S12700 and S12700E V200R023C10 Command Reference

MAC Address Table Configuration Commands

Command Support
display bridge mac-address
display mac-address
display mac-address aging-time
display mac-address blackhole
display mac-address dynamic
display mac-address flapping
display mac-address flapping record
display mac-address hash-conflict record
display mac-address hash-mode
display mac-address mux
display mac-address oam
display mac-address static
display mac-address summary
display mac-address total-number
display mac-limit
drop illegal-mac alarm
drop illegal-mac enable
global-mac-learning enable
mac-address aging-time
mac-address blackhole
mac-address destination hit aging enable
mac-address flapping action
mac-address flapping action priority
mac-address flapping aging-time
mac-address flapping detection
mac-address flapping detection exclude vlan
mac-address flapping detection vlan security-level
mac-address flapping mac-syn-suppress disable
mac-address flapping quit-vlan recover-time
mac-address flapping unicast-suppress all disable
mac-address flapping unicast-suppress disable
mac-address hash-conflict learning-preference enable
mac-address hash-mode
mac-address learning disable (interface view and VLAN view)
mac-address learning disable (traffic behavior view)
mac-address learning self-healing enable
mac-address static vlan
mac-address threshold-alarm
mac-address trap hash-conflict enable
mac-address trap hash-conflict history
mac-address trap hash-conflict interval
mac-address trap hash-conflict threshold
mac-address trap notification
mac-address trap notification interval
mac-address update arp
mac-learning priority
mac-learning priority allow-flapping
mac-learning priority flapping-defend action
mac-limit
mac-limit slot
mac-miss action discard
mac-syn fast-send enable
port bridge enable
remark destination-mac
reset mac-address flapping record
undo mac-address
undo mac-address temporary
undo mac-limit all

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models, unless otherwise specified. For details, see specific commands.

display bridge mac-address

Function

The display bridge mac-address command displays the bridge MAC address of a device.

Format

display bridge mac-address

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When you need to view the bridge MAC address of a device, run the display bridge mac-address command.

Example

# Display the bridge MAC address of a device.

<HUAWEI> display bridge mac-address

System bridge MAC address: 00e0-fc4b-6d00

Table 5-1 Description of the display bridge mac-address command output

Item	Description
System bridge MAC address	Indicates the bridge MAC address of a device.

display mac-address

Function

The display mac-address command displays the MAC address table of the switch. A MAC address entry contains the destination MAC address, VLAN ID/VSI/BD, outbound interface, and entry type.

Format

display mac-address [ mac-address ] [ vlan vlan-id | vsi vsi-name ] [ verbose ]

display mac-address [ vlan vlan-id | interface-type interface-number ] ^* [ verbose ]

Parameters

Parameter	Description	Value
mac-address	Specifies the destination MAC address in an entry.	The value is in H-H-H format. H is a hexadecimal number of 4 digits, for example, 00e0 and fc01. If you enter less than four digits, 0s are prefixed to the input digits. For example, if you enter e0, the system changes e0 to 00e0. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.
vlan vlan-id	Displays MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Displays MAC address entries in a specified VSI.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
interface-type interface-number	Displays the MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. NOTE: The management interface is not supported.	-
verbose	Displays detailed information about MAC address entries.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

The display mac-address command displays all MAC address entries, such as dynamic MAC address entries, static MAC address entries, and blackhole MAC address entries. A MAC address entry contains the destination MAC address, VLAN ID/VSI/BD, outbound interface, and entry type.

Follow-up Procedure

If any MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address static command to add a correct one.

Precautions

If you run the display mac-address command without parameters, all MAC address entries are displayed.

When the switch has a large number of MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:

The displayed information is repeatedly refreshed, so you cannot find the required information.
The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MAC address entries.

<HUAWEI> display mac-address
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc12-3456       100/-//-                     GE1/0/1             dynamic 
00e0-fc12-3457       -/HUAWEI/-                  GE1/0/2             static 
-------------------------------------------------------------------------------
Total items displayed = 2

# Display detailed information about all MAC address entries in VLAN 10.

<HUAWEI> display mac-address vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 00e0-fc12-3457            VLAN : 10                            
Learned-From: GE1/0/2                 Type : dynamic                       
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1

Table 5-2 Description of the display mac-address command output

Item	Description
MAC Address	Destination MAC address in a MAC address entry.
VLAN/VSI/BD	ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to.
Learned-From	Interface that learns a MAC address.
Type	Type of a MAC address entry. static: indicates a static MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address static vlan, mac-address static vlanif, mac-address static vsi, mac-address static bridge-domain, or mac-address static bridge-domain vni command. blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address blackhole command. dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires. OAM-PU: indicates a MAC address entry configured by using the mac-purge command. OAM-PO: indicates a MAC address entry configured by using the mac-populate command. security: indicates a MAC address entry that an interface learns after port security is enabled. sec-config: indicates a static secure MAC address entry configured by using the port-security mac-address command. sticky: indicates a MAC address entry that an interface learns after the sticky MAC function is enabled. mux: indicates a MAC address entry learned by a MUX VLAN enabled interface. snooping: indicates a static MAC address entry generated based on the dynamic DHCP snooping binding table. authen: indicates a MAC address entry corresponding to the NAC authentication user that obtains an IP address (excluding the Layer 3 authentication user of which the MAC address cannot be generated and wireless user in direct forwarding mode). evpn: indicates a MAC address entry of EVPN.

display mac-address aging-time

Function

The display mac-address aging-time command displays the aging time of dynamic MAC address entries in the MAC address table.

Format

display mac-address aging-time

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

This command displays the aging time of dynamic MAC address entries on the switch. You can check whether the aging time is suitable for network requirements and device performance.

Follow-up Procedure

If the aging time is unsuitable for requirements or device performance, run the mac-address aging-time command to set the aging time properly.

Precautions

If the aging time is 0, dynamic MAC addresses will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.

Example

# Display the aging time of dynamic MAC address entries.

<HUAWEI> display mac-address aging-time
  Aging time: 300 second(s)

Table 5-3 Description of the display mac-address aging-time command output

Item	Description
Aging time	Aging time of dynamic MAC address entries, in seconds. To set the aging time, run the mac-address aging-time command.

display mac-address blackhole

Function

The display mac-address blackhole command displays blackhole MAC address entries.

Format

display mac-address blackhole [ vlan vlan-id | vsi vsi-name ] [ verbose ]

Parameters

Parameter	Description	Value
vlan vlan-id	Displays blackhole MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Displays blackhole MAC address entries of a specified virtual switch instance (VSI).	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
verbose	Displays detailed information about blackhole MAC address entries.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table contains the following MAC address entries:

Blackhole MAC address entries that are used to discard packets with the specified MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
Static MAC entries that are manually configured and will not be aged out.
Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To check whether blackhole MAC address entries are configured correctly, run this command. These entries ensure communication between authorized users.

Follow-up Procedure

If any blackhole MAC address entry in the command output is incorrect, run the undo mac-address command to delete the entry or run the mac-address blackhole command to add a correct one.

Precautions

If you run the display mac-address blackhole command without parameters, all blackhole MAC address entries are displayed.
If the MAC address table does not contain any blackhole MAC address, no information is displayed.

Example

# Display all blackhole MAC address entries.

<HUAWEI> display mac-address blackhole
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc22-0033       100/-/-                      -                  blackhole 
00e0-fc00-0001       -/HUAWEI/-                   -                  blackhole 


-------------------------------------------------------------------------------
Total items displayed = 2

# Display blackhole MAC address entries in VLAN 100.

<HUAWEI> display mac-address blackhole vlan 100
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc22-0033       100/-/-                      -                  blackhole 
00e0-fc00-0001       100/-/-                      -                  blackhole 

-------------------------------------------------------------------------------
Total items displayed = 2

Table 5-4 Description of the display mac-address blackhole command output

Item	Description
MAC Address	Destination MAC address in a blackhole MAC address entry.
VLAN/VSI/BD	ID of the VLAN, name of the VSI, or ID of the BD that a MAC address belongs to.
Learned-From	When the type of a MAC address entry is blackhole, "-" is displayed.
Type	Type of a MAC address entry. blackhole: indicates a blackhole MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address blackhole command.

display mac-address dynamic

Function

The display mac-address dynamic command displays dynamic MAC address entries.

Format

display mac-address dynamic [ [ slot ] slot-id ] [ vlan vlan-id | interface-type interface-number ] ^* [ verbose ]

display mac-address dynamic [ [ slot ] slot-id ] [ vsi vsi-name [ peer ip-address ] ] [ verbose ]

Parameters

Parameter	Description	Value
slot slot-id	Displays dynamic MAC address entries on a specified card.	The value is an integer and must be the slot ID of a running card.
vlan vlan-id	Displays dynamic MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Displays dynamic MAC address entries of a specified virtual switch instance (VSI). vsi-name specifies the name of a VSI.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
peer ip-address	Displays the dynamic MAC address entry mapped to a specified peer IPv4 address.	-
interface-type interface-number	Displays dynamic MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface.	-
verbose	Displays detailed information about dynamic MAC address entries.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table needs to be updated constantly because the network topology always changes. You can use this command to view learned MAC addresses in real time.

Follow-up Procedure

If the displayed dynamic MAC address entries are invalid, run the undo mac-address command to delete dynamic MAC address entries.

Precautions

If you run the display mac-address dynamic command without parameters, all dynamic MAC address entries are displayed.

If the MAC address table does not contain any dynamic MAC address entry, no information is displayed.

When the switch has a large number of dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:

The displayed information is repeatedly refreshed, so you cannot find the required information.
The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all dynamic MAC address entries.

<HUAWEI> display mac-address dynamic
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc22-0033       100/-/-                     GE1/0/1             dynamic 
00e0-fc00-0001       -/HUAWEI/-                  GE1/0/2             dynamic 

-------------------------------------------------------------------------------
Total items displayed = 2

# Display all dynamic MAC address entries in VLAN 9 on the card in slot 1.

<HUAWEI> display mac-address dynamic slot 1 vlan 9
------------------------------------------------------------------------------- 
MAC Address     VLAN/VSI/BD                       Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc07-0122  9/-/-                             GE1/0/1             dynamic    
00e0-fc07-0106  9/-/-                             GE1/0/1             dynamic    
00e0-fc07-0114  9/-/-                             GE1/0/1             dynamic    
                                                                                
------------------------------------------------------------------------------- 
Total items on slot 1 displayed = 3

# Display detailed information about all dynamic MAC address entries in VLAN 9 on the card in slot 1.

<HUAWEI> display mac-address dynamic slot 1 vlan 9 verbose
------------------------------------------------------------------------------- 
MAC Address : 00e0-fc07-0117             VLAN: 9                                
Learned-From: GE1/0/1                    Type: dynamic                          
                                                                                
MAC Address : 00e0-fc07-0133             VLAN: 9                                
Learned-From: GE1/0/2                    Type: dynamic                          
                                                                                
MAC Address : 00e0-fc07-0121             VLAN: 9                                
Learned-From: GE1/0/3                    Type: dynamic                          
                                                                                
------------------------------------------------------------------------------- 
Total items on slot 1 displayed = 3

# Display the dynamic MAC address entry mapped to peer IP address 10.1.1.2 in VSI 10.

<HUAWEI> display mac-address dynamic vsi 10 peer 10.1.1.2 verbose
------------------------------------------------------------------------------- 
MAC Address : 00e0-fc07-0117             VSI  : 10                             
Learned-From: GE1/0/1                    Type: dynamic                          
Peer-Ip     : 10.1.1.2                   Pw-Id: 1                           
Total items  displayed = 1

Table 5-5 Description of the display mac-address dynamic command output

Item	Description
MAC Address	Destination MAC address in a dynamic MAC address entry.
VLAN/VSI/BD	ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to.
Learned-From	Interface that learns a MAC address.
Type	Type of a MAC address entry. dynamic: indicates a MAC address entry learned by the switch, which will be aged out when the aging time expires.
Peer-Ip	IPv4 address of the remote device.
Pw-Id	PW name.

display mac-address flapping

Function

The display mac-address flapping command displays the configuration of MAC address flapping detection.

Format

display mac-address flapping

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After MAC address flapping detection is configured, you can run the display mac-address flapping command to check the configuration.

The command output includes the following information:

Whether MAC address flapping detection is configured.
Aging time of flapping MAC addresses.
Delay time before the interface joins a VLAN again after it is removed from the VLAN.
VLAN that does not require MAC address flapping detection.
List of VLANs of three security levels defined for MAC address flapping detection

Example

# Display the configuration of MAC address flapping detection.

<HUAWEI> display mac-address flapping
MAC address Flapping Configurations :                                                                                               
----------------------------------------------------------------------------                                                        
  Flapping detection          : Enable                                                                                              
  Aging time(sec)             : 300                                                                                                 
  Quit VLAN Recover time(min) : 10                                                                                                  
  Exclude VLAN list           : -                                                                                                   
  Low level VLAN list         : -                                                                                                   
  Middle level VLAN list      : 1 to 4094                                                                                           
  High level VLAN list        : -                                                                                                  
----------------------------------------------------------------------------

Table 5-6 Description of the display mac-address flapping command output

Item	Description
Flapping detection	MAC address flapping detection status: Enable: MAC address flapping detection is enabled. Disable: MAC address flapping detection is disabled. To specify the parameter, run the mac-address flapping detection command.
Aging time(sec)	Aging time of flapping MAC addresses. To specify the parameter, run the mac-address flapping aging-time command.
Quit VLAN Recover time(min)	Delay time before the interface joins a VLAN again after it is removed from the VLAN. To specify the parameter, run the mac-address flapping quit-vlan recover-time command. The default value is 10. If the value is 0, the interface cannot join a VLAN again after it is removed from the VLAN.
Exclude VLAN list	VLAN that does not require MAC address flapping detection. To specify the parameter, run the mac-address flapping detection exclude vlan command. If such a VLAN is specified, the VLAN ID is displayed. If the VLAN is not specified, this field is displayed as -.
Low level VLAN list	List of VLANs of low security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command.
Middle level VLAN list	List of VLANs of middle security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command.
High level VLAN list	List of VLANs of high security level defined for MAC address flapping detection. To specify the parameter, run the mac-address flapping detection vlan security-level command.

display mac-address flapping record

Function

The display mac-address flapping record command displays MAC address flapping records.

Format

display mac-address flapping record [ slot slot-id ] [ begin YYYY/MM/DD HH:MM:SS ]

Parameters

Parameter	Description	Value
slot slot-id	Specifies a slot ID.	The value depends on the device configuration.
begin YYYY/MM/DD HH:MM:SS	Displays MAC address flapping records generated from the specified time to the current time. YYYY/MM/DD indicates year/month/date. HH:MM:SS indicates hour:minute:second.	YYYY/MM/DD ranges from 2000/01/01 to 2099/12/31. HH:MM:SS ranges from 00:00:00 to 23:59:59.

Parameter

Description

Value

slot slot-id

Specifies a slot ID.

The value depends on the device configuration.

begin YYYY/MM/DD HH:MM:SS

Displays MAC address flapping records generated from the specified time to the current time.

YYYY/MM/DD indicates year/month/date.

HH:MM:SS indicates hour:minute:second.

YYYY/MM/DD ranges from 2000/01/01 to 2099/12/31.
HH:MM:SS ranges from 00:00:00 to 23:59:59.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The display mac-address flapping record command output helps locate the position where MAC address flapping occurs.

Precautions

The command output is displayed only when MAC address flapping has occurred.

Example

# Display all MAC address flapping records.

<HUAWEI> display mac-address flapping record
 S  : start time                                                                
 E  : end time                                                                  
(Q) : quit VLAN 
(D) : error down 
------------------------------------------------------------------------------
Move-Time             VLAN  MAC-Address   Original-Port Move-Ports   MoveNum
-------------------------------------------------------------------------------
S:2011-08-31 17:22:36 300  00e0-fc12-3456 Eth-Trunk1   Eth-Trunk2   81
E:2011-08-31 17:22:44

-------------------------------------------------------------------------------
Total items on slot 2: 1

# Display MAC address flapping records generated from 2012/06/04 09:00:00 to the current time.

<HUAWEI> display mac-address flapping record begin 2012/06/04 09:00:00
 S  : start time                                                                
 E  : end time                                                                  
(Q) : quit VLAN                                                                 
(D) : error down   
-------------------------------------------------------------------------------
Move-Time                 VLAN MAC-Address   Original-Port Move-Ports   MoveNum
-------------------------------------------------------------------------------
S:2012-06-04 17:22:38 300  00e0-fc12-3456 Eth-Trunk2   Eth-Trunk1   5
E:2012-06-04 17:22:42

-------------------------------------------------------------------------------
Total items on slot 2: 1

Table 5-7 Description of the display mac-address flapping record command output

Item	Description
Move-Time	Start time and end time MAC address flapping occurs. If the DST is configured, the DST plus the flapping start time or end time is displayed, for example: StartTime: 2012-02-02 15:54:10 DST.
VLAN	VLAN where MAC address flapping occurs.
MAC-Address	Flapping MAC address. NOTE: Only one MAC address that flaps is displayed for the same VLAN in the same slot.
Original-Port	Port that learns the MAC address first.
Move-Ports	Ports that learn the MAC address later.
MoveNum	Number of times the MAC address has flapped. The maximum value is 65535. When the number of times the MAC address has flapped exceeds 65535, the MoveNum field still displays 65535.

display mac-address hash-conflict record

Function

The display mac-address hash-conflict record command displays records of MAC address hash conflicts.

Format

display mac-address hash-conflict record [ slot slot-id ]

Parameters

Parameter	Description	Value
slot slot-id	Specifies a slot ID.	Set this parameter based on the actual device configuration.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Application Scenarios

When MAC address hash conflicts occur on the network, you can run this command to view conflict records.

Precautions

A maximum of 100 MAC address hash conflict records can be displayed. The latest 100 records are retained in time sequence.

Example

# Display MAC address hash conflict records of slot 1.

<HUAWEI> display mac-address hash-conflict record slot 1
-------------------------------------------------------------------------------
 Time                    MAC Address         VLAN/VSI/BD    InterfaceName
-------------------------------------------------------------------------------
 2019-11-21 09:25:38     00e0-fc00-0004      4011/-/-       XGE0/0/5    
 2019-11-21 09:25:38     00e0-fc00-0009      4011/-/-       XGE0/0/5    
 2019-11-21 09:26:40     00e0-fc00-0003      -/-/10         XGE0/0/5    
 2019-11-21 09:26:40     00e0-fc00-0008      -/-/10         XGE0/0/5    
 2019-11-21 09:26:40     00e0-fc00-0001      -/-/10         XGE0/0/5    
------------------------------------------------------------------------------- 
Total items on slot 1: 5

Table 5-8 Description of the display mac-address hash-conflict record command output

Item	Description
Time	Time when a MAC address hash conflict occurs.
MAC Address	MAC address.
VLAN/VSI/BD	ID of the VLAN or name of the VSIor ID of the BD to which the MAC address belongs.
InterfaceName	Interface name.

display mac-address hash-mode

Function

The display mac-address hash-mode command displays the running hash mode and configured hash mode on the device.

The X series cards do not support this command.

Format

display mac-address hash-mode

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After a hash mode is configured, you can run the display mac-address hash-mode command to check the configuration.

Precautions

After the hash algorithm is changed, restart the board for the configuration to take effect.

Example

# Display the running hash mode and configured hash mode on the device.

<HUAWEI> display mac-address hash-mode
  MAC address hash mode status:                                                 
--------------------------------------------                                    
 Slot       CurMode         CfgMode                                             
--------------------------------------------                                    
 1         crc16-lower     crc32-lower                                         
--------------------------------------------

Table 5-9 Description of the display mac-address hash-mode command output

Item	Description
Slot	Slot ID.
CurMode	Running hash mode in the specified slot. After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect.
CfgMode	Configured hash mode in the specified slot. To specify the parameter, run the mac-address hash-mode command.

Item

Description

Slot

Slot ID.

CurMode

Running hash mode in the specified slot.

After changing the hash algorithm and saving the configuration, restart the device for the configuration to take effect.

CfgMode

Configured hash mode in the specified slot.

To specify the parameter, run the mac-address hash-mode command.

display mac-address mux

Function

The display mac-address mux command displays MUX MAC address entries.

Format

display mac-address mux [ vlan vlan-id | interface-type interface-number ] ^* [ verbose ]

Parameters

Parameter	Description	Value
vlan vlan-id	Displays MUX MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
interface-type interface-number	Displays MUX MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface.	-
verbose	Displays detailed information about MUX MAC address entries. If this parameter is not specified, brief information about MUX MAC address entries is displayed.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MUX VLAN function isolates Layer 2 traffic between interfaces in a VLAN. A MUX MAC address entry is learned by a MUX VLAN enabled interface. The learned MUX MAC address entries are deleted after the switch restarts.

After configuring the MUX VLAN function, you can run the display mac-address mux command to check whether the learned MUX MAC address entries are correct.

Follow-up Procedure

If the displayed MUX MAC address entries are invalid, run the undo mac-address command to delete MUX MAC address entries.

Precautions

If you run the display mac-address mux command without parameters, all MUX MAC address entries are displayed.

If the MAC address table does not contain any MUX MAC address entry, no information is displayed.

When the switch has a large number of MUX MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:

The displayed information is repeatedly refreshed, so you cannot find the required information.
The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all MUX MAC address entries.

<HUAWEI> display mac-address mux
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc12-3456       100/-/-                     GE1/0/2           mux       

-------------------------------------------------------------------------------
Total items displayed = 1

# Display detailed information about all MUX MAC address entries in VLAN 10.

<HUAWEI> display mac-address mux vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 00e0-fc12-3457            VLAN : 10                            
Learned-From: GE1/0/2                 Type : mux                        
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1

Table 5-10 Description of the display mac-address mux command output

Item	Description
MAC Address	Destination MAC address in a MUX MAC address entry.
VLAN/VSI/BD	ID of the VLAN, or name of the virtual switch instance (VSI), or ID of the BD that a MAC address belongs to.
Learned-From	Interface that learns a MAC address.
Type	Type of a MAC address entry. mux: indicates a MAC address entry learned by a MUX VLAN enabled interface.

display mac-address oam

Function

The display mac-address oam command displays information about MAC address entries of the OAM type.

Format

display mac-address oam

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

VPLS data forwarding depends on MAC address learning. Data packets in a VPLS domain can be correctly forwarded only when the MAC addresses of the data packets are correctly learned by PEs.

VPLS MAC diagnostic tools can be used to check whether MAC address learning works properly on the devices in a VPLS domain. VPLS MAC diagnostic tools include MAC populate and MAC purge.

MAC populate is used to check whether MAC addresses can be learned by devices in a VSI by populating an OAM MAC address into the VPLS domain.

If the devices in a specified VSI in the VPLS domain have learned the populated MAC address, running the display mac-address oam command can display detailed information about the populated OAM MAC address.
MAC purge is used to purge the populated OAM MAC address.

If the learned OAM MAC address is purged on the device, running the display mac-address oam command can show that the learned OAM MAC address has been purged.

Prerequisites

Configuring the diagnosis of the OAM MAC address learning capacity is completed before you check detailed information about the populated OAM MAC address.
Purging the OAM MAC address learned by the devices on the VPLS network is completed before you check whether the OAM MAC has been purged.

Example

# Display MAC address entries of the OAM type in the MAC address table.

<HUAWEI> display mac-address oam

------------------------------------------------------------------------------------------
MAC Address     VLAN/VSI/BD             Learned-From          Type       
------------------------------------------------------------------------------------------
00e0-fc00-0010  -/vsi1/-                GigabitEthernet1/0/1  OAM-PU     
00e0-fc00-0020  -/vsi1/-                GigabitEthernet1/0/1  OAM-PO     

------------------------------------------------------------------------------------------
Total items displayed = 2

Table 5-11 Description of the display mac-address oam command output

Item	Description
MAC Address	Indicates the MAC address of the OAM type.
VLAN/VSI/BD	VLAN: the value is always displayed as "-". VSI: indicates the VSI to which the MAC addresses of the OAM type belong. BD: the value is always displayed as "-".
Learned-From	Indicates an interface on which the MAC addresses of the OAM type are configured.
Type	Indicates the OAM type of the MAC address. OAM-PU: indicates the OAM MAC address entry that is used to discard data frames containing a specified destination MAC address, configured by using the mac-purge command. OAM-PO: indicates the OAM MAC address entry that is used to test whether the function of learning dynamic MAC addresses is normal on the interface board. The entry is displayed as the dynamic MAC address on the interface board. In addition, the entry, the same as a common dynamic MAC address, supports VPLS forwarding, configured by using the mac-populate command.

display mac-address static

Function

The display mac-address static command displays static MAC address entries.

Format

display mac-address static [ vsi vsi-name ] [ verbose ]

display mac-address static [ vlan vlan-id | interface-type interface-number ] ^* [ verbose ]

Parameters

Parameter	Description	Value
vlan vlan-id	Displays static MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Displays static MAC address entries in a specified VSI. vsi-name specifies the name of a VSI.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
interface-type interface-number	Displays the static MAC address entries on a specified interface.	-
verbose	Displays detailed information about static MAC address entries.	-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table contains the following MAC address entries:

Static MAC entries that are manually configured and will not be aged out.
Blackhole MAC address entries that are used to discard packets with the specified source MAC addresses or destination MAC addresses. Blackhole MAC address entries are manually configured and will not be aged out.
Dynamic MAC address entries that are learned by the switch and will be aged out when the aging time expires.

To improve network security, configure static MAC address entries to ensure that packets destined for specified MAC addresses are forwarded by the specified interfaces. This prevents attack packets with bogus MAC addresses and guarantees communication between the switch and the upstream device or server. After configuring static MAC address entries, you can run the display mac-address static command to verify the configuration.

Follow-up Procedure

If any static MAC address entry is incorrect, run the undo mac-address command to delete it.

Precautions

If you run the display mac-address static command without parameters, all static MAC address entries are displayed.

If the MAC address table does not contain any static MAC address entry, no information is displayed.

Example

# Display all static MAC address entries.

<HUAWEI> display mac-address static
------------------------------------------------------------------------------- 
MAC Address          VLAN/VSI/BD                 Learned-From        Type       
-------------------------------------------------------------------------------
00e0-fc22-0033       100/-/-                     GE1/0/1             static 
00e0-fc00-0001       -/HUAWEI/-                  GE1/0/2             static 

-------------------------------------------------------------------------------
Total items displayed = 2

# Display detailed information about all static MAC address entries in VLAN 10.

<HUAWEI> display mac-address static vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 00e0-fc00-0001            VLAN : 10                            
Learned-From: GE1/0/2                   Type : static                       
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1

Table 5-12 Description of the display mac-address static command output

Item	Description
MAC Address	Destination MAC address in a static MAC address entry.
VLAN/VSI/BD	ID of the VLAN, or name of the VSI, or ID of the BD that a MAC address belongs to.
Learned-From	Interface that learns a MAC address.
Type	Type of a MAC address entry. static: indicates a static MAC address entry, which is manually configured and will not be aged out, configured by using the mac-address static vlan, mac-address static vlanif, mac-address static vsi, mac-address static bridge-domain, or mac-address static bridge-domain vni command.

display mac-address summary

Function

The display mac-address summary command displays statistics on MAC address entries.

Format

display mac-address summary [ slot slot-id ]

Parameters

Parameter	Description	Value
slot slot-id	Displays statistics on MAC address entries on a specified card.	The value is an integer and must be the slot ID of a running card.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the device stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

When the switch has many MAC address entries of different types, you can use the display mac-address summary command to view the summary of MAC address entries in the system. In the command output, Local and Remote identify the MAC address entries learned by the local card and MAC address entries synchronized from other cards.

Precautions

If slot slot-id is specified, this command displays statistics on MAC address entries on the specified card. If this parameter is not specified, this command displays statistics on MAC address entries on all cards.
If no static or blackhole MAC addresses are configured on the device, statistics about the two types of MAC address entries are 0.
Blackhole MAC address entries fall into global and VLAN- or VSI-based blackhole MAC address entries. Global blackhole MAC address entries are configured using the mac-address blackhole command with only a MAC address specified. They do not occupy the MAC address table space.
If MAC address learning is disabled on the device, statistics about dynamic MAC address entries are 0.

Using the undo mac-address learning disable command in the Ethernet interface view can enable MAC address learning.

Example

# View statistics on all MAC address entries in the system.

<HUAWEI> display mac-address summary
Summary information of slot 1:
-----------------------------------                                             
Static     :               1 
Blackhole  :               1 
Dyn-Local  :               3 
Dyn-Remote :               5 
Dyn-Trunk  :               0 
OAM        :               0 
Sticky     :               0 
Security   :               0 
Sec-config :               0 
Authen     :               0 
Guest      :               0 
Mux        :               0 
Snooping   :               0 
Pre-Mac    :               0 
Evpn       :               0 
In-used    :               10 
Capacity   :               524288                                                
-----------------------------------

Table 5-13 Description of the display mac-address summary command output

Item	Description
Static	Number of static MAC address entries.
Blackhole	Number of blackhole MAC address entries.
Dyn-Local	Number of MAC address entries learned by the local card.
Dyn-Remote	Number of MAC address entries synchronized from other cards.
Dyn-Trunk	Total number of MAC address entries learned by all trunk interfaces. NOTE: If the interfaces of other cards (not the cards on which the Eth-Trunk member interfaces reside) are added to the VLAN corresponding to the MAC addresses learned by an Eth-Trunk, the MAC addresses learned by the Eth-Trunk will be synchronized to the cards. Otherwise, the MAC addresses will not be synchronized to the other cards.
OAM	Number of MAC address entries related to the OAM function.
Sticky	Number of sticky MAC address entries.
Security	Number of secure dynamic MAC address entries.
Sec-config	Number of secure static MAC address entries.
Authen	Number of MAC address entries corresponding to authentication users.
Guest	Number of MAC address entries learned by interfaces in the guest VLAN.
Mux	Number of MAC address entries learned by interfaces enabled with the MUX VLAN function.
Snooping	Number of Snooping MAC address entries.
Pre-Mac	Number of Pre-authen MAC address entries.
Evpn	Number of EVPN MAC address entries.
In-used	Total number of existing MAC address entries. NOTE: Global blackhole MAC address entries do not occupy the MAC address table space. If these MAC address entries are configured on the device, the In-used value may be greater than the Capacity value.
Capacity	Capacity of the MAC address table. The actual value varies according to device models.

display mac-address total-number

Function

The display mac-address total-number command displays the number of MAC address entries of a specified type.

Format

display mac-address total-number [ slot slot-id ]

display mac-address total-number [ vsi vsi-name ]

display mac-address total-number [ vlan vlan-id | interface-type interface-number ] ^*

display mac-address total-number vlan all

display mac-address total-number { mux | security | sticky | sec-config | snooping | pre-authen | authen } [ vlan vlan-id | interface-type interface-number ] ^*

display mac-address total-number blackhole [ vlan vlan-id | vsi vsi-name ]

display mac-address total-number dynamic [ slot slot-id ] [ vlan vlan-id | interface-type interface-number ] ^*

display mac-address total-number dynamic [ slot slot-id ] [ vsi vsi-name ]

display mac-address total-number static [ vlan vlan-id | interface-type interface-number ] ^*

display mac-address total-number static vsi vsi-name

Parameters

Parameter	Description	Value
slot slot-id	Displays the number of MAC address entries on a specified card.	The value is an integer and must be the slot ID of a running card.
mux	Displays the number of MUX MAC address entries.	-
dynamic	Displays the number of dynamic MAC address entries.	-
security	Displays the number of secure dynamic MAC address entries.	-
sec-config	Displays the number of secure static MAC address entries.	-
snooping	Displays the number of static MAC address entries generated based on the dynamic DHCP snooping binding table.	-
pre-authen	Displays the number of static MAC address entries corresponding to a user in pre-connection state after NAC authentication is enabled.	-
authen	Displays the number of static MAC address entries that is generated after a user passes NAC authentication.	-
sticky	Displays the number of sticky MAC address entries.	-
blackhole	Displays the number of blackhole MAC address entries.	-
static	Displays the number of static MAC address entries.	-
vlan vlan-id	Displays the number of MAC address entries in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vlan all	Displays the number of MAC address entries in all VLANs.	-
interface-type interface-number	Displays the number of MAC address entries learned by a specified interface.	-
vsi vsi-name	Displays the number of MAC address entries in a specified VSI.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

When the switch has many MAC address entries of different types, you can use the display mac-address total-number command to view statistics on MAC address entries of a specified type.

Precautions

If no parameter is specified, the total number of MAC address entries in the system is displayed.

If no interface is specified in the display mac-address total-number command, the total number of MAC address entries learned by all interfaces is displayed.

If an interface is specified in the display mac-address total-number command, the total number of MAC address entries in the VLAN where the interface resides is displayed.

If no VLAN is specified in the display mac-address total-number command, the total number of MAC address entries in all VLANs is displayed.

Example

# Display the number of dynamic MAC address entries.

<HUAWEI> display mac-address total-number dynamic
Total number of MAC address : 20

Table 5-14 Description of the display mac-address total-number command output

Item	Description
Total number of MAC address	Total number of MAC address entries in the system.

display mac-limit

Function

The display mac-limit command displays the configured MAC address learning limit rule.

Format

display mac-limit [ interface-type interface-number | vlan vlan-id | vsi vsi-name | slot slot-id | bridge-domain [ bd-id ] ]

Parameters

Parameter	Description	Value
interface-type interface-number	Displays the MAC address learning limit rule on a specified interface. interface-type specifies the interface type. interface-number specifies the interface number.	-
vlan vlan-id	Displays the MAC address learning limit rule in a specified VLAN.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Displays the MAC address learning limit rule in a specified VSI. vsi-name specifies the VSI name.	The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
slot slot-id	Displays the MAC address learning limit rule in a specified slot.	The slot ID depends on the device hardware.
bridge-domain [ bd-id ]	Displays the MAC address learning limit rule in a specified BD or all BDs.	The value is an integer that ranges from 1 to 16777215.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run this command to check whether the configured MAC address learning limit rule is correct. If the rule is incorrect, run the mac-limit command to modify the rule or run the undo mac-limit all command to delete the rule.

Precautions

If no parameter is specified when this command is run, MAC address learning limit rules of all interfaces, VSIs, and VLANs are displayed.

Example

# Display the MAC address learning limit rule on GigabitEthernet1/0/1.

<HUAWEI> display mac-limit GigabitEthernet 1/0/1
GigabitEthernet1/0/1 MAC limit:
  Maximum MAC count 1000, used count 0 
  Action: forward, Alarm: enable

# Display all configured MAC address learning limit rules.

<HUAWEI> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 4

PORT                 VLAN/VSI     SLOT Maximum Rate(ms) Action  Alarm
----------------------------------------------------------------------------
GE1/0/1              -             -    3000    -        forward enable
-                    3             -    100     -        discard enable
-                    5             -    5000    -        discard enable
-                    HUAWEI         -    8000    -        discard enable

# Display the MAC address learning limit rule in BD 20.

<HUAWEI> display mac-limit bridge-domain 1 
Bridge-domain 1 MAC limit:  
  Maximum MAC count 222, used count 0  
  Action: forward, Alarm: enable

# Display MAC address learning limit rules in all BDs.

<HUAWEI> display mac-limit bridge-domain   
-------------------------------------    
    BDID  Maximum  Action   Alarm  
------------------------------------- 
      11       10  forward  enable 
16777215      200  discard  enable 
-------------------------------------

Table 5-15 Description of the display mac-limit command output

Item	Description
GigabitEthernet 1/0/1 MAC limit:	MAC address learning limit rule on an interface. To configure this parameter, run the mac-limit command.
Bridge-domain 1 MAC limit:	MAC address learning limit rule in a BD. To configure this parameter, run the mac-limit (BD view) command.
BD	BD ID.
Maximum MAC count	Maximum number of MAC addresses that can be learned.
used count	Number of dynamically learned MAC addresses.
Total MAC Limit rule count	Limit on the number of MAC addresses that can be learned.
PORT	Interface name.
VLAN/VSI	VLAN ID or VSI name.
SLOT	ID of the slot where MAC address learning is limited.
Maximum	Maximum number of MAC addresses that can be learned. To configure this parameter, run the mac-limit command for an interface, a VLAN, or a VSI, and run the mac-limit (BD view) command for a BD.
Rate(ms)	Interval at which MAC addresses are learned.
Action	Action to be taken on packets when the number of learned MAC addresses exceeds the upper limit. discard indicates that the packets that do not match any MAC address entry are discarded. forward indicates that packets that do not match any MAC address entry are forwarded.
Alarm	Whether an alarm is generated when the number of learned MAC addresses exceeds the upper limit. enable indicates that an alarm is generated. disable indicates that no alarm is generated.

drop illegal-mac alarm

Function

The drop illegal-mac alarm command configures the switch to send a trap to the network management system (NMS) when receiving a packet with an all-0 MAC address.

The undo drop illegal-mac alarm command deletes the configuration.

By default, the switch does not send a trap to the NMS when receiving a packet with an all-0 MAC address.

Format

drop illegal-mac alarm

undo drop illegal-mac alarm

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. The drop illegal-mac alarm command configures the switch to send a trap to the NMS when receiving a packet with an all-0 MAC address. You can locate the faulty network adapter according to the trap message.

Precautions

If the alarm function is disabled on the switch, the NMS cannot receive any trap message.

After you run the drop illegal-mac alarm command, the switch sends a trap only once after receiving packets with an all-0 MAC address. To configure the switch to send traps continuously, run the drop illegal-mac alarm command repeatedly.

Example

# Configure the switch to send a trap to the NMS when receiving a packet with an all-0 MAC address.

<HUAWEI> system-view
[HUAWEI] drop illegal-mac alarm

drop illegal-mac enable

Function

The drop illegal-mac enable command enables the switch to discard packets with an all-0 invalid MAC address.

The undo drop illegal-mac enable command disables the switch from discarding packets with an all-0 invalid MAC address.

By default, the switch does not discard packets with an all-0 MAC address.

Format

drop illegal-mac enable

undo drop illegal-mac enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Some legacy computers or network devices may send packets with an all-0 source or destination MAC address when their network adapters fail. You can run the drop illegal-mac enable command to configure the switch to discard such packets. After receiving the packets with an all-0 source or destination MAC address, the switch discards the packets.

This command reduces incorrect MAC address entries on the device.

Precautions

If the alarm function is disabled on the device, the network management system cannot receive any alarm message.

Example

# Configure the switch to discard packets with an all-0 invalid MAC address.

<HUAWEI> system-view
[HUAWEI] drop illegal-mac enable

global-mac-learning enable

Function

The global-mac-learning enable command enables global MAC address learning on a board.

The undo global-mac-learning enable command disables global MAC address learning on a board.

By default, global MAC address learning is disabled on a board.

Only the SA-series, EA-series, EA1-series, and X series boards support this command.
The global-mac-learning enable command cannot be configured when the resource allocation mode is set to enhanced-mac using the assign resource-mode command.

Format

global-mac-learning enable slot slot-id

undo global-mac-learning enable slot slot-id

Parameters

Parameter	Description	Value
slot slot-id	Specifies the slot ID of an LPU.	The value is an integer and must specify an existing slot on the device.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, global MAC address learning is disabled on a board. The board saves only MAC address entries learned by itself, but does not synchronize MAC address entries with other boards. If a network fault such as a unidirectional connection fault occurs, enable global MAC address learning on the board so that the board can synchronize MAC address entries with other boards. This prevents MAC address loss caused by the network fault.

Example

# Enable global MAC address learning on the board in slot 3.

<HUAWEI> system-view
[HUAWEI] global-mac-learning enable slot 3

mac-address aging-time

Function

The mac-address aging-time command sets the aging time of dynamic MAC address entries.

The undo mac-address aging-time command restores the default aging time of dynamic MAC address entries.

By default, the aging time of dynamic MAC address entries is 300 seconds.

Format

mac-address aging-time aging-time

undo mac-address aging-time

Parameters

Parameter	Description	Value
aging-time	Specifies the aging time of dynamic MAC address entries.	The value is 0 or an integer that ranges from 60 to 1000000, in seconds. The default value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The network topology changes frequently, and the switch will learn many MAC addresses. You can run the mac-address aging-time command to set a proper aging time for dynamic MAC address entries so that aged MAC address entries are deleted from the MAC address table. This reduces MAC address entries in the MAC address table.

The system starts an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated within a certain period (twice the aging time), the entry is deleted. If the entry is updated within this period, the aging timer of this entry is reset. If the aging time is short, the switch is sensitive to network changes.

When setting the aging time of dynamic MAC address entries, follow these rules:

Set a longer aging time on a stable network and a shorter aging time on an unstable network.
The capacity of the MAC address table on a low-end device is small; therefore, set a relatively short aging time on low end devices to save the MAC address table space.

Precautions

Dynamic MAC address entries are lost after system restart, LPU hot swap, or LPU resetting. Static MAC address entries and blackhole MAC address entries are not aged or lost.
If the aging time is 0, dynamic MAC address entries will not be aged out. In this case, MAC address entries increase sharply and the MAC address table will be full quickly.
If you run the mac-address aging-time command multiple times, only the latest configuration takes effect.
If a MAC address entry is always matched to direct traffic forwarding, this entry will not be aged out.

Example

# Set the aging time of dynamic MAC address entries to 500 seconds.

<HUAWEI> system-view
[HUAWEI] mac-address aging-time 500

mac-address blackhole

Function

The mac-address blackhole command configures a blackhole MAC address entry.

The undo mac-address blackhole command deletes a blackhole MAC address entry.

By default, no blackhole MAC address entry is configured.

Format

mac-address blackhole mac-address [ vlan vlan-id | vsi vsi-name ]

undo mac-address blackhole [ mac-address ] [ vlan vlan-id | vsi vsi-name ]

Parameters

Parameter	Description	Value
mac-address	Specifies the MAC address in a blackhole MAC address entry.	The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.
vlan vlan-id	Specifies the VLAN ID in a blackhole MAC address entry.	The value is an integer that ranges from 1 to 4094.
vsi vsi-name	Specifies the name of a VSI in a blackhole MAC address entry. The VSI must have been created.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To protect a device or network against MAC address attacks, configure MAC addresses of untrusted users as blackhole MAC addresses. The device then directly discards the received packets of which the source or destination MAC addresses match the blackhole MAC address entries.

Prerequisites

The network administrator is familiar with the MAC addresses of all devices on the network. If the MAC address of an authorized user is configured as a blackhole MAC address, the user's communications will be interrupted.

Configuration Impact

If the source or destination MAC address of a packet matches a blackhole MAC address entry, the packet will be discarded. After being configured and saved, blackhole MAC address entries are not lost after the system reset or hot swap of the LPU.

Precautions

Blackhole MAC address entries can be added or deleted, and they will not be aged.
Unlike configuring a static MAC entry, you can configure a blackhole MAC entry without specifying an outbound interface.
If the specified VLAN is the control VLAN for Rapid Ring Protection Protocol (RRPP), the mac-address blackhole command cannot be run.
Blackhole MAC address entries fall into global and VLAN- or VSI-based blackhole MAC address entries. Global blackhole MAC address entries are configured using the mac-address blackhole command with only a MAC address specified. They do not occupy the MAC address table space.
If you configure a VLAN- or VSI-based blackhole MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
- If a dynamic MAC address entry with the same MAC address and VLAN ID or VSI name exists in the MAC address table, the blackhole MAC address entry replaces the dynamic MAC address entry.
- If no dynamic MAC address entry with the same MAC address exists in the MAC address table, the system deletes one dynamic MAC address entry and adds the blackhole MAC address entry to the MAC address table.
You can run the mac-address blackhole command multiple times to configure multiple blackhole MAC address entries.
An existing MAC address entry whose MAC address type is authen, pre-authen, security, sticky, static, or static-con mac cannot be configured as a blackhole MAC address entry.
In a Layer 3 forwarding scenario, if a device has learned an ARP entry and the MAC address in the ARP entry is configured as a VLAN-based blackhole MAC address, the device discards packets with this source MAC address only after the ARP entry ages out.

Example

# Add a blackhole MAC address entry to the MAC address table. In the blackhole MAC address entry, the MAC address is 00e0-fc04-0004 and the VLAN ID is VLAN 5.

<HUAWEI> system-view
[HUAWEI] vlan 5
[HUAWEI-vlan5] quit
[HUAWEI] mac-address blackhole 00e0-fc04-0004 vlan 5

# Configure a global blackhole MAC address entry in which the MAC address is 00e0-fc05-0005.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 00e0-fc05-0005

# Add a blackhole MAC address entry in which the MAC address is 00e0-fc33-4455 to VSI a2. The device directly discards the received frame in which the source or destination MAC address is 00e0-fc33-4455 and the VSI name is a2.

<HUAWEI> system-view
[HUAWEI] mac-address blackhole 00e0-fc33-4455 vsi a2

mac-address destination hit aging enable

Function

The mac-address destination hit aging enable command configures the device to age MAC address entries no matter whether the entries match destination MAC addresses of packets.

The undo mac-address destination hit aging enable command restores the default configuration.

By default, if MAC address entries match destination MAC addresses of packets, the system recalculates the aging time.

Format

mac-address destination hit aging enable

undo mac-address destination hit aging enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a user uses one-way services such as the video on demand service, packets are transmitted unidirectionally from the server to the user terminal. When the user terminal is shut down, the server still sends packets. Therefore, the dynamic MAC address entry with the destination MAC address of the packets remains in the MAC address table.

To delete MAC address entries matching one-way service packets after user terminals are shut down, run the mac-address destination hit aging enable command to enable the device to age dynamic MAC address entries matching dynamic MAC addresses of received packets.

Configuration Impact

This command is used only when one-way services are deployed on a network.

Precautions

This command only free up space in the MAC address table but cannot save system resources. If the device cannot find the matching entry in the MAC address table, it broadcasts the packets.

Example

# Configure the device to age MAC address entries no matter whether the entries match destination MAC addresses of packets.

<HUAWEI> system-view
[HUAWEI] mac-address destination hit aging enable

mac-address flapping action

Function

The mac-address flapping action command configures the action to perform on an interface when MAC address flapping is detected on the interface.

The undo mac-address flapping action command deletes the action.

By default, the system does not perform any action when detecting MAC address flapping on an interface.

Format

mac-address flapping action { error-down | quit-vlan }

undo mac-address flapping action { error-down | quit-vlan }

Parameters

Parameter	Description	Value
error-down	Shuts down an interface when MAC address flapping is detected on the interface.	-
quit-vlan	Removes an interface from the VLAN where MAC address flapping occurs when MAC address flapping is detected on the interface.	-

Parameter

Description

Value

error-down

Shuts down an interface when MAC address flapping is detected on the interface.

quit-vlan

Removes an interface from the VLAN where MAC address flapping occurs when MAC address flapping is detected on the interface.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the switch connects to a user network that does not support loop prevention protocols, configure a loop prevention action for the switch to perform when detecting MAC address flapping. This reduces the impact of MAC address flapping on the user network.

When MAC address flapping occurs on an interface with a loop prevention action configured, the switch performs the configured action. When the action is set to error-down, the switch shuts down the interface. When the action is set to quit-VLAN, the switch removes the interface from the VLAN where MAC address flapping occurs. Only one interface can be shut down during one aging time configured by the mac-address flapping aging-time command.

Follow-up Procedure

When the action is set to error-down, the interface cannot be automatically restored after it is shut down. You can only restore the interface by running the shutdown and undo shutdown commands or the restart command in the interface view.

To enable the interface to go Up automatically, you must run the error-down auto-recovery cause mac-address-flapping command in the system view before the interface enters the error-down state. This command enables an interface in error-down state to go Up and sets a recovery time. The interface goes Up automatically after the time expires.
If the action is set to quit-vlan, the interface can be automatically restored after a specified time period after it is removed from the VLAN. The default recovery time is 10 minutes. The recovery delay time can be set using the mac-address flapping quit-vlan recover-time time-value command in the system view.

Precautions

Do not run the mac-address flapping action command on uplink interfaces.

MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire network topology. If the user network connected to the switch supports loop prevention protocols, use the loop prevention protocols instead of MAC address flapping detection.

If you run the mac-address flapping action command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Configure the switch to shut down GE1/0/1 when detecting MAC address flapping on the interface.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action error-down
Info: This command may shut down the interface after MAC address flapping is detected.

# Configure the switch to remove GE1/0/1 from the VLAN where MAC address flapping occurs.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action quit-vlan

mac-address flapping action priority

Function

The mac-address flapping action priority command sets the priority for the action against MAC address flapping on an interface.

The undo mac-address flapping action priority command restores the default configuration.

By default, the action against MAC address flapping on an interface is 127.

Format

mac-address flapping action priority priority

undo mac-address flapping action priority

Parameters

Parameter	Description	Value
priority	Specifies the priority of the action against MAC address flapping on an interface.	The value is an integer that ranges from 0 to 255. A larger value indicates a higher priority. The default value is 127.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a MAC address flaps between two interfaces and both the interfaces have an action and priority configured, the switch performs the action (error-down or quit-VLAN) configured on the interface with lower priority. If the two interfaces have the same priority, the switch performs the action on the interface that learns the MAC address later. If the later interface has no action configured, the switch performs the action on the interface that learns the MAC address earlier.

The switch compares priorities of the interfaces only when the interfaces have the same action configured. If one interface is configured with the error-down action, and the other is configured with the quit-VLAN action, the switch performs the actions on both interfaces even if their priorities are same.

Precautions

If you run the mac-address flapping action priority command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the priority of the action against MAC address flapping on GE1/0/1 to 3.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping action priority 3

mac-address flapping aging-time

Function

The mac-address flapping aging-time command sets the aging time of flapping MAC addresses.

The undo mac-address flapping aging-time command restores the default aging time of flapping MAC addresses.

By default, the aging time of flapping MAC addresses is 300 seconds.

Format

mac-address flapping aging-time aging-time

undo mac-address flapping aging-time

Parameters

Parameter	Description	Value
aging-time	Specifies the aging time of flapping MAC addresses.	The value is an integer that ranges from 60 to 900, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Increasing the aging time of flapping MAC addresses will cause MAC address flapping again and increase the error-down time. To ensure that the system performs MAC address flapping detection in a timely manner, run the mac-address flapping aging-time command to shorten the aging time of flapping MAC addresses.

Precautions

If you run the mac-address flapping aging-time command multiple times, only the latest configuration takes effect.

Example

# Set the aging time of flapping MAC addresses to 500 seconds.

<HUAWEI> system-view
[HUAWEI] mac-address flapping aging-time 500

mac-address flapping detection

Function

The mac-address flapping detection command enables global MAC address flapping detection.

The undo mac-address flapping detection command disables global MAC address flapping detection.

By default, global MAC address flapping detection is enabled.

Format

mac-address flapping detection

undo mac-address flapping detection

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN or VSI. The MAC address entry learned later replaces the earlier one.

MAC address flapping occurs in the following situations:

Network cables of switches are connected incorrectly or switches use incorrect configurations.
Unauthorized users simulate MAC address of valid network devices to attack the network.

Global MAC address flapping detection enables the Switch to check all MAC addresses. When MAC address flapping occurs, the Switch sends a trap message to the NMS. You can locate the fault according to the trap message. You can also run the display mac-address flapping record command to view MAC address flapping records.

Example

# Enable global MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection

mac-address flapping detection exclude vlan

Function

The mac-address flapping detection exclude vlan command excludes a VLAN from MAC address flapping detection.

The undo mac-address flapping detection exclude vlan command restores MAC address flapping detection for a VLAN.

By default, the system performs MAC address flapping detection in all VLANs.

Format

mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>

undo mac-address flapping detection exclude vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all }

Parameters

Parameter	Description	Value
vlan-id1 [ to vlan-id2 ]	Specifies the ID of a VLAN where MAC address flapping detection is not required. vlan-id1 specifies the first VLAN ID. to vlan-id2 specifies the last VLAN ID. vlan-id2 must be greater than vlan-id1. You can specify a maximum of 10 VLANs.	The value of vlan-id1 is an integer that ranges from 1 to 4094. The value of vlan-id2 is an integer that ranges from 1 to 4094.
all	Indicates that all VLANs are excluded from MAC address flapping detection.	-

Parameter

Description

Value

vlan-id1 [ to vlan-id2 ]

Specifies the ID of a VLAN where MAC address flapping detection is not required.

vlan-id1 specifies the first VLAN ID.
to vlan-id2 specifies the last VLAN ID.

vlan-id2 must be greater than vlan-id1.

You can specify a maximum of 10 VLANs.

The value of vlan-id1 is an integer that ranges from 1 to 4094.
The value of vlan-id2 is an integer that ranges from 1 to 4094.

all

Indicates that all VLANs are excluded from MAC address flapping detection.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the system performs MAC address flapping detection in all VLANs. When a switch connected to a load balancing server with dual network adapters, the server's MAC address may be learned by two interfaces on the switch. This is a normal situation where MAC address flapping detection is not required.

You can run the mac-address flapping detection exclude vlan command to exclude a VLAN from MAC address flapping detection. If MAC address flapping occurs in this VLAN, the system does not send a trap message or record this event.

Precautions

If you run the mac-address flapping detection exclude vlan command multiple times, multiple VLANs are excluded from MAC address flapping detection.

Example

# Exclude VLAN 5 from MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection exclude vlan 5

mac-address flapping detection vlan security-level

Function

The mac-address flapping detection vlan security-level command configures the security level of VLANs for MAC address flapping detection.

The undo mac-address flapping detection vlan security-level command restores the default security of VLANs for MAC address flapping detection.

By default, the security level of a VLAN for MAC address flapping detection is middle. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times.

Format

mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level { high | middle | low }

undo mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } security-level [ high | middle | low ]

Parameters

Parameter	Description	Value
vlan-id1 [ to vlan-id2 ]	Specifies the VLANs of which the security level needs to be set for MAC address flapping detection. vlan-id1 specifies the ID of the first VLAN. to vlan-id2 specifies the ID of the last VLAN. The value of vlan-id2 must be larger than the value of vlan-id1. You can specify a maximum of 10 VLAN ID ranges in a command.	The value of vlan-id1 is an integer that ranges from 1 to 4094. The value of vlan-id2 is an integer that ranges from 1 to 4094.
all	Configures security level of all VLANs for MAC address flapping detection.	-
high	Sets the security level of specified VLANs to high. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces three times.	-
middle	Sets the security level of specified VLANs to middle. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times.	-
low	Sets the security level of specified VLANs to low. At this security level, the system considers that a MAC address flapping occurs when a MAC address moves between interfaces 50 times.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the switch considers that a MAC address flapping occurs when a MAC address moves between interfaces 10 times. On an unstable network, it may be a normal situation when a MAC address moves between interfaces 10 times. You can set the security level for VLANs according to the actual situation of your network. The switch reports a MAC address flapping when a MAC address moves between interfaces for the specified number of times.

Example

# Set the security level of VLAN 5 to high for MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-address flapping detection vlan 5 security-level high

mac-address flapping mac-syn-suppress disable

Function

The mac-address flapping mac-syn-suppress disable command disables real-time MAC address synchronization suppression triggered by MAC address flapping.

The undo mac-address flapping mac-syn-suppress disable command enables real-time MAC address synchronization suppression triggered by MAC address flapping.

By default, MAC address synchronization suppression triggered by MAC address flapping is enabled.

Format

mac-address flapping mac-syn-suppress disable

undo mac-address flapping mac-syn-suppress disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, real-time MAC address synchronization suppression is enabled on a device. With this function enabled, if a large number of real-time MAC address synchronization packets are generated due to persistent MAC address flapping, real-time MAC address synchronization suppression will be triggered. This will result in problems such as delay in obtaining DHCP addresses in terminal roaming scenarios. To address such problems, run the mac-address flapping mac-syn-suppress disable command to disable real-time MAC address synchronization suppression triggered by MAC address flapping.

Example

# Disable real-time MAC address synchronization suppression triggered by MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-address flapping mac-syn-suppress disable

mac-address flapping quit-vlan recover-time

Function

The mac-address flapping quit-vlan recover-time command sets the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping.

The undo mac-address flapping quit-vlan recover-time command restores the default delay time.

By default, the delay time is 10 minutes.

Format

mac-address flapping quit-vlan recover-time time-value

undo mac-address flapping quit-vlan recover-time

Parameters

Parameter	Description	Value
time-value	Specifies the delay time an interface waits to join a VLAN again after it is removed from the VLAN due to MAC address flapping.	The value is an integer ranging from 0 to 1440, in minutes. The default value is 10. The value 0 indicates that the interface cannot join a VLAN again after it is removed from the VLAN.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an interface is removed from a VLAN because MAC address flapping occurs in the VLAN, the interface can automatically join the VLAN again after a delay.

Precautions

If an interface is removed from multiple VLANs due to MAC address flapping, the system counts the delay time since the interface is removed from the last VLAN.

Example

# Set the delay time before an interface joins a VLAN again to 15 minutes.

<HUAWEI> system-view
[HUAWEI] mac-address flapping quit-vlan recover-time 15

# Restore the default delay time.

<HUAWEI> system-view
[HUAWEI] undo mac-address flapping quit-vlan recover-time

mac-address flapping unicast-suppress all disable

Function

The mac-address flapping unicast-suppress all disable command globally disables MAC address flapping suppression.

The undo mac-address flapping unicast-suppress all disable command cancels the configuration.

By default, unknown unicast traffic suppression is enabled globally.

Format

mac-address flapping unicast-suppress all disable

undo mac-address flapping unicast-suppress all disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, if MAC address flapping detection is enabled on a device and MAC address flapping is detected, traffic suppression is triggered on the corresponding interface. As a result, excess traffic is discarded, resulting in packet loss.

To prevent this, disable unknown unicast traffic suppression.

Example

# Globally disable unknown unicast traffic suppression.

<HUAWEI> system-view
[HUAWEI] mac-address flapping unicast-suppress all disable

mac-address flapping unicast-suppress disable

Function

The mac-address flapping unicast-suppress disable command disables MAC address flapping suppression on an interface.

The undo mac-address flapping unicast-suppress disable command cancels the configuration.

By default, unknown unicast traffic suppression is enabled on an interface.

Format

mac-address flapping unicast-suppress disable

undo mac-address flapping unicast-suppress disable

Parameters

None

Views

Interface view

GE interface view, XGE interface view, 25GE interface view, 40GE interface view, 100GE interface view, MultiGE interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To prevent this, disable unknown unicast traffic suppression.

Precautions

Unknown unicast traffic suppression takes effect on an interface only when the following conditions are met:

Global MAC address flapping detection is configured.
MAC address flapping occurs on the interface.
Unknown unicast traffic suppression is enabled globally.
Unknown unicast traffic suppression is enabled on the interface.

Example

# Disable unknown unicast traffic suppression on GE1/0/1.

<HUAWEI> system-view
<HUAWEI> interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address flapping unicast-suppress disable

mac-address hash-conflict learning-preference enable

Function

The mac-address hash-conflict learning-preference enable command increases the MAC address learning priority of an interface.

The undo mac-address hash-conflict learning-preference enable command deletes the configuration.

By default, the MAC address learning priority of an interface is not increased.

This command is not supported on X series cards.

Format

mac-address hash-conflict learning-preference enable

undo mac-address hash-conflict learning-preference enable

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, 25GE interface view, and Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If a MAC address hash conflict occurs on an interface configured with this function, dynamic MAC address entries are deleted from interfaces with low MAC address learning priorities. Subsequently, this interface preferentially learns MAC addresses.

Precautions

This command does not take effect on SA cards of S series devices.

This command may delete dynamic MAC address entries from other interfaces if a MAC address hash conflict occurs on the local interface.

This command solves MAC address hash conflicts only in VLANs, and deletes dynamic MAC address entries of VLANs, VSIs and BDs from interfaces with low MAC address learning priorities.

Example

# Increase the MAC address learning priority of GigabitEthernet 1/0/0.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/0
[HUAWEI-GigabitEthernet1/0/0] mac-address hash-conflict learning-preference enable

mac-address hash-mode

Function

The mac-address hash-mode command configures a MAC hash algorithm on a specified LPU on the device.

The undo mac-address hash-mode command restores the default MAC hash algorithm on a specified LPU on the device.

By default, the device uses crc32-lower.

The X series cards do not support this command.

Format

mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb | enhanced } slot slot-id

Parameters

Parameter	Description	Value
crc16-lower	Indicates the hash algorithm based on low order bits of CRC16.	-
crc16-upper	Indicates the hash algorithm based on high order bits of CRC16.	-
crc32-lower	Indicates the hash algorithm based on low order bits of CRC32.	-
crc32-upper	Indicates the hash algorithm based on high order bits of CRC32.	-
lsb	Indicates the hash algorithm based on the lowest bit of the key value.	-
enhanced	Indicates the enhanced mode.	-
slot slot-id	Specifies a slot ID.	The value depends on the device configuration.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device uses a hash algorithm to improve MAC address forwarding performance. If multiple MAC addresses match a key value, a hash conflict occurs.

When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast. This results in heavy broadcast traffic on the device. If such a problem occurs, use an appropriate hash algorithm to reduce the hash conflict.

Precautions

MAC addresses are distributed on a network randomly, so the system cannot determine the best hash algorithm. Generally, the default hash algorithm is the best one, so do not change the hash algorithm unless you have special requirement.
An appropriate hash algorithm can only reduce hash conflicts, but cannot prevent them.
After changing the hash algorithm and saving the configuration, restart the card for the configuration to take effect.
If you run the mac-address hash-mode command multiple times, only the latest configuration takes effect.

Example

# Set the hash algorithm on the LPU in slot 2 to crc16-lower.

<HUAWEI> system-view
[HUAWEI] mac-address hash-mode crc16-lower slot 2

mac-address learning disable (interface view and VLAN view)

Function

The mac-address learning disable command disables MAC address learning.

The undo mac-address learning disable command enables MAC address learning.

By default, MAC address learning is enabled.

Format

mac-address learning disable [ action { discard | forward } ] (Interface view)

mac-address learning disable (VLAN view)

undo mac-address learning disable

Parameters

Parameter	Description	Value
action	Indicates the action that the interface takes after MAC address learning is disabled. This parameter takes effect only in the interface view and port group view, and the specified interface must be a Layer 2 interface. You can use this parameter to determine whether packets are forwarded when the specified interface does not need to learn MAC addresses. By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled.	-
discard	Discards the packets whose source MAC addresses do not match the MAC address table.	-
forward	Forwards the packets according to the MAC address table.	-

Parameter

Description

Value

action

Indicates the action that the interface takes after MAC address learning is disabled.

This parameter takes effect only in the interface view and port group view, and the specified interface must be a Layer 2 interface.
You can use this parameter to determine whether packets are forwarded when the specified interface does not need to learn MAC addresses.

By default, an interface forwards the packets carrying new MAC addresses after MAC address learning is disabled.

discard

Discards the packets whose source MAC addresses do not match the MAC address table.

forward

Forwards the packets according to the MAC address table.

Views

VLAN view, 100GE interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If you want an interface to forward only packets with certain MAC addresses, use this command. For example, if an interface is connected to a server, configure a static MAC address entry with the MAC address of the server, and then disable MAC address learning and set the action to discard on the interface. The configuration prevents other servers or terminals from accessing the interface and improves network stability and security.

When a switch with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the switch forwards the frames through the corresponding outbound interface according to the MAC address entry. MAC address learning reduces broadcast packets on a network.

You can use the mac-address learning disable command to disable MAC address learning on an interface. The action performed on received packets can be set to discard or forward.

By default, the switch takes the forward action after MAC address learning is disabled. That is, the switch forwards packets according to the MAC address table. When the action is set to discard, the switch looks up the source MAC address of the packet in the MAC address table. If the source MAC address is found in the MAC address table, the switch forwards the packet according to the matching MAC address entry. If the source MAC address is not found, the switch discards the packet.

Precautions

Before running the mac-address learning disable command on an Eth-Trunk interface, ensure that the Eth-Trunk interface works in Layer 2 mode; otherwise, the configuration fails. To switch an Eth-Trunk interface from the Layer 3 mode to the Layer 2 mode, you can run the portswitch command in the view of the Eth-Trunk interface.
After MAC address learning is disabled on an interface, the device does not learn new MAC addresses on the interface. Untrusted terminals can still access the network.
After MAC address learning is disabled on an interface, dynamic MAC address entries learned on the interface are not immediately deleted. These entries will be deleted after the aging time elapses or after you run a command to manually delete the entries. If a MAC address entry is always matched to direct traffic forwarding, this entry will not be aged out.

Example

# Disable MAC address learning in VLAN 2.

<HUAWEI> system-view
[HUAWEI] vlan 2
[HUAWEI-vlan2] mac-address learning disable

mac-address learning disable (traffic behavior view)

Function

The mac-address learning disable command disables MAC address learning in a traffic behavior.

The undo mac-address learning disable command enables MAC address learning in a traffic behavior.

By default, MAC address learning is enabled in a traffic behavior.

Format

mac-address learning disable

undo mac-address learning disable

Parameters

None

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-address learning disable command is used in the following scenarios:

When a network is running stably and the MAC address of packets is fixed, a device does not need to learn MAC addresses of other packets. To save MAC addresses and improve device efficiency, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.
Some unauthorized users may change MAC addresses frequently to attack the network. To prevent MAC address overflow and protect device performance, apply a traffic policy and disable MAC address learning in all the traffic classifiers bound to the traffic policy.

Follow-up Procedure

Run the traffic policy command to create a traffic policy and run the classifier behavior command in the traffic policy view to bind the traffic classifier to the traffic behavior containing the action of disabling MAC address learning.

Precautions

After the traffic behavior containing mac-address learning disable is bound to the specified traffic classifier, the source MAC addresses of packets matching the traffic classifier are not learned. The source MAC addresses of packets that do not match the traffic classifier are still learned by default.

SA cards of S series do not support the mac-address learning disable command in traffic behavior view.

The mac-address learning disable command is similar to the mac-address learning disable command in the interface view or VLAN view. The difference is that the mac-address learning disable command is valid for the packets matching the user-defined traffic classifier and is applied to the system, LPU, an interface, or a VLAN by using the traffic policy. The mac-address learning disable command is used in the interface view, port group view, or VLAN view and is valid for all the packets in the corresponding view.

To disable MAC address learning on an interface, in a port group, or in a VLAN, run the mac-address learning disable command in the corresponding view. To disable MAC address learning for a specified traffic classifier, run the mac-address learning disable command in the traffic behavior view.

Example

# Disable MAC address learning in the traffic behavior test.

<HUAWEI> system-view
[HUAWEI] traffic behavior test
[HUAWEI-behavior-test] mac-address learning disable

mac-address learning self-healing enable

Function

The mac-address learning self-healing enable command enables self-healing for MAC address learning.

The undo mac-address learning self-healing enable command disables self-healing for MAC address learning.

By default, self-healing is enabled for MAC address learning.

Format

mac-address learning self-healing enable

undo mac-address learning self-healing enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

If the SAID node is enabled, the switch periodically checks whether MAC address learning of the Eth-Trunk, port security, and MAC address management modules is normal. You can run the mac-address learning self-healing enable command to enable self-healing for MAC address learning. After this function is enabled, self-healing is automatically performed upon detection of service status inconsistencies. This ensures that packets are forwarded correctly.

Example

# Enable self-healing for MAC address learning.

<HUAWEI> system-view
[HUAWEI] mac-address learning self-healing enable

mac-address static vlan

Function

The mac-address static vlan command configures a static MAC address entry.

The undo mac-address static vlan command deletes a static MAC address entry.

By default, no static MAC address entry is configured.

Format

mac-address static mac-address interface-type interface-number vlan vlan-id

undo mac-address static [ interface-type interface-number | vlan vlan-id ] ^*

undo mac-address static mac-address interface-type interface-number vlan vlan-id

For details on how to configure a VSI-based static MAC address entry, see mac-address static vlanif and mac-address static vsi.

Parameters

Parameter	Description	Value
mac-address	Specifies the MAC address in a static MAC address entry.	The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.
interface-type interface-number	Specifies the outbound interface in a static MAC address entry.	-
vlan vlan-id	Specifies the ID of the VLAN that the outbound interface belongs to.	The value is an integer that ranges from 1 to 4094.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Static MAC address entries are used for the following purposes:

Improve security. The device directly discards packets sent from unauthorized users using authorized users' MAC addresses.
Guide unicast forwarding and save bandwidth.

Precautions

The VLAN in a static MAC address entry must have been created and the outbound interface in the same static MAC address entry has been added to the VLAN.
If you configure a static MAC address entry when the MAC address table is full, the device processes the MAC address entry as follows:
- If a dynamic MAC address entry with the same MAC address and VLAN ID exists in the MAC address table, the static MAC address entry replaces the dynamic MAC address entry.
- If no dynamic MAC address entry with the same MAC address exists in the MAC address table, the system deletes one dynamic MAC address entry and adds the static MAC address entry to the MAC address table.
You can run the mac-address static command multiple times to configure multiple static MAC address entries.
An existing MAC address entry of the authen, pre-authen, security, or sticky type cannot be configured as a static MAC address entry.

Example

# Add a static MAC address entry to the MAC address table. In the MAC address entry, the destination MAC address is 00e0-fc12-3456, the VLAN ID is 4, and the outbound interface is gigabitethernet1/0/2. That is, the device forwards packets with the destination MAC address of 00e0-fc12-3456 from VLAN 4 through gigabitethernet1/0/2.

<HUAWEI> system-view
[HUAWEI] vlan 4
[HUAWEI-vlan4] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] port link-type access
[HUAWEI-GigabitEthernet1/0/2] port default vlan 4
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] mac-address static 00e0-fc12-3456 gigabitethernet 1/0/2 vlan 4

mac-address threshold-alarm

Function

The mac-address threshold-alarm command configures upper and lower alarm thresholds for the MAC address usage.

The undo mac-address threshold-alarm command restores the default upper and lower alarm thresholds for the MAC address usage.

By default, the upper and lower alarm thresholds for the MAC address usage are 80% and 70% respectively. An alarm is sent when the MAC address usage is higher than 80% or lower than 70%.

Format

mac-address threshold-alarm upper-limit upper-limit-value lower-limit lower-limit-value

undo mac-address threshold-alarm

Parameters

Parameter	Description	Value
upper-limit upper-limit-value	Specifies the upper alarm threshold for the MAC address usage, in percentage.	The value is an integer that ranges from 1 to 100. The default value is 80.
lower-limit lower-limit-value	Specifies the lower alarm threshold for the MAC address usage, in percentage.	The value is an integer that ranges from 1 to 100. The default value is 70. lower-limit-value must be smaller than or equal to upper-limit-value.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

MAC address resources are core resources of the device and the device supports limited MAC addresses. The MAC address usage affects device running. You can run the mac-address threshold-alarm command to configure upper and lower alarm thresholds for the MAC address usage. When the MAC address usage is larger than the upper alarm threshold or smaller than the lower alarm threshold, an alarm is generated to notify the administrator. The administrator then can learn the MAC address usage in a timely manner.

Precautions

When you run the mac-address threshold-alarm command multiple times, only the latest configuration takes effect.

Example

# Set upper and lower alarm thresholds for the MAC address usage to 90% and 20% respectively.

<HUAWEI> system-view
[HUAWEI] mac-address threshold-alarm upper-limit 90 lower-limit 20

mac-address trap hash-conflict enable

Function

The mac-address trap hash-conflict enable command enables the trap function for the MAC address hash conflict.

The undo mac-address trap hash-conflict enable command disables the trap function for the MAC address hash conflict.

By default, the trap function for the MAC address hash conflict is enabled.

Format

mac-address trap hash-conflict enable

undo mac-address trap hash-conflict enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve the MAC address forwarding performance, the MAC address table of the device is saved using a hash link. When the same key value is obtained for multiple MAC addresses according to the hash algorithm, some MAC addresses may be not learned. That is, the MAC address hash conflict occurs.

In this situation, the MAC address table space is not full but the MAC address entry cannot be learned. When the MAC address hash conflict occurs, traffic with this destination MAC address can be only broadcast. This occupies device bandwidth and resources. You can replace the device or network adapter of the terminal.

After the trap function for the MAC address hash conflict is configured, the administrator can immediately discover MAC address hash conflicts.

Precautions

The command does not take effect on SA cards of S series.

Example

# Enable the trap function for the MAC address hash conflict.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict enable

mac-address trap hash-conflict history

Function

The mac-address trap hash-conflict history command sets the number of alarms reported at an interval when the MAC address hash conflict occurs.

The undo mac-address trap hash-conflict history command restores the default number of alarms reported at an interval when the MAC address hash conflict occurs.

By default, one alarm is reported at an interval when the MAC address hash conflict occurs.

Format

mac-address trap hash-conflict history history-number

undo mac-address trap hash-conflict history

Parameters

Parameter	Description	Value
history-number	Specifies the number of alarms reported at an interval when the MAC address hash conflict occurs.	The value is an integer that ranges from 1 to 20.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 1 alarms every 60s. Each alarm carries a MAC address for which the hash conflict occurs.

If hash values of more than 1 MAC addresses conflict, reports about subsequent MAC address hash conflicts cannot be reported. You can run this command to set the number of alarms reported at an interval.

Precautions

When you run the mac-address trap hash-conflict history command multiple times, only the latest configuration takes effect.

The command does not take effect on SA cards of S series.

On a device running a version earlier than V200R023C00, the default number of alarms reported at each interval for MAC address hash conflicts is 10. After the system software of the device is upgraded to V200R023C00 or a later version, the default number of alarms reported at each interval for MAC address hash conflicts is changed to 1.

Example

# Set the number of alarms reported at an interval to 12 when the MAC address hash conflict occurs.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict history 12

mac-address trap hash-conflict interval

Function

The mac-address trap hash-conflict interval command sets the interval at which alarms are reported when the MAC address hash conflict occurs.

The undo mac-address trap hash-conflict interval command restores the default interval at which alarms are reported when the MAC address hash conflict occurs.

By default, alarms are reported at intervals of 600s when the MAC address hash conflict occurs.

Format

mac-address trap hash-conflict interval interval-time

undo mac-address trap hash-conflict interval

Parameters

Parameter	Description	Value
interval-time	Specifies the interval at which alarms are reported when the MAC address hash conflict occurs.	The value is an integer that ranges from 60 to 3600, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the trap function for the MAC address hash conflict is enabled, the device reports a maximum of 1 alarms every 600s. Each alarm carries a MAC address for which the hash conflict occurs.

If a small interval is used, alarms about MAC address hash conflicts are reported immediately. When there are many MAC address hash conflicts, many alarms are reported.

If a long interval is used and many MAC address hash conflicts occur, alarms will be suppressed. You can adjust the interval according to the requirements.

Precautions

When you run the mac-address trap hash-conflict interval command multiple times, only the latest configuration takes effect.

The command does not take effect on SA cards of S series.

On a device running a version earlier than V200R023C00, the default interval for reporting alarms about MAC address hash conflicts is 60. After the system software of the device is upgraded to V200R023C00 or a later version, the default interval for reporting alarms about MAC address hash conflicts is changed to 600.

Example

# Set the interval at which alarms are reported to 90s when the MAC address hash conflict occurs.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict interval 90

mac-address trap hash-conflict threshold

Function

The mac-address trap hash-conflict threshold command sets the lower alarm threshold for MAC address hash conflicts.

The mac-address trap hash-conflict threshold command restores the default value of the lower alarm threshold for MAC address hash conflicts.

By default, the lower alarm threshold for MAC address hash conflicts is 0.

Format

mac-address trap hash-conflict threshold threshold-value

undo mac-address trap hash-conflict threshold

Parameters

Parameter	Description	Value
threshold-value	Specifies the lower alarm threshold for MAC address hash conflicts.	The value is an integer that ranges from 0 to 20. The default value is 0.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the trap function for MAC address hash conflicts is configured on a switch, the switch sends an alarm if a MAC address hash conflict occurs. This helps you detect and rectify the fault in time.

If a small number of MAC address hash conflicts occur on the network and users do not need to be aware of the conflicts, you can run the mac-address trap hash-conflict threshold command on a switch to set the lower alarm threshold for MAC address hash conflicts. The switch sends an alarm only if the number of MAC address hash conflicts exceeds the lower alarm threshold.

Precautions

If you run this command multiple times, only the latest configuration takes effect.

If the lower alarm threshold for MAC address hash conflict is set to 20 on a device, the device does not report MAC address hash conflict alarms regardless of the number of MAC address hash conflict alarms generated during each period.

The command does not take effect on SA cards of S series.

Example

# Set the lower alarm threshold for MAC address hash conflicts to 10.

<HUAWEI> system-view
[HUAWEI] mac-address trap hash-conflict threshold 10

mac-address trap notification

Function

The mac-address trap notification command enables the trap function for MAC address learning or aging.

The undo mac-address trap notification command disables the trap function for MAC address learning or aging.

By default, the trap function for MAC address learning or aging is disabled.

Format

mac-address trap notification { aging | learn | all }

undo mac-address trap notification

Parameters

Parameter	Description	Value
aging	Enables the trap function for MAC address aging.	-
learn	Enables the trap function for MAC address learning.	-
all	Enables the trap function for MAC address learning and aging.	-

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To learn MAC address change in a timely manner, run the mac-address trap notification command to enable the trap function for MAC address learning or aging.

Precautions

When you run the mac-address trap notification command multiple times, only the latest configuration takes effect.

The trap function for MAC address learning or aging is not supported for the MAC address entries in a VSI.

Example

# Enable the trap function for MAC address learning on GE1/0/1.

<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] mac-address trap notification learn

mac-address trap notification interval

Function

The mac-address trap notification interval command sets the interval at which the device checks MAC address learning or aging.

The undo mac-address trap notification interval command restores the default interval at which the device checks MAC address learning or aging.

By default, the device checks MAC address learning or aging at intervals of 10s.

Format

mac-address trap notification interval interval-time

undo mac-address trap notification interval

Parameters

Parameter	Description	Value
interval-time	Specifies the interval at which the device checks MAC address learning or aging.	The value is an integer that ranges from 10 to 600, in seconds. The default value is 10.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After the mac-address trap notification command is used to enable the trap function when the device learns MAC addresses or MAC addresses are aged, the device periodically checks whether MAC addresses are learned or aged. You can run the mac-address trap notification interval command to set the interval.

Example

# Set the interval at which the device checks MAC address learning or aging to 20s.

<HUAWEI> system-view
[HUAWEI] mac-address trap notification interval 20

mac-address update arp

Function

The mac-address update arp command enables the MAC address-triggered ARP entry update function. That is, the Switch is enabled to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

The undo mac-address update arp command disables the MAC address-triggered ARP entry update function.

By default, the MAC address-triggered ARP entry update function is disabled.

Format

mac-address update arp

undo mac-address update arp

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding. The ARP entries that define the mapping between IP addresses and MAC addresses guide communication between devices on different network segments.

The outbound interface in a MAC address entry is updated by packets, whereas the outbound interface in an ARP entry is updated after the aging time is reached. In this case, the outbound interfaces in the MAC address entry and ARP entry may be different. To address this issue, run the mac-address update arp command to enable the Switch to update outbound interfaces in ARP entries when outbound interfaces in MAC address entries change.

Precautions

This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when the corresponding MAC address entries change.

The mac-address update arp command does not take effect after ARP entry fixing is enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable command.

After the mac-address update arp command is run, the Switch updates an ARP entry only if the outbound interface in the corresponding MAC address entry changes.

After this command is executed, the arp anti-attack gratuitous-arp drop command becomes invalid and the Switch cannot drop gratuitous ARP packets.

Example

# Enable the MAC address-triggered ARP entry update function.

<HUAWEI> system-view
[HUAWEI] mac-address update arp

mac-learning priority

Function

The mac-learning priority command sets the MAC address learning priority of an interface.

The undo mac-learning priority command restores the default MAC learning priority of an interface.

By default, the MAC address learning priority of an interface is 0.

Format

mac-learning priority priority-id

undo mac-learning priority

Parameters

Parameter	Description	Value
priority priority-id	Specifies the MAC address learning priority of an interface.	The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

GE interface view, XGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view, 25GE interface view, MultiGE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, run the mac-learning priority command to set the priority of the uplink interface to be higher than the user-side interfaces. When these interfaces learn the same MAC address, the MAC address entry learned by the uplink interface overrides MAC address entries learned by the user-side interfaces. Therefore, the switch will not learn MAC addresses of unauthorized users, and authorized users can access the server and use network resources.

You can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority.

Both the undo mac-learning priority allow-flapping command and the mac-learning priority command can prevent MAC address flapping. The difference between the two commands is as follows:

The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Precautions

If you run the mac-learning priority command multiple times in the same interface view, only the latest configuration takes effect.

The function is not supported for the MAC address entries in a VSI.

Example

# Set the MAC address learning priority of GigabitEthernet1/0/2 to 3.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] mac-learning priority 3

mac-learning priority allow-flapping

Function

The mac-learning priority allow-flapping command allows MAC address flapping between interfaces with the same priority.

The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority.

By default, MAC address flapping between interfaces with the same priority is allowed.

Format

mac-learning priority priority-id allow-flapping

undo mac-learning priority priority-id allow-flapping

Parameters

Parameter	Description	Value
priority priority-id	Specifies the MAC address learning priority of an interface.	The value is an integer that ranges from 0 to 3. A larger value indicates a higher priority.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and downlink interfaces are connected to users. To prevent unauthorized users from using the server MAC address to connect to the switch, you can run the undo mac-learning priority allow-flapping command to forbid MAC address flapping between interfaces with the same priority. MAC address then will not be learned by multiple interfaces. This prevents attackers from using the MAC addresses of valid devices to attack the switch.

Both the mac-learning priority command and the undo mac-learning priority allow-flapping command can prevent MAC address flapping. The difference between the two commands is as follows:

The undo mac-learning priority allow-flapping command prevents MAC address flapping between interfaces with the same priority. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch cannot learn the correct server MAC address.
The mac-learning priority command prevents MAC address flapping between interfaces with different priorities. If an attacker uses the server MAC address to connect to the switch after the server is powered off, the switch learns the MAC address of the forged server. After the real server is powered on, the switch can learn the correct server MAC address.

Precautions

The function is not supported for the MAC address entries in a VSI.

Example

# Forbid MAC address flapping between interfaces with priority 1.

<HUAWEI> system-view
[HUAWEI] undo mac-learning priority 1 allow-flapping

mac-learning priority flapping-defend action

Function

The mac-learning priority flapping-defend action command configures an action to be taken when the switch is configured to prohibit MAC address flapping.

The undo mac-learning priority flapping-defend action command restores the default action when the switch is configured to prohibit MAC address flapping.

By default, the action is forward when the switch is configured to prohibit MAC address flapping.

Format

mac-learning priority flapping-defend action { forward | discard }

undo mac-learning priority flapping-defend action

Parameters

Parameter	Description	Value
forward	Packets are forwarded when the switch is configured to prohibit MAC address flapping.	-
discard	Packets are discarded when the switch is configured to prohibit MAC address flapping.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An uplink interface of the switch is connected to a server, and a downlink interface is connected to a user. To prevent a malicious user from using a forged server's MAC address to attack the switch, run the mac-learning priority command in the interface view or the undo mac-learning priority allow-flapping command in the system view to prohibit MAC address flapping. A MAC address then will not be learned by multiple interfaces, and the malicious user cannot use the MAC address of a valid device to attack the switch. However, packets of the malicious user are still forwarded. You can configure the discard action to discard packets from the malicious user when MAC address flapping is prohibited.

Precautions

If the mac-learning priority or undo mac-learning priority allow-flapping command is not used, the action specified using this command is invalid.
This command is invalid for MAC addresses in a VSI.

Example

# Configure the switch to discard packets when the switch is configured to prohibit MAC address flapping.

<HUAWEI> system-view
[HUAWEI] mac-learning priority flapping-defend action discard

mac-limit

Function

The mac-limit command configures a rule to limit the number of MAC addresses that can be learned.

The undo mac-limit command deletes the rule.

By default, the number of learned MAC addresses is not limited.

Format

mac-limit { maximum max-num | action { discard | forward } | alarm { disable | enable } } ^*

undo mac-limit

Parameters

Parameter	Description	Value
action { discard \| forward }	Indicates the action performed when the number of learned MAC address entries reaches the limit. discard: discards packets with new source MAC addresses. forward: forwards packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table.	If no action is specified in the command, the default action discard is used.
alarm { disable \| enable }	Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit. disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit. enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.	If you do not set this parameter in the command, the alarm function is enabled by default.
maximum max-num	Sets the maximum number of MAC addresses that can be learned. NOTE: If maximum is not set, you must run the mac-limit command with maximum specified. If you have run the mac-limit command to set the maximum number of MAC addresses that can be learned, you do not need to set maximum max-num when running this command again.	The value is a decimal integer ranging from 0 to 32767. The value 0 indicates that the highest rate of MAC address learning is not limited.

Parameter

Description

Value

action { discard | forward }

Indicates the action performed when the number of learned MAC address entries reaches the limit.

discard: discards packets with new source MAC addresses.
forward: forwards packets with new source MAC addresses but does not add the new MAC addresses to the MAC address table.

If no action is specified in the command, the default action discard is used.

alarm { disable | enable }

Indicates whether the system generates an alarm when the number of learned MAC address entries reaches the limit.

disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit.
enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.

If you do not set this parameter in the command, the alarm function is enabled by default.

maximum max-num

Sets the maximum number of MAC addresses that can be learned.

NOTE:

If maximum is not set, you must run the mac-limit command with maximum specified. If you have run the mac-limit command to set the maximum number of MAC addresses that can be learned, you do not need to set maximum max-num when running this command again.

The value is a decimal integer ranging from 0 to 32767. The value 0 indicates that the highest rate of MAC address learning is not limited.

Views

VLAN view, GE interface view, XGE interface view, MultiGE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-limit command limits the number of access users and prevents attacks to the MAC address tables. You can set the action to discard and enable the function to improve network security.

Precautions

The mac-limit command configuration takes effect only for dynamically learned MAC addresses. If some MAC addresses have been learned, run the undo mac-address dynamic command to delete the learned MAC address entries. If you do not delete them, less new MAC addresses can be learned than the value configured using the mac-limit command.
You cannot specify the discard action when running the mac-limit command in the VLAN view on SA boards of S series.
On SA cards of S series, when the number of MAC addresses learned in a VLAN reaches the maximum, the mac-address learning disable command does not take effect on interfaces in the VLAN.
After the port-security enable command is configured on an interface, mac-limit cannot take effect. Do not configure mac-limit and port-security enable simultaneously.
The MAC address limiting function and NAC conflict on an interface; therefore, the mac-limit and mac-authen, dot1x enable, web-auth-server or authentication-profile commands cannot be used on the same interface.
If the maximum number of MAC addresses that can be learned is set to N in the VLAN view and interfaces in a VLAN are on different cards, a maximum of N MAC addresses can be learned on each card.
If you run the mac-limit command in the interface view, the command takes effect only for MAC addresses learned from VLANs.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet1/0/2 to 30. Configure the device to generate an alarm when the number of learned MAC addresses exceeds the maximum.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] mac-limit maximum 30 alarm enable

mac-limit slot

Function

The mac-limit slot command configures a rule to limit the number of MAC addresses that can be learned by interfaces in a specified slot.

The undo mac-limit slot command deletes the MAC address limiting rule in a specified slot.

By default, the number of MAC addresses learned by interfaces in a slot is not limited.

Format

mac-limit slot slot-id { maximum max-num | action { discard | forward } | alarm { disable | enable } }^*

undo mac-limit slot slot-id

Parameters

Parameter	Description	Value
slot slot-id	Specifies the slot ID.	The value is an integer and must specify an existing slot on the device.
action { discard \| forward }	Indicates the action performed when the number of MAC address entries learned by interfaces in a slot reaches the limit. discard: discards packets with new source MAC addresses. forward: forwards packets with new source MAC addresses but does not add the source MAC addresses to the MAC address table.	The default action is discard.
alarm { disable \| enable }	Indicates whether the system generates an alarm when the number of MAC address entries learned by interfaces in a slot reaches the limit. disable: indicates that no alarm is generated when the number of learned MAC addresses reaches the limit. enable: indicates that an alarm is generated when the number of learned MAC addresses reaches the limit.	By default, the system does not generate an alarm when the number of MAC address entries learned by interfaces in a slot reaches the limit.
maximum max-num	Specifies the maximum number of MAC addresses that can be learned by interfaces in a slot.	The value is an integer that ranges from 0 to 32767. When the value is 0, the number of MAC addresses learned by interfaces in a slot is not limited.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The mac-limit slot limits the number of MAC addresses that can be learned by interfaces in a slot, controlling the number of access users and protecting the MAC address table against attacks. You can configure the system to discard packets with new source MAC addresses and generates an alarm when the number of learned MAC addresses reaches the limit. This improves network security.

Precautions

If the action is set to forward, illegal packets are still forwarded on the network, threatening network security.

The mac-limit slot command configuration takes effect only for dynamically learned MAC addresses. If MAC addresses have been learned by interfaces in a slot, run the undo mac-address command in the system view to delete the MAC addresses before using the mac-limit slot command. Otherwise, the limit set the command cannot control the number of learned MAC addresses accurately.

If MAC address limiting rules are configured in a slot and on interfaces in this slot, one of the following situations occurs:

If the sum of maximum numbers in rules configured on all interfaces in a slot is greater than the maximum number in the rule configured in the slot, the number of MAC addresses learned by interfaces in the slot is restricted by the rule configured in the slot.
If the sum of maximum numbers in rules configured on all interfaces in a slot is smaller than the maximum number in the rule configured in the slot, the number of MAC addresses learned by interfaces in the slot is restricted by sum of maximum numbers in rules configured on all interfaces in the slot.

If you run the mac-limit slot command multiple times, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by interfaces in slot 2 to 100. Configure the system to discard packets and send a trap to the NMS when the maximum number is exceeded.

<HUAWEI> system-view

[HUAWEI] mac-limit slot 2 maximum 100 action discard alarm enable

mac-miss action discard

Function

The mac-miss action discard command configures the system to discard the packets that do not match any MAC address entry in a VLAN.

The undo mac-miss action discard command restores the default configuration. That is, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

By default, the system broadcasts the packets that do not match any MAC address entry in a VLAN.

This configuration is not supported on the SA cards of S series.

Format

mac-miss action discard

undo mac-miss action discard

Parameters

None

Views

VLAN view

Default Level

2: Configuration level

Usage Guidelines

When a DHCP user goes offline, the MAC address entry of the user ages. If there are packets destined for this user, the system cannot find the MAC address entry, so it broadcasts the packets to all interfaces in the VLAN. In this case, all users can receive the packets. This affects packet security. The mac-miss action discard command can reduce workload on the device and improve packet security.

Example

# Configure the system to discard the packets that do not match any MAC address entry in VLAN 100.

<HUAWEI> system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-miss action discard

mac-syn fast-send enable

Function

The mac-syn fast-send enable command enables hardware-based MAC address entry synchronization.

The undo mac-syn fast-send enable command disables hardware-based MAC address entry synchronization.

By default, hardware-based MAC address entry synchronization is disabled.

Only the X series cards (except X1E series cards) support this command.

Format

mac-syn fast-send enable { all | slot slot-id }

undo mac-syn fast-send enable { all | slot slot-id }

Parameters

Parameter	Description	Value
all	Enables hardware-based MAC address entry synchronization in all slots.	-
slot slot-id	Enables hardware-based MAC address entry synchronization in the specified slot.	The value is an integer and must be the slot ID of a running card.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If software-based MAC address entry synchronization between LPUs cannot meet your requirements, you can run the mac-syn fast-send enable command to enable hardware-based MAC address entry synchronization to shorten the synchronization time and improve the synchronization performance.

Precautions

Hardware-based and software-based MAC address entry synchronization functions depend on each other. When you configure the mac-syn fast-send enable command for a device slot, the device delivers the mac-syn enable command to the slot to enable software-based MAC address entry synchronization at the same time. Before disabling software-based MAC address entry synchronization (by running the undo mac-syn enable command) on a device enabled with hardware-based MAC address entry synchronization (by running the mac-syn fast-send enable command), you need to run the undo mac-syn fast-send enable command to disable hardware-based MAC address entry synchronization.

If you run the mac-syn fast-send enable all command to enable hardware-based MAC address entry synchronization in all slots, this command takes effect only on the cards that support this command.

Example

# Enable hardware-based MAC address entry synchronization in all slots.

<HUAWEI> system-view
[HUAWEI] mac-syn fast-send enable all

port bridge enable

Function

The port bridge enable command enables the port bridge function on an interface. The interface then can forward packets whose source and destination MAC addresses are both learned by this interface.

The undo port bridge enable command disables the port bridge function.

By default, the port bridge function is disabled on an interface.

Format

port bridge enable

undo port bridge enable

Parameters

None

Views

GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, 100GE interface view, Eth-Trunk interface view, port group view, 25GE interface view

Default Level

2: Configuration level

Usage Guidelines

The port bridge function enables an interface to forward packets whose source and destination MAC addresses are both learned on the interface. By default, an interface discards packets whose source and destination MAC addresses are both learned on the interface.

When enabled with the port bridge function, the interface forwards such packets if their destination MAC addresses are found in the MAC address table.

The port bridge function is used in the following scenarios:

The switch connects to devices that do not support Layer 2 forwarding. When users connected to the devices need to communicate, the devices send user packets to the switch for forwarding. Because source and destination MAC addresses of the packets are learned on the same interface, the port bridge function needs to be enabled on the interface so that the interface can forward such packets.
The switch is used as an access device in a data center and is connected to servers. For example, take multiple servers hosting multiple virtual machines that need to transmit data to each other. By enabling the port bridge function on the interfaces connected to the servers, you allow the switch to forward data packets between the virtual machines at a higher speed than if the servers perform the switching operations.

Example

# Enable the port bridge function on GigabitEthernet1/0/1.

<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port bridge enable

remark destination-mac

Function

The remark destination-mac command configures an action of re-marking the destination MAC address in packets in a traffic behavior.

The undo remark destination-mac command deletes the configuration.

By default, an action of re-marking the destination MAC address in packets is not configured in a traffic behavior.

Format

remark destination-mac mac-address

undo remark destination-mac

The X series cards do not support this command.

Parameters

Parameter	Description	Value
mac-address	Specifies the destination MAC address.	The value is in H-H-H format. An H is a hexadecimal number with 1 to 4 digits. The value must be a unicast MAC address.

Views

Traffic behavior view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can use the remark destination-mac command to re-mark the destination MAC address in packets in a traffic behavior so that the downstream device can identify packets and provide differentiated services.

Follow-up Procedure

Precautions

In a traffic behavior, the remark destination-mac command cannot be used with the redirect ip-nexthop or redirect ip-multihop command.
A traffic policy containing remark destination-mac cannot be applied to the outbound direction.
If you run the remark destination-mac command in the same traffic classifier view multiple times, only the latest configuration takes effect.

Example

# Configure the traffic behavior b1: The destination MAC address of packets is re-marked to 00e0-fc07-bed3.

<HUAWEI> system-view
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] remark destination-mac 00e0-fc07-bed3

reset mac-address flapping record

Function

The reset mac-address flapping record command clears MAC address flapping records.

Format

reset mac-address flapping record

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before collecting MAC address flapping statistics, run the reset mac-address flapping record command to clear the current statistics.

Precautions

This command deletes only the historical MAC address flapping records that have been aged.

After clearing MAC address flapping records, you can run the display mac-address flapping record command to view current MAC address flapping records.

The cleared MAC address flapping records cannot be restored.

Example

# Clear MAC address flapping records.

<HUAWEI> reset mac-address flapping record

undo mac-address

Function

The undo mac-address command deletes one or more MAC address entries.

Format

undo mac-address [ all | dynamic ] [ interface-type interface-number | vlan vlan-id ] ^*

undo mac-address { all | dynamic } [ vsi vsi-name ]

undo mac-address mac-address [ vlan vlan-id | vsi vsi-name ]

Parameters

Parameter	Description	Value
mac-address	Specifies the MAC address in a MAC address entry to be deleted.	The value is in H-H-H format. An H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address.
interface-type interface-number	Specifies the interface in a MAC address entry to be deleted.	-
vlan vlan-id	Specifies the VLAN ID in a MAC address entry to be deleted.	The value is an integer that ranges from 1 to 4094.
all	Specifies that all MAC address entries excluding DHCP sticky MAC address entries and NAC MAC address entries are deleted.	-
vsi vsi-name	Specifies the name of a VSI. The VSI must have been created.	-
dynamic	Deletes dynamic MAC address entries, that is, MAC address entries learned by an interface.	-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A MAC address table saves a limited number of MAC addresses. If the MAC address table is full, the device cannot learn new MAC address entries until old MAC addresses are aged out. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless MAC address entries to release the MAC address table space.

You can delete some of MAC address entries as required. For example:

If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Precautions

If port security and NAC authentication are enabled on an interface and a user is successfully authenticated on the interface and connects to the network, the undo mac-address command cannot delete MAC address entries of the user. If authentication mode is used to set the user access mode to multi-share, the undo mac-address command can delete MAC address entries of the user.

Example

# Delete all MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address all

# Delete all dynamic MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic

# Delete all MAC address entries on gigabitethernet1/0/1.

<HUAWEI> system-view
[HUAWEI] undo mac-address gigabitethernet 1/0/1

# Delete all MAC address entries in VLAN 5.

<HUAWEI> system-view
[HUAWEI] undo mac-address vlan 5

# Delete all dynamic MAC address entries in the VSI a2.

<HUAWEI> system-view
[HUAWEI] undo mac-address dynamic vsi a2

# Delete all MAC address entries in which the MAC address is 00e0-fc04-0004.

<HUAWEI> system-view
[HUAWEI] undo mac-address 00e0-fc04-0004

undo mac-address temporary

Function

The undo mac-address temporary command deletes all the temporary MAC address entries in the system.

Format

undo mac-address temporary

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the LPU is pulled out, the static MAC address entries configured on the interfaces are reserved as temporary MAC address entries. After the LPU is plugged again, the static MAC address entries are restored.

If the LPU is not plugged after being pulled out, the temporary MAC address entries become unnecessary and occupy the system resources. In this case, you can run the undo mac-address temporary command to delete all the temporary MAC address entries in the system.

Example

# Delete all the temporary MAC address entries in the system.

<HUAWEI> system-view

[HUAWEI] undo mac-address temporary

undo mac-limit all

Function

The undo mac-limit all command deletes all MAC address limiting rules.

Format

undo mac-limit all

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

This command deletes all the rules configured by the mac-limit command.

Precautions

Before using this command, run the display mac-limit command to check the MAC address limiting rules and confirm your operation.

Example

# Delete all MAC address limiting rules.

<HUAWEI> system-view
[HUAWEI] undo mac-limit all

Command Support
display bridge mac-address
display mac-address
display mac-address aging-time
display mac-address blackhole
display mac-address dynamic
display mac-address flapping
display mac-address flapping record
display mac-address hash-conflict record
display mac-address hash-mode
display mac-address mux
display mac-address oam
display mac-address static
display mac-address summary
display mac-address total-number
display mac-limit
drop illegal-mac alarm
drop illegal-mac enable
global-mac-learning enable
mac-address aging-time
mac-address blackhole
mac-address destination hit aging enable
mac-address flapping action
mac-address flapping action priority
mac-address flapping aging-time
mac-address flapping detection
mac-address flapping detection exclude vlan
mac-address flapping detection vlan security-level
mac-address flapping mac-syn-suppress disable
mac-address flapping quit-vlan recover-time
mac-address flapping unicast-suppress all disable
mac-address flapping unicast-suppress disable
mac-address hash-conflict learning-preference enable
mac-address hash-mode
mac-address learning disable (interface view and VLAN view)
mac-address learning disable (traffic behavior view)
mac-address learning self-healing enable
mac-address static vlan
mac-address threshold-alarm
mac-address trap hash-conflict enable
mac-address trap hash-conflict history
mac-address trap hash-conflict interval
mac-address trap hash-conflict threshold
mac-address trap notification
mac-address trap notification interval
mac-address update arp
mac-learning priority
mac-learning priority allow-flapping
mac-learning priority flapping-defend action
mac-limit
mac-limit slot
mac-miss action discard
mac-syn fast-send enable
port bridge enable
remark destination-mac
reset mac-address flapping record
undo mac-address
undo mac-address temporary
undo mac-limit all

Translation

Favorite

Download

Update Date：2024-04-10

Document ID：EDOC1100365397

Downloads：88

Average rating：0.0Points

Digital Signature File

digtal sigature tool