01-03 MAC Address Table Configuration
Uploaded by
Bacof1601-03 MAC Address Table Configuration
Uploaded by
Bacof16S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3 MAC Address Table Configuration
About This Chapter
This chapter describes how to configure the Medium Access Control (MAC)
address table. Each station or server has a unique MAC address. When a device
exchanges data with connected stations or servers, the device records their MAC
addresses, access interfaces, and VLAN IDs for unicast forwarding.
3.1 Overview of MAC Address Tables
3.2 Understanding MAC Address Tables
3.3 Application Scenarios for MAC Address Tables
3.4 Summary of MAC Address Table Configuration Tasks
3.5 Licensing Requirements and Limitations for MAC Address Tables
3.6 Default Settings for MAC Address Tables
3.7 Configuring MAC Address Tables
3.8 Configuring MAC Address Flapping Prevention
3.9 Configuring MAC Address Flapping Detection
3.10 Configuring the Switch to Discard Packets with an All-0 MAC Address
3.11 Enabling MAC Address-triggered ARP Entry Update
3.12 Enabling Port Bridge
3.13 Configuring Re-marking of Destination MAC Addresses
3.14 Maintaining MAC Address Tables
3.15 Configuration Examples for MAC Address Tables
3.16 Troubleshooting MAC Address Tables
3.17 FAQ About MAC Address Tables
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 30
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.1 Overview of MAC Address Tables
A MAC address defines the location of a network device. A MAC address consists
of 48 bits and is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are
assigned by the IETF and other institutions to identify vendors, and bits 24 to 47
are the unique ID assigned by vendors to identify their network adapters.
MAC addresses fall into the following types:
● Physical MAC address: uniquely identifies a terminal on an Ethernet network
and is the globally unique hardware address.
● Broadcast MAC address: indicates all terminals on a LAN. The broadcast
address is all 1s (FF-FF-FF-FF-FF-FF).
● Multicast MAC address: indicates a group of terminals on a LAN. All the MAC
addresses with the eighth bit as 1 are multicast MAC addresses (for example,
01-00-00-00-00-00), excluding the broadcast MAC address. The multicast
MAC address starting from 01-80-c2 is the BPDU MAC address, and is often
used as the destination MAC address of protocol packets.
3.2 Understanding MAC Address Tables
3.2.1 Definition and Classification of MAC Address Entries
Definition of a MAC Address Table
A MAC address table records other devices' MAC addresses learned by the switch,
interfaces on which MAC addresses are learned, and VLANs that the interfaces
belong to. Before forwarding a packet, the switch looks up the destination MAC
address of the packet in the MAC address table. If a MAC address entry matches
the destination MAC address, the switch forwards the packet from the
corresponding outbound interface in the MAC address entry. If no MAC address
entry matches the destination MAC address, the switch broadcasts the packet to
all interfaces in the corresponding VLAN, except the inbound interface receiving
the packet.
Classification of MAC Address Entries
MAC address entries are classified into dynamic, static, and blackhole entries. In
addition, there are MAC address entries that are related to service types, for
example, secure MAC, MUX MAC, authen MAC, and guest MAC. They are
maintained by service modules and are converted from dynamic MAC address
entries.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 31
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Table 3-1 Characteristics and functions of different MAC address entries
MAC Address Entry Characteristics Function
Type
Dynamic MAC address ● Dynamic MAC address ● You can check
entry entries are obtained by whether data is
learning source MAC forwarded between
addresses of packets two connected
on an interface, and devices by checking
can be aged. dynamic MAC
● Dynamic MAC address address entries.
entries are lost after a ● You can obtain the
system restart. number of
communicating users
connected to an
interface by checking
the number of
specified dynamic
MAC address entries.
Static MAC address entry ● Static MAC address When static MAC
entries are manually address entries are
configured. Static MAC configured, authorized
address entries never users can use network
age. resources and other
● The static MAC users are prevented
address entries saved from using the bound
in the system are not MAC addresses to
lost after a system initiate attacks.
restart.
● After an interface is
statically bound to a
MAC address, other
interfaces discard
packets from this
source MAC address.
● Each static MAC
address entry can have
only one outbound
interface.
● Statically binding an
interface to a MAC
address does not affect
the learning of
dynamic MAC address
entries on the
interface.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 32
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
MAC Address Entry Characteristics Function
Type
Blackhole MAC address ● Blackhole MAC Blackhole MAC address
entry address entries are entries can filter out
manually configured. unauthorized users.
Blackhole MAC
address entries never
age.
● The blackhole MAC
address entries saved
in the system are not
lost after a system
restart.
● After blackhole MAC
address entries are
configured, the device
discards packets from
or destined for the
blackhole MAC
addresses.
3.2.2 Elements and Functions of a MAC Address Table
Elements
Each entry in a MAC address table is identified by a MAC address and a VLAN ID
or VSI. When a destination host joins multiple VLANs or VSIs, the host's MAC
address corresponds to multiple VLAN IDs or VSIs in the MAC address table. Table
3-2 lists four MAC address entries, which specify the outbound interfaces for
packets with specified destination MAC addresses and VLAN IDs or VSI names. For
example, the first MAC address entry is used to forward the packets with
destination MAC address 0011-0022-0034 and VLAN 10 through outbound
interface GE3/0/1.
Table 3-2 MAC address entries
MAC Address VLAN ID/VSI Name Outbound Interface
0011-0022-0034 10 GE0/0/1
0011-0022-0034 20 GE0/0/2
0011-0022-0035 30 Eth-Trunk20
0011-0022-0035 huawei GE0/0/3
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 33
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Functions
A MAC address table is used for unicast forwarding of packets. In Figure 3-1,
when packets sent from PC1 to PC3 reach the switch, the switch searches its MAC
address table for the destination MAC address MAC3 and VLAN 10 in the packets
to obtain outbound interface Port3. The switch then forwards packets to PC3 from
Port3.
Figure 3-1 Forwarding based on the MAC address table
MAC Address VLANID Port
MAC1 10 Port1
MAC2 10 Port2
PC2
MAC3 10 Port3
PC1 Switch Port2
Port1
Port3 PC3
MAC3 MAC1 VLAN10 Type Data MAC
3
MAC
1
VLAN
10
Type
Data
3.2.3 MAC Address Entry Learning and Aging
MAC Address Entry Learning
Generally, MAC address entries are learned from source MAC addresses of data
frame.
Figure 3-2 MAC address entry learning
PortA
HostA Data frame SwitchA
As shown in Figure 3-2, HostA sends a data frame to SwitchA. When receiving the
data frame, SwitchA obtains the source MAC address (HostA's MAC address) and
VLAN ID of the frame.
● If the MAC address entry does not exist in the MAC address table, SwitchA
adds an entry with the new MAC address, PortA, and VLAN ID to the MAC
address table.
● If the MAC address entry exists in the MAC address table, SwitchA resets the
aging timer of the MAC address entry and updates the entry.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 34
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
NOTE
● If PortA is a member interface of Eth-TrunkA, the outbound interface in the MAC
address entry is Eth-TrunkA.
● All interfaces of a switch belong to VLAN 1 by default. If the default VLAN is not
changed, the VLAN ID of all MAC address entries is VLAN 1.
● The switch does not learn the BPDU MAC address similar to 0180-c200-xxxx.
MAC address entry learning and update are triggered on a device only when the
device receives data frames.
MAC Address Entry Aging
A device needs to update its MAC address table continuously to adapt to changing
network topologies. Dynamic MAC address entries are not always valid. Each entry
has a life cycle (aging time) and will be deleted when the aging time expires. If an
entry is updated within the aging time, the aging timer of the entry is reset.
Figure 3-3 MAC address entry aging
t1: The entry with MAC
t2-t3: No packet matching
address 00e0-fc00-0001 and
this MAC address is
VLAN ID 1 is learned, and
received, so hit flag is 0.
the hit flag is set to 1.
0 1T 2T 3T 4T
t1 t2 t3 Time
t2: The hit flag of the entry t3: The entry with MAC
with MAC address 00e0-fc00- address 00e0-fc00-0001
0001 and VLAN ID 1 is set to and VLAN ID 1 is deleted
0, but the entry is not deleted. because its hit flag is 0.
As shown in Figure 3-3, the aging time of MAC address entries is set to T. At t1,
packets with source MAC address 00e0-fc00-0001 and VLAN ID 1 arrive at an
interface, which has joined VLAN 1. If no entry with MAC address 0e0-fc00-0001
and VLAN 1 exists in the MAC address table, the MAC address is learned as a
dynamic MAC address entry in the MAC address table, and the hit flag of the
entry is set to 1.
The device checks all dynamic MAC address entries at an interval of T.
1. At t2, if the device finds that the hit flag of the matching dynamic MAC
address entry with MAC address 00e0-fc00-0001 and VLAN 1 is 1, the device
sets the hit flag to 0 but does not delete the MAC address entry.
2. If no packet with source MAC address 00e0-fc00-0001 and VLAN 1 enters the
device between t2 and t3, the hit flag of the matching MAC address entry is
always 0.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 35
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3. At t3, the device finds that the hit flag of the matching MAC address entry is
0. The device considers that the aging time of the MAC address entry has
expired and deletes the MAC address entry.
The minimum holdtime of a dynamic MAC address entry ranges from T to 2T on
the device.
You can set the aging time of MAC address entries to control the life cycle of
dynamic MAC address entries in a MAC address table.
NOTE
When the interface frequently alternates between Up and Down, MAC address entries may
be not aged within two aging period. At this time, you are advised to check the link quality
or run the port link-flap protection enable command to configure link flapping
protection.
3.2.4 MAC Address Learning Control
When hackers send a large number of packets with different source MAC
addresses to a device, useless MAC addresses will consume MAC address entry
resources of the device. As a result, the device cannot learn source MAC addresses
of valid packets. The device broadcasts the packets that do not match MAC
address entries, wasting bandwidth resources.
The device provides the following MAC address learning control methods to
address the preceding issue:
● Disabling MAC address learning on a VLAN or an interface
● Limiting the number of learned MAC address entries on a VLAN or an
interface
Table 3-3 MAC address learning control
MAC Address Principle Application Scenario
Learning
Control Method
Disabling MAC After MAC address learning ● In most cases, attack
address learning is disabled on a VLAN or an packets sent by a hacker
on a VLAN or an interface, the device does not enter the device through
interface learn new dynamic MAC the same interface.
address entries on the VLAN Therefore, you can use
or interface. The dynamic either of the two methods
MAC address entries learned to prevent attack packets
before are aged out when from using up MAC
the aging time expires. They address entry resources on
can also be manually deleted the device.
through commands. ● The method of limiting
the number of learned
MAC address entries on a
VLAN or an interface can
also be used to limit the
number of access users.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 36
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
MAC Address Principle Application Scenario
Learning
Control Method
Limiting the The device can only learn a
number of specified number of MAC
learned MAC address entries on a VLAN or
address entries an interface.
on a VLAN or an When the number of learned
interface MAC address entries reaches
the limit, the device reports
an alarm to notify the
network administrator.
Then, the device cannot learn
new MAC address entries on
the VLAN or interface and
discards the packets with
source MAC addresses out of
the MAC address table.
3.2.5 MAC Address Flapping
What Is MAC Address Flapping
MAC address flapping occurs when a MAC address is learned by two interfaces in
the same VLAN and the MAC address entry learned later overrides the earlier one.
Figure 3-4 shows how MAC address flapping occurs. In the MAC address entry
with MAC address 0011-0022-0034 and VLAN 2, the outbound interface is
changed from GE0/0/1 to GE0/0/2. MAC address flapping can cause an increase in
the CPU usage on the device.
MAC address flapping does not occur frequently on a network unless a network
loop occurs. If MAC address flapping frequently occurs on your network, you can
quickly locate the fault and eliminate the loops according to alarms and MAC
address flapping records.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 37
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Figure 3-4 MAC address flapping
GE0/0/2
GE0/0/1
Broadcast to
two interfaces
in the VLAN MAC Address VLAN ID Port
First
First interface
interface that
0011-0022-0034 2 GE0/0/1 learns
learns this
this MAC
that
MAC address.
address.
Interface
Interface that
that learns
learns this
0011-0022-0034 2 GE0/0/2 MAC
MAC address
address later
later
this
MAC: 0011-0022-0034
How to Detect MAC Address Flapping
MAC address flapping detection determines whether MAC address flapping occurs
by checking whether outbound interfaces in MAC address entries change
frequently.
After MAC address flapping detection is enabled, the device can report an alarm
when MAC address flapping occurs. The alarm contains the flapping MAC address,
VLAN ID, and outbound interfaces between which the MAC address flaps. A loop
may exist between the outbound interfaces. The network administrator can locate
the cause of the loop based on the alarm. Alternatively, the device can perform
the action specified in the configuration of MAC address flapping detection to
remove the loop automatically. The action can be quit-vlan (remove the interface
from the VLAN) or error-down (shut down the interface).
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 38
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Figure 3-5 Networking of MAC address flapping detection
Network
Port1 SwitchA
MAC:11-22-33
Port2 Access interface
MAC:11-22-33
User
SwitchB
SwitchC Broadcast SwitchD
storm
Incorrect connection Data flow
As shown in Figure 3-5, a network cable is incorrectly connected between SwitchC
to SwitchD, causing a loop between SwitchB, SwitchC, and SwitchD. When Port1 of
SwitchA receives a broadcast packet, SwitchA forwards the packet to SwitchB. The
packet is then sent to Port2 of SwitchA. After MAC address flapping detection is
configured on SwitchA, SwitchA can detect that the source MAC address of the
packet flaps from Port1 to Port2. If the MAC address flaps between Port1 and
Port2 frequently, SwitchA reports an alarm about MAC address flapping to alert
the network administrator.
NOTE
MAC address flapping detection allows a device to detect changes in traffic transmission
paths based on learned MAC addresses, but the device cannot obtain the entire network
topology. It is recommended that this function be used on the interface connected to a user
network where loops may occur.
How to Prevent MAC Address Flapping
MAC address flapping occurs on a network when the network has a loop or
undergoes an attack.
During network planning, you can use the following methods to prevent MAC
address flapping:
● Increase the MAC address learning priority of an interface: When the same
MAC address is learned on interfaces of different priorities, the MAC address
entry on the interface with the highest priority overrides the MAC address
entries on the other interfaces.
● Prevent MAC address entries from being overridden on interfaces with the
same priority: If the interface connected to a bogus network device has the
same priority as the interface connected to an authorized device, the MAC
address entry of the bogus device learned later does not override the original
correct MAC address entry. If the authorized device is powered off, the MAC
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 39
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
address entry of the bogus device is learned. After the authorized device is
powered on again, its MAC address cannot be learned.
As shown in Figure 3-6, Port1 of the switch is connected to a server. To prevent
unauthorized users from connecting to the switch using the server's MAC address,
you can set a high MAC address learning priority for Port1.
Figure 3-6 Networking of MAC address flapping prevention
MAC:11-22-33
MAC:11-22-33
Server
Unauthorized
user
Port1
Switch
Authorized Authorized Authorized
user 1 user 2 user 3
3.2.6 MAC Address-Triggered ARP Entry Update
NOTE
Only the S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720HI,
S6720EI, and S6720S-EI support this function.
On an Ethernet network, a host sends and receives Ethernet data frames based on
MAC addresses. The Address Resolution Protocol (ARP) maps IP addresses to MAC
addresses. When two devices on different network segments communicate with
each other, they need to map IP addresses to MAC addresses and outbound
interfaces according to ARP entries.
Generally, the outbound interfaces in the matching MAC address entries and ARP
entries are consistent. As shown in Figure 3-7, the outbound interface in both the
MAC address entry and ARP entry is GE0/0/1 at T1. The interface is then changed.
At T2, after a packet is received from the peer device, the outbound interface in
the MAC address entry is immediately changed to GE0/0/2. However, the
outbound interface in the ARP entry is still GE0/0/1. At T3, the aging time of the
ARP entry expires, and the outbound interface in the ARP entry is changed to
GE0/0/2 through ARP aging probe. Between T2 and T3, the outbound interface in
the ARP entry is unavailable, interrupting communication between devices on
different network segments.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 40
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Figure 3-7 MAC address-triggered ARP entry update is not enabled
MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
11-22-34 2 GE0/0/1 10.2.2.2 11-22-34 2 GE0/0/1
Before port switching
Port switching
& ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T2 10.2.2.2 2
11-22-34 2 GE0/0/2 11-22-34 GE0/0/1
After port switching &
ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T3 11-22-34 2 GE0/0/2 10.2.2.2 11-22-34 2 GE0/0/2
MAC address-triggered ARP entry update enables a device to update the
outbound interface in an ARP entry immediately after the outbound interface in
the corresponding MAC address entry changes. As shown in Figure 3-8, MAC
address-triggered ARP entry update is enabled. At T2, after the outbound interface
in the MAC address entry is changed to GE0/0/2, the outbound interface in the
ARP entry is immediately changed to GE0/0/2. This function prevents
communication interruption between T2 and T3 due to the incorrect outbound
interface in the ARP entry.
Figure 3-8 MAC address-triggered ARP entry update is enabled
MAC address entry ARP entry
T1 MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
11-22-34 2 GE0/0/1 10.2.2.2 11-22-34 2 GE0/0/1
Before port switching
Port switching
& ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T2 10.2.2.2 2 GE0/0/2
11-22-34 2 GE0/0/2 11-22-34
After port switching &
ARP aging probe
MAC Address VLAN ID Port IP Address MAC Address VLAN ID Port
T3 11-22-34 2 GE0/0/2 10.2.2.2 11-22-34 2 GE0/0/2
NOTE
The MAC address-triggered ARP entry update function is often used in networking where
devices in a Virtual Router Redundancy Protocol (VRRP) group connect to servers (see 3.3.3
Configuring MAC Address-Triggered ARP Entry Update to Improve VRRP Switchover
Performance), or Layer 3 traffic switching scenarios where STP and Smart Link are used.
3.3 Application Scenarios for MAC Address Tables
3.3.1 Configuring MAC Address Flapping Prevention to Block
User Attacks
When you deploy a Layer 2 network, you can configure MAC address flapping
prevention to block attacks from unauthorized users. As shown in Figure 3-9,
employees of an enterprise need to access the server connected to Port1 of the
switch. If an unauthorized user sends packets using the server's MAC address as
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 41
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
the source MAC address, the server's MAC address is learned on another interface
of the switch. Then packets sent by employees to the server are sent to the
unauthorized user. As a result, employees cannot access the server, and important
data may be intercepted by the unauthorized user. To prevent unauthorized users
from using the server's MAC address to attack the switch, set a higher MAC
address learning priority for the interface connected to the server than the
interfaces connected to unauthorized users. In this case, MAC address flapping will
not occur when unauthorized users attack the switch.
Figure 3-9 Networking of MAC address flapping prevention
MAC:11-22-33
MAC:11-22-33
Server
Unauthorized
user
Port1
Switch
Authorized Authorized Authorized
user 1 user 2 user 3
3.3.2 Configuring MAC Address Flapping Detection to Quickly
Detect Loops
When a loop occurs, MAC address flapping must have occurred on the failure
point. You can use the MAC address flapping function to locate loops on a
network. When one of the following situations occurs, enable MAC address
flapping detection to check whether a loop occurs:
● A MAC address entry alternatively appears and disappears.
● Ping operations alternatively succeed and fail.
● A high CPU usage alarm is generated.
Compared to other loop detection technologies, MAC address flapping detection is
easy to configure. Table 3-4 compares loop detection technologies.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 42
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Table 3-4 Comparison of loop detection technologies
Feature Advantage Disadvantage
MAC address ● Checks all interfaces and The device only reports alarms
flapping VLANs on a device. after detecting a loop but
detection ● Requires only one cannot eliminate the loop.
command and is
enabled by default.
Loopback ● Detects loops based on This function is not enabled by
detection interfaces and VLANs. default and needs to be
● The device can eliminate configured through
a loop after detecting commands.
the loop.
3.3.3 Configuring MAC Address-Triggered ARP Entry Update to
Improve VRRP Switchover Performance
When a VRRP group connects to servers, MAC address-triggered ARP entry update
can be configured to speed up VRRP active/standby switchovers. This function
reduces the service interruption time upon a link or device failure. The Virtual
Router Redundancy Protocol (VRRP) groups multiple routing devices into a virtual
router. The virtual router functions as the virtual gateway for users, and its virtual
IP address is used as the default gateway address to implement communication
with an external network. When a gateway device fails, VRRP selects another
gateway device to transmit service traffic, ensuring reliable communication.
As shown in Figure 3-10, HostA is dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is configured on SwitchA and SwitchB to implement link
redundancy. If the link between SwitchA and the switch fails, MAC address entries
and ARP entries on the switch are updated to ensure that traffic is switched to the
link between the switch and SwitchB.
Figure 3-10 VRRP networking
SwitchA SwitchB
(VRRP Master) (VRRP Backup)
Port1 Port1
Port1 Port2
Before Switch After
switchover switchover
HostA
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 43
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
A VRRP group may connect to a server but not a switch, as shown in Figure 3-11.
Generally, a server selects only one of network interfaces to send packets. When
the server detects a network failure or traffic transmission failure, it sends packets
through another network interface.
● SwitchA functions as the master device, and the server uses Port2 to send
packets. SwitchA learns the ARP entry and MAC address entry matching the
server on Port2, and SwitchB learns the server MAC address on Port1.
● When the server detects that Port2 is faulty, the server sends packets through
Port1. SwitchA then learns the server MAC address on Port1. If the server does
not send an ARP Request packet to SwitchA, SwitchA still maintains the ARP
entry on Port2. In this case, packets sent from SwitchA to the server are still
forwarded through Port2 until the ARP entry is aged out.
To solve the problem, configure MAC address-triggered ARP entry update on the
switches. This function enables a switch to update the corresponding ARP entry
when the outbound interface in a MAC address entry changes.
Figure 3-11 VRRP group connects to a server
SwitchA(VRRP Master) SwitchB(VRRP Backup)
Port2 Port2
Port1 Port1
Port1 Port2
Server
3.4 Summary of MAC Address Table Configuration
Tasks
Table 3-5 MAC address table configuration tasks
Scenario Description Task
MAC addresses and Configure static MAC address 3.7.1 Configuring a
interfaces need to entries to bind MAC addresses and Static MAC Address
be bound statically. interfaces, improving security of Entry
authorized users.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 44
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Scenario Description Task
Attack packets Configure blackhole MAC address 3.7.2 Configuring a
from unauthorized entries to filter out packets from Blackhole MAC
users need to be unauthorized users, thereby Address Entry
filtered out. protecting the system against
attacks.
Aging of dynamic Set the aging time according to 3.7.3 Setting the
MAC address your needs. Set the aging time to Aging Time of
entries needs to be a large value or 0 (not to age Dynamic MAC
flexibly controlled. dynamic MAC address entries) on Address Entries
a stable network; set a short
aging time in other situations.
MAC address Attacks initiated by unauthorized 3.7.4 Disabling MAC
learning needs to users may exhaust MAC address Address Learning
be controlled. entries. To prevent this problem, 3.7.5 Configuring
disable MAC address learning or the MAC Address
limit the number of learned MAC Limiting Function
address entries.
The MAC address You can configure various trap 3.7.6 Enabling MAC
table needs to be functions about MAC addresses to Address Trap
monitored. monitor the usage of MAC Functions
address entries.
● Configure an alarm threshold
for MAC address usage. When
the MAC address usage
exceeds the upper threshold,
the switch generates an alarm.
When the MAC address usage
falls below the lower threshold,
the switch reports a clear
alarm.
● Enable the trap function for
MAC address learning or aging.
When a MAC address entry is
learned or aged out, the switch
sends an alarm.
● Enable the trap function for
MAC address hash conflicts. If
the device cannot learn MAC
address entries while its MAC
address table is not full, the
switch reports an alarm about
a MAC address hash conflict.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 45
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Scenario Description Task
The outbound Configure the MAC address- 3.11 Enabling MAC
interfaces in ARP triggered ARP entry update Address-triggered
entries need to be function. When the outbound ARP Entry Update
updated quickly. interface in a MAC address entry
changes, the device updates the
outbound interface in the
corresponding ARP entry before
ARP probing. This function
shortens service interruption time.
MAC address MAC address flapping occurs on a 3.8 Configuring
flapping needs to network when the network has a MAC Address
be prevented. loop or undergoes an attack. You Flapping Prevention
can use the following methods to
prevent MAC address flapping:
● Configure the MAC address
learning priorities for
interfaces. When the same
MAC address is learned by two
interfaces of different priorities,
the MAC address entries
learned by the interface with a
higher priority override the
MAC address entries learned by
the other interface.
● Prevent MAC address entries
from being overridden on
interfaces with the same
priority.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 46
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Scenario Description Task
MAC address MAC address flapping occurs 3.9 Configuring
flapping needs to when a MAC address is learned by MAC Address
be detected. two interfaces in the same VLAN Flapping Detection
and the MAC address entry
learned later overrides the earlier
one.
MAC address flapping detection
enables a switch to check whether
any MAC address flaps between
interfaces and determine whether
a loop occurs. When MAC address
flapping occurs, the switch sends
an alarm to the NMS. The
network maintenance personnel
can locate the loop based on the
alarm information and historical
records for MAC address flapping.
This greatly improves network
maintainability. If the network
connected to the switch does not
support loop prevention protocols,
configure the switch to shut down
the interfaces where MAC address
flapping occurs to reduce the
impact of MAC address flapping
on the network.
The switch needs A faulty host or device may send 3.10 Configuring the
to discard packets packets with an all-0 source or Switch to Discard
with an all-0 destination MAC address to a Packets with an
source or switch. Configure the switch to All-0 MAC Address
destination MAC discard such packets and send an
address. alarm to the NMS so that the
network administrator can locate
the faulty host or device based on
the alarm information.
An interface needs By default, an interface does not 3.12 Enabling Port
to forward packets forward packets whose source and Bridge
of which the source destination MAC addresses are
and destination both learned by this interface.
MAC addresses are When the interface receives such a
both learned on packet, it discards the packet as
the interface. an invalid packet. After the port
bridge function is enabled on the
interface, the interface forwards
such packets. This function applies
to a switch that connects to
devices incapable of Layer 2
forwarding or functions as an
access device in a data center.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 47
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.5 Licensing Requirements and Limitations for MAC
Address Tables
Involved Network Elements
Other network elements are not required.
Licensing Requirements
MAC address configuration commands are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management
Electronic RTU License) loaded and activated and the switches are restarted. MAC
address configuration commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.
Version Requirements
Table 3-6 Products and versions supporting MAC
Product Product Software Version
Model
S1700 S1720GFR V200R006C10, V200R009C00, V200R010C00,
V200R011C00, V200R011C10
S1720GW, V200R010C00, V200R011C00, V200R011C10
S1720GWR
S1720GW- V200R010C00, V200R011C00, V200R011C10
E,
S1720GWR
-E
S1720X, V200R011C00, V200R011C10
S1720X-E
Other Models that cannot be configured using commands.
S1700 For details about features and versions, see S1700
models Documentation Bookshelf.
S2700 S2700SI V100R005C01, V100R006(C00&C01&C03&C05)
S2700EI V100R005C01, V100R006(C00&C01&C03&C05)
S2710SI V100R006(C03&C05)
S2720EI V200R006C10, V200R009C00, V200R010C00,
V200R011C10
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 48
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Product Product Software Version
Model
S2750EI V200R003C00, V200R005C00SPC300, V200R006C00,
V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C00, V200R011C10
S3700 S3700SI V100R005C01, V100R006(C00&C01&C03&C05)
S3700EI V100R005C01, V100R006(C00&C01&C03&C05)
S3700HI V100R006C01, V200R001C00
S5700 S5700LI V200R001C00, V200R002C00,
V200R003(C00&C02&C10), V200R005C00SPC300,
V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00, V200R011C00,
V200R011C10
S5700S-LI V200R001C00, V200R002C00, V200R003C00,
V200R005C00SPC300, V200R006C00, V200R007C00,
V200R008C00, V200R009C00, V200R010C00,
V200R011C00, V200R011C10
S5710-C-LI V200R001C00
S5710-X-LI V200R008C00, V200R009C00, V200R010C00,
V200R011C00, V200R011C10
S5700EI V100R005C01, V100R006(C00&C01),
V200R001(C00&C01), V200R002C00, V200R003C00,
V200R005(C00&C01&C02&C03)
S5700SI V100R005C01, V100R006C00, V200R001C00,
V200R002C00, V200R003C00, V200R005C00
S5710EI V200R001C00, V200R002C00, V200R003C00,
V200R005(C00&C02)
S5720EI V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C00, V200R011C10
S5720LI, V200R010C00, V200R011C00, V200R011C10
S5720S-LI
S5720SI, V200R008C00, V200R009C00, V200R010C00,
S5720S-SI V200R011C00, V200R011C10
S5700HI V100R006C01, V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005(C00SPC500&C01&C02)
S5710HI V200R003C00, V200R005(C00&C02&C03)
S5720HI V200R006C00, V200R007(C00&C10), V200R008C00,
V200R009C00, V200R010C00, V200R011C00,
V200R011C10
S5730SI V200R011C10
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 49
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Product Product Software Version
Model
S5730S-EI V200R011C10
S6700 S6700EI V100R006C00, V200R001(C00&C01), V200R002C00,
V200R003C00, V200R005(C00&C01&C02)
S6720EI V200R008C00, V200R009C00, V200R010C00,
V200R011C00, V200R011C10
S6720S-EI V200R009C00, V200R010C00, V200R011C00,
V200R011C10
S6720LI, V200R011C00, V200R011C10
S6720S-LI
S6720SI, V200R011C00, V200R011C10
S6720S-SI
NOTE
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
● Dynamic MAC address entries can be learned on an interface only after the
interface is added to an existing VLAN.
● Among existing MAC address entries, only MAC addresses of the dynamic
type can be overwritten as MAC addresses of other types.
● Each static MAC address entry can have only one outbound interface.
● When the aging time of dynamic MAC address entries is set to 0, dynamic
MAC address entries do not age. To age MAC address entries, delete the aging
time configuration.
● When MAC address learning is disabled in a VLAN and an interface in the
VLAN on the S5700EI, S5710EI, S5700HI, S5710HI, and S5720EI and the
discard action is configured for the interface, the interface does not discard
packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN 3 has MAC
address learning disabled and the discard action is defined. In this situation,
Port1 discards packets from VLAN 3 but forwards packets from VLAN 2.
● When the interface frequently alternates between Up and Down, MAC
address entries may be not aged within two aging period. At this time, you
are advised to check the link quality or run the port link-flap protection
enable command to configure link flapping protection.
3.6 Default Settings for MAC Address Tables
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 50
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Table 3-7 Default setting for a MAC address table
Parameter Default Setting
Aging time of dynamic MAC address 300s
entries
MAC address learning Enabled
MAC address learning priority of an 0
interface
Preventing MAC address entries from Disabled
being overridden on interfaces with
the same priority
MAC address flapping detection Enabled
Aging time of flapping MAC address 300s
entries
MAC address-triggered ARP entry Disabled
update
Trap function for the MAC address Enabled
usage
Trap function for MAC address Disabled
learning or aging
Trap function for MAC address hash Disabled
conflicts
Discarding packets with an all-0 MAC Disabled
address
Trap function for packets with an all-0 Disabled
MAC address
Port bridge Disabled
3.7 Configuring MAC Address Tables
3.7.1 Configuring a Static MAC Address Entry
Context
A device cannot distinguish packets from authorized and unauthorized users when
it learns source MAC addresses of packets to maintain the MAC address table. This
causes network risks. If an unauthorized user uses the MAC address of an
authorized user as the source MAC address of attack packets and connects to
another interface of the device, the device learns an incorrect MAC address entry.
As a result, packets destined for the authorized user are forwarded to the
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 51
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
unauthorized user. For security purposes, you can create static MAC address
entries to bind MAC addresses of authorized users to specified interfaces. This
prevents unauthorized users from intercepting data of authorized users.
Static MAC address entries have the following characteristics:
● A static MAC address entry will not be aged out. After being saved, a static
MAC address entry will not be lost after a system restart, and can only be
deleted manually.
● The VLAN bound to a static MAC address entry must have been created and
assigned to the interface bound to the entry.
● The MAC address in a static MAC address entry must be a unicast MAC
address, and cannot be a multicast or broadcast MAC address.
● A static MAC address entry takes precedence over a dynamic MAC address
entry. The system discards packets with flapping static MAC addresses.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is created.
----End
Verifying the Configuration
Run the display mac-address static command to check configured static MAC
address entries.
3.7.2 Configuring a Blackhole MAC Address Entry
Context
To protect a device or network against MAC address attacks from hackers,
configure MAC addresses of untrusted users as blackhole MAC addresses. The
device then directly discards the received packets of which the source or
destination MAC addresses match the blackhole MAC address entries.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address blackhole mac-address [ vlan vlan-id ]
A blackhole MAC address entry is configured.
----End
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 52
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Verifying the Configuration
Run the display mac-address blackhole command to check configured blackhole
MAC address entries.
3.7.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
Because the network topology changes frequently, the switch will learn more and
more MAC addresses. Therefore, the aging time needs to be set properly for
dynamic MAC address entries so that the switch can delete unneeded MAC
address entries to prevent a sharp increase of MAC address entries. A shorter
aging time makes the switch more sensitive to network changes and is applicable
to networks where network topology changes frequently. A longer aging time
makes the switch more insensitive to network changes and is only applicable to
stable networks.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address aging-time aging-time
The aging time is set for dynamic MAC address entries.
The aging time is 0 or an integer that ranges from 10 to 1000000, in seconds. The
default value is 300. The value 0 indicates that dynamic MAC address entries will
not be aged out.
NOTE
When the aging time is 0, MAC address entries can be fixed. To clear the fixed MAC address
entries, set the aging time to a non-0 value. The system then deletes fixed MAC address
entries after twice the aging time.
----End
Verifying the Configuration
Run the display mac-address aging-time command to view the aging time of
dynamic MAC address entries.
3.7.4 Disabling MAC Address Learning
Context
The MAC address learning function is enabled by default on the switch. When
receiving a data frame, the switch records the source MAC address of the data
frame and the interface that receives the data frame in a MAC address entry.
When receiving data frames destined for this MAC address, the switch forwards
the data frames through the outbound interface according to the MAC address
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 53
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
entry. The MAC address learning function reduces broadcast packets on a network.
After MAC address learning is disabled on an interface, the switch does not learn
source MAC addresses of data frames received by the interface, but the dynamic
MAC address entries learned on the interface are not immediately deleted. These
dynamic MAC address entries are deleted after the aging time expires or can be
manually deleted using commands.
Procedure
● Disable MAC address learning on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
By default, the switch takes the forward action after MAC address
learning is disabled. That is, the switch forwards packets according to the
MAC address table. When the action is set to discard, the switch looks up
the source MAC address of the packet in the MAC address table. If the
source MAC address is found in the MAC address table, the switch
forwards the packet according to the matching MAC address entry. If the
source MAC address is not found, the switch discards the packet.
● Disable MAC address learning in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
NOTE
When MAC address learning is disabled in a VLAN and an interface in the VLAN on
the S5720EI, and the discard action is configured for the interface, the interface does
not discard packets from this VLAN. For example, MAC address learning is disabled in
VLAN 2 but enabled in VLAN 3; Port1 in VLAN 2 and VLAN has MAC address learning
disabled and performs the discard action. In this situation, Port1 discards packets from
VLAN 3 but forwards packets from VLAN 2.
● Disable MAC address learning for a specified flow.
a. Configure a traffic classifier.
i. Run system-view
The system view is displayed.
ii. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed,
or an existing traffic classifier view is displayed.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 54
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
and is the logical operator between the rules in the traffic classifier,
which means that:
○ If the traffic classifier contains ACL rules, packets match the
traffic classifier only when they match one ACL rule and all the
non-ACL rules.
○ If the traffic classifier does not contain any ACL rules, packets
match the traffic classifier only when they match all the rules in
the classifier.
The logical operator or means that packets match the traffic
classifier if they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
iii. Configure matching rules according to the following table.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-
name }, the S5720HI does not support remark 8021p [ 8021p-value |
inner-8021p ], remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-
address learning disable.
Matchin Command Remarks
g Rule
Outer if-match vlan-id start-vlan- Only the S1720X,
VLAN ID id [ to end-vlan-id ] [ cvlan- S1720X-E, S5720EI,
or inner id cvlan-id ] S5720HI, S5730SI,
and S5730S-EI, S6720LI,
outer S6720S-LI, S6720SI,
VLAN S6720S-SI, S6720EI, and
IDs of S6720S-EI support the
QinQ cvlan-id cvlan-id
packets parameter.
Inner if-match cvlan-id start- -
and vlan-id [ to end-vlan-id ]
outer [ vlan-id vlan-id ] (S1720X,
VLAN S1720X-E, S5720EI, S5720HI,
IDs in S5730SI, S5730S-EI, S6720LI,
QinQ S6720S-LI, S6720SI, S6720S-
packets SI, S6720EI, S6720S-EI)
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 55
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
802.1p if-match 8021p 8021p- If you enter multiple
priority value &<1-8> 802.1p priority values in
in VLAN one command, a packet
packets matches the traffic
classifier if it matches
any of the priorities,
regardless of whether
the relationship
between rules in the
traffic classifier is AND
or OR.
Inner if-match cvlan-8021p -
802.1p 8021p-value &<1-8>
priority (S5720EI, S5720HI, S6720EI,
in QinQ S6720S-EI)
packets
Drop if-match discard (S5720EI, A traffic classifier
packet S5720HI, S6720EI, S6720S- containing this
EI) matching rule can only
be bound to traffic
behaviors containing
traffic statistics
collection and flow
mirroring actions.
Double if-match double-tag -
tags in (S5720EI, S5720HI, S6720EI,
QinQ S6720S-EI)
packets
Destinati if-match destination-mac -
on MAC mac-address [ mac-address-
address mask ]
Source if-match source-mac mac- -
MAC address [ mac-address-
address mask ]
Protocol if-match l2-protocol { arp | -
type ip | mpls | rarp | protocol-
field in value }
the
Ethernet
frame
header
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 56
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
All if-match any After the if-match any
packets command is run, only
the matching rule
configured using this
command takes effect,
and the other matching
rules in the same traffic
classifier will become
ineffective.
DSCP if-match dscp dscp-value ● If you enter multiple
priority &<1-8> DSCP values in one
in IP command, a packet
packets matches the traffic
classifier if it matches
any of the DSCP
values, regardless of
whether the
relationship between
rules in the traffic
classifier is AND or
OR.
● If the relationship
between rules in a
traffic classifier is
AND, the if-match
dscp and if-match
ip-precedence
commands cannot be
used in the traffic
classifier
simultaneously.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 57
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
IP if-match ip-precedence ip- ● The if-match dscp
preceden precedence-value &<1-8> and if-match ip-
ce in IP precedence
packets commands cannot be
configured in a traffic
classifier in which the
relationship between
rules is AND.
● If you enter multiple
IP precedence values
in one command, a
packet matches the
traffic classifier if it
matches any of the
IP precedence values,
regardless of whether
the relationship
between rules in the
traffic classifier is
AND or OR.
Layer 3 if-match protocol { ip | -
protocol ipv6 }
type
SYN Flag if-match tcp syn-flag { syn- -
in the flag-value | ack | fin | psh |
TCP rst | syn | urg }
packet
Inbound if-match inbound-interface A traffic policy
interface interface-type interface- containing this
number matching rule cannot be
applied to the outbound
direction or in the
interface view.
Outboun if-match outbound- A traffic policy
d interface interface-type containing this
interface interface-number (S5720EI, matching rule cannot be
S5720HI, S6720EI, S6720S- applied to the inbound
EI) direction on the
S5720HI.
The traffic policy
containing this
matching rule cannot be
applied in the interface
view.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 58
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
ACL rule if-match acl { acl-number | ● When an ACL is used
acl-name } to define a traffic
classification rule, it
is recommended that
the ACL be
configured first.
● If an ACL in a traffic
classifier defines
multiple rules, a
packet matches the
ACL as long as it
matches one of rules,
regardless of whether
the relationship
between rules in the
traffic classifier is
AND or OR.
ACL6 if-match ipv6 acl { acl- Before specifying an
rule number | acl-name } ACL6 in a matching
rule, configure the
ACL6.
Flow ID if-match flow-id flow-id The traffic classifier
(S5720EI, S6720EI, S6720S- containing if-match
EI) flow-id and the traffic
behavior containing
remark flow-id must be
bound to different
traffic policies.
The traffic policy
containing if-match
flow-id can only be
applied to an interface,
a VLAN, or the system
in the inbound direction.
iv. Run quit
Exit from the traffic classifier view.
b. Configure a traffic behavior.
i. Run the traffic behavior behavior-name command to create a traffic
behavior and enter the traffic behavior view.
ii. Run the mac-address learning disable command in the traffic
behavior view to disable MAC address learning.
NOTE
This command is only supported by the S5720HI, S5720EI, S6720EI, and
S6720S-EI.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 59
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
iii. Run the quit command to exit from the traffic behavior view.
iv. Run the quit command to exit from the system view.
c. Configure a traffic policy.
i. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or
the view of an existing traffic policy is displayed. If you do not specify
a matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in the
traffic policy. To modify the matching order, delete the traffic policy,
create a traffic policy, and specify the matching order.
When creating a traffic policy, you can specify the matching order of
its matching rules. The matching order can be either automatic order
or configuration order:
○ Automatic order: Traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on the following
information are in descending order of priority: Layer 2 and IPv4
Layer 3 information, advanced ACL6 information, basic ACL6
information, Layer 2 information, IPv4 Layer 3 information, and
user-defined ACL information. If data traffic matches multiple
traffic classifiers, and the traffic behaviors conflict with each
other, the traffic behavior corresponding to the highest priority
rule takes effect.
○ Configuration order: Traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic
behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy
must be applied to an interface, a VLAN, and the system in sequence in the
outbound direction. In the preceding situation, if you need to update ACL
rules, delete the traffic policy from the interface, VLAN, and system and
reconfigure it in sequence.
ii. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
iii. Run quit
Exit from the traffic policy view.
iv. Run quit
Exit from the system view.
d. Apply the traffic policy.
▪ Applying a traffic policy to an interface
1) Run system-view
The system view is displayed.
2) Run interface interface-type interface-number
The interface view is displayed.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 60
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3) Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the interface.
A traffic policy can be applied to only one direction on an
interface, but a traffic policy can be applied to different
directions on different interfaces. After a traffic policy is applied
to an interface, the system performs traffic policing for all the
incoming or outgoing packets that match traffic classification
rules on the interface.
▪ Applying a traffic policy to a VLAN
1) Run system-view
The system view is displayed.
2) Run vlan vlan-id
The VLAN view is displayed.
3) Run traffic-policy policy-name { inbound | outbound }
A traffic policy is applied to the VLAN.
Only one traffic policy can be applied to a VLAN in the inbound
or outbound direction.
After a traffic policy is applied, the system performs traffic
policing for the packets that belong to a VLAN and match traffic
classification rules in the inbound or outbound direction.
▪ Applying a traffic policy to the system
1) Run system-view
The system view is displayed.
2) Run traffic-policy policy-name global { inbound | outbound }
[ slot slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in
one direction. A traffic policy cannot be applied to the same
direction in the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic
policing for all the incoming and outgoing packets that
match traffic classification rules on all the member switches.
A traffic policy that is applied to a specified slot takes effect
on all the interfaces and VLANs of the member switch with
the specified stack ID. The system then performs traffic
policing for all the incoming and outgoing packets that
match traffic classification rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the
local switch. The system then performs traffic policing for all
the incoming and outgoing packets that match traffic
classification rules on the local switch. Traffic policies
applied to the slot and system have the same functions.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 61
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Verifying the Configuration
● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the device.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the device.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-
number ] | vlan [ vlan-id ] ] { inbound | outbound } [ verbose ] command to
check traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound | outbound ] command to check the
traffic policy configuration on the device.
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.
3.7.5 Configuring the MAC Address Limiting Function
Context
An insecure network is vulnerable to MAC address attacks. When hackers send a
large number of forged packets with different source MAC addresses to the switch,
the MAC address table of the switch will be filled with useless MAC address
entries. As a result, the switch cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the switch. When the
number of learned MAC address entries reaches the limit, the switch does not
learn new MAC address entries. You can also configure an action to take when the
number of MAC address entries reaches the limit. This prevents MAC address
attacks and improves network security.
Procedure
● Limit the number of MAC address entries learned on an interface.
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. Run mac-limit maximum max-num
The maximum number of MAC address entries that can be learned on
the interface is set.
By default, the number of MAC address entries learned on an interface is
not limited.
d. Run mac-limit action { discard | forward }
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 62
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
The action to take when the number of learned MAC address entries
reaches the limit is configured.
By default, the switch discards packets with new MAC addresses when
the number of learned MAC address entries reaches the limit.
e. Run mac-limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
● Limit the number of MAC address entries learned in a VLAN.
a. Run system-view
The system view is displayed.
b. Run vlan vlan-id
The VLAN view is displayed.
c. Run mac-limit maximum max-num
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not
limited.
d. Run mac-limit alarm { disable | enable }
The switch is configured to or not to generate an alarm when the
number of learned MAC address entries reaches the limit.
By default, the switch generates an alarm when the number of learned
MAC address entries reaches the limit.
----End
Verifying the Configuration
Run the display mac-limit command to check limiting on MAC address learning.
3.7.6 Enabling MAC Address Trap Functions
Context
The switch enabled with trap functions sends an alarm when the MAC address
usage exceeds the threshold, a MAC address changes, or a MAC address hash
conflict occurs. The alarms enable you to know the running status of the MAC
address table in real time. MAC address entry resources are key resources for the
switch. Monitoring the use of the MAC address table ensures normal system
operations. The switch provides three trap functions for MAC address entries.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 63
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Table 3-8 Three trap functions for MAC address entries
Trap Function Description
MAC address An alarm is generated when the MAC address usage is
usage out of the higher than 80%, and a clear alarm is generated when the
specified range MAC address usage is lower than 70%.
A clear alarm can be generated only if a threshold-
exceeding alarm has been generated.
A threshold-exceeding alarm indicates that the MAC address
usage is too high. You are advised to redistribute traffic or
expand the network.
MAC address An alarm is generated when a MAC address entry is learned
learning or aging or aged.
MAC address To improve the MAC address forwarding performance, the
hash conflict MAC address table of the switch is saved using a hash chain.
When multiple MAC addresses map the same key value in
accordance with the hash algorithm, some MAC addresses
may not be learned. That is, a MAC address hash conflict
occurs.
In this situation, the MAC address entries cannot be learned
even though the MAC address table is not full.
A MAC address hash conflict does not affect traffic
forwarding. The switch broadcasts traffic destined for the
conflicting MAC addresses, occupying bandwidth and system
resources. You can replace the device or network adapter of
a terminal to prevent MAC address hash conflicts.
Procedure
● Enable the trap function for MAC address usage out of the specified range.
a. Run system-view
The system view is displayed.
b. Run mac-address threshold-alarm upper-limit upper-limit-value lower-
limit lower-limit-value
The upper and lower alarm thresholds for the MAC address usage are set.
By default, the upper and lower alarm thresholds for the MAC address usage
are 80% and 70% respectively. An alarm is generated when the MAC address
usage is higher than 80%, and a clear alarm is generated when the MAC
address usage is lower than 70%.
● Enable the trap function for MAC address learning or aging.
a. Run system-view
The system view is displayed.
b. (Optional) Run mac-address trap notification interval interval-time
The interval at which the switch checks MAC address learning or aging is
set.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 64
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
By default, the switch checks MAC address learning or aging at intervals
of 10s.
c. Run interface interface-type interface-number
The interface view is displayed.
d. Run mac-address trap notification { aging | learn | all }
The trap function for MAC address learning and aging is enabled on the
interface.
By default, the trap function for MAC address learning or aging is
disabled.
● Enable the trap function for MAC address hash conflicts.
a. Run system-view
The system view is displayed.
b. Run mac-address trap hash-conflict enable
The trap function for MAC address hash conflicts is enabled.
By default, the trap function for MAC address hash conflicts is enabled.
c. (Optional) Run mac-address trap hash-conflict history history-number
The number of MAC address hash conflict alarms reported at an interval
is set.
By default, 10 MAC address hash conflict alarms are reported at an
interval.
d. (Optional) Run mac-address trap hash-conflict interval interval-time
The interval at which MAC address hash conflict alarms are reported is
set.
By default, MAC address hash conflict alarms are reported at intervals of
60s.
Verifying the Configuration
Run the display current-configuration command to check MAC address trap
functions on the switch.
3.7.7 Configuring a MAC Hash Algorithm
Context
A device usually uses a hash algorithm to learn MAC address entries to improve
MAC address forwarding performance. When multiple MAC addresses map the
same key value, a MAC address hash conflict may occur. When a MAC address
hash conflict occurs, the device may fail to learn many MAC addresses and can
only broadcast traffic destined for these MAC addresses. The heavy broadcast
traffic increases the load on the device. In this case, use an appropriate hash
algorithm to mitigate the hash conflict.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 65
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
NOTE
● The device uses the hash bucket to store MAC addresses. The device that uses the hash
bucket performs hash calculation for VLAN IDs and MAC addresses in MAC address
entries to be stored and obtains hash bucket indexes. The MAC addresses with the same
hash bucket index are stored in the same hash bucket. If a hash bucket with the
maximum storage space cannot accommodate learned MAC addresses of the hash
bucket, a hash conflict occurs and MAC addresses cannot be stored. The maximum
number of MAC addresses learned by the device through the hash bucket may be not
reached.
● The S5720HI does not support this configuration.
● MAC addresses are distributed on a network randomly, so the best hash algorithm
cannot be determined. Generally, the default hash algorithm is the best one, so do not
change the hash algorithm unless you have special requirements.
● An appropriate hash algorithm can reduce hash conflicts, but cannot prevent them.
● After the hash algorithm is changed, restart the device to make the configuration take
effect.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Configure a hash algorithm.
● Run the mac-address hash-mode { xor | crc } slot slot-id command on the
S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E,
S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI,
S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI, and
S5720S-SI.
● Run the mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower
| crc32-upper | lsb } slot slot-id command on other models except the
S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E,
S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI,
S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720SI, and
S5720S-SI.
By default, the hash algorithm is crc on the S1720GFR, S1720GW, S1720GWR,
S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-
LI, S6720LI, S6720S-LI, S5700LI, S5700S-LI, S5710-X-LI, S5730SI, S5730S-EI,
S6720SI, S6720S-SI, S5720SI, and S5720S-SI and crc32-lower on other models.
Step 3 Run mac-address hash-bucket-mode { size4 | size8 | size12 | size16 }
The hash bucket size is configured for the MAC address table.
This function is supported only by the S1720GFR, S1720GW, S1720GWR, S1720X,
S1720GW-E, S1720GWR-E, S1720X-E, S2750EI, S5700LI, S5700S-LI, S5720LI,
S5720S-LI, S5720SI, and S5720S-SI.
By default, the hash bucket size of a MAC address table is 4.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 66
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
NOTE
● A larger hash bucket size will lower device forwarding performance.
● After you change the hash bucket size to a smaller value, you need to restart the device.
----End
Verifying the Configuration
Run the display mac-address hash-mode command to check the running and
configured hash algorithms.
3.7.8 Configuring the Extended MAC Entry Resource Mode
Context
You can set the MAC entry resource mode to big-mac to increase the MAC
address table size. When the switch transmits heavy traffic, MAC address entries
increase accordingly. If the current MAC address table size cannot meet service
requirements, service running efficiency is reduced. The switch provides the
extended entry space register. You can configure an extended MAC entry resource
mode to increase the MAC address table size.
NOTE
Only the S5720EI, S6720EI and S6720S-EI support this function.
Procedure
Step 1 (Optional) Run display resource-mode configuration
The extended entry resource mode is displayed.
Step 2 Run system-view
The system view is displayed.
Step 3 Run assign resource-mode enhanced-mac slot slot-id
The extended MAC entry resource mode is configured.
NOTE
After the extended MAC entry resource mode is configured, you must restart the switch to make
the configuration take effect.
----End
Verifying the Configuration
Run the display resource-mode configuration command to check the configured
and current extended entry resource modes.
3.8 Configuring MAC Address Flapping Prevention
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 67
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.8.1 Configuring a MAC Address Learning Priority for an
Interface
Context
To prevent MAC address flapping, set different MAC address learning priorities for
interfaces. When two interfaces learn the same MAC address entries, the MAC
address entries learned by the interface with a higher priority override the MAC
address entries learned by the other interface.
Procedure
Perform the following operations on the S5720HI, S5720EI, S6720EI, and S6720S-
EI.
1. Run system-view
The system view is displayed.
2. Run interface interface-type interface-number
The interface view is displayed.
3. Run mac-learning priority priority-id
The MAC address learning priority of the interface is set.
By default, the MAC address learning priority of an interface is 0. A larger
priority value indicates a higher MAC address learning priority.
4. Run mac-learning priority flapping-defend action discard
The switch is configured to discard packets when the switch is configured to
prohibit MAC address flapping.
By default, the action is forward when the switch is configured to prohibit
MAC address flapping.
Perform the following operations on the S1720GFR, S1720GW, S1720GWR,
S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5700LI, S5700S-LI,
S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5710-X-LI, S2750EI, S5730SI, S5730S-EI,
S6720SI, S6720S-SI, S5720S-SI, and S5720SI.
1. Run system-view
The system view is displayed.
2. Run mac-spoofing-defend enable
Global MAC spoofing defense is enabled.
By default, global MAC spoofing defense is disabled.
3. Run interface interface-type interface-number
The interface view is displayed.
4. Run mac-spoofing-defend enable
MAC spoofing defense is enabled on the interface so that the interface
becomes a trusted interface.
By default, MAC spoofing defense is disabled on an interface.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 68
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Verifying the Configuration
Run the display current-configuration command to check the MAC address
learning priorities of interfaces.
3.8.2 Preventing MAC Address Flapping Between Interfaces
with the Same Priority
Context
Preventing MAC address flapping between interfaces with the same priority can
improve network security.
After the switch is configured to prevent MAC address flapping between interfaces
with the same priority, the following problem may occur: If the network device
(such as a server) connected to an interface of switch is powered off and the same
MAC address is learned on another interface, the switch cannot learn the correct
MAC address on the original interface after the network device is powered on.
NOTE
Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support this configuration.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run undo mac-learning priority priority-id allow-flapping
The device is configured to prevent MAC address flapping between interfaces with
the same priority.
By default, the device allows MAC address flapping between interfaces with the
same priority.
Step 3 Run mac-learning priority flapping-defend action discard
The switch discards packets when it is configured to prohibit MAC address
flapping.
By default, the action is forward when the switch is configured to prohibit MAC
address flapping.
----End
Verifying the Configuration
Run the display current-configuration command to check whether MAC address
flapping is allowed between interfaces with the same priority.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 69
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.9 Configuring MAC Address Flapping Detection
Context
MAC address flapping detection enables the device to check all MAC addresses to
detect MAC address flapping.
NOTE
● Configuring an action to take for MAC address flapping on an uplink interface may
cause interruption of important uplink traffic, and such configuration is not
recommended.
● The device enabled with MAC address flapping detection can detect loops on a single
point, but cannot obtain the entire network topology. If the network connected to the
device supports loop prevention protocols, use the loop prevention protocols instead of
MAC address flapping detection to eliminate loops.
● If only a few VLANs on the user network encounter loops, it is recommended that you
set the loop prevention action to quit-vlan.
● If a large number of VLANs on the user network encounter loops, it is recommended
that you set the loop prevention action to error-down. This action improves system
performance. Additionally, the remote device can detect the error-down event so that it
can quickly switch traffic to a backup link (if any).
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address flapping detection
MAC address flapping detection is enabled.
By default, MAC address flapping detection is enabled. The device detects MAC
address flapping in all VLANs.
Step 3 (Optional) Run mac-address flapping detection exclude vlan { vlan-id1 [ to
vlan-id2 ] } &<1-10>
One or more VLANs are excluded from MAC address flapping detection.
By default, the system performs MAC address flapping detection in all VLANs. In
special scenarios, for example, when a switch is connected to a server with two
network adapters in active-active mode, the server's MAC address may be learned
on two interfaces of the switch. Such a MAC address flapping event does not need
to be handled. You can exclude the VLAN where the server resides from MAC
address flapping detection.
Step 4 (Optional) Run mac-address flapping detection vlan { { vlan-id1 [ to vlan-id2 ] }
&<1-10> | all } security-level { high | middle | low }
The security level of MAC address flapping detection is configured in one or more
specified VLANs.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 70
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
By default, the security level of MAC address flapping detection is middle. That is,
the system considers that MAC address flapping occurs when a MAC address flaps
10 times.
Step 5 (Optional) Run mac-address flapping aging-time aging-time
The aging time of flapping MAC addresses is set.
By default, the aging time of flapping MAC addresses is 300 seconds. If the aging
time of dynamic MAC addresses is long, a MAC address flapping event may be
detected after a long time. To ensure that the system detects MAC address
flapping quickly, shorten the aging time of flapping MAC addresses.
Step 6 (Optional) Configure an action to take after MAC address flapping is detected on
an interface and the priority of the action.
1. Run interface interface-type interface-number
The interface view is displayed.
2. Run mac-address flapping action { quit-vlan | error-down }
An action is specified for the interface if MAC address flapping occurs on the
interface.
By default, no action is configured. If an interface is connected to a user
network that does not support loop prevention protocols, MAC address
flapping may occur when there is a loop on the user network. Use this
command to configure an action on the interface. When MAC address
flapping is detected on the interface, the device takes the configured action. If
the action is set to error-down, the device shuts down the interface. If the
action is set to quit-vlan, the device removes the interface from the VLAN
where MAC address flapping occurs. Only one interface can be shut down
during one aging time of flapping MAC addresses.
NOTE
– Do not use the quit-vlan action together with dynamic VLAN functions such as
GVRP.
– When a MAC address flaps between an interface configured with the error-down
action and an interface configured with the quit-vlan action, the former interface
is shut down and the latter interface is removed from the VLAN. If a loop may be
generated between some interfaces, configure the same action for all the
interfaces.
3. Run mac-address flapping action priority priority
The priority of the action against MAC address flapping is set.
----End
Verifying the Configuration
Run the display mac-address flapping command to check information about
MAC address flapping detection in a VLAN.
Action to Take After MAC Address Flapping Occurs
The device that has MAC address flapping detection configured reports alarms
when it detects MAC address flapping. If the same alarm is reported multiple
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 71
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
times, a loop may exist on the network. To remove the loop, run the shutdown
command to shut down the interface specified in the MAC address flapping alarm.
Alternatively, configure an action against MAC address flapping on the interface to
remove the loop.
When configuring an action against MAC address flapping on an interface to
remove a loop, pay attention to the following points:
● When the action is set to error-down, the interface cannot be automatically
restored after it is shut down. You can only restore the interface by running
the shutdown and undo shutdown commands or the restart command in
the interface view.
To enable the interface to go Up automatically, you must run the error-down
auto-recovery cause mac-address-flapping command in the system view
before the interface enters the error-down state. This command enables an
interface in error-down state to go Up and sets a recovery delay. The interface
goes Up automatically after the delay.
● If the action is set to quit-vlan, the interface can be automatically restored
after a delay after it is removed from the VLAN. The default recovery delay is
10 minutes. The recovery delay time can be set using the mac-address
flapping quit-vlan recover-time time-value command in the system view.
3.10 Configuring the Switch to Discard Packets with an
All-0 MAC Address
Context
You can configure the switch to discard packets with an all-0 source or destination
MAC address.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run drop illegal-mac enable
The switch is enabled to discard packets with an all-0 MAC address.
By default, the switch does not discard packets with an all-0 MAC address.
Step 3 (Optional) Run drop illegal-mac alarm
The switch is configured to send an alarm to the NMS when receiving packets
with an all-0 MAC address.
By default, the switch does not send an alarm when receiving packets with an
all-0 MAC address.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 72
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
NOTE
The drop illegal-mac alarm command allows the switch to generate one alarm. You must
reconfigure the drop illegal-mac alarm command if more than one alarm is required.
----End
Verifying the Configuration
Run the display current-configuration command to check whether the switch is
enabled to discard packets with an all-0 MAC address.
3.11 Enabling MAC Address-triggered ARP Entry
Update
Context
Each network device uses an IP address to communicate with other devices. On an
Ethernet network, a host, switching device, or routing device sends and receives
Ethernet data frames based on MAC addresses. The ARP protocol maps IP
addresses to MAC addresses. When two devices on different network segments
communicate with each other, they need to map IP addresses to MAC addresses
and outbound interfaces according to ARP entries.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run mac-address update arp
The MAC address-triggered ARP entry update function is enabled.
By default, the MAC address-triggered ARP entry update function is disabled.
NOTE
● Only the S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, S6720S-SI, S5720HI,
S6720EI, and S6720S-EI support this command.
● This command takes effect only for dynamic ARP entries. Static ARP entries are not
updated when the corresponding MAC address entries change.
● The MAC address-triggered ARP entry update function does not take effect after ARP
entry fixing is enabled using the arp anti-attack entry-check enable command.
● After the MAC address-triggered ARP entry update function is enabled, the switch
updates an ARP entry only when the outbound interface in the corresponding MAC
address entry changes.
----End
Verifying the Configuration
Run the display current-configuration command to check whether the MAC
address-triggered ARP entry update function is enabled.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 73
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.12 Enabling Port Bridge
Context
By default, an interface does not forward packets whose source and destination
MAC addresses are both learned by this interface. When the interface receives
such a packet, it discards the packet as an invalid packet.
After the port bridge function is enabled on the interface, the interface forwards
such a packet if the destination MAC address of the packet is in the MAC address
table.
The port bridge function is used in the following scenarios:
● The switch connects to devices that do not support Layer 2 forwarding. When
users connected to the devices need to communicate, the devices send
packets of the users to the switch for packet forwarding. Because source and
destination MAC addresses of the packets are learned on the same interface,
the port bridge function needs to be enabled on the interface so that the
interface can forward such packets.
● The switch is used as an access device in a data center and is connected to
servers. Each server is configured with multiple virtual machines. The virtual
machines need to transmit data to each other. If servers perform data
switching for virtual machines, the data switching speed and server
performance are reduced. To improve the data transmission rate and server
performance, enable the port bridge function on the interfaces connected to
the servers so that the switch forwards data packets between the virtual
machines.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 Run port bridge enable
The port bridge function is enabled on the interface.
By default, the port bridge function is disabled on an interface.
----End
Verifying the Configuration
Run the display current-configuration command to check whether the port
bridge function is enabled.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 74
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.13 Configuring Re-marking of Destination MAC
Addresses
Context
The re-marking function enables the switch to set the specified fields of packets
matching traffic classification rules. After the re-marking action is configured, the
switch still processes outgoing packets based on the original priority but the
downstream device processes the packets based on the re-marked priority. You can
configure action that re-marks the destination MAC address of packets in a traffic
behavior so that the downstream device can identify packets and provide
differentiated services.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support this configuration.
Procedure
1. Configure a traffic classifier.
a. Run system-view
The system view is displayed.
b. Run traffic classifier classifier-name [ operator { and | or } ]
A traffic classifier is created and the traffic classifier view is displayed, or
an existing traffic classifier view is displayed.
and is the logical operator between the rules in the traffic classifier,
which means that:
▪ If the traffic classifier contains ACL rules, packets match the traffic
classifier only when they match one ACL rule and all the non-ACL
rules.
▪ If the traffic classifier does not contain any ACL rules, packets match
the traffic classifier only when they match all the rules in the
classifier.
The logical operator or means that packets match the traffic classifier if
they match one of the rules in the classifier.
By default, the relationship between rules in a traffic classifier is OR.
c. Configure matching rules according to the following table.
NOTE
Only the S5720EI, S6720EI, and S6720S-EI support traffic classifiers with
advanced ACLs containing the ttl-expired field.
When a traffic classifier contains if-match ipv6 acl { acl-number | acl-name },
the S5720HI does not support remark 8021p [ 8021p-value | inner-8021p ],
remark cvlan-id cvlan-id, remark vlan-id vlan-id, or mac-address learning
disable.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 75
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
Outer if-match vlan-id start-vlan-id Only the S1720X, S1720X-
VLAN ID [ to end-vlan-id ] [ cvlan-id E, S5720EI, S5720HI,
or inner cvlan-id ] S5730SI, S5730S-EI,
and outer S6720LI, S6720S-LI,
VLAN IDs S6720SI, S6720S-SI,
of QinQ S6720EI, and S6720S-EI
packets support the cvlan-id
cvlan-id parameter.
Inner and if-match cvlan-id start-vlan-id -
outer [ to end-vlan-id ] [ vlan-id
VLAN IDs vlan-id ] (S1720X, S1720X-E,
in QinQ S5720EI, S5720HI, S5730SI,
packets S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720EI,
S6720S-EI)
802.1p if-match 8021p 8021p-value If you enter multiple
priority in &<1-8> 802.1p priority values in
VLAN one command, a packet
packets matches the traffic
classifier if it matches any
of the priorities,
regardless of whether the
relationship between
rules in the traffic
classifier is AND or OR.
Inner if-match cvlan-8021p 8021p- -
802.1p value &<1-8> (S5720EI,
priority in S5720HI, S6720EI, S6720S-EI)
QinQ
packets
Drop if-match discard (S5720EI, A traffic classifier
packet S5720HI, S6720EI, S6720S-EI) containing this matching
rule can only be bound to
traffic behaviors
containing traffic statistics
collection and flow
mirroring actions.
Double if-match double-tag -
tags in (S5720EI, S5720HI, S6720EI,
QinQ S6720S-EI)
packets
Destinati if-match destination-mac -
on MAC mac-address [ mac-address-
address mask ]
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 76
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
Source if-match source-mac mac- -
MAC address [ mac-address-mask ]
address
Protocol if-match l2-protocol { arp | ip -
type field | mpls | rarp | protocol-value }
in the
Ethernet
frame
header
All if-match any After the if-match any
packets command is run, only the
matching rule configured
using this command takes
effect, and the other
matching rules in the
same traffic classifier will
become ineffective.
DSCP if-match dscp dscp-value ● If you enter multiple
priority in &<1-8> DSCP values in one
IP command, a packet
packets matches the traffic
classifier if it matches
any of the DSCP
values, regardless of
whether the
relationship between
rules in the traffic
classifier is AND or OR.
● If the relationship
between rules in a
traffic classifier is AND,
the if-match dscp and
if-match ip-
precedence
commands cannot be
used in the traffic
classifier
simultaneously.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 77
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
IP if-match ip-precedence ip- ● The if-match dscp and
preceden precedence-value &<1-8> if-match ip-
ce in IP precedence
packets commands cannot be
configured in a traffic
classifier in which the
relationship between
rules is AND.
● If you enter multiple IP
precedence values in
one command, a
packet matches the
traffic classifier if it
matches any of the IP
precedence values,
regardless of whether
the relationship
between rules in the
traffic classifier is AND
or OR.
Layer 3 if-match protocol { ip | ipv6 } -
protocol
type
SYN Flag if-match tcp syn-flag { syn- -
in the flag-value | ack | fin | psh | rst
TCP | syn | urg }
packet
Inbound if-match inbound-interface A traffic policy containing
interface interface-type interface- this matching rule cannot
number be applied to the
outbound direction or in
the interface view.
Outboun if-match outbound-interface A traffic policy containing
d interface-type interface- this matching rule cannot
interface number (S5720EI, S5720HI, be applied to the inbound
S6720EI, S6720S-EI) direction on the S5720HI.
The traffic policy
containing this matching
rule cannot be applied in
the interface view.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 78
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Matchin Command Remarks
g Rule
ACL rule if-match acl { acl-number | ● When an ACL is used
acl-name } to define a traffic
classification rule, it is
recommended that the
ACL be configured first.
● If an ACL in a traffic
classifier defines
multiple rules, a packet
matches the ACL as
long as it matches one
of rules, regardless of
whether the
relationship between
rules in the traffic
classifier is AND or OR.
ACL6 rule if-match ipv6 acl { acl- Before specifying an ACL6
number | acl-name } in a matching rule,
configure the ACL6.
Flow ID if-match flow-id flow-id The traffic classifier
(S5720EI, S6720EI, S6720S-EI) containing if-match
flow-id and the traffic
behavior containing
remark flow-id must be
bound to different traffic
policies.
The traffic policy
containing if-match
flow-id can only be
applied to an interface, a
VLAN, or the system in
the inbound direction.
d. Run quit
Exit from the traffic classifier view.
2. Configure a traffic behavior.
a. Run the traffic behavior behavior-name command to create a traffic
behavior and enter the traffic behavior view.
b. Run the remark destination-mac mac-address command to configure
the action that re-marks destination MAC addresses of packets. The
destination MAC address to be re-marked must be a unicast MAC
address.
c. Run the quit command to exit from the traffic behavior view.
d. Run the quit command to exit from the system view.
3. Configure a traffic policy.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 79
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
a. Run traffic policy policy-name [ match-order { auto | config } ]
A traffic policy is created and the traffic policy view is displayed, or the
view of an existing traffic policy is displayed. If you do not specify a
matching order for traffic classifiers in the traffic policy, the default
matching order config is used.
After a traffic policy is applied, you cannot use the traffic policy
command to modify the matching order of traffic classifiers in the traffic
policy. To modify the matching order, delete the traffic policy, create a
traffic policy, and specify the matching order.
When creating a traffic policy, you can specify the matching order of its
matching rules. The matching order can be either automatic order or
configuration order:
▪ Automatic order: Traffic classifiers are matched based on the
priorities of their types. Traffic classifiers based on the following
information are in descending order of priority: Layer 2 and IPv4
Layer 3 information, advanced ACL6 information, basic ACL6
information, Layer 2 information, IPv4 Layer 3 information, and user-
defined ACL information. If data traffic matches multiple traffic
classifiers, and the traffic behaviors conflict with each other, the
traffic behavior corresponding to the highest priority rule takes
effect.
▪ Configuration order: Traffic classifiers are matched based on the
sequence in which traffic classifiers were bound to traffic behaviors.
NOTE
If more than 128 ACL rules defining CAR are configured, a traffic policy must be
applied to an interface, a VLAN, and the system in sequence in the outbound
direction. In the preceding situation, if you need to update ACL rules, delete the
traffic policy from the interface, VLAN, and system and reconfigure it in
sequence.
b. Run classifier classifier-name behavior behavior-name
A traffic behavior is bound to a traffic classifier in the traffic policy.
c. Run quit
Exit from the traffic policy view.
d. Run quit
Exit from the system view.
4. Apply the traffic policy.
– Applying a traffic policy to an interface
i. Run system-view
The system view is displayed.
ii. Run interface interface-type interface-number
The interface view is displayed.
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the interface.
– Applying a traffic policy to a VLAN
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 80
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
i. Run system-view
The system view is displayed.
ii. Run vlan vlan-id
The VLAN view is displayed.
iii. Run traffic-policy policy-name { inbound }
A traffic policy is applied to the VLAN.
– Applying a traffic policy to the system
i. Run system-view
The system view is displayed.
ii. Run traffic-policy policy-name global { inbound | outbound } [ slot
slot-id ]
A traffic policy is applied to the system.
Only one traffic policy can be applied to the system or slot in one
direction. A traffic policy cannot be applied to the same direction in
the system and slot simultaneously.
○ In a stack, a traffic policy that is applied to the system takes
effect on all the interfaces and VLANs of all the member
switches in the stack. The system then performs traffic policing
for all the incoming and outgoing packets that match traffic
classification rules on all the member switches. A traffic policy
that is applied to a specified slot takes effect on all the
interfaces and VLANs of the member switch with the specified
stack ID. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on this member switch.
○ On a standalone switch, a traffic policy that is applied to the
system takes effect on all the interfaces and VLANs of the local
switch. The system then performs traffic policing for all the
incoming and outgoing packets that match traffic classification
rules on the local switch. Traffic policies applied to the slot and
system have the same functions.
Verifying the Configuration
● Run the display traffic classifier user-defined [ classifier-name ] command
to check the traffic classifier configuration on the device.
● Run the display traffic behavior user-defined [ behavior-name ] command
to check the traffic behavior configuration on the device.
● Run the display traffic policy user-defined [ policy-name [ classifier
classifier-name ] ] command to check the user-defined traffic policy
configuration.
● Run the display traffic-applied [ interface [ interface-type interface-
number ] | vlan [ vlan-id ] ] { inbound } [ verbose ] command to check
traffic actions and ACL rules associated with the system, a VLAN, or an
interface.
● Run the display traffic policy { interface [ interface-type interface-number ]
| vlan [ vlan-id ] | global } [ inbound ] command to check the traffic policy
configuration on the device.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 81
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
● Run the display traffic-policy applied-record [ policy-name ] command to
check the record of the specified traffic policy.
3.14 Maintaining MAC Address Tables
3.14.1 Displaying MAC Address Entries
Table 3-9 Commands used to display MAC address entries
Action Command
Display all MAC address entries. display mac-address
Display static MAC address entries. display mac-address static
Display static MAC address entries in a display mac-address static vlan vlan-
specified VLAN. id
Display MAC address entries learned in display mac-address dynamic vlan
a VLAN. vlan-id
Display MAC address entries learned display mac-address dynamic
on an interface. interface-type interface-number
Display a specified MAC address. display mac-address mac-address
Display the aging time of dynamic display mac-address aging-time
MAC address entries.
Display statistics on MAC address ● Display the total statistics: display
entries. mac-address total-number
● Display the statistics of various
types of MAC address entries:
display mac-address summary
Display the system MAC address. display bridge mac-address
Display the MAC address of an display interface interface-type
interface. interface-number
Hardware address indicates the MAC
address of the interface.
Display the MAC address of a VLANIF display interface vlanif vlan-id
interface. Hardware address indicates the MAC
address of the VLANIF interface.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 82
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
3.14.2 Deleting MAC Address Entries
Table 3-10 Commands used to delete MAC address entries
Action Command
Delete all MAC address entries. undo mac-address
Delete MAC address entries in a VLAN. undo mac-address vlan vlan-id
Delete MAC address entries on an undo mac-address interface-type
interface. interface-number
Delete all the dynamic MAC address undo mac-address dynamic
entries
Delete all the static MAC address undo mac-address static
entries
3.14.3 Displaying MAC Address Flapping Information
Table 3-11 Commands used to display MAC address flapping records
Action Command
Display alarms about MAC address Run the display trapbuffer command
flapping. to check whether the following alarms
exist:
● OID 1.3.6.1.4.1.2011.5.25.160.3.7
Display detailed MAC address flapping display mac-address flapping record
records.
3.15 Configuration Examples for MAC Address Tables
3.15.1 Example for Configuring Static MAC Address Entries
Networking Requirements
As shown in Figure 3-12, the user PC with MAC address 0002-0002-0002 connects
to the GE0/0/1 of the Switch, and the server with MAC address 0004-0004-0004
connects to GE0/0/2 of the Switch. The user PC and server communicate in VLAN
2.
● To prevent unauthorized users from using the user PC's MAC address to
initiate attacks, configure a static MAC address entry for the user PC on the
Switch.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 83
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
● To prevent unauthorized users from using the server's MAC address to
intercept information about important users, configure a static MAC address
entry for the server on the Switch.
NOTE
This example applies to scenarios with a small number of users. When there are many
users, use dynamic MAC address entries. For details, see Example for Configuring Port
Security in "Port Security Configuration" in the S1720, S2700, S5700, and S6720
V200R011C10 Configuration Guide - Security.
Figure 3-12 Networking for configuring static MAC address entries
Network
Switch
GE0/0/1 GE0/0/2
VLAN 2
PC:2-2-2 Server:4-4-4
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 2 and add the interfaces connected to the PC and server to the
VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent attacks from unauthorized
users.
Procedure
Step 1 Create static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN
2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 84
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] quit
# Configure static MAC address entries.
[Switch] mac-address static 2-2-2 GigabitEthernet 0/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 0/0/2 vlan 2
Step 2 Verify the configuration.
# Run the display mac-address static vlan 2 command in any view to check
whether the static MAC address entries are successfully added to the MAC address
table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-/- GE0/0/1 static
0004-0004-0004 2/-/- GE0/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 2
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
mac-address static 0004-0004-0004 GigabitEthernet0/0/2 vlan 2
#
return
3.15.2 Example for Configuring Blackhole MAC Address
Entries
Networking Requirements
In Figure 3-13, the Switch receives packets from an unauthorized PC that has the
MAC address of 0005-0005-0005 and belongs to VLAN 3. This MAC address entry
can be configured as a blackhole MAC address entry so that the Switch filters out
packets from the unauthorized PC.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 85
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Figure 3-13 Networking for configuring a blackhole MAC address entry
Unauthorized
MAC Address VLAN ID
5-5-5 3 user
Switch
Authorized Authorized Authorized
user 1 user 2 user 3
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address entry to filter out packets from the
unauthorized PC.
Procedure
Step 1 Configure a blackhole MAC address entry.
# Create VLAN 3.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 3
[Switch-vlan3] quit
# Configure a blackhole MAC address entry.
[Switch] mac-address blackhole 0005-0005-0005 vlan 3
Step 2 Verify the configuration.
# Run the display mac-address blackhole command in any view to check
whether the blackhole MAC address entry is successfully added to the MAC
address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI/BD Learned-From Type
-------------------------------------------------------------------------------
0005-0005-0005 3/-/- - blackhole
-------------------------------------------------------------------------------
Total items displayed = 1
----End
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 86
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole 0005-0005-0005 vlan 3
#
return
3.15.3 Example for Configuring MAC Address Limiting on an
Interface
Networking Requirements
In Figure 3-14, user network 1 and user network 2 connect to the Switch through
the LSW, and the LSW connects to the Switch through GE0/0/1. User network 1
and user network 2 belong to VLAN 10 and VLAN 20 respectively. On the Switch,
MAC address limiting can be configured on GE0/0/1 to control the number of
access users.
Figure 3-14 Networking for configuring MAC address limiting on an interface
Network
Switch
GE0/0/1
LSW
User User
network 1 network 2
VLAN 10 VLAN 20
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add the downlink interface to the VLANs to implement
Layer 2 forwarding.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 87
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
2. Configure MAC address limiting on the interface to control the number of
access users.
Procedure
Step 1 Configure MAC address limiting.
# Create VLAN 10 and VLAN 20, and add the GigabitEthernet0/0/1 to VLAN 10
and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20
# Configure a MAC address limiting rule on GigabitEthernet0/0/1: A maximum of
100 MAC address entries can be learned on the interface. When the number of
learned MAC address entries reaches the limit, the Switch forwards the packets
with new source MAC address entries and generates an alarm.
[Switch-GigabitEthernet0/0/1] mac-limit maximum 100 alarm enable
[Switch-GigabitEthernet0/0/1] return
Step 2 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
GE0/0/1 - - 100 - discard enable
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid tagged vlan 10 20
mac-limit maximum 100
#
return
3.15.4 Example for Configuring MAC Address Limiting in a
VLAN
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 88
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Networking Requirements
In Figure 3-15, user network 1 is connected to GE0/0/1 of the Switch through
LSW1, and user network 2 is connected to GE0/0/2 of the Switch through LSW2.
GE0/0/1 and GE0/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.
Figure 3-15 Networking of MAC address limiting
Network
Switch
GE0/0/1 GE0/0/2
LSW1 LSW2
User User
network 1 VLAN 2 network 2
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address limiting in the VLAN to prevent MAC address attacks
and control access users.
Procedure
Step 1 Configure MAC address limiting.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type hybrid
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 89
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
# Configure the following MAC address limiting rule in VLAN 2: A maximum of
100 MAC addresses can be learned. When the number of learned MAC address
entries reaches the limit, the Switch directly discards the packets with new source
MAC address entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return
Step 2 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm
----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
return
3.15.5 Example for Configuring MAC Address Flapping
Prevention
Networking Requirements
In Figure 3-16, employees of an enterprise need to access the server connected to
a switch interface. If an unauthorized user uses the server's MAC address as the
source MAC address to send packets to another interface, the server's MAC
address is learned on the interface. Then packets sent from employees to the
server are forwarded to the unauthorized user. As a result, employees cannot
access the server, and important data may be intercepted by the unauthorized
user.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 90
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
MAC address flapping prevention can be configured to protect the server against
attacks from unauthorized users.
Figure 3-16 Networking of MAC address flapping prevention
Server
MAC:11-22-33
GE0/0/1 VLAN 10
Switch
GE0/0/2 PC4
MAC:11-22-33
LSW
PC1 PC2 PC3
VLAN10
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address flapping prevention on the server-side interface.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type hybrid
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
Step 2 # Set the MAC address learning priority of GigabitEthernet0/0/1 to 2.
[Switch-GigabitEthernet0/0/1] mac-learning priority 2
[Switch-GigabitEthernet0/0/1] quit
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 91
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Step 3 Verify the configuration.
# Run the display current-configuration command in any view to check whether
the MAC address learning priority is set correctly.
[Switch] display current-configuration interface gigabitethernet 0/0/1
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
return
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-learning priority 2
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return
3.15.6 Example for Configuring MAC Address Flapping
Detection
Networking Requirements
In Figure 3-17, a loop occurs on a user network because two LSWs are incorrectly
connected using a network cable. The loop causes MAC address flapping in the
MAC address table of the Switch.
To detect loops in a timely manner, configure MAC address flapping detection on
the Switch. This function enables the Switch to detect loops by checking whether a
MAC address flaps between interfaces. To remove loops on the network, configure
an action against MAC address flapping on the interfaces.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 92
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Figure 3-17 Networking of MAC address flapping detection
Network
Switch
GE0/0/1 GE0/0/2
LSW1 LSW2
Incorrect connection
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure an action against MAC address flapping on the interfaces to
remove loops.
Procedure
Step 1 Enable MAC address flapping detection.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] mac-address flapping detection
Step 2 Set the aging time of flapping MAC addresses.
[Switch] mac-address flapping aging-time 500
Step 3 Configure the action against MAC address flapping to shutdown on the GE0/0/1
and GE0/0/2.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit
Step 4 Enable error-down interfaces to go Up automatically and set the automatic
recovery delay.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
Step 5 Verify the configuration.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 93
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
When the MAC address learned on the GE moves to GE0/0/2, GE0/0/2 is shut
down automatically. You can run the display mac-address flapping record
command to view MAC address flapping records.
[Switch] display mac-address flapping record
S : start time
E : end time
(Q) : quit vlan
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44
-------------------------------------------------------------------------------
Total items on slot 0: 1
----End
Configuration Files
Switch configuration file
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
interface GigabitEthernet0/0/1
mac-address flapping action error-down
#
interface GigabitEthernet0/0/2
mac-address flapping action error-down
#
return
3.16 Troubleshooting MAC Address Tables
3.16.1 MAC Address Entries Failed to Be Learned on an
Interface
Fault Symptom
MAC address entries cannot be learned on an interface, causing Layer 2
forwarding failures.
Procedure
Step 1 Check the configuration on the device.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 94
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Check Item Check Method Follow-up Operation
Whether the Run the display vlan Run the vlan vlan-id command in
VLAN that the vlan-id command in any the system view to create the
interface view. If the system VLAN.
belongs to has displays the message
been created "Error: The VLAN does
not exist", the VLAN is
not created.
Whether the Run the display vlan Run one of the following
interface vlan-id command in any commands in the interface view
transparently view to check whether to add the interface to the VLAN.
transmits the interface name ● Run the port trunk allow-pass
packets from exists. If not, the vlan command if the interface
the VLAN interface does not is a trunk interface.
transparently transmit
packets from the VLAN. ● Run the port hybrid tagged
vlan or port hybrid untagged
vlan command if the interface
is a hybrid interface.
● Run the port default vlan
command if the interface is an
access interface.
Whether a Run the display mac- If a blackhole MAC address entry
blackhole MAC address blackhole is displayed, run the undo mac-
address entry is command in any view to address blackhole command to
configured check whether a delete it.
blackhole MAC address
entry is configured.
Whether MAC Run the display this | Run the undo mac-address
address learning include learning learning disable command in the
is disabled on command in the interface view or VLAN view to
the interface or interface view and VLAN enable MAC address learning.
in the VLAN view to check whether
the mac-address
learning disable
configuration exists. If
so, MAC address
learning is disabled on
the interface or in the
VLAN.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 95
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
Check Item Check Method Follow-up Operation
Whether MAC Run the display this | ● Run the mac-limit command
address limiting include mac-limit in the interface view or VLAN
is configured on command in the view to increase the maximum
the interface interface view and VLAN number of learned MAC
and in the VLAN view to check whether address entries.
there is the MAC address ● Run the undo mac-limit
limiting configuration. If command in the interface view
so, the maximum or VLAN view to cancel MAC
number of learned MAC address limiting.
address entries is set.
Whether port Run the display this | ● Run the undo port-security
security is include port-security enable command in the
configured on command in the interface view to disable port
the interface interface view to check security.
whether there is the port ● Run the port-security max-
security configuration. If mac-num command in the
so, port security is interface view to increase the
configured on the maximum number of secure
interface. dynamic MAC address entries
on the interface.
If the fault persists, go to step 2.
Step 2 Check whether a loop causes MAC address entry flapping.
1. Generally, MAC address flapping is caused by loops. Run the mac-address
flapping detection command in the system view to configure MAC address
flapping detection.
2. The system checks all MAC addresses in the VLAN to detect MAC address
flapping. Run the display mac-address flapping record command to check
MAC address flapping records to determine whether a loop occurs.
3. If MAC address flapping occurs, use the following methods to remove MAC
address flapping:
– Eliminate the loop.
– Run the mac-learning priority command in the interface view to
configure the MAC address learning priority for the interface so that a
MAC address is learned by the correct interface.
If no loop occurs, go to step 3.
Step 3 Check whether the number of learned MAC address entries has reached the
maximum value. If so, the device cannot learn new MAC address entries.
● If the number of MAC address entries on the interface is less than or equal to
the number of hosts connected to the interface, the device is connected to
more hosts than it supports. Adjust the network deployment.
● If the interface has learned more MAC address entries than the hosts
connected to the interface, the interface may be undergoing a MAC address
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 96
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
attack from the attached network. Locate the attack source in accordance
with the following table.
Scenario Solution
The interface connects to another Run the display mac-address
network device. command on the connected device
to view MAC address entries. Locate
the interface connected to the
malicious user host based on the
displayed MAC address entries. If the
interface that you find is connected
to another device, repeat this step
until you find the malicious host.
The interface connects to a host. – Disconnect the host after
obtaining permission from the
administrator. When the attack
stops, connect the host to the
network again.
– Run the port-security enable
command on the interface to
enable port security or the mac-
limit command to set the
maximum number of MAC
address entries to 1.
The interface connects to a hub. – Configure port mirroring and use
a tool to analyze packets received
by the interface. Analyze the
packet types to locate the
attacking host. Disconnect the
host after obtaining permission
from the administrator. When the
attack stops, connect the host to
the hub again.
– Disconnect hosts connected to
the hub one by one after
obtaining permission from the
administrator. If the fault is
rectified after a host is
disconnected, the host is the
attacker. After the host stops the
attack, connect it to the hub
again.
If the number of MAC addresses that have learned by the device does not reach
the maximum number of addresses allowed on the device but MAC addresses still
cannot be learned, go to step 4.
Step 4 Check whether a MAC address hash conflict alarm is generated on the device.
L2IFPPI/4/MACHASHCONFLICTALARM: OID [oid] A hash conflict occurs in MAC addresses.
(IfIndex=[INTEGER], MacAddr=[OPAQUE], VLAN=[GAUGE], VsiName=[OCTET1], InterfaceName=[OCTET2]).
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 97
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
For details about how to handle this alarm, see
L2IFPPI_1.3.6.1.4.1.2011.5.25.315.3.6 hwMacTrapHashConflictAlarm.
----End
3.17 FAQ About MAC Address Tables
3.17.1 How Do I Enable and Disable MAC Address Flapping
Detection?
Version Enable MAC Address Disable MAC Address
Flapping Detection Flapping Detection
Versions earlier Run the loop-detect eth- Run the undo loop-detect
than V200R001 loop alarm-only in the eth-loop alarm-only in the
support only MAC VLAN view. VLAN view.
address flapping
detection in a
VLAN.
V200R001 and Run the mac-address Run the undo mac-address
later versions flapping detection in the flapping detection in the
support global system view. system view.
MAC address
flapping detection
in all VLANs. By
default, global
MAC address
flapping detection
is enabled.
3.17.2 How Do I Check MAC Address Flapping Information?
Version Command
Versions earlier display trapbuffer
than V200R001
V200R001 and display trapbuffer or display mac-address flapping
later versions record
3.17.3 What Should I Do When Finding a MAC Address
Flapping Alarm?
If the alarm is reported only once, ignore it.
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 98
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
If the alarm is reported multiple times, find the first and second interfaces where
the MAC address is learned. Shut down the second interface to locate the loop.
Then adjust the networking to remove the loop.
3.17.4 How Do I Rapidly Determine a Loop?
Check whether MAC address flapping occurs to rapidly determine a loop on a
network. Generally, a loop occurs if a MAC address flapping alarm is generated
consecutively.
Enable MAC address flapping detection according to the following table.
Version Enable MAC Address Disable MAC Address
Flapping Detection Flapping Detection
Versions earlier Run the loop-detect eth- Run the undo loop-detect
than V200R001 loop alarm-only in the eth-loop alarm-only in the
support only MAC VLAN view. VLAN view.
address flapping
detection in a
VLAN.
V200R001 and Run the mac-address Run the undo mac-address
later versions flapping detection in the flapping detection in the
support global system view. system view.
MAC address
flapping detection
in all VLANs. By
default, global
MAC address
flapping detection
is enabled.
Check whether MAC address flapping occurs according to the following table.
Version Command
Versions earlier display trapbuffer
than V200R001
V200R001 and display trapbuffer or display mac-address flapping
later versions record
3.17.5 How Do I Configure VLAN-based Blackhole MAC
Address Entries?
To configure VLAN-based blackhole MAC address entries, perform the following
operations:
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 99
S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Ethernet Switching 3 MAC Address Table Configuration
# Add a blackhole MAC address entry to the MAC address table. For example, in
the blackhole MAC address entry, the MAC address is 0004-0004-0004 and the
VLAN ID is VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] mac-address blackhole 0004-0004-0004 vlan 10
For the S1720GFR, S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E,
S1720X-E, S2750EI, S2720EI, S5720LI, S5720S-LI, S6720LI, S6720S-LI, S5700LI,
S5700S-LI, S5710-X-LI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720SI, or
S6720S-SI switch, if both traffic policy-based redirection action and VLAN-based
blackhole MAC address are configured, the switch will not discard the packet if its
source or destination MAC address is a blackhole MAC address and the packet
matches the redirection policy. In this scenario, you are advised to configure a
global blackhole MAC address or configure an ACL-based simplified traffic policy
to discard a specific packet.
# Add the global blackhole MAC address 0004-0004-0004 to the MAC address
table.
<HUAWEI> system-view
[HUAWEI] mac-address blackhole 0004-0004-0004
# Configure an ACL-based simplified traffic policy to discard the packet with MAC
address 0004-0004-0004 and VLAN 10.
<HUAWEI> system-view
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] acl number 4000
[HUAWEI-acl-L2-4000] rule 5 deny source-mac 0004-0004-0004 vlan-id 10
[HUAWEI-acl-L2-4000] rule 10 deny destination-mac 0004-0004-0004 vlan-id 10
[HUAWEI-acl-L2-4000] quit
[HUAWEI] traffic-filter inbound acl 4000
Issue 13 (2021-10-20) Copyright © Huawei Technologies Co., Ltd. 100
You might also like
- HCIE-Routing & Switching V3.0 Training Material PDFNo ratings yetHCIE-Routing & Switching V3.0 Training Material PDF1,133 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table8 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table7 pages
- 7.3.7 Lab - View The Switch MAC Address Table - ILMNo ratings yet7.3.7 Lab - View The Switch MAC Address Table - ILM11 pages
- 7.3.7 Lab - View The Switch MAC Address Table - ILMNo ratings yet7.3.7 Lab - View The Switch MAC Address Table - ILM11 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table8 pages
- 01-06 Typical Ethernet Switching ConfigurationNo ratings yet01-06 Typical Ethernet Switching Configuration222 pages
- 06-MAC Address Table Management CommandsNo ratings yet06-MAC Address Table Management Commands16 pages
- IA1801 - 7.3.7 Lab View The Switch MAC Address TableNo ratings yetIA1801 - 7.3.7 Lab View The Switch MAC Address Table5 pages
- 01-05 Ethernet Switching Configuration CommandsNo ratings yet01-05 Ethernet Switching Configuration Commands736 pages
- 7.3.7-Lab - View-The-Switch-Mac-Address-TableNo ratings yet7.3.7-Lab - View-The-Switch-Mac-Address-Table5 pages
- Configuring MAC Address Tables: Information About MAC AddressesNo ratings yetConfiguring MAC Address Tables: Information About MAC Addresses6 pages
- 7.3.7 Lab View The Switch Mac Address Table 1No ratings yet7.3.7 Lab View The Switch Mac Address Table 15 pages
- Exercise 06 - View The Switch MAC Address TableNo ratings yetExercise 06 - View The Switch MAC Address Table4 pages
- CCNA 200-301 Chapter 5 - Analyzing Ethernet LAN SwitchingNo ratings yetCCNA 200-301 Chapter 5 - Analyzing Ethernet LAN Switching24 pages
- 10-MAC Address Table Configuration CommandsNo ratings yet10-MAC Address Table Configuration Commands6 pages
- 7.3.7 Lab - View The Switch Mac Address Table0% (1)7.3.7 Lab - View The Switch Mac Address Table4 pages
- 0105 Ethernet Switching Configuration Commands PDFNo ratings yet0105 Ethernet Switching Configuration Commands PDF694 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table8 pages
- 7.3.7 Lab - View The Switch MAC Address Table (Seng Pisey)No ratings yet7.3.7 Lab - View The Switch MAC Address Table (Seng Pisey)11 pages
- 7.3.7 Lab - View The Switch Mac Address TableNo ratings yet7.3.7 Lab - View The Switch Mac Address Table5 pages
- 7.3.7 Lab - View The Switch MAC Address Table-Đã NénNo ratings yet7.3.7 Lab - View The Switch MAC Address Table-Đã Nén12 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table9 pages
- 7.3.7 Lab - View The Switch Mac Address TableNo ratings yet7.3.7 Lab - View The Switch Mac Address Table4 pages
- 10-MAC Address Table Attribute ConfigurationNo ratings yet10-MAC Address Table Attribute Configuration5 pages
- 5.2.1.7 Lab - Viewing The Switch MAC Address Table80% (5)5.2.1.7 Lab - Viewing The Switch MAC Address Table4 pages
- 7.3.7 - Lab - View - The - Switch - MAC - Address - Table - STU COMPLETEDNo ratings yet7.3.7 - Lab - View - The - Switch - MAC - Address - Table - STU COMPLETED5 pages
- 7.3.7 Lab - View The Switch MAC Address TableNo ratings yet7.3.7 Lab - View The Switch MAC Address Table5 pages
- Show Mac Address-Table: Syntax DescriptionNo ratings yetShow Mac Address-Table: Syntax Description3 pages
- Lab - View The Switch MAC Address Table: TopologyNo ratings yetLab - View The Switch MAC Address Table: Topology4 pages
- 1 - Created by Ahmad Ali E-Mail:, Mobile: 056 430 3717No ratings yet1 - Created by Ahmad Ali E-Mail:, Mobile: 056 430 37172 pages
- 5.1.2.8 Lab - Viewing Network Device MAC AddressesNo ratings yet5.1.2.8 Lab - Viewing Network Device MAC Addresses5 pages
- 01-05 Typical Ethernet Switching ConfigurationNo ratings yet01-05 Typical Ethernet Switching Configuration103 pages
- Guide 7.3.7 Lab - View The Switch Mac AddressNo ratings yetGuide 7.3.7 Lab - View The Switch Mac Address20 pages
- 7.2.7 Lab - View Network Device MAC AddressesNo ratings yet7.2.7 Lab - View Network Device MAC Addresses10 pages
- 7.3.7 Lab 4 - View The Switch MAC Address TableNo ratings yet7.3.7 Lab 4 - View The Switch MAC Address Table8 pages
- Lab - View Network Device MAC Addresses: TopologyNo ratings yetLab - View Network Device MAC Addresses: Topology6 pages
- 5.2.1.7 Lab - Viewing The Switch MAC Address Table33% (3)5.2.1.7 Lab - Viewing The Switch MAC Address Table4 pages
- CCNA 200-301 Chapter 5 - Analyzing Ethernet LAN SwitchingNo ratings yetCCNA 200-301 Chapter 5 - Analyzing Ethernet LAN Switching20 pages
- 7.2.7 Lab - View Network Device Mac AddressesNo ratings yet7.2.7 Lab - View Network Device Mac Addresses8 pages
- Computer Networking: An introductory guide for complete beginners: Computer Networking, #1From EverandComputer Networking: An introductory guide for complete beginners: Computer Networking, #14.5/5 (2)
- Cisco CCNA Security Chapter 1 Exam AnswersNo ratings yetCisco CCNA Security Chapter 1 Exam Answers5 pages
- Revolutionary, Cost/Performance Breakthrough Carrier Class Mimo Basestation AntennasNo ratings yetRevolutionary, Cost/Performance Breakthrough Carrier Class Mimo Basestation Antennas3 pages
- HP A5500 EI & A5500 SI Switch Series Layer 3 - IP Routing Command Reference100% (1)HP A5500 EI & A5500 SI Switch Series Layer 3 - IP Routing Command Reference511 pages
- Ch9-Internet service-ICT-Grade 6-CAIE (2020-21)No ratings yetCh9-Internet service-ICT-Grade 6-CAIE (2020-21)5 pages
- RFC 3031 - Multiprotocol Label Switching ArchitectureNo ratings yetRFC 3031 - Multiprotocol Label Switching Architecture61 pages
- Bahir Dar University: Institute of Technology Faculty of Computing MSC Program in Computer ScienceNo ratings yetBahir Dar University: Institute of Technology Faculty of Computing MSC Program in Computer Science11 pages
- Alcatel-Lucent Test4prep 4A0-104 v2019-03-12 by Elwell 178qNo ratings yetAlcatel-Lucent Test4prep 4A0-104 v2019-03-12 by Elwell 178q88 pages
- NQA - Configuration Guide - System Monitor (V800R002C01 - 01)No ratings yetNQA - Configuration Guide - System Monitor (V800R002C01 - 01)83 pages
- Lesson Plan: Department of Electronics and Communication EngineeringNo ratings yetLesson Plan: Department of Electronics and Communication Engineering6 pages
- Computer Networks - Network Ninjas - The Subnetting Quest - Kahoot!No ratings yetComputer Networks - Network Ninjas - The Subnetting Quest - Kahoot!8 pages
- Angelica F. Naldoza Empowerment G12ABM-Anthurium Mr. Edgar Allan C. de GuiaNo ratings yetAngelica F. Naldoza Empowerment G12ABM-Anthurium Mr. Edgar Allan C. de Guia3 pages
- 4.3.8 Packet Tracer - Configure Layer 3 Switching and Inter-VLAN RoutingNo ratings yet4.3.8 Packet Tracer - Configure Layer 3 Switching and Inter-VLAN Routing6 pages
- 3.4.6 Lab - Configure VLANs and Trunking - ILM TasksNo ratings yet3.4.6 Lab - Configure VLANs and Trunking - ILM Tasks15 pages
- Packet Tracer 6.1 Tutorial - IP Telephony Basic ConfigurationNo ratings yetPacket Tracer 6.1 Tutorial - IP Telephony Basic Configuration17 pages
