This chapter describes how to configure the MAC address table. Each station or server has a
unique Medium Access Control (MAC) address. When a device exchanges data with
connected stations or servers, the device records their MAC addresses, access interfaces, and
VLAN IDs for unicast forwarding.
2.1 Introduction to the MAC Address
This section describes the concept of the Media Access Control (MAC) address.
2.2 Principles
2.3 Application Environment
This section describes the applicable environment of MAC address flapping.
2.4 Configuration Task Summary
2.5 Configuration Notes
2.6 Default Configuration
2.7 Configuring a MAC Address Table
You can configure functions and parameters for a MAC address table to implement secure
communication between authorized users. The following configurations are optional and can
be performed in any sequence.
2.8 Configuring MAC Address Anti-flapping
2.9 Configuring MAC Address Flapping Detection
MAC address flapping detection detects all MAC addresses on the device. If MAC address
flapping occurs, the device sends an alarm to the NMS.
2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry
2.12 Disabling the Device from Discarding Packets in Which the Destination MAC Address
and the Configured Static MAC Address Conflict
2.13 Enabling MAC Address-triggered ARP Entry Update
2.2 Principles
A MAC address table is a Layer 2 forwarding table that stores MAC addresses learned from
other devices.
MUX MAC, authen MAC, and guest MAC. They are maintained by service modules and are
converted from dynamic MAC address entries.
Dynamic MAC address entry
Characteristics:
l Dynamic MAC address entries are obtained by learning source MAC addresses of packets on an
interface, and can be aged.
l Dynamic MAC address entries are lost after a system restart, LPU hot swap, or LPU reset.
Function:
l You can check whether data is forwarded between two connected devices by checking dynamic
MAC address entries.
l You can obtain the number of communicating users connected to an interface by checking the
number of specified dynamic MAC address entries.
Static MAC address entry
Characteristics:
l Static MAC address entries are manually configured and delivered to each LPU. Static MAC
address entries never age.
l The static MAC address entries saved in the system are not lost after a system restart, LPU hot
swap, or LPU reset.
l After an interface is statically bound to a MAC address, other interfaces discard packets from
this source MAC address.
l Each static MAC address entry can have only one outbound interface.
l Statically binding an interface to a MAC address does not affect the learning of dynamic MAC
address entries on the interface.
Function: When static MAC address entries are configured, authorized users can use network
resources and other users are prevented from using the bound MAC addresses to initiate attacks.
MAC Address      VLAN ID   Outbound Interface
0011-0022-0034   10        GE3/0/1
0011-0022-0034   20        GE2/0/4
0011-0022-0035   30        Eth-Trunk20
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 2-1, when packets
sent from PC1 to PC3 reach the switch, the switch searches its MAC address table for the
destination MAC address MAC3 and VLAN 10 in the packets to obtain outbound interface
Port3. The switch then forwards packets to PC3 from Port3.
[Figure 2-1 (not reproduced): a frame with destination MAC3, source MAC1 and VLAN 10 is
looked up in the MAC address table and forwarded from Port3 to PC3.]
[Figure 2-2 (not reproduced): HostA sends a data frame to PortA of SwitchA.]
As shown in Figure 2-2, HostA sends a data frame to SwitchA. When receiving the data
frame, SwitchA obtains the source MAC address (HostA's MAC address) and VLAN ID of
the frame.
l If the MAC address entry does not exist in the MAC address table, SwitchA adds an
entry with the new MAC address, PortA, and VLAN ID to the MAC address table.
l If the MAC address entry exists in the MAC address table, SwitchA resets the aging
timer of the MAC address entry and updates the entry.
NOTE
l If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC address entry is
Eth-TrunkA.
l All interfaces of a switch belong to VLAN 1 by default. If the default VLAN is not changed, the
VLAN ID of all MAC address entries is VLAN 1.
l The switch does not learn the BPDU MAC address similar to 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the device
receives data frames.
[Figure 2-3 Aging of a dynamic MAC address entry (not reproduced): the device checks the table
at intervals of T; t1, t2 and t3 are marked on the time axis. t2: the hit flag of the entry
with MAC address 00e0-fc00-0001 and VLAN ID 1 is set to 0, but the entry is not deleted. t3:
the entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is deleted because its hit flag is 0.]
As shown in Figure 2-3, the aging time of MAC address entries is set to T. At t1, packets with
source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an interface, which has joined
VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN 1 exists in the MAC
address table, the MAC address is learned as a dynamic MAC address entry in the MAC
address table, and the hit flag of the entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC address entry
with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device sets the hit flag to 0 but
does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the device
between t2 and t3, the hit flag of the matching MAC address entry is always 0.
3. At t3, the device finds that the hit flag of the matching MAC address entry is 0. The
device considers that the aging time of the MAC address entry has expired and deletes
the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on the device.
You can set the aging time of MAC address entries to control the life cycle of dynamic MAC
address entries in a MAC address table.
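The hit-flag aging mechanism described above, written out as a small simulation. This is an added example, not code from the switch vendor; the DynamicMacTable class, the assumption that the first sweep happens at t = T, and the MAC addresses, interfaces and times used are all constructed for illustration. It shows why an entry that stops sending survives somewhere between T and 2T, how a refreshing frame extends its life by another interval, and how aging time 0 makes entries fixed.

```python
"""Model of dynamic MAC address entry aging with a hit flag.

Added example, not code from the switch vendor. It models the mechanism
described above: an entry is learned with its hit flag set to 1, the
table is swept every T seconds, a sweep clears a hit flag of 1 to 0, and
a sweep that finds a hit flag of 0 deletes the entry. An entry that sees
no further traffic therefore survives between T and 2T. Aging time 0
means entries are never aged. Times are seconds from an arbitrary
origin; the first sweep happens at t = T (an assumption of this model).
"""
from dataclasses import dataclass


@dataclass
class DynamicEntry:
    interface: str
    hit: int = 1  # 1 = traffic with this source MAC seen since the last sweep


class DynamicMacTable:
    def __init__(self, aging_time: float):
        self.T = aging_time
        self.entries: dict[tuple[str, int], DynamicEntry] = {}
        self.next_sweep = aging_time                       # time of the next aging check
        self.deleted: list[tuple[str, int, float]] = []    # (mac, vlan, time) audit log

    def _advance(self, now: float) -> None:
        """Run every aging sweep that is due at or before `now`."""
        if self.T <= 0:
            return  # aging time 0: entries are fixed and never aged
        while self.next_sweep <= now:
            for key, entry in list(self.entries.items()):
                if entry.hit == 1:
                    entry.hit = 0          # seen recently: clear the flag, keep the entry
                else:
                    del self.entries[key]  # no traffic for a full interval: age out
                    self.deleted.append((key[0], key[1], self.next_sweep))
            self.next_sweep += self.T

    def learn(self, now: float, mac: str, vlan: int, interface: str) -> None:
        """Source MAC learning triggered by a received data frame."""
        self._advance(now)
        entry = self.entries.get((mac, vlan))
        if entry is None:
            self.entries[(mac, vlan)] = DynamicEntry(interface)
        else:
            entry.hit = 1                  # refresh: the entry lives at least another T
            entry.interface = interface

    def lookup(self, now: float, mac: str, vlan: int):
        """Outbound interface for (mac, vlan) at time `now`, or None if aged out."""
        self._advance(now)
        entry = self.entries.get((mac, vlan))
        return entry.interface if entry else None


def holdtime_of_unrefreshed_entry(aging_time: float, learn_at: float) -> float:
    """Learn one entry at `learn_at`, never refresh it, and return how long it survived."""
    table = DynamicMacTable(aging_time)
    table.learn(learn_at, "00e0-fc00-0001", 1, "GE1/0/1")          # constructed entry
    table.lookup(learn_at + 3 * aging_time, "00e0-fc00-0001", 1)  # drive the sweeps
    _, _, deleted_at = table.deleted[0]
    return deleted_at - learn_at


if __name__ == "__main__":
    for t1 in (10.0, 150.0, 299.0):
        print(f"learned at t={t1:.0f}s, survived {holdtime_of_unrefreshed_entry(300.0, t1):.0f}s")
```

Running the block with T = 300 s shows survival times of 590, 450 and 301 seconds for entries learned at 10, 150 and 299 seconds, all inside the T to 2T window the text states.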
The device provides the following MAC address learning control methods to address the
preceding issue:
Disabling MAC address learning on a VLAN or an interface: After MAC address learning is
disabled on a VLAN or an interface, the device does not learn new dynamic MAC address
entries on the VLAN or interface. The dynamic MAC address entries learned before are aged
out when the aging time expires. They can also be manually deleted using commands.
Limiting the number of learned MAC address entries on a VLAN or an interface: The device
can only learn a specified number of MAC address entries on a VLAN or an interface. When
the number of learned MAC address entries reaches the limit, the device reports an alarm to
notify the network administrator. After that, the device cannot learn new MAC address
entries on the VLAN or interface and discards the packets with source MAC addresses out of
the MAC address table.
Usage scenario (both methods):
l In most cases, attack packets sent by a hacker enter the device through the same interface.
Therefore, you can use either of the two methods to prevent attack packets from using up
MAC address entry resources on the device.
l The method of limiting the number of learned MAC address entries on a VLAN or an
interface can also be used to limit the number of access users.
MAC address flapping does not occur frequently on a network unless a network loop occurs.
If MAC address flapping frequently occurs on your network, you can quickly locate the fault
and eliminate the loops according to alarms and MAC address flapping records.
After MAC address flapping detection is enabled, the device can report an alarm when MAC
address flapping occurs. The alarm contains the flapping MAC address, VLAN ID, and
outbound interfaces between which the MAC address flaps. A loop may exist between the
outbound interfaces. You can locate the cause of the loop based on the alarm. Alternatively,
the device can perform the action specified in the configuration of MAC address flapping
detection to remove the loop automatically. The action can be quit-vlan (remove the interface
from the VLAN) or error-down (shut down the interface).
[Figure: MAC address flapping caused by an incorrect connection (not reproduced). SwitchA
connects to the network through Port1 and to the users through Port2 (access port) via
SwitchB; MAC address 11-22-33 is learned on both Port1 and Port2. SwitchB, SwitchC and
SwitchD form the user network, where an incorrect connection causes a broadcast storm; the
arrows show the data flow.]
receives a broadcast packet, SwitchA forwards the packet to SwitchB. The packet is then sent
to Port2 of SwitchA. After MAC address flapping detection is configured on SwitchA,
SwitchA can detect that the source MAC address of the packet flaps from Port1 to Port2. If
the MAC address flaps between Port1 and Port2 frequently, SwitchA reports an alarm about
MAC address flapping to alert the network administrator.
NOTE
MAC address flapping detection allows a device to detect changes in traffic transmission paths based on
learned MAC addresses, but the device cannot obtain the entire network topology. It is recommended
that this function be used on the interface connected to a user network where loops may occur.
During network planning, you can use the following methods to prevent MAC address
flapping:
l Increase the MAC address learning priority of an interface: When the same MAC
address is learned on interfaces of different priorities, the MAC address entry on the
interface with the highest priority overrides the MAC address entries on the other
interfaces.
l Prevent MAC address entries from being overridden on interfaces with the same priority:
If the interface connected to a bogus network device has the same priority as the
interface connected to an authorized device, the MAC address entry of the bogus device
learned later does not override the original correct MAC address entry. If the authorized
device is powered off, the MAC address entry of the bogus device is learned. After the
authorized device is powered on again, its MAC address cannot be learned.
As shown in Figure 2-6, Port1 of the switch is connected to a server. To prevent unauthorized
users from connecting to the switch using the server's MAC address, you can set a high MAC
address learning priority for Port1.
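The two mechanisms just described, flapping detection with its alarm and the per-interface learning priority, combined in one small model. This is an added example, not code from the switch vendor, and it makes its own assumptions: a priority is an integer (0 by default, larger means higher), a "flap" is the move of an existing (MAC, VLAN) entry to a different interface, an alarm is raised when an entry's flap count reaches a threshold (3 here; the real thresholds and timers are not stated in the text), whitelisted VLANs are skipped, and entries never age, so the "authorized device powered off" case is not modelled. MAC addresses and port names are constructed.

```python
"""Model of MAC address flapping detection combined with MAC address
learning priorities. Added example, not code from the switch vendor.
Assumptions: integer interface priorities (default 0, larger = higher);
a flap is a move of an existing (MAC, VLAN) entry to another interface;
an alarm is raised when the flap count of an entry reaches `threshold`;
VLANs on the whitelist are excluded from detection; no aging.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlapAlarm:
    mac: str
    vlan: int
    interfaces: tuple  # the two interfaces the MAC address flapped between


class FlapDetector:
    def __init__(self, threshold=3, allow_flapping_same_priority=True, whitelist_vlans=()):
        self.threshold = threshold
        self.allow_same = allow_flapping_same_priority
        self.whitelist = set(whitelist_vlans)
        self.priority = defaultdict(int)   # interface -> learning priority (default 0)
        self.table = {}                     # (mac, vlan) -> outbound interface
        self.flaps = defaultdict(int)       # (mac, vlan) -> flap count
        self.alarms = []

    def set_priority(self, interface, priority):
        self.priority[interface] = priority

    def learn(self, mac, vlan, interface):
        """Apply one source-MAC learning event and return the resulting outbound interface."""
        key = (mac, vlan)
        current = self.table.get(key)
        if current is None or current == interface:
            self.table[key] = interface
            return interface
        p_cur, p_new = self.priority[current], self.priority[interface]
        if p_new < p_cur:
            return current   # a lower-priority interface never overrides the entry
        if p_new == p_cur and not self.allow_same:
            return current   # flapping between equal-priority interfaces is suppressed
        self.table[key] = interface   # the entry moves: this is a flap
        if vlan not in self.whitelist:
            self.flaps[key] += 1
            if self.flaps[key] == self.threshold:
                self.alarms.append(FlapAlarm(mac, vlan, (current, interface)))
        return interface


def loop_scenario():
    """The incorrectly connected user network: MAC 11-22-33 alternates between Port1 and Port2."""
    det = FlapDetector(threshold=3)
    for port in ["Port1", "Port2", "Port1", "Port2", "Port1"]:
        det.learn("11-22-33", 10, port)
    return det


def server_port_scenario():
    """Figure 2-6: Port1 (server) gets a high learning priority; the same MAC on Port2 is ignored."""
    det = FlapDetector()
    det.set_priority("Port1", 3)
    det.learn("0011-0022-0034", 10, "Port1")   # constructed server MAC
    return det.learn("0011-0022-0034", 10, "Port2"), det.flaps[("0011-0022-0034", 10)]


if __name__ == "__main__":
    det = loop_scenario()
    print("loop: flaps =", dict(det.flaps), "alarms =", det.alarms)
    print("priority: entry stays on", server_port_scenario()[0])
```

In the loop scenario the alarm names the two interfaces the address oscillated between, which is exactly what the operator needs to find the loop; in the server scenario the high-priority binding means no entry move and therefore no flap at all.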
On an Ethernet network, a host sends and receives Ethernet data frames based on MAC
addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses.
When two devices on different network segments communicate with each other, they need to
map IP addresses to MAC addresses and outbound interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP entries are
consistent. As shown in Figure 2-7, the outbound interface in both the MAC address entry
and ARP entry is GE1/0/1. The interface is then changed. At T2, after a packet is received
from the peer device, the outbound interface in the MAC address entry is immediately
changed to GE1/0/2. However, the outbound interface in the ARP entry is still GE1/0/1. At
T3, the aging time of the ARP entry expires, and the outbound interface in the ARP entry is
changed to GE1/0/2 through ARP aging probe. Between T2 and T3, the outbound interface in
the ARP entry is unavailable, interrupting communication between devices on different
network segments.
MAC address-triggered ARP entry update enables a device to update the outbound interface
in an ARP entry immediately after the outbound interface in the corresponding MAC address
entry changes. As shown in Figure 2-8, MAC address-triggered ARP entry update is enabled.
At T2, after the outbound interface in the MAC address entry is changed to GE1/0/2, the
outbound interface in the ARP entry is immediately changed to GE1/0/2. This function
prevents communication interruption between T2 and T3 due to the incorrect outbound
interface in the ARP entry.
In data center virtualization scenarios, when the location of a virtual machine (VM) changes,
user traffic on the network may be interrupted if the VM cannot send gratuitous ARP
messages promptly to update ARP entries on the gateway. In this case, the device relearns
ARP entries by exchanging ARP messages only after ARP entries on the gateway age.
When the VM location is changed after MAC-ARP association is enabled and a gateway's
MAC entries are updated upon receipt of Layer 2 user traffic, ARP entries and outbound
interface information are updated as follows to accelerate Layer 3 traffic convergence:
l If ARP entries exist and the outbound interface of MAC entries is inconsistent with that
of ARP entries, ARP entries are updated based on MAC entries, and outbound interface
information is updated.
l If ARP entries do not exist, a broadcast suppression table is searched based on MAC
entries and ARP probe is re-initiated to update ARP entries and outbound interface
information.
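The T1/T2/T3 timeline above, with and without MAC address-triggered ARP entry update, as a simulation. This is an added example, not code from the switch vendor: the Gateway class, the way the ARP aging probe is abstracted (an expired entry simply re-reads the current MAC entry's interface), and the IP address, MAC address, ARP aging time and event times are all constructed. It shows the window between T2 and T3 in which Layer 3 traffic leaves the wrong interface when the feature is disabled.

```python
"""Model of the interaction between the MAC address table and the ARP table
of a gateway when a host's outbound interface changes (e.g. a VM migration).
Added example, not code from the switch vendor. At T2 a frame from the host
moves the MAC entry from GE1/0/1 to GE1/0/2; without MAC address-triggered
ARP entry update the ARP entry keeps GE1/0/1 until it ages at T3 (the aging
probe is modelled as re-reading the MAC table); with the feature enabled
the ARP entry is corrected at T2. All addresses and times are constructed.
"""
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: int
    interface: str
    expires_at: float


class Gateway:
    def __init__(self, mac_triggered_arp_update: bool, arp_aging_time: float = 1200.0):
        self.enabled = mac_triggered_arp_update
        self.arp_aging_time = arp_aging_time
        self.mac_table: dict[tuple[str, int], str] = {}   # (mac, vlan) -> interface
        self.arp_table: dict[str, ArpEntry] = {}          # ip -> entry
        self.events: list[tuple[float, str, str]] = []    # (time, what, interface)

    def learn_arp(self, now, ip, mac, vlan, interface):
        """Initial ARP resolution: both tables point at the same interface."""
        self.mac_table[(mac, vlan)] = interface
        self.arp_table[ip] = ArpEntry(ip, mac, vlan, interface, now + self.arp_aging_time)

    def receive_frame(self, now, src_mac, vlan, in_port):
        """Layer 2 source-MAC learning; an interface change may trigger an ARP update."""
        old = self.mac_table.get((src_mac, vlan))
        self.mac_table[(src_mac, vlan)] = in_port
        if old is None or old == in_port:
            return
        self.events.append((now, "mac-entry-moved", in_port))
        if self.enabled:
            for entry in self.arp_table.values():
                if entry.mac == src_mac and entry.vlan == vlan and entry.interface != in_port:
                    entry.interface = in_port
                    self.events.append((now, "arp-entry-updated", in_port))

    def l3_egress(self, now, ip):
        """Interface that Layer 3 traffic to `ip` leaves from at time `now`."""
        entry = self.arp_table[ip]
        if now >= entry.expires_at:
            # ARP aging probe: the refreshed entry picks up the current MAC entry interface
            entry.interface = self.mac_table[(entry.mac, entry.vlan)]
            entry.expires_at = now + self.arp_aging_time
            self.events.append((now, "arp-entry-aged-and-refreshed", entry.interface))
        return entry.interface


def run_timeline(mac_triggered_arp_update: bool):
    """Return the egress interface just after T2 and at T3 for the scenario in the text."""
    gw = Gateway(mac_triggered_arp_update, arp_aging_time=1200.0)
    t1, t2, t3 = 0.0, 100.0, 1200.0
    gw.learn_arp(t1, "10.1.1.10", "00e0-fc00-0001", 10, "GE1/0/1")   # constructed host
    gw.receive_frame(t2, "00e0-fc00-0001", 10, "GE1/0/2")            # host now behind GE1/0/2
    return gw.l3_egress(t2 + 1, "10.1.1.10"), gw.l3_egress(t3, "10.1.1.10")


if __name__ == "__main__":
    print("feature disabled:", run_timeline(False))   # stale GE1/0/1 until T3
    print("feature enabled: ", run_timeline(True))
```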
[Figure (not reproduced): Port1 of the Switch connected to a server.]
You can enable MAC address flapping detection on the Switch to detect MAC address
flapping and discover loops.
[Figure (not reproduced): the Switch connects to the network; LSW1 and LSW2 below it have
an incorrect connection that forms a loop.]
Scenario: MAC addresses and interfaces need to be bound statically.
Description: Configure static MAC address entries to bind MAC addresses and interfaces,
improving security of authorized users.
Task: 2.7.1 Configuring a Static MAC Address Entry
Scenario: Aging of dynamic MAC address entries needs to be flexibly controlled.
Description: Set the aging time according to your needs. Set the aging time to a large value
or 0 (not to age dynamic MAC address entries) on a stable network; set a short aging time in
other situations.
Task: 2.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Scenario: MAC address flapping needs to be detected.
Description: MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one. MAC
address flapping detection enables a switch to check whether any MAC address flaps between
interfaces and determine whether a loop occurs. When MAC address flapping occurs, the
switch sends an alarm to the NMS. The network maintenance personnel can locate the loop
based on the alarm information and historical records for MAC address flapping. This greatly
improves network maintainability. If the network connected to the switch does not support
loop prevention protocols, configure the switch to shut down the interfaces where MAC
address flapping occurs to reduce the impact of MAC address flapping on the network.
Task: 2.9 Configuring MAC Address Flapping Detection
Scenario: The switch needs to discard packets with an all-0 source or destination MAC
address.
Description: A faulty host or device may send packets with an all-0 source or destination
MAC address to a switch. Configure the switch to discard such packets and send an alarm to
the NMS so that the network administrator can locate the faulty host or device based on the
alarm information.
Task: 2.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
Scenario: The switch needs to discard packets in which destination MAC addresses do not
match the MAC address table.
Description: After a DHCP user goes offline, the MAC address entry of the user ages out. If
there are packets destined for this user, the system cannot find the MAC address entry. The
system then broadcasts the packets to all interfaces in the VLAN. In this case, all users
receive the packets, which brings security risks. After the switch is configured to discard
packets that do not match any MAC address entry, the switch discards such packets. This
function mitigates the burden on the switch and enhances security.
Task: 2.11 Configuring the Switch to Discard Packets That Do Not Match Any MAC Address
Entry
License Support
The MAC address table is a basic feature of a switch and is not under license control.
Version Support
Table 2-5 Products and minimum version supporting the MAC address table
Product: Minimum version
CE7855EI: V200R001C00
CE6810-48S4Q-LI/CE6810-48S-LI: V100R003C10
CE6810-32T16S4Q-LI/CE6810-24S2Q-LI: V100R005C10
CE6850-48S6Q-HI: V100R005C00
CE6850-48T6Q-HI/CE6850U-HI/CE6851HI: V100R005C10
CE6855HI: V200R001C00
CE6870-48T6CQ-EI: V200R002C50
CE5850HI: V100R003C00
Feature: MAC address entry
Description:
l Dynamic MAC address entries can be learned on an interface only after the interface is
added to an existing VLAN.
l Each static MAC address entry can have only one outbound interface.
l If there is a MAC address that is generated based on DHCP snooping
binding entries, the MAC address cannot be configured as a static
MAC address.
l The blackhole MAC address can be used as the source or destination
MAC address. For the CE6870EI, the device forwards Layer 3
packets with the source MAC address as the blackhole MAC address.
l Deleting MAC address entries may cause the reset of the aging time
of MAC address entries.
l After EVN is configured, the aging time of MAC address entries is
30 minutes and cannot be modified.
l By default, MAC addresses of VBDIF and VLANIF interfaces are
dynamically allocated from the MAC address range of the system.
You can also run the mac-address command to configure a static
MAC address. When the device is connected to the load balancer or
firewall or the if-match source-mac command is used on the device,
Layer 3 traffic may fail to be forwarded. To address this issue, delete
the configured MAC address of the interface.
l For the CE6870EI and CE6880EI, VBDIF interfaces, VLANIF
interfaces, and VRR share eight virtual MAC addresses.
Feature: MAC address learning
Description:
l MAC address learning limiting rules are invalid for existing online users and valid for
only new online users.
l If the VLANIF interface is not configured, the device can learn the
local system MAC address.
l Disabling MAC address learning and limiting the number of learned
MAC addresses are valid for a Layer 2 main interface and its sub-
interfaces for the CE6870EI.
l The hardware learns MAC address entries at line speed for the
CE6870EI. When many MAC address entries are learned in a short
period of time, the number of MAC address entries in the hardware
table is larger than the number of MAC address entries in the
software table. When many MAC address entries are aged in a short
period of time, the number of MAC address entries in the software
table is larger than the number of MAC address entries in the
hardware table. MAC address entries in the software and hardware
tables keep consistent through synchronization.
l Port security and MAC address limiting cannot be configured on an
interface.
l In the SVF, disabling MAC address learning cannot be configured in
the traffic behavior view.
l After MAC address limiting is configured on an interface, the VXLAN packets received by
an interface on a switch model other than the CE6870EI and CE6880EI are not affected by
this function.
Feature: MAC address flapping detection
Description:
l To prevent uplink traffic interruption, you are not advised to configure the action
performed when MAC address flapping is detected on upstream interfaces.
l In earlier versions of V100R006C00, MAC address flapping
detection is inapplicable to TRILL, VPLS, VXLAN, and EVN
networks. In V100R006C00 and later versions, MAC address
flapping detection is inapplicable to only the VPLS network.
l The MAC address flapping detection function can only detect a single
ring. When there are multiple rings, the MAC address flapping
detection function detects only the first ring. That is, if two or more
rings exist in a VLAN, the system reports only alarms about
interfaces in the first ring, regardless of whether the port status in the
first ring is Up or Down.
l The MAC address flapping detection function can only detect the first ring in a VLAN
within the configurable aging time (5 minutes by default). For example, if MAC address
flapping occurs between PortA and PortB, and then PortA or PortB goes Down and MAC
address flapping occurs between PortC and PortD within the same aging time, the flapping
interfaces in the alarm are still PortA and PortB.
l By default, MAC address triggered ARP entry update is enabled. If
MAC address flapping occurs for more than 10 times, MAC address
triggered ARP entry update is disabled. After MAC address flapping
is eliminated, MAC address triggered ARP entry update is enabled
automatically.
l For V200R002C50 and later versions, on models excluding the
CE6880EI, when MAC address flapping occurs on an interface, the
system suppresses packets. In this case, the forwarding rate of the
outbound interface is 1% of the bandwidth of the inbound interface.
Packets are not suppressed in the following two situations:
– The interface is configured with storm control and storm
suppression.
– Multicast is enabled globally.
Context
MAC addresses and interfaces are bound statically in static MAC address entries.
A device cannot distinguish packets from authorized and unauthorized users when it learns
source MAC addresses of packets to maintain the MAC address table. This causes network
risks. If an unauthorized user uses the MAC address of an authorized user as the source MAC
address of attack packets and connects to another interface of the device, the device learns an
incorrect MAC address entry. As a result, packets destined for the authorized user are
forwarded to the unauthorized user. To improve security, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This prevents
unauthorized users from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
l A static MAC address entry will not be aged out. After being saved, a static MAC
address entry will not be lost after a system restart, and can only be deleted manually.
l The VLAN bound to a static MAC address entry must have been created and assigned to
the interface bound to the entry.
l The MAC address in a static MAC address entry must be a unicast MAC address, and
cannot be a multicast or broadcast MAC address.
l A static MAC address entry takes precedence over a dynamic MAC address entry. The
system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run:
system-view
Step 3 Run:
commit
----End
Context
To prevent a hacker from using a MAC address to attack a user device or network, configure
the MAC address of an untrusted user as the blackhole MAC address. The switch directly
discards the received packets where the source or destination MAC address is the blackhole
MAC address and the VLAN ID of the packets corresponds to the blackhole MAC address.
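The lookup, learning, static binding and blackhole behaviours described in this chapter, brought together in one forwarding decision so the interactions are visible. This is an added example, not code from the switch vendor; the L2Forwarder class, its return values ('discard', 'flood', 'forward:<interface>') and the MAC addresses and interface names are constructed. Entry semantics follow the text: a static entry binds one MAC to one outbound interface and is never overridden by dynamic learning, the bound MAC arriving on another interface is discarded, a blackhole MAC is discarded as source or destination in its VLAN, unknown unicast is flooded unless the switch is configured to discard it (section 2.11), and all-0 addresses can be discarded (section 2.10).

```python
"""Forwarding decision for a frame against a MAC address table holding
dynamic, static and blackhole entries. Added example, not vendor code.
Semantics follow the chapter text; flooding back to the ingress interface
and per-interface VLAN membership are not modelled.
"""
from dataclasses import dataclass
from typing import Optional

ALL_ZERO = "0000-0000-0000"


@dataclass(frozen=True)
class Entry:
    kind: str                 # "dynamic", "static" or "blackhole"
    interface: Optional[str]  # outbound interface; None for blackhole entries


def is_unicast(mac: str) -> bool:
    """Unicast if the individual/group bit (LSB of the first octet) is 0."""
    return int(mac[:2], 16) & 1 == 0


class L2Forwarder:
    def __init__(self, discard_unknown_unicast=False, discard_all_zero=False):
        self.table: dict[tuple[str, int], Entry] = {}
        self.discard_unknown_unicast = discard_unknown_unicast   # section 2.11
        self.discard_all_zero = discard_all_zero                 # section 2.10

    def add_static(self, mac, vlan, interface):
        self.table[(mac, vlan)] = Entry("static", interface)

    def add_blackhole(self, mac, vlan):
        self.table[(mac, vlan)] = Entry("blackhole", None)

    def learn(self, mac, vlan, in_port):
        """Dynamic learning; never overrides a static or blackhole entry."""
        current = self.table.get((mac, vlan))
        if current is None or current.kind == "dynamic":
            self.table[(mac, vlan)] = Entry("dynamic", in_port)

    def handle(self, src, dst, vlan, in_port):
        """Return 'discard', 'flood' or 'forward:<interface>' for one frame."""
        if self.discard_all_zero and ALL_ZERO in (src, dst):
            return "discard"
        src_entry = self.table.get((src, vlan))
        if src_entry is not None and src_entry.kind == "blackhole":
            return "discard"
        if src_entry is not None and src_entry.kind == "static" and src_entry.interface != in_port:
            return "discard"   # bound MAC seen on an interface it is not bound to
        self.learn(src, vlan, in_port)   # no-op for a static entry on its own interface
        if not is_unicast(dst):
            return "flood"               # broadcast/multicast is never "unknown unicast"
        dst_entry = self.table.get((dst, vlan))
        if dst_entry is None:
            return "discard" if self.discard_unknown_unicast else "flood"
        if dst_entry.kind == "blackhole":
            return "discard"
        return "forward:" + dst_entry.interface


if __name__ == "__main__":
    fwd = L2Forwarder()
    fwd.add_static("0011-0022-0034", 10, "GE3/0/1")      # constructed server binding
    fwd.add_blackhole("00e0-fc00-00ff", 10)              # constructed untrusted MAC
    print(fwd.handle("00e0-fc00-0002", "0011-0022-0034", 10, "GE3/0/5"))  # forward:GE3/0/1
    print(fwd.handle("0011-0022-0034", "00e0-fc00-0002", 10, "GE3/0/2"))  # discard
```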
Procedure
Step 1 Run:
system-view
----End
Context
To prevent explosive increase of MAC address entries, set the aging time for dynamic MAC
address entries.
Because the network topology changes frequently, the switch will learn more and more MAC
addresses. Therefore, the aging time needs to be set properly for dynamic MAC address
entries so that the switch can delete unneeded MAC address entries to prevent a sharp
increase of MAC address entries. A shorter aging time makes the switch more sensitive to
network changes and is applicable to networks where network topology changes frequently. A
longer aging time makes the switch more insensitive to network changes and is only
applicable to stable networks.
Procedure
Step 1 Run:
system-view
NOTE
When the aging time is 0, MAC address entries can be fixed. To clear the fixed MAC address entries, set
the aging time to a non-0 value. The system then deletes fixed MAC address entries after twice the aging
time.
Step 3 Run:
commit
----End
Procedure
l Disable MAC address learning on an interface.
a. Run:
system-view
A traffic classifier is created and the traffic classifier view is displayed, or the
existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier, which
means that:
○ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets match the
traffic classifier only when they match all the rules in the classifier.
The logical operator or means that packets match the traffic classifier as long
as they match one or more rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Run:
if-match
A traffic behavior is created and the traffic behavior view is displayed, or the
view of an existing traffic behavior is displayed.
ii. Run:
mac-address learning disable
system-view
A traffic policy is created and the traffic policy view is displayed, or the view
of an existing traffic policy is displayed.
iii. Run:
classifier classifier-name behavior behavior-name [ precedence
precedence-value ]
l A traffic policy containing mac-address learning disable (traffic behavior view) can
only be applied in the inbound direction.
l For details about the configuration notes of applying traffic policies in different views,
see Configuration Notes.
n Applying a traffic policy to an interface
1) Run:
system-view
2) Run:
vlan vlan-id
Context
The MAC address limiting function controls the number of access users and prevents attackers
from filling the MAC address table with forged MAC addresses.
An insecure network is vulnerable to MAC address attacks. When hackers send a large
number of forged packets with different source MAC addresses to the switch, the MAC
address table of the switch will be filled with useless MAC address entries. As a result, the
switch cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the number of
learned MAC address entries reaches the limit, the switch does not learn new MAC address
entries. You can also configure an action to take when the number of MAC address entries
reaches the limit. This prevents MAC address attacks and improves network security.
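The limit, alarm and action behaviour described here (and in the learning-control comparison under Principles) as a small model. This is an added example, not code from the switch vendor: the MacLimit class and its statistics are constructed, the defaults mirror the text (action forward, alarm enabled), and the source MAC addresses fed in are constructed values in the locally administered 0200-... range. It shows that once the limit is reached existing entries keep forwarding, new sources stop being learned, and the configured action decides whether their frames are dropped or forwarded unlearned.

```python
"""Model of limiting the number of MAC address entries learned on an
interface (or in a VLAN). Added example, not code from the switch vendor.
Up to `maximum` entries are learned; when the limit is reached an alarm
is raised (once, if alarms are enabled); after that no new entries are
learned and a frame with an unknown source MAC is discarded or forwarded
according to `action`.
"""


class MacLimit:
    def __init__(self, maximum: int, action: str = "forward", alarm: bool = True):
        if action not in ("discard", "forward"):
            raise ValueError("action must be 'discard' or 'forward'")
        self.maximum = maximum
        self.action = action
        self.alarm_enabled = alarm
        self.learned: set = set()
        self.alarms: list = []
        self.stats = {"learned": 0, "discarded": 0, "forwarded_without_learning": 0}

    def ingress(self, src_mac: str) -> str:
        """Handle one frame by source MAC; return 'forward' or 'discard'."""
        if src_mac in self.learned:
            return "forward"                      # known source: unaffected by the limit
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)
            self.stats["learned"] += 1
            if len(self.learned) == self.maximum and self.alarm_enabled:
                self.alarms.append(f"MAC address limit {self.maximum} reached")
            return "forward"
        if self.action == "discard":
            self.stats["discarded"] += 1
            return "discard"
        self.stats["forwarded_without_learning"] += 1
        return "forward"


def flood_with_distinct_sources(limit: MacLimit, count: int):
    """Feed `count` frames, each with a different constructed source MAC."""
    return [limit.ingress(f"0200-0000-{i:04x}") for i in range(count)]


if __name__ == "__main__":
    lim = MacLimit(maximum=3, action="discard")
    print(flood_with_distinct_sources(lim, 5), lim.alarms, lim.stats)
```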
Procedure
l Limit the number of MAC address entries learned on an interface.
a. Run:
system-view
The maximum number of MAC address entries that can be learned on the interface
is set.
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
e. Run:
commit
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
d. Run:
mac-address limit action { discard | forward }
By default, the device forwards packets with unknown source MAC addresses after
the number of learned MAC address entries reaches the limit.
e. Run:
mac-address limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the number of learned
MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned MAC
address entries reaches the limit.
f. Run:
commit
----End
Context
A device usually uses a hash algorithm to learn MAC address entries to improve MAC
address forwarding performance. When multiple MAC addresses map the same key value, a
MAC address hash conflict may occur. When a MAC address hash conflict occurs, the device
may fail to learn many MAC addresses and can only broadcast traffic destined for these MAC
addresses. The heavy broadcast traffic increases the load on the device. In this case, use an
appropriate hash algorithm to mitigate the hash conflict.
NOTE
l Only the CE5810EI, CE5850HI, CE6800 series (excluding the CE6870EI), CE7800 series, and
CE8800 series support the configuration of a hash algorithm.
l MAC addresses are distributed on a network randomly, so the best hash algorithm cannot be
determined. Generally, the default hash algorithm is the best one, so do not change the hash
algorithm unless you have special requirements.
l An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
l After the hash algorithm is changed, restart the device to make the configuration take effect.
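Why the hash mode matters, and why no mode removes conflicts, shown on two constructed address sets. This is an added example, not code from the switch vendor: the hardware hash is not documented here, so the model is a simplification in which the key is MAC address plus VLAN ID, the bucket index is taken from the lower or upper bits of a CRC-16 or CRC-32 of the key (named after the crc16-lower/crc16-upper/crc32-lower/crc32-upper modes) or from the low bits of the address itself (lsb), and a bucket holds at most `ways` entries; an address whose bucket is full cannot be learned. The CRC-16 polynomial (0x1021, init 0xFFFF), the 256-bucket/4-way geometry and the sample address sets are all assumptions.

```python
"""Model of MAC address hash conflicts under different hash modes.
Added example, not vendor code; key layout, CRC parameters and table
geometry are assumptions (see the lead-in).
"""
import zlib

MODES = ("crc16-lower", "crc16-upper", "crc32-lower", "crc32-upper", "lsb")


def crc16_ccitt(data: bytes) -> int:
    """CRC-16 with polynomial 0x1021 and initial value 0xFFFF (assumed parameters)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def bucket_index(mac: str, vlan: int, mode: str, index_bits: int = 8) -> int:
    """Bucket for (mac, vlan) under `mode`; the table has 2**index_bits buckets."""
    key = mac_bytes(mac) + vlan.to_bytes(2, "big")
    mask = (1 << index_bits) - 1
    if mode == "crc16-lower":
        return crc16_ccitt(key) & mask
    if mode == "crc16-upper":
        return (crc16_ccitt(key) >> (16 - index_bits)) & mask
    if mode == "crc32-lower":
        return zlib.crc32(key) & mask
    if mode == "crc32-upper":
        return (zlib.crc32(key) >> (32 - index_bits)) & mask
    if mode == "lsb":
        return int.from_bytes(mac_bytes(mac)[-2:], "big") & mask
    raise ValueError(f"unknown hash mode {mode!r}")


def count_unlearnable(addresses, mode: str, index_bits: int = 8, ways: int = 4) -> int:
    """Number of (mac, vlan) keys that cannot be learned because their bucket is full."""
    occupancy = {}
    failed = 0
    for mac, vlan in addresses:
        b = bucket_index(mac, vlan, mode, index_bits)
        if occupancy.get(b, 0) >= ways:
            failed += 1          # hash conflict: the entry is not learned
        else:
            occupancy[b] = occupancy.get(b, 0) + 1
    return failed


def compare_modes(addresses, index_bits: int = 8, ways: int = 4) -> dict:
    return {mode: count_unlearnable(addresses, mode, index_bits, ways) for mode in MODES}


def sequential_macs(n: int, vlan: int = 1):
    """Constructed set: consecutive addresses, as a block of servers might have."""
    return [(f"00e0-fc00-{i:04x}", vlan) for i in range(n)]


def same_low_bits_macs(n: int, vlan: int = 1):
    """Constructed set: addresses that differ only in a high byte."""
    return [(f"00e0-{i:02x}00-0001", vlan) for i in range(n)]


if __name__ == "__main__":
    print("sequential, 1025 addresses:", compare_modes(sequential_macs(1025)))
    print("same low bits, 16 addresses:", compare_modes(same_low_bits_macs(16)))
```

The two sets are chosen to make the point in the NOTE concrete: lsb spreads consecutive addresses perfectly but collapses the second set into a single bucket, while the CRC modes do the opposite, so which mode is "best" depends on an address distribution the operator usually cannot control.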
Procedure
Step 1 Run:
system-view
Step 2 Run:
mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper
| lsb }
Step 3 Run:
commit
----End
Context
To prevent MAC address flapping, configure different MAC address learning priorities for
interfaces. When interfaces learn the same MAC address, the MAC address entry learned by
the interface with the highest priority overrides the MAC address entries learned by the other
interfaces.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
mac-address learning priority priority-id
By default, the MAC address learning priority of an interface is 0. A larger priority value
indicates a higher MAC address learning priority.
Step 4 Run:
commit
----End
Context
You can configure the device to prevent MAC address flapping between interfaces with the
same priority to improve network security.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo mac-address learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with the same
priority.
By default, the device allows MAC address flapping between interfaces with the same
priority.
Step 3 Run:
commit
----End
Procedure
l Run the display current-configuration command to view the MAC address learning
priorities of interfaces.
----End
Context
By default, the system performs MAC address flapping detection in all VLANs. In a data
center virtualization scenario (virtual terminal migration), MAC address flapping may occur.
This is a normal situation where MAC address flapping detection is not required. You can
configure the whitelist of VLANs in MAC address flapping detection to prevent MAC
address flapping detection from being performed in a specified VLAN.
Increasing the aging time of flapping MAC addresses will cause MAC address flapping again
and increase the Error-Down time. To ensure that the system performs MAC address flapping
detection in a timely manner, adjust the aging time of flapping MAC addresses correctly.
When a loop on a network causes MAC address flapping and the network does not support
loop prevention protocols, to eliminate the loop, configure an action to take after MAC
address flapping occurs on the corresponding interface.
NOTE
• To prevent uplink traffic interruption, you are not advised to configure the action performed when
MAC address flapping is detected on upstream interfaces.
• MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire
network topology. If the user network connected to the switch supports loop prevention protocols,
use the loop prevention protocols instead of MAC address flapping detection.
• The MAC address flapping detection function can only detect a single ring. When there are multiple
rings, the MAC address flapping detection function detects only the first ring. That is, if two or more
rings exist in a VLAN, the system reports only alarms about interfaces in the first ring, regardless of
whether the port status in the first ring is Up or Down.
• The MAC address flapping detection function can only detect the first ring in a VLAN within the
configurable aging time (5 minutes by default). For example, MAC address flapping occurs between
PortA and PortB. If PortA or PortB goes Down and MAC address flapping then occurs between PortC
and PortD within the same aging time, the flapping interfaces in the alarm are still PortA and PortB.
• By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs
for more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address
flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
Procedure
Step 1 Run:
system-view
The device is enabled to report a trap periodically when detecting MAC address
flapping.
By default, the device is disabled from reporting a trap periodically when detecting MAC
address flapping.
2. Run:
mac-address flapping periodical trap interval interval
The interval for reporting traps periodically is configured when MAC address flapping is
detected.
Step 7 (Optional) Configure the action performed on the interface when MAC address flapping is
detected on the interface.
1. Run:
interface interface-type interface-number
The interface is configured to enter the Error-Down state after MAC address flapping
occurs.
By default, an interface is not configured to enter the Error-Down state after MAC
address flapping occurs.
Step 8 Run:
commit
----End
Follow-up Procedure
When the action is set to error-down, if MAC address flapping occurs, the interface enters
the Error-Down state and the device sends an alarm to the NMS. The device records the status
of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down
state cannot receive or send packets and the interface indicator is off. You can run the display
error-down recovery command to check information about all interfaces in Error-Down state
on the device.
When the interface is in Error-Down state, check the cause. You can use the following modes
to restore the interface status:
• Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the shutdown and undo
shutdown commands in the interface view or run the restart command to restore the
interface.
• Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode brings a heavy
workload and the configuration of some interfaces may be ignored. To prevent this
problem, run the error-down auto-recovery cause mac-address-flapping interval
interval-value command in the system view to enable an interface in Error-Down state to
go Up and set a recovery delay. You can run the display error-down recovery command
to view automatic recovery information about the interface.
NOTE
This mode is invalid for the interface that has entered the Error-Down state, and is only valid for the
interface that enters the Error-Down state after the error-down auto-recovery cause mac-address-
flapping interval interval-value command is used.
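The detection semantics described above (a flap is a MAC relearned on another interface of the same VLAN, only the first ring per VLAN is reported within the aging time, the move port enters Error-Down when trigger error-down is configured, and auto-recovery brings it back after the interval), modelled in Python as an added illustration. This is a constructed, simplified model, not the switch's own algorithm; event times, ports and MAC addresses are constructed.

```python
from dataclasses import dataclass


@dataclass
class FlapRecord:
    """One entry of the kind shown by 'display mac-address flapping'."""
    vlan: int
    mac: str
    original_port: str
    move_port: str
    start: int                # S: time of the first move (seconds)
    end: int                  # E: time of the latest move
    move_num: int = 1         # MoveNum
    error_down: bool = False  # move port would be shown as port(D)


class FlappingDetector:
    def __init__(self, aging_time=300, recovery_interval=None, error_down_ports=()):
        self.aging_time = aging_time                   # manual default: 5 minutes
        self.recovery_interval = recovery_interval     # error-down auto-recovery interval
        self.error_down_ports = set(error_down_ports)  # ports with 'trigger error-down'
        self.mac_table = {}    # (vlan, mac) -> port on which it was last learned
        self.records = {}      # vlan -> FlapRecord; only the first ring is reported
        self.down_since = {}   # port -> time it entered Error-Down

    def learn(self, t, vlan, mac, port):
        """Handle one source-MAC learning event at time t (seconds).

        Returns the VLAN's reported FlapRecord when the event is a flap, else None.
        """
        self._auto_recover(t)
        if port in self.down_since:
            return None  # an Error-Down interface cannot receive packets
        key = (vlan, mac)
        old = self.mac_table.get(key)
        self.mac_table[key] = port
        if old is None or old == port:
            return None  # first learning, or a refresh on the same port
        rec = self.records.get(vlan)
        if rec is not None and t - rec.end > self.aging_time:
            rec = None   # the earlier record aged out; a new ring may be reported
        if rec is None:
            rec = FlapRecord(vlan, mac, old, port, t, t)
            self.records[vlan] = rec
        elif rec.mac == mac:
            rec.move_num += 1
            rec.end = t
        # A flap between other ports (PortC/PortD) within the aging time leaves the
        # reported pair (PortA/PortB) unchanged, as the manual's NOTE describes.
        if port in self.error_down_ports:
            self.down_since[port] = t  # the move port enters Error-Down
            rec.error_down = rec.error_down or port == rec.move_port
        return rec

    def _auto_recover(self, t):
        """Bring ports back Up once the auto-recovery interval has elapsed."""
        if self.recovery_interval is None:
            return
        for port, since in list(self.down_since.items()):
            if t - since >= self.recovery_interval:
                del self.down_since[port]

    def is_down(self, port):
        return port in self.down_since
```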
Context
A faulty network device may send packets with an all-0 source or destination MAC address to
the switch. You can configure the switch to discard such packets.
You can configure the switch to discard packets with an all-0 source or destination MAC
address.
NOTE
Procedure
Step 1 Run:
system-view
Step 2 Run:
drop illegal-mac enable
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 Run:
commit
----End
Context
After the switch is configured to discard packets that do not match any MAC address entries,
such packets are discarded, which reduces the load on the switch and enhances system
security.
After a DHCP user goes offline, the MAC address entry of the user ages out. If there are
packets destined for this user, the switch cannot find the MAC address entry and therefore
broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets,
which brings security risks. To reduce the load on the switch and enhance security, configure
the switch to discard packets that do not match any MAC address entries.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vlan vlan-id
Step 3 Run:
mac-address miss action discard
The switch is configured to discard packets that do not match any MAC address entries.
By default, the switch broadcasts the packets that do not match any MAC address entries in a
VLAN.
Step 4 Run:
commit
----End
Context
For the packets in which the destination MAC address and the configured static MAC address
conflict, the device can be configured to or not to discard packets.
NOTE
Only the CE6850HI, CE6850U-HI, CE6851HI, CE6855HI, CE7850EI, CE7855EI, and CE8860EI support
the function.
By default, the device discards packets in which the destination MAC address and the
configured static MAC address conflict. This function reduces the device burden and ensures
security. In a scenario where the Open Virtual Switch DataBase (OVSDB) needs to be
enabled, to ensure that OVSDB functions properly, the device must be disabled from
discarding packets in which the destination MAC address and the configured static MAC
address conflict.
Procedure
Step 1 Run:
system-view
Step 2 Run:
undo mac-address drop static-conflict enable
The device is disabled from discarding packets in which the destination MAC address and the
configured static MAC address conflict.
By default, the device is enabled to discard packets in which the destination MAC address and
the configured static MAC address conflict.
NOTE
• If OVSDB needs to be enabled on the device, to ensure that OVSDB functions properly, you must run
the undo mac-address drop static-conflict enable command to disable the device from discarding
packets in which the destination MAC address and the configured static MAC address conflict.
• If OVSDB is not enabled on the device or stopped but the undo mac-address drop static-conflict
enable command is used, you must run the mac-address drop static-conflict enable command to
enable the device to discard packets in which the destination MAC address and the configured static
MAC address conflict. Otherwise, the device may not work properly.
Step 3 Run:
commit
----End
Context
The MAC address-triggered ARP entry update enables the switch to update the corresponding
ARP entry when the outbound interface in a MAC address entry changes.
On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding. The ARP
entries that define the mapping between IP addresses and MAC addresses guide
communication between devices on different network segments.
The outbound interface in a MAC address entry is updated by packets, whereas the outbound
interface in an ARP entry is updated after the aging time is reached. In this case, the outbound
interfaces in the MAC address entry and ARP entry may be different. In Figure 2-11,
SwitchA and SwitchB function as gateways of the server and have VRRP enabled to enhance
reliability. VRRP packets are transmitted on the directly connected link between the two
switches. When the server sends packets, only one network interface is selected to forward
packets. When a network fault or traffic exception is detected, another network interface is
used.
Figure 2-11 Networking for configuring MAC address-triggered ARP entry update when a
VRRP active/backup switchover is performed
[Figure 2-11: SwitchA (Port1, Port2) and SwitchB (Port1, Port2) connected to each other and to the Server (Port1, Port2)]
• SwitchA functions as the master device, and the server uses Port2 to send packets.
SwitchA learns the ARP entry and MAC address entry on Port2, and SwitchB learns the
server MAC address on Port1.
• When the server detects that Port2 is faulty, the server uses Port1 to forward service
packets. SwitchA then learns the server MAC address on Port1. If the server does not
send an ARP Request packet to SwitchA, SwitchA still maintains the ARP entry on
Port2. In this case, packets sent from SwitchA to the server are still forwarded through
Port2 until the ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update. This function
enables the device to update the corresponding ARP entry when the outbound interface in a
MAC address entry changes.
In data center virtualization scenarios, when the location of a virtual machine (VM) changes,
user traffic on the network may be interrupted if the VM cannot send gratuitous ARP
messages promptly to update ARP entries on the gateway. In this case, the device relearns
ARP entries by exchanging ARP messages only after ARP entries on the gateway age.
When the VM location is changed after MAC-ARP association is enabled and a gateway's
MAC entries are updated upon receipt of Layer 2 user traffic, ARP entries and outbound
interface information are updated as follows to accelerate Layer 3 traffic convergence:
• If ARP entries exist and the outbound interface of MAC entries is inconsistent with that
of ARP entries, ARP entries are updated based on MAC entries, and outbound interface
information is updated.
• If ARP entries do not exist, a broadcast suppression table is searched based on MAC
entries and ARP probe is re-initiated to update ARP entries and outbound interface
information.
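The Figure 2-11 scenario and the two update rules above, modelled in Python as an added illustration (a constructed, simplified model; not the switch's implementation). The ARP aging time, IP addresses, MAC addresses and the broadcast suppression table contents are constructed; the model also applies the restrictions that only dynamic ARP entries are updated and that the update stops after more than 10 flaps.

```python
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    port: str            # outbound interface
    learned_at: int
    static: bool = False


class Gateway:
    """Minimal gateway model: a MAC table and an ARP table (constructed)."""

    def __init__(self, mac_update_arp=True, arp_aging=1200, suppression=None):
        self.mac_update_arp = mac_update_arp  # 'mac-address update arp enable'
        self.arp_aging = arp_aging            # ARP aging time in seconds (constructed)
        self.suppression = suppression or {}  # broadcast suppression table: mac -> ip
        self.mac_table = {}                   # (vlan, mac) -> outbound interface
        self.arp_table = {}                   # ip -> ArpEntry
        self.probes = []                      # IPs for which an ARP probe was re-initiated
        self.moves = {}                       # (vlan, mac) -> outbound interface changes

    def receive_l2(self, t, vlan, src_mac, port):
        """Learn a source MAC; if its outbound interface changed, apply the
        MAC-triggered ARP update rules described in the manual."""
        old = self.mac_table.get((vlan, src_mac))
        self.mac_table[(vlan, src_mac)] = port
        if old is None or old == port or not self.mac_update_arp:
            return
        self.moves[(vlan, src_mac)] = self.moves.get((vlan, src_mac), 0) + 1
        if self.moves[(vlan, src_mac)] > 10:
            return  # manual: after more than 10 flaps the update is disabled
        entries = [e for e in self.arp_table.values() if e.mac == src_mac]
        if entries:
            for e in entries:  # rule 1: outbound interface differs -> follow the MAC entry
                if not e.static and e.port != port:  # only dynamic ARP entries are updated
                    e.port = port
        elif src_mac in self.suppression:  # rule 2: no ARP entry -> re-initiate an ARP probe
            self.probes.append(self.suppression[src_mac])

    def receive_arp(self, t, vlan, ip, mac, port):
        """ARP from the host refreshes both the ARP entry and the MAC entry."""
        self.arp_table[ip] = ArpEntry(ip, mac, port, t)
        self.receive_l2(t, vlan, mac, port)

    def outbound_port(self, t, ip):
        """Port used for packets to ip, or None once the ARP entry has aged out."""
        e = self.arp_table.get(ip)
        if e is None:
            return None
        if not e.static and t - e.learned_at >= self.arp_aging:
            del self.arp_table[ip]  # aged: the gateway must re-resolve by ARP exchange
            return None
        return e.port


SERVER_IP, SERVER_MAC = "192.0.2.10", "00e0-fc00-0001"  # constructed values


def figure_2_11(mac_update_arp):
    """SwitchA in Figure 2-11: the server fails over from Port2 to Port1 without
    sending ARP. Returns the outbound port right after failover and at ARP aging."""
    sw_a = Gateway(mac_update_arp=mac_update_arp)
    sw_a.receive_arp(0, 1, SERVER_IP, SERVER_MAC, "Port2")  # server active on Port2
    sw_a.receive_l2(10, 1, SERVER_MAC, "Port1")              # Layer 2 traffic now on Port1
    return sw_a.outbound_port(20, SERVER_IP), sw_a.outbound_port(1200, SERVER_IP)
```

Without the function the gateway keeps forwarding to Port2 until the ARP entry ages; with it the ARP outbound interface follows the MAC entry immediately.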
Procedure
Step 1 Run:
system-view
NOTE
• This command takes effect only for dynamic ARP entries. Static ARP entries are not updated when
the corresponding MAC address entries change.
• The mac-address update arp enable command does not take effect after ARP entry fixing is
enabled by using the arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
command.
• After the mac-address update arp enable command is run, the switch updates an ARP entry only
when the outbound interface in the corresponding MAC address entry changes.
• By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs
for more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address
flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
Step 3 Run:
commit
----End
Context
The port bridge function enables an interface to forward packets in which the source and
destination MAC addresses are the same.
By default, an interface does not forward packets whose source and destination MAC
addresses are both learned by this interface. When the interface receives such a packet, it
discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards such a packet
if the destination MAC address of the packet is in the MAC address table.
The port bridge function is used in the following scenarios:
The device is used as an access device in a data center and is connected to servers. Each
server is configured with multiple virtual machines. The virtual machines need to transmit
data to each other. If data between virtual machines is transmitted on the server, the data
transmission rate and server performance may be affected. To improve the data transmission
rate and server performance, enable the port bridge function on the interfaces connected to the
servers so that the device forwards data packets between the virtual machines.
Procedure
Step 1 Run:
system-view
commit
----End
Display MAC address entries learned in a VLAN: display mac-address dynamic vlan vlan-id
Display statistics on MAC address entries:
  • Display the total statistics: display mac-address total-number
  • Display the statistics of various types of MAC address entries: display mac-address summary
Delete all static and blackhole MAC address entries: undo mac-address all
Delete static and blackhole MAC address entries in a VLAN: undo mac-address vlan vlan-id
Delete static and blackhole MAC address entries on an interface: undo mac-address interface-type interface-number
Context
NOTICE
Cleared MAC address flapping records cannot be restored.
Procedure
• Run the reset mac-address flapping record [ all ] command in the user view to clear
MAC address flapping records.
----End
Procedure
Step 1 Run:
system-view
The interval at which the device checks MAC address learning or aging is set.
By default, the device checks MAC address learning or aging at intervals of 10s.
Step 3 Run:
interface interface-type interface-number
----End
Networking Requirements
As shown in Figure 2-12, the MAC address of the user host PC1 is 0002-0002-0002 and that
of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through
the LSW. The LSW is connected to 10GE1/0/1 of the Switch, which belongs to VLAN 2. The
MAC address of the server is 0004-0004-0004. The server is connected to 10GE1/0/2 of the
Switch. 10GE1/0/2 belongs to VLAN 2.
• To prevent hackers from using MAC addresses to attack the network, configure two
static MAC address entries for each user host on the Switch.
• To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Switch for the server.
NOTE
This example applies to the scenario where there are few users. When there are many users, perform
dynamic binding according to Example for Configuring Port Security.
[Figure 2-12: Switch connected to the Network, to the Server on 10GE1/0/2, and on 10GE1/0/1 to the LSW, which connects PC1 and PC2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
Step 1 Configure static MAC address entries.
# Run the display mac-address aging-time command in any view to check whether the aging
time of dynamic entries is set successfully.
[~Switch] display mac-address aging-time
Aging time: 500 second(s)
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
mac-address static 0002-0002-0002 10GE1/0/1 vlan 2
mac-address static 0003-0003-0003 10GE1/0/1 vlan 2
mac-address static 0004-0004-0004 10GE1/0/2 vlan 2
#
return
Networking Requirements
As shown in Figure 2-13, user network 1 is connected to Switch on the 10GE1/0/1 through an
LSW. User network 2 is connected to Switch on the 10GE1/0/2 through another LSW. Both
10GE1/0/1 and 10GE1/0/2 belong to VLAN 2. To prevent MAC address attacks and limit the
number of access users on the device, limit MAC address learning on all the interfaces in
VLAN 2.
[Figure 2-13: Switch connected to the Network; 10GE1/0/1 and 10GE1/0/2 (VLAN 2) connect through an LSW each to user network 1 and user network 2]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address
attacks and limit the number of access users.
Procedure
Step 1 Limit MAC address learning.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 2
[*Switch-vlan2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 2
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 2
[*Switch-10GE1/0/2] quit
[*Switch] commit
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
device sends an alarm.
[~Switch] vlan 2
[~Switch-vlan2] mac-address limit maximum 100 alarm enable
[*Switch-vlan2] quit
[*Switch] commit
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-address limit maximum 100
#
interface 10GE1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return
[Figure (network diagram): Switch with 10GE1/0/1 in VLAN 10 and 10GE1/0/2; LSW; PC4 with MAC 11-22-33]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address anti-flapping on the server-side interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add 10GE1/0/1 and 10GE1/0/2 to VLAN 10.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan 10
[*Switch-vlan10] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 10
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port default vlan 10
[*Switch-10GE1/0/1] commit
interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface 10GE1/0/1
port default vlan 10
mac-address learning priority 2
#
interface 10GE1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
Networking Requirements
As shown in Figure 2-15, a loop occurs on a user network because network cables between
two LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table
flapping.
You can enable MAC address flapping detection on the Switch to detect MAC address
flapping and discover loops.
[Figure 2-15: Switch connected to the Network; 10GE1/0/1 and 10GE1/0/2 connect to LSW1 and LSW2, which are incorrectly connected to each other, forming a loop]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] mac-address flapping detection
[*Switch] commit
Step 3 Shut down 10GE1/0/1 and 10GE1/0/2 when MAC address flapping is detected.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] mac-address flapping trigger error-down
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] mac-address flapping trigger error-down
[*Switch-10GE1/0/2] quit
[*Switch] commit
Step 4 Configure automatic recovery and set the automatic recovery time for the shutdown interface.
[~Switch] error-down auto-recovery cause mac-address-flapping interval 500
[*Switch] commit
After the configuration is complete, when the MAC address on 10GE1/0/1 flaps to
10GE1/0/2, 10GE1/0/2 is shut down. Run the display mac-address flapping command to
view the flapping records.
[~Switch] display mac-address flapping
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection : Enable
Aging time(s) : 500
Quit-VLAN Recover time(m) : --
Exclude VLAN-list : --
Security level : Middle
-------------------------------------------------------------------------------
S : start time E : end time (D) : error down
-------------------------------------------------------------------------------
Time VLAN MAC-Address Original-Port Move-Ports MoveNum
/BD
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 1 0000-0000-0007 10GE1/0/1 10GE1/0/2(D) 83
E:2011-12-11 11:33:13 /-
-------------------------------------------------------------------------------
Total items on slot 1: 1
----End
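A parser for the display mac-address flapping output shown above, added here as an example for feeding flapping records to monitoring (not part of the manual or the switch software). The sample input is the manual's own output embedded verbatim; the handling of several Move-Ports as a comma-separated list is an assumption.

```python
import re

# Output of 'display mac-address flapping' as printed in the manual's example,
# embedded here as the sample input.
SAMPLE = """\
MAC Address Flapping Configurations :
-------------------------------------------------------------------------------
Flapping detection : Enable
Aging time(s) : 500
Quit-VLAN Recover time(m) : --
Exclude VLAN-list : --
Security level : Middle
-------------------------------------------------------------------------------
S : start time E : end time (D) : error down
-------------------------------------------------------------------------------
Time VLAN MAC-Address Original-Port Move-Ports MoveNum
/BD
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 1 0000-0000-0007 10GE1/0/1 10GE1/0/2(D) 83
E:2011-12-11 11:33:13 /-
-------------------------------------------------------------------------------
Total items on slot 1: 1
"""

SETTING_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>\S.*)$")
RECORD_RE = re.compile(
    r"^S:(?P<start>\S+ \S+)\s+(?P<vlan>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<orig>\S+)\s+(?P<moves>\S+)\s+(?P<num>\d+)$")
END_RE = re.compile(r"^E:(?P<end>\S+ \S+)")


def _move_ports(field):
    """'10GE1/0/2(D)' -> [('10GE1/0/2', True)]; the (D) suffix marks Error-Down.
    Several ports are assumed to be comma-separated (assumption)."""
    out = []
    for p in field.split(","):
        down = p.endswith("(D)")
        out.append((p[:-3] if down else p, down))
    return out


def parse_flapping(output):
    settings, records, in_records = {}, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("S : start time"):
            in_records = True  # legend line: settings end, record table begins
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append({
                "start": m["start"], "end": None, "vlan": m["vlan"], "mac": m["mac"],
                "original_port": m["orig"], "move_ports": _move_ports(m["moves"]),
                "move_num": int(m["num"]),
            })
            continue
        m = END_RE.match(line)
        if m and records:
            records[-1]["end"] = m["end"]
            continue
        m = SETTING_RE.match(line)
        if m and not in_records:
            settings[m["key"]] = m["val"]
    return {"settings": settings, "records": records}


def error_down_ports(parsed):
    """Ports the switch placed in Error-Down because of flapping."""
    return sorted({p for r in parsed["records"] for p, down in r["move_ports"] if down})


def high_churn(parsed, threshold):
    """(vlan, mac) pairs whose MoveNum reaches the threshold: candidates for a
    loop or a forged host MAC rather than a single VM migration."""
    return [(r["vlan"], r["mac"]) for r in parsed["records"] if r["move_num"] >= threshold]
```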
Configuration Files
Switch configuration file
#
sysname Switch
#
mac-address flapping aging-time 500
#
error-down auto-recovery cause mac-address-flapping interval 500
#
interface 10GE1/0/1
mac-address flapping trigger error-down
#
interface 10GE1/0/2
mac-address flapping trigger error-down
#
return
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.
Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding
relationships between the MAC address, VLAN, and interface are correct.
<HUAWEI> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/- 10GE1/0/1 dynamic
-------------------------------------------------------------------------------
Total items: 1
If not, re-configure the binding relationships between the MAC address, VLAN, and
interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
• Remove the loop from the network.
If no loop exists, go to step 3.
Step 3 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
mac-address learning disable
port link-type trunk
port trunk allow-pass vlan 10
#
return
[~HUAWEI-vlan10] display this
#
vlan 10
mac-address learning disable
#
return
If the command output contains mac-address learning disable, MAC address learning is
disabled on the interface or VLAN.
• If MAC address learning is disabled, run the undo mac-address learning disable
[ action { discard | forward } ] command in the interface view or undo mac-address
learning disable in the VLAN view to enable MAC address learning.
• If MAC address learning is enabled on the interface or VLAN, go to step 4.
Step 4 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface
discards packets.
• Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole
MAC address entry is configured.
[~HUAWEI] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0001-0001-0001 3333/- - blackhole
-------------------------------------------------------------------------------
Total items: 1
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole
command to delete it.
• MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the
command output contains mac-address limit maximum, the number of learned
MAC addresses is limited. Run either of the following commands:
▪ Run the undo mac-address limit command in the interface view or VLAN
view to cancel MAC address limiting.
▪ Run the mac-address limit command in the interface view or VLAN view to
increase the maximum number of learned MAC address entries.
– Run the display this command in the interface view. If the command output
contains port-security maximum or port-security enable, the number of secure
dynamic MAC addresses is limited on the interface. Run either of the following
commands:
NOTE
By default, the limit on the number of secure dynamic MAC addresses is 1 after port
security is enabled.
▪ Run the undo port-security enable command in the interface view to disable
port security.
----End
2.18 Reference
This section describes references of MAC address table.