is 5.

<HUAWEI> system-view
[HUAWEI] vlan 5
[HUAWEI-vlan5] quit
[HUAWEI] mac-address blackhole 0004-0004-0004 vlan 5

# Configure a global blackhole MAC address entry in which the MAC address is 0005-0005-0005.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0005-0005-0005

# Add a blackhole MAC address entry in which the MAC address is 0011-2233-4455 to VSI a2. The device directly discards the received frame in which the source or destination MAC address is 0011-2233-4455 and the VSI name is a2.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0011-2233-4455 vsi a2
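The argument rules above (H-H-H format, no FFFF-FFFF-FFFF, no 0000-0000-0000, no multicast address, VLAN ID from 1 to 4094) can be checked before a list of addresses is turned into commands. The following Python code is an added example, not Huawei code: the function names and the sample list are constructed, and left-padding short H groups with zeros is an assumption about how the device normalizes input.

```python
import re

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def normalize_mac(text):
    """Parse an H-H-H MAC address and return it as 'xxxx-xxxx-xxxx'.

    Each H is 1 to 4 hexadecimal digits. Assumption (not stated on this
    page): a group shorter than 4 digits is left-padded with zeros.
    """
    groups = text.strip().split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError(f"{text!r} is not in H-H-H format")
    return "-".join(g.lower().zfill(4) for g in groups)


def check_entry_mac(text):
    """Return the normalized MAC, or raise ValueError for an address the
    page says the command does not accept."""
    mac = normalize_mac(text)
    if mac == "ffff-ffff-ffff":
        raise ValueError("FFFF-FFFF-FFFF is not allowed")
    if mac == "0000-0000-0000":
        raise ValueError("0000-0000-0000 is not allowed")
    # The least significant bit of the first octet marks a multicast address.
    if int(mac[0:2], 16) & 0x01:
        raise ValueError(f"{mac} is a multicast MAC address")
    return mac


def blackhole_commands(entries):
    """Build 'mac-address blackhole' lines for global and VLAN-based entries.

    entries: iterable of (mac_text, vlan_id or None).
    Returns (commands, rejected); rejected holds (mac_text, reason) pairs.
    """
    commands, rejected = [], []
    for mac_text, vlan_id in entries:
        try:
            mac = check_entry_mac(mac_text)
            if vlan_id is not None and not 1 <= vlan_id <= 4094:
                raise ValueError(f"VLAN ID {vlan_id} is outside 1-4094")
        except ValueError as exc:
            rejected.append((mac_text, str(exc)))
            continue
        line = f"mac-address blackhole {mac}"
        if vlan_id is not None:
            line += f" vlan {vlan_id}"
        commands.append(line)
    return commands, rejected


# Constructed sample input: (MAC as typed, VLAN ID or None for a global entry).
SAMPLE_ENTRIES = [
    ("0004-0004-0004", 5),
    ("5-5-5", None),              # short groups, padded to 0005-0005-0005
    ("0100-5e00-0001", 5),        # multicast
    ("FFFF-FFFF-FFFF", None),     # broadcast
    ("0011-2233-4455", 4095),     # VLAN ID out of range
    ("00:11:22:33:44:55", 5),     # wrong separator
]

if __name__ == "__main__":
    cmds, bad = blackhole_commands(SAMPLE_ENTRIES)
    print("\n".join(cmds))
    for mac_text, reason in bad:
        print(f"rejected {mac_text}: {reason}")
```
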

mac-address destination hit aging enable

Function

The mac-address destination hit aging enable command configures the device to age MAC address entries no matter whether the entries match destination MAC addresses of packets.

The undo mac-address destination hit aging enable command restores the default configuration.

By default, if MAC address entries match destination MAC addresses of packets, the system recalculates the aging time.

Format

mac-address destination hit aging enable

undo mac-address destination hit aging enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user uses one-way services such as the video on demand service, packets are transmitted unidirectionally from the server to the user terminal. When the user terminal is shut down, the server still sends packets. Therefore, the dynamic MAC address entry with the destination MAC address of the packets remains in the MAC address table.

To delete MAC address entries matching one-way service packets after user terminals are shut down, run the mac-address destination hit aging enable command to enable the device to age dynamic MAC address entries matching destination MAC addresses of received packets.

Configuration Impact

This command is used only when one-way services are deployed on a network.

Precautions

This command only frees up space in the MAC address table and does not save system resources. If the device cannot find a matching entry in the MAC address table, it broadcasts the packets.

Example

# Configure the device to age MAC address entries no matter whether the entries match destination MAC addresses of packets.

<HUAWEI> system-view
[HUAWEI] mac-address destination hit aging enable

mac-address flapping action

Function

The mac-address flapping action command configures the action to perform on an interface when MAC address flapping is detected on the interface.

The undo mac-address flapping action command deletes the action.

By default, the system does not perform any action when detecting MAC address flapping on an interface.

Format

mac-address flapping action { error-down | quit-vlan }

undo mac-address flapping action { error-down | quit-vlan }

Parameters

Parameter

Description

Value

error-down

Shuts down an interface when MAC address flapping is detected on the interface.

-

quit-vlan

Removes an interface from the VLAN where MAC address flapping occurs when MAC address flapping is detected on the interface.

-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the switch connects to a user network that does not support loop prevention protocols, configure a loop prevention action for the switch to perform when detecting MAC address flapping. This reduces the impact of MAC address flapping on the user network.

When MAC address flapping occurs on an interface with a loop prevention action configured, the switch performs the configured action. When the action is set to error-down, the switch shuts down the interface. When the action is set to quit-vlan, the switch removes the interface from the VLAN where MAC address flapping occurs. Only one interface can be shut down during one aging time configured by the mac-address flapping aging-time command.

Follow-up Procedure

  • When the action is set to error-down, the interface cannot be automatically restored after it is shut down. You can only restore the interface by running the shutdown and undo shutdown commands or the restart command in the interface view.

    To enable the interface to go Up automatically, you must run the error-down auto-recovery cause mac-address-flapping command in the system view before the interface enters the error-down state. This command enables an interface in error-down state to go Up and sets a recovery time. The interface goes Up automatically after the time expires.

  • If the action is set to quit-vlan, the interface can be automatically restored after a specified time period after it is removed from the VLAN. The default recovery time is 10 minutes. The recovery delay time can be set using the mac-address flapping quit-vlan recover-time time-value command in the system view.

Precautions

Do not run the mac-address flapping action command on uplink interfaces.

MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire network topology. If the user network connected to the switch supports loop prevention protocols, use the loop prevention protocols instead of MAC address flapping detection.

If you run the mac-address flapping action command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Configure the switch to shut down GE1/0/1 when detecting MAC address flapping on the interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action error-down
Info: This command may shut down the interface after MAC address flapping is detected. 

# Configure the switch to remove GE1/0/1 from the VLAN where MAC address flapping occurs.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action quit-vlan 

mac-address flapping action priority

Function

The mac-address flapping action priority command sets the priority for the action against MAC address flapping on an interface.

The undo mac-address flapping action priority command restores the default configuration.

By default, the priority of the action against MAC address flapping on an interface is 127.

Format

mac-address flapping action priority priority

undo mac-address flapping action priority

Parameters

Parameter

Description

Value

priority

Specifies the priority of the action against MAC address flapping on an interface.

The value is an integer that ranges from 0 to 255. A larger value indicates a higher priority. The default value is 127.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the switch connects to a user network that does not support loop prevention protocols, configure a loop prevention action for the switch to perform when detecting MAC address flapping. This reduces the impact of MAC address flapping on the user network. The mac-address flapping action priority command sets the priority of the action.

When a MAC address flaps between two interfaces and both interfaces have an action and priority configured, the switch performs the action (error-down or quit-vlan) configured on the interface with the lower priority. If the two interfaces have the same priority, the switch performs the action on the interface that learns the MAC address later. If the later interface has no action configured, the switch performs the action on the interface that learns the MAC address earlier.

NOTE:

The switch compares priorities of the interfaces only when the interfaces have the same action configured. If one interface is configured with the error-down action, and the other is configured with the quit-vlan action, the switch performs the actions on both interfaces even if their priorities are the same.

Precautions

If you run the mac-address flapping action priority command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the priority of the action against MAC address flapping on GE1/0/1 to 3.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action priority 3
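The selection rule in the usage guidelines above is easy to misread, because the action lands on the interface with the lower priority. The following Python model is an added example, not Huawei code: the class and function names are constructed, and the case where only the later interface has an action configured is handled by assumption, since the page describes only the opposite case.

```python
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("error-down", "quit-vlan")


@dataclass(frozen=True)
class FlapPort:
    name: str
    action: Optional[str] = None   # None: no mac-address flapping action set
    priority: int = 127            # default priority given on this page

    def __post_init__(self):
        if self.action is not None and self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if not 0 <= self.priority <= 255:
            raise ValueError("priority must be in the range 0-255")


def ports_to_act_on(earlier, later):
    """Return [(interface, action), ...] for a MAC address that flaps between
    the interface that learned it earlier and the one that learned it later."""
    configured = [p for p in (earlier, later) if p.action]
    if len(configured) < 2:
        # Page: if the later interface has no action, the earlier one is acted
        # on. Assumption: the mirror case acts on the later interface.
        # With no action on either side the switch takes no action (default).
        return [(p.name, p.action) for p in configured]
    if earlier.action != later.action:
        # Priorities are compared only for identical actions; with different
        # actions both interfaces are acted on.
        return [(earlier.name, earlier.action), (later.name, later.action)]
    if earlier.priority != later.priority:
        target = min((earlier, later), key=lambda p: p.priority)
    else:
        target = later             # same priority: the later learner
    return [(target.name, target.action)]


if __name__ == "__main__":
    # Constructed case: GE1/0/1 has priority 3 (as in the example above),
    # GE1/0/2 keeps the default 127; both use error-down.
    first = FlapPort("GE1/0/1", "error-down", 3)
    second = FlapPort("GE1/0/2", "error-down")
    print(ports_to_act_on(first, second))
```
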

mac-address flapping aging-time

Function

The mac-address flapping aging-time command sets the aging time of flapping MAC addresses.

The undo mac-address flapping aging-time command restores the default aging time of flapping MAC addresses.

By default, the aging time of flapping MAC addresses is 300 seconds.

Format

mac-address flapping aging-time aging-time

undo mac-address flapping aging-time

Parameters

Parameter

Description

Value

aging-time

Specifies the aging time of flapping MAC addresses.

The value is an integer that ranges from 60 to 900, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Increasing the aging time of flapping MAC addresses will cause MAC address flapping again and increase the error-down time. To ensure that the system performs MAC address flapping detection in a timely manner, run the mac-address flapping aging-time command to shorten the aging time of flapping MAC addresses.

Precautions

If you run the mac-address flapping aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of flapping MAC addresses to 500 seconds.

<HUAWEI> system-view
[HUAWEI] mac-address flapping aging-time 500

mac-address flapping detection

Function

The mac-address flapping detection command enables global MAC address flapping detection.

The undo mac-address flapping detection command disables global MAC address flapping detection.

By default, global MAC address flapping detection is enabled.

Format

mac-address flapping detection

undo mac-address flapping detection

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN or VSI. The MAC address entry learned later replaces the earlier one.

MAC address flapping occurs in the following situations:

  • Network cables of switches are connected incorrectly or switches use incorrect configurations.
  • Unauthorized users spoof the MAC addresses of valid network devices to attack the network.

Global MAC address flapping detection enables the switch to check all MAC addresses. When MAC address flapping occurs, the switch sends a trap message to the NMS. You can locate the fault according to the trap message. You can also run the display mac-address flapping record command to view MAC address flapping records.

Example

# Enable global MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection

mac-address flapping detection exclude vlan

Function

The mac-address flapping detection exclude vlan command excludes a VLAN from MAC address flapping detection.

The undo mac-address flapping detection exclude vlan command restores MAC address flapping detection for a VLAN.

By default, the system performs MAC address flapping detection in all VLANs.

Format

mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo mac-address flapping detection exclude vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

Parameters

Parameter

Description

Value

vlan-id1 [ to vlan-id2 ]

Specifies the ID of a VLAN where MAC address flapping detection is not required.

  • vlan-id1 specifies the first VLAN ID.
  • to vlan-id2 specifies the last VLAN ID.

vlan-id2 must be greater than vlan-id1.

You can specify a maximum of 10 VLANs.

  • The value of vlan-id1 is an integer that ranges from 1 to 4094.
  • The value of vlan-id2 is an integer that ranges from 1 to 4094.

all

Indicates that all VLANs are excluded from MAC address flapping detection.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the system performs MAC address flapping detection in all VLANs. When a switch is connected to a load balancing server with dual network adapters, the server's MAC address may be learned by two interfaces on the switch. This is a normal situation where MAC address flapping detection is not required.

You can run the mac-address flapping detection exclude vlan command to exclude a VLAN from MAC address flapping detection. If MAC address flapping occurs in this VLAN, the system does not send a trap message or record this event.

Precautions

If you run the mac-address flapping detection exclude vlan command multiple times, multiple VLANs are excluded from MAC address flapping detection.

Example

# Exclude VLAN 5 from MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection exclude vlan 5

mac-address flapping detection vlan security-level

Function

The mac-address flapping detection vlan security-level command configures the security level of VLANs for MAC address flapping detection.

The undo mac-address flapping detection vlan security-level command restores the default security level of VLANs for MAC address flapping detection.

By default, the security level of a VLAN for MAC address flapping detection is middle. At this security level, the system considers that MAC address flapping occurs when a MAC address moves between interfaces 10 times.

Format

mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high | middle | low }

undo mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level [ high | middle | low ]

Parameters

Parameter

Description

Value

vlan-id1 [ to vlan-id2 ]

Specifies the VLANs of which the security level needs to be set for MAC address flapping detection.

  • vlan-id1 specifies the ID of the first VLAN.
  • to vlan-id2 specifies the ID of the last VLAN.

The value of vlan-id2 must be larger than the value of vlan-id1.

You can specify a maximum of 10 VLAN ID ranges in a command.

  • The value of vlan-id1 is an integer that ranges from 1 to 4094.
  • The value of vlan-id2 is an integer that ranges from 1 to 4094.

all

Configures security level of all VLANs for MAC address flapping detection.

-

high

Sets the security level of specified VLANs to high. At this security level, the system considers that MAC address flapping occurs when a MAC address moves between interfaces three times.

-

middle

Sets the security level of specified VLANs to middle. At this security level, the system considers that MAC address flapping occurs when a MAC address moves between interfaces 10 times.

-

low

Sets the security level of specified VLANs to low. At this security level, the system considers that MAC address flapping occurs when a MAC address moves between interfaces 50 times.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the switch considers that MAC address flapping occurs when a MAC address moves between interfaces 10 times. On an unstable network, it may be normal for a MAC address to move between interfaces 10 times. You can set the security level for VLANs according to the actual situation of your network. The switch reports MAC address flapping when a MAC address moves between interfaces the specified number of times.

Example

# Set the security level of VLAN 5 to high for MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection vlan 5 security-level high
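The detection rules described in this section and the two before it (a MAC address learned on a different interface in the same VLAN, excluded VLANs, and the per-VLAN thresholds of 3, 10 and 50 moves) can be reproduced offline over exported learning events, for example to tune levels before changing the switch. The following Python code is an added example, not Huawei code: the class, the event tuples and the interface names are constructed, and the rule that the move counter restarts after a quiet period of `window` seconds is an assumption, because the page does not state the counting window.

```python
THRESHOLDS = {"high": 3, "middle": 10, "low": 50}   # moves, as given on this page


class FlapDetector:
    def __init__(self, levels=None, excluded_vlans=(), window=300):
        self.levels = dict(levels or {})     # VLAN ID -> "high"/"middle"/"low"
        self.excluded = set(excluded_vlans)  # VLANs excluded from detection
        self.window = window                 # assumption: quiet period, seconds
        self.state = {}                      # (vlan, mac) -> tracking dict
        self.records = []

    def observe(self, ts, vlan, mac, port):
        """Feed one learning event; return a flapping record or None."""
        if vlan in self.excluded:
            return None                      # no trap, no record for this VLAN
        st = self.state.setdefault(
            (vlan, mac), {"port": port, "moves": 0, "last": ts, "ports": {port}})
        if port == st["port"]:
            return None                      # same interface: not a move
        if ts - st["last"] > self.window:
            st["moves"], st["ports"] = 0, {st["port"]}
        st["moves"] += 1
        st["ports"].add(port)
        st["port"], st["last"] = port, ts
        limit = THRESHOLDS[self.levels.get(vlan, "middle")]  # middle is default
        if st["moves"] < limit:
            return None
        record = {"time": ts, "vlan": vlan, "mac": mac,
                  "moves": st["moves"], "ports": sorted(st["ports"])}
        st["moves"], st["ports"] = 0, {port}  # start counting again
        self.records.append(record)
        return record


PORTS = ("GE1/0/1", "GE1/0/2")               # constructed interface names


def sample_events():
    """Constructed events: (seconds, VLAN ID, MAC, interface)."""
    events = []
    for i in range(4):    # VLAN 5: 3 moves in 3 seconds
        events.append((i, 5, "0001-0001-0001", PORTS[i % 2]))
    for i in range(12):   # VLAN 20: dual-homed server, 11 moves
        events.append((i, 20, "0002-0002-0002", PORTS[i % 2]))
    for i in range(4):    # VLAN 30: 3 moves, below the middle threshold
        events.append((i, 30, "0003-0003-0003", PORTS[i % 2]))
    for i in range(4):    # VLAN 5: moves 400 seconds apart
        events.append((i * 400, 5, "0004-0004-0004", PORTS[i % 2]))
    return sorted(events)


def detect(events, levels=None, excluded_vlans=(), window=300):
    detector = FlapDetector(levels, excluded_vlans, window)
    for ts, vlan, mac, port in sorted(events):
        detector.observe(ts, vlan, mac, port)
    return detector.records


if __name__ == "__main__":
    # VLAN 5 at level high, VLAN 20 excluded, as in the two examples above.
    for rec in detect(sample_events(), levels={5: "high"}, excluded_vlans={20}):
        print(rec)
```
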

mac-address flapping mac-syn-suppress disable

Function

The mac-address flapping mac-syn-suppress disable command disables real-time MAC address synchronization suppression triggered by MAC address flapping.

The undo mac-address flapping mac-syn-suppress disable command enables real-time MAC address synchronization suppression triggered by MAC address flapping.

By default, MAC address synchronization suppression triggered by MAC address flapping is enabled.

Format

mac-address flapping mac-syn-suppress disable

undo mac-address flapping mac-syn-suppress disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, real-time MAC address synchronization suppression is enabled on a device. With this function enabled, if a large number of real-time MAC address synchronization packets are generated due to persistent MAC address flapping, real-time MAC address synchronization suppression will be triggered. This will result in problems such as delay in obtaining DHCP addresses in terminal roaming scenarios. To address such problems, run the mac-address flapping mac-syn-suppress disable command to disable real-time MAC address synchronization suppression triggered by MAC address flapping.

Example

# Disable real-time MAC address synchronization suppression triggered by MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-address flapping mac-syn-suppress disable

mac-address flapping quit-vlan recover-time

Function

The mac-address flapping quit-vlan recover-time command sets the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping.

The undo mac-address flapping quit-vlan recover-time command restores the default delay time.

By default, the delay time is 10 minutes.

Format

mac-address flapping quit-vlan recover-time time-value

undo mac-address flapping quit-vlan recover-time

Parameters

Parameter

Description

Value

time-value

Specifies the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping.

The value is an integer ranging from 0 to 1440, in minutes. The default value is 10. The value 0 indicates that the interface cannot join a VLAN again after it is removed from the VLAN.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an interface is removed from a VLAN because MAC address flapping occurs in the VLAN, the interface can automatically join the VLAN again after a delay.

Precautions

If an interface is removed from multiple VLANs due to MAC address flapping, the system counts the delay time from when the interface is removed from the last VLAN.

Example

# Set the delay time before an interface joins a VLAN again to 15 minutes.

<HUAWEI> system-view
[HUAWEI] mac-address flapping quit-vlan recover-time 15

# Restore the default delay time.

<HUAWEI> system-view
[HUAWEI] undo mac-address flapping quit-vlan recover-time

mac-address hash-mode

Function

The mac-address hash-mode command configures a MAC hash algorithm on a specified LPU on the device.

The undo mac-address hash-mode command restores the default MAC hash algorithm on a specified LPU on the device.

By default, the device uses crc32-lower.

NOTE:

The X series cards do not support this command.

Format

mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb | enhanced } slot slot-id

undo mac-address hash-mode [ crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb | enhanced ] slot slot-id

Parameters

Parameter

Description

Value

crc16-lower

Indicates the hash algorithm based on low order bits of CRC16.

-

crc16-upper

Indicates the hash algorithm based on high order bits of CRC16.

-

crc32-lower

Indicates the hash algorithm based on low order bits of CRC32.

-

crc32-upper

Indicates the hash algorithm based on high order bits of CRC32.

-

lsb

Indicates the hash algorithm based on the lowest bit of the key value.

-

enhanced

Indicates the enhanced mode.

-

slot slot-id

Specifies a slot ID.

The value depends on the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device uses a hash algorithm to improve MAC address forwarding performance. If multiple MAC addresses match a key value, a hash conflict occurs.

When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast. This results in heavy broadcast traffic on the device. If such a problem occurs, use an appropriate hash algorithm to reduce the hash conflict.

Precautions

  • MAC addresses are distributed on a network randomly, so the system cannot determine the best hash algorithm. Generally, the default hash algorithm is the best one, so do not change the hash algorithm unless you have a special requirement.

  • An appropriate hash algorithm can only reduce hash conflicts, but cannot prevent them.

  • After changing the hash algorithm and saving the configuration, restart the card for the configuration to take effect.

  • If you run the mac-address hash-mode command multiple times, only the latest configuration takes effect.

Example

# Set the hash algorithm on the LPU in slot 2 to crc16-lower.

<HUAWEI> system-view
[HUAWEI] mac-address hash-mode crc16-lower slot 2

mac-address learning disable (interface view and VLAN view)

Function

The mac-address learning disable command disables MAC address learning.

The undo mac-address learning disable command enables MAC address learning.

By default, MAC address learning is enabled.

Format

mac-address learning disable [ action { discard | forward } ] (Interface view)

mac-address learning disable (VLAN view)

undo mac-address learning disable

Parameters

Parameter

Description

Value

action

Indicates the action that the interface takes after MAC address learning is disabled.

  • This parameter takes effect only in the interface view and port group view, and the specified interface must be a Layer 2 interface.

  • You can use this parameter to determine whether packets are forwarded when the specified interface does not need to learn MAC addresses.

By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled.

-

discard

Discards the packets whose source MAC addresses do not match the MAC address table.

-

forward

Forwards the packets according to the MAC address table.

-

Views

VLAN view, 100GE interface view, GE interface view, XGE interface view, 40GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want an interface to forward only packets with certain MAC addresses, use this command. For example, if an interface is connected to a server, configure a static MAC address entry with the MAC address of the server, and then disable MAC address learning and set the action to discard on the interface. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security.

When a switch with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the switch forwards the frames through the corresponding outbound interface according to the MAC address entry. MAC address learning reduces broadcast packets on a network.

You can use the mac-address learning disable command to disable MAC address learning on an interface. The action performed on received packets can be set to discard or forward.

By default, the switch takes the forward action after MAC address learning is disabled. That is, the switch forwards packets according to the MAC address table. When the action is set to discard, the switch looks up the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the switch forwards the packet according to the matching MAC address entry. If the source MAC address is not found, the switch discards the packet.

Precautions

  • Before running the mac-address learning disable command on an Eth-Trunk interface, ensure that the Eth-Trunk interface works in Layer 2 mode; otherwise, the configuration fails. To switch an Eth-Trunk interface from the Layer 3 mode to the Layer 2 mode, you can run the portswitch command in the view of the Eth-Trunk interface.

  • The action parameter cannot be configured in the VLAN view.

  • After MAC address learning is disabled on an interface, the device does not learn new MAC addresses on the interface. Untrusted terminals can still access the network.

Example

# Disable MAC address learning in VLAN 2.

<HUAWEI> system-view
[HUAWEI] vlan 2
[HUAWEI-vlan2] mac-address learning disable
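The server scenario in the usage guidelines (a static entry plus mac-address learning disable action discard on the server-facing interface) can be traced frame by frame, next to the default forward action and a blackhole entry. The following Python model is an added example, not Huawei code: the class names, MAC addresses and VLAN 10 are constructed, and the model follows the page's wording only, so the discard check is a table lookup by VLAN and source MAC.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    learning: bool = True      # False after "mac-address learning disable"
    action: str = "forward"    # "forward" (default) or "discard"


class SwitchModel:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.table = {}         # (vlan, mac) -> (interface, "static"|"dynamic")
        self.blackhole = set()  # (vlan, mac)

    def add_static(self, mac, port, vlan):
        self.table[(vlan, mac)] = (port, "static")

    def add_blackhole(self, mac, vlan):
        self.blackhole.add((vlan, mac))

    def receive(self, in_port, vlan, src, dst):
        """Return 'drop:<reason>', 'forward:<interface>' or 'flood'."""
        # Blackhole entries match on the source or the destination address.
        if (vlan, src) in self.blackhole or (vlan, dst) in self.blackhole:
            return "drop:blackhole"
        port = self.ports[in_port]
        entry = self.table.get((vlan, src))
        if port.learning:
            # Learn or refresh a dynamic entry; static entries are kept.
            if entry is None or entry[1] == "dynamic":
                self.table[(vlan, src)] = (in_port, "dynamic")
        elif port.action == "discard" and entry is None:
            # Learning disabled with discard: unknown source MAC is dropped.
            return "drop:unknown-source"
        out = self.table.get((vlan, dst))
        # An unknown destination is broadcast in the VLAN.
        return f"forward:{out[0]}" if out else "flood"


# Constructed addresses for the walk-through.
SERVER, CLIENT, OTHER = "0011-2233-4455", "00aa-00aa-00aa", "00bb-00bb-00bb"


def run_scenario(action):
    """Server on GE1/0/1 (learning disabled, given action), client on GE1/0/2.

    Returns (verdicts, other_learned) for four frames:
    client to server, server to client, an unlisted MAC on the server
    interface, and server to client after the client MAC is blackholed.
    """
    sw = SwitchModel([Port("GE1/0/1", learning=False, action=action),
                      Port("GE1/0/2")])
    sw.add_static(SERVER, "GE1/0/1", 10)
    verdicts = [
        sw.receive("GE1/0/2", 10, CLIENT, SERVER),
        sw.receive("GE1/0/1", 10, SERVER, CLIENT),
        sw.receive("GE1/0/1", 10, OTHER, CLIENT),
    ]
    other_learned = (10, OTHER) in sw.table
    sw.add_blackhole(CLIENT, 10)
    verdicts.append(sw.receive("GE1/0/1", 10, SERVER, CLIENT))
    return verdicts, other_learned


if __name__ == "__main__":
    for action in ("discard", "forward"):
        print(action, run_scenario(action))
```

With the default forward action the third frame is still forwarded although its source is never learned, which is the behaviour the last precaution above describes.
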

mac-address learning disable (traffic behavior view)

Function

The mac-address learning disable command disables MAC address learning in a traffic behavior.

The undo mac-address learning disable command enables MAC address learning in a traffic behavior.

By default, MAC address learning is enabled in a traffic behavior.

Format

mac-address learning disable

undo mac-address learning disable

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-address learning disable command is used in the following scenarios:

  • When a network is running stably and the MAC address of packets is fixed, a device does not need to learn MAC addresses of other packets. To save MAC addresses and improve device efficiency, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.
  • Some unauthorized users may change MAC addresses frequently to attack the network. To prevent MAC address overflow and protect device performance, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.

Follow-up Procedure

Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing the action of disabling MAC address learning.

Precautions

After the traffic behavior containing mac-address learning disable is bound to the specified traffic classifier, the source MAC addresses of packets matching the traffic classifier are not learned. The source MAC addresses of packets that do not match the traffic classifier are still learned by default.

NOTE:
SA cards of S series do not support the mac-address learning disable command in traffic behavior view.

The mac-address learning disable command in the traffic behavior view is similar to the mac-address learning disable command in the interface view or VLAN view. The difference is that the command in the traffic behavior view is valid for the packets matching the user-defined traffic classifier and is applied to the system, an LPU, an interface, or a VLAN by using the traffic policy, whereas the command in the interface view, port group view, or VLAN view is valid for all the packets in the corresponding view.

To disable MAC address learning on an interface, in a port group, or in a VLAN, run the mac-address learning disable command in the corresponding view. To disable MAC address learning for a specified traffic classifier, run the mac-address learning disable command in the traffic behavior view.

Example

# Disable MAC address learning in the traffic behavior test.

<HUAWEI> system-view
[HUAWEI] traffic behavior test
[HUAWEI-behavior-test] mac-address learning disable

mac-address static vlan

Function

The mac-address static vlan command configures a static MAC address entry.

The undo mac-address static vlan command deletes a static MAC address entry.

By default, no static MAC address entry is configured.

Format

mac-address static mac-address interface-type interface-number vlan vlan-id

undo mac-address static [ interface-type interface-number | vlan vlan-id ] *

undo mac-address static mac-address interface-type interface-number vlan vlan-id

NOTE:

For details on how to configure a VSI-based static MAC address entry, see mac-address static vlanif and mac-address static vsi.

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in a static MAC address entry.

The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.

interface-type interface-number

Specifies the outbound interface in a static MAC address entry.

-

vlan vlan-id

Specifies the ID of the VLAN that the outbound interface belongs to.

The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Static MAC address entries are used for the following purposes:
  • Improve security. The device directly discards packets sent from unauthorized users using authorized users' MAC addresses.
  • Guide unicast forwarding and save bandwidth.

Precautions

  • The VLAN in a static MAC address entry must have been created, and the outbound interface in the same static MAC address entry must have been added to the VLAN.
  • If you configure a static MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
    • If a dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry replaces the dynamic MAC address entry.
    • If no dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry cannot be added to the MAC address table.
  • You can run the mac-address static command multiple times to configure multiple static MAC address entries.

Example

# Add a static MAC address entry to the MAC address table. In the MAC address entry, the destination MAC address is 0003-0003-0003, the VLAN ID is 4, and the outbound interface is gigabitethernet1/0/2. That is, the device forwards packets with the destination MAC address of 0003-0003-0003 from VLAN 4 through gigabitethernet1/0/2.

<HUAWEI> system-view
[HUAWEI] vlan 4
[HUAWEI-vlan4] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type access
[HUAWEI-GigabitEthernet1/0/2] port default vlan 4
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] mac-address static 0003-0003-0003 gigabitethernet 1/0/2 vlan 4

mac-address threshold-alarm

Function

The mac-address threshold-alarm command configures upper and lower alarm thresholds for the MAC address usage.

The undo mac-address threshold-alarm command restores the default upper and lower alarm thresholds for the MAC address usage.

By default, the upper and lower alarm thresholds for the MAC address usage are 80% and 70% respectively. An alarm is sent when the MAC address usage is higher than 80% or lower than 70%.

Format

mac-address threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value

undo mac-address threshold-alarm

Parameters

Parameter

Description

Value

upper-limit upper-limit-value

Specifies the upper alarm threshold for the MAC address usage, in percentage.

The value is an integer that ranges from 1 to 100. The default value is 80.

lower-limit lower-limit-value

Specifies the lower alarm threshold for the MAC address usage, in percentage.

The value is an integer that ranges from 1 to 100. The default value is 70. lower-limit-value must be smaller than upper-limit-value.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address resources are core resources of the device, and the device supports only a limited number of MAC addresses. The MAC address usage affects device running. You can run the mac-address threshold-alarm command to configure upper and lower alarm thresholds for the MAC address usage. When the MAC address usage is higher than the upper alarm threshold or lower than the lower alarm threshold, an alarm is generated to notify the administrator. The administrator can then learn the MAC address usage in a timely manner.

Precautions

When you run the mac-address threshold-alarm command multiple times, only the latest configuration takes effect.

Example

# Set upper and lower alarm thresholds for the MAC address usage to 90% and 20% respectively.

<HUAWEI> system-view
[HUAWEI] mac-address threshold-alarm upper-limit 90 lower-limit 20

mac-address trap hash-conflict enable

Function

The mac-address trap hash-conflict enable command enables the trap function for the MAC address hash conflict.

The undo mac-address trap hash-conflict enable command disables the trap function for the MAC address hash conflict.

By default, the trap function for the MAC address hash conflict is enabled.

Format

mac-address trap hash-conflict enable

undo mac-address trap hash-conflict enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve the MAC address forwarding performance, the MAC address table of the device is saved using a hash link. When the same key value is obtained for multiple MAC addresses according to the hash algorithm, some MAC addresses may not be learned. That is, a MAC address hash conflict occurs.

In this situation, the MAC address table space is not full but the MAC address entry cannot be learned. When a MAC address hash conflict occurs, traffic with this destination MAC address can only be broadcast. This occupies device bandwidth and resources. You can replace the device or network adapter of the terminal.

After the trap function for the MAC address hash conflict is configured, the administrator can immediately discover MAC address hash conflicts.

Precautions

The command does not take effect on SA cards of S series.

Example

# Enable the trap function for the MAC address hash conflict.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict enable

mac-address trap hash-conflict history

Function

The mac-address trap hash-conflict history command sets the number of alarms reported at an interval when the MAC address hash conflict occurs.

The undo mac-address trap hash-conflict history command restores the default number of alarms reported at an interval when the MAC address hash conflict occurs.

By default, 10 alarms are reported at an interval when the MAC address hash conflict occurs.

Format

mac-address trap hash-conflict history history-number

undo mac-address trap hash-conflict history

Parameters

Parameter

Description

Value

history-number

Specifies the number of alarms reported at an interval when the MAC address hash conflict occurs.

The value is an integer that ranges from 10 to 20. The default value is 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 10 alarms every 60s. Each alarm carries a MAC address for which the hash conflict occurs.

If hash values of more than 10 MAC addresses conflict, alarms about subsequent MAC address hash conflicts cannot be reported. You can run this command to set the number of alarms reported at an interval.

Precautions

When you run the mac-address trap hash-conflict history command multiple times, only the latest configuration takes effect.

The command does not take effect on SA cards of S series.

Example

# Set the number of alarms reported at an interval to 12 when the MAC address hash conflict occurs.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict history 12

mac-address trap hash-conflict interval

Function

The mac-address trap hash-conflict interval command sets the interval at which alarms are reported when the MAC address hash conflict occurs.

The undo mac-address trap hash-conflict interval command restores the default interval at which alarms are reported when the MAC address hash conflict occurs.

By default, alarms are reported at intervals of 60s when the MAC address hash conflict occurs.

Format

mac-address trap hash-conflict interval interval-time

undo mac-address trap hash-conflict interval

Parameters

Parameter

Description

Value

interval-time

Specifies the interval at which alarms are reported when the MAC address hash conflict occurs.

The value is an integer that ranges from 60 to 3600, in seconds. The default value is 60.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 10 alarms every 60s. Each alarm carries a MAC address for which the hash conflict occurs.

If a small interval is used, alarms about MAC address hash conflicts are reported immediately. When there are many MAC address hash conflicts, many alarms are reported.

If a long interval is used and many MAC address hash conflicts occur, alarms will be suppressed. You can adjust the interval according to the requirements.

Precautions

When you run the mac-address trap hash-conflict interval command multiple times, only the latest configuration takes effect.

The command does not take effect on SA cards of S series.

Example

# Set the interval at which alarms are reported to 90s when the MAC address hash conflict occurs.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict interval 90

mac-address trap notification

Function

The mac-address trap notification command enables the trap function for MAC address learning or aging.

The undo mac-address trap notification command disables the trap function for MAC address learning or aging.

By default, the trap function for MAC address learning or aging is disabled.

Format

mac-address trap notification { aging | learn | all }

undo mac-address trap notification

Parameters

Parameter

Description

Value

aging

Enables the trap function for MAC address aging.

-

learn

Enables the trap function for MAC address learning.

-

all

Enables the trap function for MAC address learning and aging.

-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To learn of MAC address changes in a timely manner, run the mac-address trap notification command to enable the trap function for MAC address learning or aging.

Precautions

When you run the mac-address trap notification command multiple times, only the latest configuration takes effect.

The trap function for MAC address learning or aging is not supported for the MAC address entries in a VSI.

Example

# Enable the trap function for MAC address learning on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address trap notification learn

mac-address trap notification interval

Function

The mac-address trap notification interval command sets the interval at which the device checks MAC address learning or aging.

The undo mac-address trap notification interval command restores the default interval at which the device checks MAC address learning or aging.

By default, the device checks MAC address learning or aging at intervals of 10s.

Format

mac-address trap notification interval interval-time

undo mac-address trap notification interval

Parameters

Parameter

Description

Value

interval-time

Specifies the interval at which the device checks MAC address learning or aging.

The value is an integer that ranges from 10 to 600, in seconds. The default value is 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the mac-address trap notification command is used to enable the trap function when the device learns MAC addresses or MAC addresses are aged, the device periodically checks whether MAC addresses are learned or aged. You can run the mac-address trap notification interval command to set the interval.

Example

# Set the interval at which the device checks MAC address learning or aging to 20s.

<HUAWEI> system-view
[HUAWEI] mac-address trap notification interval 20

mac-address update arp

Function

The mac-address update arp command enables the MAC address-triggered ARP entry update function. That is, the Switch is enabled to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

The undo mac-address update arp command disables the MAC address-triggered ARP entry update function.

By default, the MAC address-triggered ARP entry update function is disabled.

Format

mac-address update arp

undo mac-address update arp

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding. The ARP entries that define the mapping between IP addresses and MAC addresses guide communication between devices on different network segments.

The outbound interface in a MAC address entry is updated by packets, whereas the outbound interface in an ARP entry is updated after the aging time is reached. In this case, the outbound interfaces in the MAC address entry and ARP entry may be different. To address this issue, run the mac-address update arp command to enable the Switch to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

Precautions

This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change.

The mac-address update arp command does not take effect after ARP entry fixing is enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command.

After the mac-address update arp command is run, the Switch updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.

After this command is executed, the arp anti-attack gratuitous-arp drop command becomes invalid and the Switch cannot drop gratuitous ARP packets.

Example

# Enable the MAC address-triggered ARP entry update function.

<HUAWEI> system-view
[HUAWEI] mac-address update arp

mac-learning priority

Function

The mac-learning priority command sets the MAC address learning priority of an interface.

The undo mac-learning priority command restores the default MAC learning priority of an interface.

By default, the MAC address learning priority of an interface is 0.

Format

mac-learning priority priority-id

undo mac-learning priority

Parameters

Parameter

Description

Value

priority priority-id

Specifies the MAC address learning priority of an interface.

The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, run the mac-learning priority command to set the priority of the uplink interface to be higher than the user-side interfaces. When these interfaces learn the same MAC address, the MAC address entry learned by the uplink interface overrides MAC address entries learned by the user-side interfaces. Therefore, the switch will not learn MAC addresses of unauthorized users, and authorized users can access the server and use network resources.

You can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority.

Both the undo mac-learning priority allow-flapping command and the mac-learning priority command can prevent MAC address flapping. The difference between the two commands is as follows:

  • The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
  • The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Precautions

If you run the mac-learning priority command multiple times in the same interface view, only the latest configuration takes effect.

The function is not supported for the MAC address entries in a VSI.

Example

# Set the MAC address learning priority of GigabitEthernet1/0/2 to 3.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] mac-learning priority 3

mac-learning priority allow-flapping

Function

The mac-learning priority allow-flapping command allows MAC address flapping between interfaces with the same priority.

The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority.

By default, MAC address flapping between interfaces with the same priority is allowed.

Format

mac-learning priority priority-id allow-flapping

undo mac-learning priority priority-id allow-flapping

Parameters

Parameter

Description

Value

priority priority-id

Specifies the MAC address learning priority of an interface.

The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, you can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority. A MAC address then will not be learned by multiple interfaces. This prevents attackers from using the MAC addresses of valid devices to attack the switch.

Both the mac-learning priority command and the undo mac-learning priority allow-flapping command can prevent MAC address flapping. The difference between the two commands is as follows:

  • The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
  • The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Precautions

The function is not supported for the MAC address entries in a VSI.

Example

# Forbid MAC address flapping between interfaces with priority 1.

<HUAWEI> system-view
[HUAWEI] undo mac-learning priority 1 allow-flapping

mac-learning priority flapping-defend action

Function

The mac-learning priority flapping-defend action command configures an action to be taken when the switch is configured to prohibit MAC address flapping.

The undo mac-learning priority flapping-defend action command restores the default action when the switch is configured to prohibit MAC address flapping.

By default, the action is forward when the switch is configured to prohibit MAC address flapping.

Format

mac-learning priority flapping-defend action { forward | discard }

undo mac-learning priority flapping-defend action

Parameters

Parameter

Description

Value

forward

Packets are forwarded when the switch is configured to prohibit MAC address flapping.

-

discard

Packets are discarded when the switch is configured to prohibit MAC address flapping.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and a downlink interface is connected to a user. To prevent a malicious user from using a forged server's MAC address to attack the switch, run the mac-learning priority command in the interface view or the undo mac-learning priority allow-flapping command in the system view to prohibit MAC address flapping. A MAC address then will not be learned by multiple interfaces, and the malicious user cannot use the MAC address of a valid device to attack the switch. However, packets of the malicious user are still forwarded. You can configure the discard action to discard packets from the malicious user when MAC address flapping is prohibited.

Precautions

Example

# Configure the switch to discard packets when the switch is configured to prohibit MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-learning priority flapping-defend action discard
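
The difference between mac-learning priority, undo mac-learning priority allow-flapping and the flapping-defend action, described in the three sections above, can be replayed with a small model. This is an added example, not Huawei code: it implements only the rules stated in the text, and the port roles, the sample MAC address, and the omission of aging and VLANs are assumptions.

```python
"""Simplified model of mac-learning priority, allow-flapping and flapping-defend."""
from dataclasses import dataclass, field
from typing import Dict, Set

SERVER_MAC = "00e0-fc12-3456"          # constructed sample address
UPLINK, USER = "GE1/0/2", "GE1/0/1"    # assumed server-side and user-side ports


@dataclass
class Switch:
    # port -> learning priority set with "mac-learning priority" (default 0)
    priority: Dict[str, int] = field(default_factory=dict)
    # priorities for which "undo mac-learning priority <id> allow-flapping" was run
    no_flapping: Set[int] = field(default_factory=set)
    # "mac-learning priority flapping-defend action": "forward" (default) or "discard"
    defend_action: str = "forward"
    # MAC address -> port that currently owns the entry
    table: Dict[str, str] = field(default_factory=dict)

    def receive(self, mac: str, port: str) -> str:
        """Process the source MAC of one frame and report what happened."""
        owner = self.table.get(mac)
        if owner is None:
            self.table[mac] = port
            return "learned"
        if owner == port:
            return "forwarded"
        new_pri = self.priority.get(port, 0)
        old_pri = self.priority.get(owner, 0)
        # A higher-priority port overrides the entry of a lower-priority port.
        # Ports of equal priority may take over only while flapping is allowed.
        if new_pri > old_pri or (new_pri == old_pri and new_pri not in self.no_flapping):
            self.table[mac] = port
            return "moved"
        # Flapping is prohibited: the entry stays, the frame follows the action.
        return "discarded" if self.defend_action == "discard" else "forwarded-not-learned"


# Constructed sequence: a forged host uses the server MAC on the user port while
# the server is off, the real server then comes up, the forged host sends again.
FRAMES = [(SERVER_MAC, USER), (SERVER_MAC, UPLINK), (SERVER_MAC, USER)]


def run(priority=None, no_flapping=(), defend_action="forward"):
    """Replay FRAMES on a fresh switch; return (outcomes, final owner port)."""
    sw = Switch(dict(priority or {}), set(no_flapping), defend_action)
    outcomes = [sw.receive(mac, port) for mac, port in FRAMES]
    return outcomes, sw.table[SERVER_MAC]


if __name__ == "__main__":
    cases = {
        "default (flapping allowed)": run(),
        "undo allow-flapping for priority 0, discard": run(no_flapping={0}, defend_action="discard"),
        "uplink priority 3, action forward": run(priority={UPLINK: 3}),
        "uplink priority 3, action discard": run(priority={UPLINK: 3}, defend_action="discard"),
    }
    for name, (outcomes, owner) in cases.items():
        print(f"{name:45s} {outcomes} -> entry on {owner}")
```

With flapping forbidden at equal priority the entry stays on the port that claimed it first, so in this model the discard action drops the real server's frames; with the uplink at a higher priority the server reclaims the entry and the forged host is the one that is dropped.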

mac-limit

Function

The mac-limit command configures a rule to limit the number of MAC addresses that can be learned.

The undo mac-limit command deletes the rule.

By default, the number of learned MAC addresses is not limited.

Format

mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } *

undo mac-limit

Parameters

Parameter

Description

Value

action { discard | forward }

Indicates the action performed when the number of learned MAC address entries reaches the limit.
  • discard: discards packets with new source MAC addresses.
  • forward: forwards packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table.

If no action is specified in the command, the default action discard is used.

alarm { disable | enable }

Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit.
  • disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit.
  • enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.

If you do not set this parameter in the command, the alarm function is enabled by default.

maximum max-num

Sets the maximum number of MAC addresses that can be learned.

NOTE:
If no maximum has been set yet, you must specify maximum when running the mac-limit command. If you have already run the mac-limit command to set the maximum number of MAC addresses that can be learned, you do not need to set maximum max-num when running this command again.

The value is a decimal integer ranging from 0 to 32767. The value 0 indicates that the highest rate of MAC address learning is not limited.

Views

VLAN view, GE interface view, XGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-limit command limits the number of access users and prevents attacks on the MAC address table. You can set the action to discard and enable the function to improve network security.

Precautions

  • The mac-limit command configuration takes effect only for dynamically learned MAC addresses. If some MAC addresses have been learned, run the undo mac-address dynamic command to delete the learned MAC address entries. If you do not delete them, fewer new MAC addresses can be learned than the value configured using the mac-limit command.

  • You cannot specify the discard action when running the mac-limit command in the VLAN view on SA boards of S series.

  • On SA cards of S series, when the number of MAC addresses learned in a VLAN reaches the maximum, the mac-address learning disable command does not take effect on interfaces in the VLAN.

  • After the port-security enable command is configured on an interface, mac-limit cannot take effect. Do not configure mac-limit and port-security enable simultaneously.

  • The MAC address limiting function and NAC conflict on an interface; therefore, the mac-limit and mac-authen, dot1x enable, web-auth-server or authentication-profile commands cannot be used on the same interface.

  • If the maximum number of MAC addresses that can be learned is set to N in the VLAN view and interfaces in a VLAN are on different cards, a maximum of N MAC addresses can be learned on each card.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet1/0/2 to 30. Configure the device to generate an alarm when the number of learned MAC addresses exceeds the maximum.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] mac-limit maximum 30 alarm enable 

mac-limit slot

Function

The mac-limit slot command configures a rule to limit the number of MAC addresses that can be learned by interfaces in a specified slot.

The undo mac-limit slot command deletes the MAC address limiting rule in a specified slot.

By default, the number of MAC addresses learned by interfaces in a slot is not limited.

Format

mac-limit slot slot-id { maximum max-num | action { discard | forward } | alarm { disable | enable } }*

undo mac-limit slot slot-id

Parameters

Parameter

Description

Value

slot slot-id

Specifies the slot ID.

The value is an integer and must specify an existing slot on the device.

action { discard | forward }

Indicates the action performed when the number of MAC address entries learned by interfaces in a slot reaches the limit.
  • discard: discards packets with new source MAC addresses.
  • forward: forwards packets with new source MAC addresses but does not add the source MAC addresses to the MAC address table.

The default action is discard.

alarm { disable | enable }

Indicates whether the system generates an alarm when the number of MAC address entries learned by interfaces in a slot reaches the limit.
  • disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit.
  • enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.

By default, the system does not generate an alarm when the number of MAC address entries learned by interfaces in a slot reaches the limit.

maximum max-num

Specifies the maximum number of MAC addresses that can be learned by interfaces in a slot.

The value is an integer that ranges from 0 to 32767. When the value is 0, the number of MAC addresses learned by interfaces in a slot is not limited.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-limit slot command limits the number of MAC addresses that can be learned by interfaces in a slot, controlling the number of access users and protecting the MAC address table against attacks. You can configure the system to discard packets with new source MAC addresses and generate an alarm when the number of learned MAC addresses reaches the limit. This improves network security.

Prerequisites

If MAC addresses have been learned by interfaces in a slot, run the undo mac-address command in the system view to delete the MAC addresses before using the mac-limit slot command. Otherwise, the limit set by the command cannot control the number of learned MAC addresses accurately.

Precautions

If the action is set to forward, illegal packets are still forwarded on the network, threatening network security.

If MAC address limiting rules are configured in a slot and on interfaces in this slot, one of the following situations occurs:
  • If the sum of maximum numbers in rules configured on all interfaces in a slot is greater than the maximum number in the rule configured in the slot, the number of MAC addresses learned by interfaces in the slot is restricted by the rule configured in the slot.

  • If the sum of maximum numbers in rules configured on all interfaces in a slot is smaller than the maximum number in the rule configured in the slot, the number of MAC addresses learned by interfaces in the slot is restricted by the sum of maximum numbers in rules configured on all interfaces in the slot.

If you run the mac-limit slot command multiple times, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by interfaces in slot 2 to 100. Configure the system to discard packets and send a trap to the NMS when the maximum number is exceeded.

<HUAWEI> system-view
[HUAWEI] mac-limit slot 2 maximum 100 action discard alarm enable
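
How an interface-level mac-limit rule and a mac-limit slot rule bound a burst of new source MAC addresses, following the parameter descriptions and precautions of the two sections above. This is an added example, not Huawei code: the port names, limits and MAC addresses are constructed, and checking the interface rule before the slot rule is an assumption of the model.

```python
"""Toy model of mac-limit (interface view) combined with mac-limit slot."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    maximum: int   # 0 = not limited, as in the parameter tables
    action: str    # "discard" or "forward"
    alarm: bool    # whether reaching the limit raises an alarm


@dataclass
class Card:
    slot_rule: Optional[Rule] = None
    if_rules: Dict[str, Rule] = field(default_factory=dict)
    table: Dict[str, str] = field(default_factory=dict)   # MAC -> interface
    alarms: List[str] = field(default_factory=list)       # scopes that alarmed

    def used(self, ifname: Optional[str] = None) -> int:
        """Entries learned on one interface, or on the whole card."""
        if ifname is None:
            return len(self.table)
        return sum(1 for port in self.table.values() if port == ifname)

    def receive(self, mac: str, ifname: str) -> str:
        """Process one frame's source MAC and report what happened."""
        if mac in self.table:
            return "forwarded"
        # Assumption: the interface rule is evaluated before the slot rule.
        checks = [(ifname, self.if_rules.get(ifname), self.used(ifname)),
                  ("slot", self.slot_rule, self.used())]
        for scope, rule, used in checks:
            if rule and rule.maximum and used >= rule.maximum:
                if rule.alarm and scope not in self.alarms:
                    self.alarms.append(scope)
                if rule.action == "discard":
                    return "discarded"
                return "forwarded-not-learned"   # forward: frame passes, no entry
        self.table[mac] = ifname
        return "learned"


def flood(card: Card, ifname: str, count: int, first: int = 0) -> Counter:
    """Send `count` frames with distinct constructed source MACs into one port."""
    macs = (f"00e0-fc00-{n:04x}" for n in range(first, first + count))
    return Counter(card.receive(mac, ifname) for mac in macs)


def run(slot_max: int):
    """Two ports limited to 30 each (action forward) under one slot limit."""
    card = Card(
        slot_rule=Rule(slot_max, "discard", alarm=True),
        if_rules={p: Rule(30, "forward", alarm=True) for p in ("GE2/0/1", "GE2/0/2")},
    )
    first_port = flood(card, "GE2/0/1", 40)
    second_port = flood(card, "GE2/0/2", 40, first=1000)
    return card, first_port, second_port


if __name__ == "__main__":
    for slot_max in (50, 100):
        card, a, b = run(slot_max)
        print(f"slot maximum {slot_max}: {len(card.table)} entries learned")
        print("  GE2/0/1:", dict(a))
        print("  GE2/0/2:", dict(b))
        print("  alarms :", card.alarms)
```

With a slot maximum of 50 the interface limits sum to 60, so the slot rule caps the card at 50 entries; with a slot maximum of 100 the interface rules cap it at 60.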

mac-miss action discard

Function

The mac-miss action discard command configures the system to discard the packets that do not match any MAC address entry in a VLAN.

The undo mac-miss action discard command restores the default configuration. That is, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

By default, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

This configuration is not supported on the SA cards of S series.

Format

mac-miss action discard

undo mac-miss action discard

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

When a DHCP user goes offline, the MAC address entry of the user ages. If there are packets destined for this user, the system cannot find the MAC address entry, so it broadcasts the packets to all interfaces in the VLAN. In this case, all users can receive the packets. This affects packet security. The mac-miss action discard command can reduce workload on the device and improve packet security.

Example

# Configure the system to discard the packets that do not match any MAC address entry in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-miss action discard

port bridge enable

Function

The port bridge enable command enables the port bridge function on an interface. The interface then can forward packets whose source and destination MAC addresses are both learned by this interface.

The undo port bridge enable command disables the port bridge function.

By default, the port bridge function is disabled on an interface.

Format

port bridge enable

undo port bridge enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

The port bridge function enables an interface to forward packets whose source and destination MAC addresses are both learned on the interface. By default, an interface discards packets whose source and destination MAC addresses are both learned on the interface.

When enabled with the port bridge function, the interface forwards such packets if their destination MAC addresses are found in the MAC address table.

The port bridge function is used in the following scenarios:

  • The switch connects to devices that do not support Layer 2 forwarding. When users connected to the devices need to communicate, the devices send user packets to the switch for forwarding. Because source and destination MAC addresses of the packets are learned on the same interface, the port bridge function needs to be enabled on the interface so that the interface can forward such packets.
  • The switch is used as an access device in a data center and is connected to servers. For example, multiple servers host multiple virtual machines that need to transmit data to each other. Enabling the port bridge function on the interfaces connected to the servers allows the switch to forward data packets between the virtual machines at a higher speed than if the servers performed the switching operations.

Example

# Enable the port bridge function on GigabitEthernet1/0/1.

<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port bridge enable

remark destination-mac

Function

The remark destination-mac command configures an action of re-marking the destination MAC address in packets in a traffic behavior.

The undo remark destination-mac command deletes the configuration.

By default, an action of re-marking the destination MAC address in packets is not configured in a traffic behavior.

Format

remark destination-mac mac-address

undo remark destination-mac

NOTE:

The X series cards do not support this command.

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the destination MAC address. | The value is in H-H-H format. An H is a hexadecimal number with 1 to 4 digits. The value must be a unicast MAC address. |

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the remark destination-mac command to re-mark the destination MAC address in packets in a traffic behavior so that the downstream device can identify packets and provide differentiated services.

Follow-up Procedure

Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing destination MAC address re-marking.

Precautions

  • In a traffic behavior, the remark destination-mac command cannot be used with the redirect ip-nexthop or redirect ip-multihop command.
  • A traffic policy containing remark destination-mac cannot be applied to the outbound direction.
  • If you run the remark destination-mac command in the same traffic behavior view multiple times, only the latest configuration takes effect.

Example

# Configure traffic behavior b1 to re-mark the destination MAC address of packets to 0050-b007-bed3.

<HUAWEI> system-view
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] remark destination-mac 0050-b007-bed3

reset mac-address flapping record

Function

The reset mac-address flapping record command clears MAC address flapping records.

Format

reset mac-address flapping record

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before collecting MAC address flapping statistics, run the reset mac-address flapping record command to clear the current statistics.

Precautions

The reset mac-address flapping record command deletes only historical MAC address flapping records, and does not delete records about ongoing MAC address flapping.

After clearing MAC address flapping records, you can run the display mac-address flapping record command to view current MAC address flapping records.

The cleared MAC address flapping records cannot be restored.

Example

# Clear MAC address flapping records.

<HUAWEI> reset mac-address flapping record

snmp-agent trap enable feature-name l2if

Function

The snmp-agent trap enable feature-name l2if command enables the trap function for the L2IF module.

The undo snmp-agent trap enable feature-name l2if command disables the trap function for the L2IF module.

By default, the trap function is disabled for the L2IF module.

Format

snmp-agent trap enable feature-name l2if [ trap-name { hwslotmaclimitnumfallingthreshold | hwslotmaclimitnumraisingthreshold } ]

undo snmp-agent trap enable feature-name l2if [ trap-name { hwslotmaclimitnumfallingthreshold | hwslotmaclimitnumraisingthreshold } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables or disables the trap function for the specified event. | - |
| hwslotmaclimitnumfallingthreshold | Sends a Huawei proprietary trap when the number of MAC addresses dynamically learned through the slot falls below the lower limit. | - |
| hwslotmaclimitnumraisingthreshold | Sends a Huawei proprietary trap when the number of MAC addresses dynamically learned through the slot exceeds the upper limit. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps while it is running and sends them to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.

Example

# Enable the device to send traps when the number of MAC entries on a card falls below the lower limit.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name l2if trap-name hwslotmaclimitnumfallingthreshold

snmp-agent trap enable feature-name l2ifppi

Function

The snmp-agent trap enable feature-name l2ifppi command enables the trap function for the l2ifppi module.

The undo snmp-agent trap enable feature-name l2ifppi command disables the trap function for the l2ifppi module.

By default, the trap function is enabled for the l2ifppi module.

Format

snmp-agent trap enable feature-name l2ifppi [ trap-name { hwportsecrcvinsecurepktalarm | hwmflpvlanalarm | hwmflpvsialarm | hwmaclimitoverthresholdalarm | hwmaclimitoverthresholdalarmresume | hwrecillegalmacpktalarm | hwmflpquitvlanalarm | hwmflpquitvlanresume | hwportvlansecuremacalarm | hwmactrapalarm | hwslotmacusageraisingthreshold | hwslotmacusagefallingthreshold | hwboardpoweroff | hwmactraphashconflictalarm | hwmflpbdalarm } ]

undo snmp-agent trap enable feature-name l2ifppi [ trap-name { hwportsecrcvinsecurepktalarm | hwmflpvlanalarm | hwmflpvsialarm | hwmaclimitoverthresholdalarm | hwmaclimitoverthresholdalarmresume | hwrecillegalmacpktalarm | hwmflpquitvlanalarm | hwmflpquitvlanresume | hwportvlansecuremacalarm | hwmactrapalarm | hwslotmacusageraisingthreshold | hwslotmacusagefallingthreshold | hwboardpoweroff | hwmactraphashconflictalarm | hwmflpbdalarm } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| trap-name | Enables or disables the trap function for the specified event. | - |
| hwportsecrcvinsecurepktalarm | Enables the device to send a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets. | - |
| hwmflpvlanalarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a VLAN on the device. | - |
| hwmflpvsialarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a VSI on the device. | - |
| hwmaclimitoverthresholdalarm | Enables the device to send a Huawei proprietary trap when the number of MAC addresses reaches the threshold. | - |
| hwmaclimitoverthresholdalarmresume | Enables the device to send a Huawei proprietary trap when the number of MAC addresses falls below the threshold. | - |
| hwrecillegalmacpktalarm | Enables the device to send a Huawei proprietary trap when the device receives packets with the MAC address of all 0s. | - |
| hwmflpquitvlanalarm | Enables the device to send a trap when an interface is removed from a VLAN due to MAC address flapping. | - |
| hwmflpquitvlanresume | Enables the device to send a trap in the following situation: An interface is removed from a VLAN due to MAC address flapping. After the recovery time is reached, the interface joins the VLAN again. | - |
| hwportvlansecuremacalarm | Enables the device to send a Huawei proprietary trap when the number of learned secure MAC addresses on an interface of the device reaches the limit and the device receives invalid packets. | - |
| hwmactrapalarm | Enables the device to send a Huawei proprietary trap when MAC addresses are added or deleted on the device. | - |
| hwslotmacusageraisingthreshold | Enables the device to send a Huawei proprietary trap when the MAC address usage in a specified slot reaches a configured threshold. | - |
| hwslotmacusagefallingthreshold | Enables the device to send a Huawei proprietary trap when the MAC address usage in a specified slot is restored. | - |
| hwboardpoweroff | Enables the device to send a Huawei proprietary trap when a card is forcibly powered off because the card does not support the changed Eth-Trunk specifications. | - |
| hwmactraphashconflictalarm | Enables the device to send a Huawei proprietary trap when a MAC address hash conflict occurs. | - |
| hwmflpbdalarm | Enables the device to send a Huawei proprietary trap when MAC address flapping occurs in a BD on the device. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the trap function is enabled, the device generates traps while it is running and sends them to the NMS through SNMP. When the trap function is not enabled, the device does not generate traps and the SNMP module does not send traps to the NMS.

You can specify trap-name to enable the trap function for one or more events.

Example

# Enable the trap function for MAC address entry change.

<HUAWEI> system-view
[HUAWEI] snmp-agent trap enable feature-name l2ifppi trap-name hwmactrapalarm

undo mac-address

Function

The undo mac-address command deletes one or more MAC address entries.

Format

undo mac-address [ all | dynamic ] [ interface-type interface-number | vlan vlan-id ] *

undo mac-address { all | dynamic } [ vsi vsi-name ]

undo mac-address mac-address [ vlan vlan-id | vsi vsi-name ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a MAC address entry to be deleted. | The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| interface-type interface-number | Specifies the interface in a MAC address entry to be deleted. | - |
| vlan vlan-id | Specifies the VLAN ID in a MAC address entry to be deleted. | The value is an integer that ranges from 1 to 4094. |
| all | Specifies that all MAC address entries excluding DHCP sticky MAC address entries and NAC MAC address entries are deleted. | - |
| vsi vsi-name | Specifies the name of a VSI. The VSI must have been created. | - |
| dynamic | Deletes dynamic MAC address entries, that is, MAC address entries learned by an interface. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

A MAC address table saves a limited number of MAC addresses. If the MAC address table is full, the device cannot learn new MAC address entries until old MAC addresses are aged out. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless MAC address entries to release the MAC address table space.

You can delete a subset of the MAC address entries as required. For example:
  • If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
  • If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Example

# Delete all MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address all

# Delete all dynamic MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic

# Delete all MAC address entries on GigabitEthernet1/0/1.

<HUAWEI> system-view
[HUAWEI] undo mac-address gigabitethernet 1/0/1

# Delete all MAC address entries in VLAN 5.

<HUAWEI> system-view
[HUAWEI] undo mac-address vlan 5

# Delete all dynamic MAC address entries in the VSI a2.

<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic vsi a2

# Delete all MAC address entries in which the MAC address is 0004-0004-0004.

<HUAWEI> system-view
[HUAWEI] undo mac-address 0004-0004-0004
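
The H-H-H value rules in the parameter tables for remark destination-mac and undo mac-address can be checked before a value is pushed to a device. The following Python is an added example, not part of the Huawei reference. The function names are hypothetical, and left-padding a short group with zeros is an assumption about how the CLI normalizes input.

```python
import re

# One to four hex digits per group, three groups joined by hyphens (H-H-H).
_HHH = re.compile(r"([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})-([0-9A-Fa-f]{1,4})")


def parse_hhh(text):
    """Return the 6 address bytes for an H-H-H string, or raise ValueError."""
    match = _HHH.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not in H-H-H format: {text!r}")
    # Assumption: a group shorter than 4 digits is left-padded with zeros.
    return bytes.fromhex("".join(g.zfill(4) for g in match.groups()))


def normalize_hhh(text):
    """Canonical lower-case xxxx-xxxx-xxxx form, for comparing entries."""
    digits = parse_hhh(text).hex()
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def mac_kind(text):
    """Classify as 'broadcast', 'all-zero', 'multicast' or 'unicast'."""
    mac = parse_hhh(text)
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac == b"\x00" * 6:
        return "all-zero"
    # The group (multicast) bit is the least significant bit of the first octet.
    return "multicast" if mac[0] & 0x01 else "unicast"


def is_plain_unicast(text):
    """True only for a unicast address that is neither all zeros nor broadcast.

    This is the strictest reading that satisfies both tables: 'must be a
    unicast MAC address' (remark destination-mac) and 'cannot be
    FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address'
    (undo mac-address).
    """
    return mac_kind(text) == "unicast"
```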

undo mac-address temporary

Function

The undo mac-address temporary command deletes all the temporary MAC address entries in the system.

Format

undo mac-address temporary

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the LPU is removed, the static MAC address entries configured on its interfaces are retained as temporary MAC address entries. After the LPU is reinserted, the static MAC address entries are restored.

If the LPU is not reinserted after being removed, the temporary MAC address entries become unnecessary and occupy system resources. In this case, you can run the undo mac-address temporary command to delete all the temporary MAC address entries in the system.

Example

# Delete all the temporary MAC address entries in the system.

<HUAWEI> system-view
[HUAWEI] undo mac-address temporary

undo mac-limit all

Function

The undo mac-limit all command deletes all MAC address limiting rules.

Format

undo mac-limit all

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command deletes all the rules configured by the mac-limit command.

Precautions

Before using this command, run the display mac-limit command to check the MAC address limiting rules and confirm your operation.

Example

# Delete all MAC address limiting rules.

<HUAWEI> system-view
[HUAWEI] undo mac-limit all
Updated: 2019-04-09

Document ID: EDOC1100065659
