CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.

Configuring the MAC Address Table

This section describes the MAC address table configuration.

Configuring the MAC Address Table

This section describes procedures to configure static, blackhole, and dynamic MAC address entries, prevent an interface from learning MAC addresses, limit the number of learned MAC addresses and configure hash algorithms.

Configuring a Static MAC Address Entry

Context

To ensure communication security, you can configure the MAC addresses of trusted upstream devices or users as static MAC address entries. When there are few trusted users, configure static MAC address entries to ensure security. When there are many trusted users, configure dynamic binding according to Example for Configuring Port Security.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address static mac-address interface-type interface-number vlan vlan-id

    A static MAC address entry is configured.

    NOTE:

    A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packets with configured static MAC addresses that have been learned by other interfaces.

  3. Run:

    commit

    The configuration is committed.

Configuring a Blackhole MAC Address Entry

Context

To save MAC address table space and protect user devices or network devices from MAC address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses. Packets whose source or destination MAC address matches a blackhole MAC address entry are discarded.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address blackhole mac-address vlan vlan-id

    A blackhole MAC address entry is configured.

  3. Run:

    commit

    The configuration is committed.

Setting the Aging Time of Dynamic MAC Address Entries

Context

The network topology changes frequently, and the switch modules will learn many MAC addresses. After the aging time of dynamic MAC address entries is set, the device can delete unneeded MAC address entries to prevent sharp increase of MAC address entries. A shorter aging time is applicable to networks where network topology changes frequently, and a longer aging time is applicable to stable networks.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address aging-time aging-time

    The aging time of a dynamic MAC address entry is set.

    The value of aging-time is 0 or an integer that ranges from 60 to 1000000, in seconds. The default value is 300. The value 0 indicates that dynamic MAC address entries will not be aged out.

  3. Run:

    commit

    The configuration is committed.

Disabling MAC Address Learning

Context

When a switch module with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the frame in a MAC address entry. When it receives other Ethernet frames destined for this MAC address, the switch module forwards them through the outbound interface recorded in the MAC address entry. The MAC address learning function reduces broadcast packets on a network. After MAC address learning is disabled on an interface, the switch module does not learn the source MAC addresses of packets received on that interface.

Configuration Process
  • Disabling MAC address learning in the interface view
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      mac-address learning disable [ action { discard | forward } ]

      MAC address learning is disabled on the interface.

      By default, MAC address learning is enabled on an interface.

      By default, the switch modules performs the forward action after MAC address learning is disabled. That is, the switch modules forwards packets according to the MAC address table. When the action is configured to discard, the switch modules matches the source MAC addresses of packets against the MAC address entries. If the inbound interface and source MAC address of a packet match a MAC address entry, the switch modules forwards the packet. Otherwise, the switch modules discards the packet.

    4. Run:

      commit

      The configuration is committed.

  • Disabling MAC address learning in the VLAN view
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-address learning disable

      MAC address learning is disabled in the VLAN.

      By default, MAC address learning is enabled in a VLAN.

    4. Run:

      commit

      The configuration is committed.

  • Disabling MAC address learning in the traffic behavior view
    1. Configure a traffic classifier.
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        traffic classifier classifier-name [ type { and | or } ]

        A traffic classifier is created and the traffic classifier view is displayed, or the existing traffic classifier view is displayed.

        and indicates that rules are ANDed with each other.
        • If a traffic classifier contains ACL rules, packets match the traffic classifier only when the packets match one ACL rule and all the non-ACL rules.

        • If a traffic classifier does not contain ACL rules, packets match the traffic classifier only when the packets match all the non-ACL rules.

        or indicates that rules are ORed with each other. Packets match a traffic classifier as long as packets match one rule of the traffic classifier.

        By default, the relationship between rules in a traffic classifier is OR.

      3. Run the following commands as required. Each entry lists the matching rule, the command, and any remarks.

        • Inner VLAN IDs in QinQ packets
          Command: if-match inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ]

        • 802.1p priority in VLAN packets
          Command: if-match 8021p 8021p-value &<1-8>
          Remarks: Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of 802.1p priorities, the packet that matches one 802.1p priority matches the traffic classifier.

        • Inner 802.1p priority in QinQ packets
          Command: if-match inner-8021p 8021p-value &<1-8>

        • Outer VLAN ID, or inner and outer VLAN IDs, of QinQ packets
          Command: if-match vlan start-vlan-id [ to end-vlan-id ] [ inner-vlan inner-vlan-id ] or if-match vlan vlan-id [ inner-vlan start-inner-vlan-id [ to end-inner-vlan-id ] ]

        • Drop packet
          Command: if-match discard

        • Double tags in QinQ packets
          Command: if-match double-tag

        • Destination MAC address
          Command: if-match destination-mac mac-address [ mac-address-mask ]

        • Source MAC address
          Command: if-match source-mac mac-address [ mac-address-mask ]

        • Protocol type field encapsulated in the Ethernet frame header
          Command: if-match l2-protocol { arp | ip | rarp | protocol-value }

        • All packets
          Command: if-match any

        • DSCP priority in IP packets
          Command: if-match [ ipv6 ] dscp dscp-value &<1-8>
          Remarks: Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of DSCP priorities, the packet that matches one DSCP priority matches the traffic classifier. If the relationship between rules in a traffic classifier is AND, the if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be used in the traffic classifier simultaneously.

        • IP precedence in IP packets
          Command: if-match ip-precedence ip-precedence-value &<1-8>
          Remarks: The if-match [ ipv6 ] dscp and if-match ip-precedence commands cannot be configured in a traffic classifier in which the relationship between rules is AND. Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if you enter multiple values of IP priorities, the packet that matches one IP priority matches the traffic classifier.

        • SYN flag in the TCP packet header
          Command: if-match tcp-flag { tcp-flag-value | { ack | fin | psh | rst | syn | urg }* }

        • Outbound interface
          Command: if-match outbound-interface interface-type interface-number
          Remarks: The traffic policy containing this matching rule cannot be applied to the outbound direction.

        • ACL rule
          Command: if-match acl { acl-number | acl-name }
          Remarks: Regardless of whether the relationship between rules in a traffic classifier is AND or OR, if an ACL defines many rules, the packet that matches a single ACL rule matches the ACL.
          NOTE: When an ACL is used to define a traffic classification rule, it is recommended that the ACL be configured first.

        • ACL6 rule
          Command: if-match ipv6 acl { acl-number | acl-name }
          NOTE: When an ACL6 is used to define a traffic classification rule, it is recommended that the ACL6 be configured first.

      4. Run:

        commit

        The configuration is committed.

      5. Run:

        quit

        Exit from the traffic classifier view.

    2. Configure a traffic behavior.
      1. Run:

        traffic behavior behavior-name

        A traffic behavior is created and the traffic behavior view is displayed.

      2. Run:

        mac-address learning disable (traffic behavior view)

        MAC address learning is disabled in a traffic behavior.

      3. (Optional) Run:

        statistics enable (traffic behavior view)

        The traffic statistics function is enabled.

      4. Run:

        commit

        The configuration is committed.

      5. Run:

        quit

        Exit from the traffic behavior view.

      6. Run:

        quit

        Exit from the system view.

    3. Configure a traffic policy.
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        traffic policy policy-name

        A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

      3. Run:

        classifier classifier-name behavior behavior-name [ precedence precedence-value ]

        A traffic behavior is bound to a traffic classifier in a traffic policy.

      4. Run:

        commit

        The configuration is committed.

      5. Run:

        quit

        Exit from the traffic policy view.

    4. Apply the traffic policy.
      • Applying a traffic policy to an interface
        1. Run:

          system-view

          The system view is displayed.

        2. Run:

          interface interface-type interface-number

          The interface view is displayed.

        3. Run:

          traffic-policy policy-name inbound

          A traffic policy is applied to the interface in the inbound direction.

        4. Run:

          commit

          The configuration is committed.

      • Applying a traffic policy to a VLAN
        1. Run:

          system-view

          The system view is displayed.

        2. Run:

          vlan vlan-id

          The VLAN view is displayed.

        3. Run:

          traffic-policy policy-name inbound

          A traffic policy is applied to the VLAN in the inbound direction.

          After a traffic policy is applied, the system performs traffic policing for the packets that belong to a VLAN and match traffic classification rules in the inbound direction.

        4. Run:

          commit

          The configuration is committed.

      • Applying a traffic policy to the system
        1. Run:

          system-view

          The system view is displayed.

        2. Run:

          traffic-policy policy-name global [ slot slot-id ] inbound

          A traffic policy is applied to the system in the inbound direction.

        3. Run:

          commit

          The configuration is committed.

      NOTE:

      A traffic policy containing mac-address learning disable (traffic behavior view) can be only applied to the inbound direction.

Checking the Configuration
  • Run the display traffic classifier [ classifier-name ] command to check the traffic classifier configuration on the device.
  • Run the display traffic behavior [ behavior-name ] command to check the traffic behavior configuration on the device.
  • Run the display traffic policy [ policy-name [ classifier classifier-name ] ] command to check the traffic policy configuration on the device.

  • Run the display traffic-policy applied-record [ policy-name ] [ global [ slot slot-id ] | interface interface-type interface-number | vlan vlan-id ] [ inbound | outbound ] command to check the record of the specified traffic policy.

Limiting the Number of Learned MAC Addresses

Context

A network with weak security is exposed to MAC address attacks. The capacity of a MAC address table is limited. Therefore, when an attacker forges a large number of packets with different source MAC addresses and sends them to the switch modules, the MAC address table of the switch modules may reach its full capacity. When the MAC address table is full, the switch modules cannot learn the source MAC addresses of valid packets.

You can limit the number of MAC addresses learned on the switch modules. When the number of learned MAC address entries reaches the limit, the switch modules does not learn new MAC addresses. Packets whose source MAC addresses are not in the MAC address table are forwarded, but their MAC addresses are not recorded in the MAC address table. You can also enable the device to send traps to the NMS. This prevents MAC address attacks and improves network security.

Procedure

  • Limiting the number of MAC addresses learned by an interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      mac-address limit maximum max-num

      The maximum number of MAC addresses learned on the interface is set.

      By default, the number of MAC addresses learned on an interface is not limited.

    4. Run:

      mac-address limit action { discard | forward }

      The action to be taken on packets with unknown source MAC addresses when the number of learned MAC addresses reaches the limit is configured.

      By default, packets with unknown source MAC addresses are discarded after the number of learned MAC addresses reaches the limit.

    5. Run:

      mac-address limit alarm { disable | enable }

      The switch modules is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit.

      By default, the switch modules sends a trap to the NMS when the number of learned MAC addresses reaches the limit.

    6. Run:

      commit

      The configuration is committed.

  • Limiting the number of MAC addresses learned in a VLAN
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vlan vlan-id

      The VLAN view is displayed.

    3. Run:

      mac-address limit maximum max-num

      The maximum number of MAC addresses learned in the VLAN is set.

      By default, the number of MAC addresses learned in a VLAN is not limited.

    4. Run:

      mac-address limit alarm { disable | enable }

      The switch modules is configured to (or not to) send a trap to the NMS when the number of learned MAC addresses reaches the limit.

      By default, the switch modules sends a trap to the NMS when the number of learned MAC addresses reaches the limit.

    5. Run:

      commit

      The configuration is committed.
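The rules configured in the preceding sections (static entries taking precedence over dynamic ones, blackhole entries matched on source or destination, dynamic aging, learning disabled with the discard action, and the learning limit with its action) all act on each received frame. The Python model below is an added example, not the switch module's code; interface names such as 10GE1/0/2, VLAN 10 and the MAC addresses are made-up sample values.

```python
"""Model of the MAC address learning rules this chapter configures.
Constructed example, not the switch module's own code; all names are made up."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    interface: str     # empty for blackhole entries
    kind: str          # "static", "blackhole" or "dynamic"
    learned_at: float  # only meaningful for dynamic entries


@dataclass
class MacTable:
    aging_time: int = 300                                   # seconds; 0 = never age out
    learning_disabled: dict = field(default_factory=dict)  # iface -> "forward" | "discard"
    limit: dict = field(default_factory=dict)              # iface -> (max-num, action)
    entries: dict = field(default_factory=dict)            # (mac, vlan) -> Entry
    traps: list = field(default_factory=list)

    def add_static(self, mac, iface, vlan):
        """mac-address static: pins the address to one interface."""
        self.entries[(mac, vlan)] = Entry(iface, "static", 0.0)

    def add_blackhole(self, mac, vlan):
        """mac-address blackhole: matched as source or destination."""
        self.entries[(mac, vlan)] = Entry("", "blackhole", 0.0)

    def disable_learning(self, iface, action="forward"):
        """mac-address learning disable [ action { discard | forward } ]"""
        self.learning_disabled[iface] = action

    def set_limit(self, iface, max_num, action="discard"):
        """mac-address limit maximum / mac-address limit action"""
        self.limit[iface] = (max_num, action)

    def age(self, now):
        """Remove dynamic entries older than aging-time (0 disables aging)."""
        if self.aging_time == 0:
            return
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.learned_at >= self.aging_time]
        for k in expired:
            del self.entries[k]

    def dynamic_count(self, iface):
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.interface == iface)

    def receive(self, src, dst, vlan, iface, now):
        """Apply the learning rules to one frame; return 'forward' or 'discard'."""
        for mac in (src, dst):
            e = self.entries.get((mac, vlan))
            if e is not None and e.kind == "blackhole":
                return "discard"                 # blackhole hit on src or dst
        e = self.entries.get((src, vlan))
        if e is not None and e.kind == "static" and e.interface != iface:
            return "discard"                     # static entry pinned elsewhere
        if iface in self.learning_disabled:
            if self.learning_disabled[iface] == "discard":
                # only frames whose (interface, source MAC) match an entry pass
                return "forward" if e is not None and e.interface == iface else "discard"
            return "forward"                     # action forward: pass, never learn
        if e is None and iface in self.limit:
            max_num, action = self.limit[iface]
            if self.dynamic_count(iface) >= max_num:
                self.traps.append(f"MAC limit reached on {iface}")
                return action                    # unknown source is not learned
        if e is None or e.kind == "dynamic":
            self.entries[(src, vlan)] = Entry(iface, "dynamic", now)
        return "forward"


def demo():
    """Walk a few constructed frames through the rules; returns the outcomes."""
    gw, bad = "00:00:5e:00:53:01", "00:00:5e:00:53:ff"
    t = MacTable(aging_time=60)
    t.add_static(gw, "10GE1/0/1", 10)        # trusted gateway on the uplink
    t.add_blackhole(bad, 10)                 # known untrusted address
    t.set_limit("10GE1/0/2", 2)              # access port: two hosts, default discard
    t.disable_learning("10GE1/0/3", "discard")
    r = {}
    r["gw_spoof"] = t.receive(gw, "ff:ff:ff:ff:ff:ff", 10, "10GE1/0/2", 0)
    r["blackhole"] = t.receive(bad, gw, 10, "10GE1/0/2", 0)
    t.receive("00:00:5e:00:53:10", gw, 10, "10GE1/0/2", 1)
    t.receive("00:00:5e:00:53:11", gw, 10, "10GE1/0/2", 2)
    r["over_limit"] = t.receive("00:00:5e:00:53:12", gw, 10, "10GE1/0/2", 3)
    r["traps"] = len(t.traps)
    r["nolearn_unknown"] = t.receive("00:00:5e:00:53:20", gw, 10, "10GE1/0/3", 4)
    t.age(100)                               # both dynamic entries are past 60 s
    r["dynamic_after_aging"] = t.dynamic_count("10GE1/0/2")
    return r
```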

Configuring a Hash Algorithm
Applicable Environment

The device uses a hash algorithm to improve MAC address forwarding performance. If multiple MAC addresses match a key value, a hash conflict occurs. When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast. This results in heavy broadcast traffic on the device. If such a problem occurs, use an appropriate hash algorithm to reduce the hash conflict.

NOTE:
  • Only the CX110 switch module GE switching plane, CX710 switch module 40GE converged switching plane and CX31x&CX91x series switch module 10GE switching planes support the configuration of a Hash Algorithm.
  • MAC addresses are distributed on a network randomly, so the system cannot determine the best hash algorithm. Generally, the default hash algorithm is the best one, so do not change the hash algorithm unless you have special requirements.

  • An appropriate hash algorithm can only reduce hash conflicts, but cannot prevent them.

  • After the hash algorithm is changed, restart the device for the configuration to take effect.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address hash-mode { crc16-lower | crc16-upper | crc32-lower | crc32-upper | lsb } slot slot-id

    The hash algorithm in a device is set.

    By default, the Switch Module uses crc32-lower.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display mac-address command to view all MAC address entries.
  • Run the display mac-address static command to view static MAC address entries.
  • Run the display mac-address dynamic command to view dynamic MAC address entries.
  • Run the display mac-address blackhole command to view blackhole MAC address entries.
  • Run the display mac-address aging-time command to view the aging time of dynamic MAC address entries.
  • Run the display mac-address summary command to view statistics on all the MAC address entries.
  • Run the display mac-address total-number command to view the number of MAC address entries.
  • Run the display mac-address limit command to view the limit of the number of learned MAC addresses.
  • Run the display mac-address hash-mode command to view the running and configured hash algorithms.

Configuring Port Security

The port security function changes MAC addresses learned on an interface into secure MAC addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances security of the device.

Pre-configuration Tasks

Before configuring port security on an interface, complete the following tasks:

  • Disabling MAC address limiting on the interface
  • Disabling MUX VLAN on the interface
  • Disabling MAC address security for DHCP snooping on the interface
Configuring the Secure MAC Function on an Interface

Context

If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the switch modules. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the network.

By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts and the device needs to learn the MAC addresses again.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. (Optional) Run:

    port-security maximum max-number

    The limit on the number of secure dynamic MAC addresses is set.

    By default, the limit on the number of secure dynamic MAC addresses is 1.

  5. (Optional) Run:

    port-security protect-action { protect | restrict | error-down } 

    The protection action is configured.

    The default action is restrict.

    The protection actions are as follows:

    • protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
    • restrict: discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit.
    • error-down: sets the interface status to error down and sends a trap message when the number of learned MAC addresses exceeds the limit.

      By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the shutdown and undo shutdown commands on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.

      To configure the interface to go Up automatically, before the error-down event occurs, run the error-down auto-recovery cause portsec-reachedlimit command in the system view to set a recovery delay. After the delay, the interface goes Up automatically.

  6. (Optional) Run:

    port-security aging-time time [ type { absolute | inactivity } ]

    The aging time of secure dynamic MAC addresses is set.

    By default, secure dynamic MAC addresses will not be aged out.

  7. Run:

    commit

    The configuration is committed.

Configuring the Sticky MAC Function on an Interface

Context

If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the switch modules. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the network.

The sticky MAC function changes MAC addresses learned by an interface to sticky MAC addresses. Sticky MAC addresses will not be aged out. After you save the configuration and restart the switch modules, sticky MAC addresses still exist.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run:

    port-security mac-address sticky

    The sticky MAC function is enabled on the interface.

    By default, the sticky MAC function is disabled on an interface.

  5. (Optional) Run:

    port-security maximum max-number

    The limit on the number of sticky MAC addresses is set on the interface.

    By default, the limit on the number of sticky MAC addresses is 1.

  6. (Optional) Run:

    port-security protect-action { protect | restrict | error-down }

    The protection action is configured.

    The default action is restrict.

    The protection actions are as follows:

    • protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
    • restrict: discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit.
    • error-down: sets the interface status to error down and sends a trap message when the number of learned MAC addresses exceeds the limit.

      By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the shutdown and undo shutdown commands on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.

      To configure the interface to go Up automatically, before the error-down event occurs, run the error-down auto-recovery cause portsec-reachedlimit command in the system view to set a recovery delay. After the delay, the interface goes Up automatically.

  7. (Optional) Run:

    port-security mac-address sticky mac-address vlan vlan-id

    A sticky MAC address entry is configured.

  8. Run:

    commit

    The configuration is committed.
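The secure MAC and sticky MAC procedures above differ mainly in aging and in what survives a restart, while the protect, restrict and error-down actions decide what happens once port-security maximum is reached. The following Python model is an added example, not Huawei code; the interface names, MAC addresses and timestamps are constructed values.

```python
"""Model of port security on one interface (secure dynamic and sticky MACs).
Constructed example, not the switch module's code; names are made up."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    enabled: bool = False          # port-security enable
    maximum: int = 1               # port-security maximum (default 1)
    action: str = "restrict"       # port-security protect-action (default restrict)
    sticky: bool = False           # port-security mac-address sticky
    aging_time: int = 0            # port-security aging-time; 0 = never aged
    aging_type: str = "absolute"   # absolute | inactivity
    static_macs: set = field(default_factory=set)  # mac-address static entries
    secure: dict = field(default_factory=dict)     # mac -> (learned_at, last_seen)
    state: str = "up"
    traps: list = field(default_factory=list)

    def add_sticky(self, mac):
        """port-security mac-address sticky mac-address vlan: manual sticky entry."""
        self.secure[mac] = (0.0, 0.0)

    def age(self, now):
        """Age secure dynamic entries; sticky entries are never aged out."""
        if self.aging_time == 0 or self.sticky:
            return
        idx = 0 if self.aging_type == "absolute" else 1
        for mac in [m for m, ts in self.secure.items() if now - ts[idx] >= self.aging_time]:
            del self.secure[mac]

    def receive(self, src, now):
        """Return 'forward' or 'discard' for a frame with source MAC src."""
        if self.state == "error-down":
            return "discard"
        if not self.enabled or src in self.static_macs:
            return "forward"                     # static MACs always pass
        if src in self.secure:
            learned, _ = self.secure[src]
            self.secure[src] = (learned, now)    # refresh the inactivity timer
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src] = (now, now)        # becomes a secure/sticky MAC
            return "forward"
        if self.action == "protect":             # silent discard
            return "discard"
        self.traps.append(f"{self.name}: limit exceeded by {src}")
        if self.action == "error-down":
            self.state = "error-down"
        return "discard"

    def save_and_restart(self):
        """Sticky entries survive a restart; secure dynamic entries are lost."""
        if not self.sticky:
            self.secure.clear()
        self.state = "up"


def demo():
    """Exercise both procedures on constructed frames; returns the outcomes."""
    p = SecurePort("10GE1/0/5", enabled=True, maximum=2,
                   aging_time=120, aging_type="inactivity")
    r = {}
    r["host1"] = p.receive("00:00:5e:00:53:a1", 0)
    r["host2"] = p.receive("00:00:5e:00:53:a2", 1)
    r["host3"] = p.receive("00:00:5e:00:53:a3", 2)       # limit 2: restrict -> trap
    r["traps"] = len(p.traps)
    p.receive("00:00:5e:00:53:a1", 100)                  # host1 still active
    p.age(150)                                           # host2 idle 149 s -> aged
    r["after_age"] = sorted(p.secure)
    r["host3_now"] = p.receive("00:00:5e:00:53:a3", 151) # slot freed
    p.save_and_restart()
    r["after_restart"] = len(p.secure)                   # secure dynamic MACs lost

    q = SecurePort("10GE1/0/6", enabled=True, sticky=True, action="error-down")
    q.receive("00:00:5e:00:53:b1", 0)
    r["sticky_second"] = q.receive("00:00:5e:00:53:b2", 1)   # maximum 1 -> error-down
    r["sticky_state"] = q.state
    q.save_and_restart()
    r["sticky_after_restart"] = sorted(q.secure)            # sticky MAC kept
    return r
```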

Checking the Configuration

Procedure

  • Run the display current-configuration interface interface-type interface-number command to view the current configuration of an interface.
  • Run the display mac-address security [ vlan vlan-id | interface interface-type interface-number ] * command to view secure dynamic MAC address entries.
  • Run the display mac-address sticky [ vlan vlan-id | interface interface-type interface-number ] * command to view sticky MAC address entries.

Configuring MAC Address Anti-flapping

You can configure MAC address anti-flapping to ensure that the device learns MAC addresses on the correct interfaces, preventing unauthorized users from accessing the device.

Configuring the MAC Address Learning Priority of an Interface

Context

To prevent MAC address flapping, configure different MAC address learning priorities for interfaces. When interfaces learn the same MAC address, the MAC address entry learned by the interface with the highest priority overrides the MAC address entries learned by the other interfaces.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    mac-address learning priority priority-id

    The MAC address learning priority of an interface is set.

    By default, the MAC address learning priority of an interface is 0. A greater priority value indicates a higher MAC address learning priority.

  4. Run:

    commit

    The configuration is committed.

Forbidding MAC Address Flapping Between Interfaces with the Same Priority

Context

You can configure the device to forbid MAC address flapping between interfaces with the same priority to improve network security.

Consider CX11x&CX31x&CX91x series switch modules configured to forbid MAC address flapping between interfaces with the same priority. If a device (such as a server) connected to the switch modules powers off and another interface on the switch modules then learns the same MAC address as that device, the MAC address cannot be learned on the correct interface after the device powers on again.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    undo mac-address learning priority priority-id allow-flapping

    MAC address flapping between interfaces with the same priority is forbidden.

    By default, MAC address flapping between interfaces with the same priority is allowed.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display current-configuration command to view the MAC address learning priorities of interfaces.

Configuring MAC Address Flapping Detection

MAC address flapping detection detects all MAC addresses on the device. If MAC address flapping occurs, the device sends an alarm to the NMS.

Context

By default, the system performs MAC address flapping detection in all VLANs. In a data center virtualization scenario (virtual terminal migration), MAC address flapping may occur. This is a normal situation where MAC address flapping detection is not required. You can configure the whitelist of VLANs in MAC address flapping detection to prevent MAC address flapping detection from being performed in a specified VLAN.

Increasing the aging time of flapping MAC addresses will cause MAC address flapping again and increase the error-down time. To ensure that the system performs MAC address flapping detection in a timely manner, adjust the aging time of flapping MAC addresses correctly.

If the user network where the device is deployed does not support loop prevention protocols, configure the device to shut down the interfaces where MAC address flapping occurs. This reduces the impact of MAC address flapping on the user network.

NOTE:
  • To prevent uplink traffic interruption, you are not advised to configure the action performed when MAC address flapping is detected on upstream interfaces.
  • MAC address flapping detection can only detect loops on interfaces, but cannot obtain the entire network topology. If the user network connected to the switch modules supports loop prevention protocols, use the loop prevention protocols instead of MAC address flapping detection.
  • The MAC address flapping detection function is not applicable to TRILL network scenarios.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    mac-address flapping detection

    Global MAC address flapping detection is configured.

    By default, global MAC address flapping detection is enabled.

  3. (Optional) Run:

    mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> 

    The whitelist of VLANs in MAC address flapping detection is configured.

    By default, the whitelist of VLANs in MAC address flapping detection is not configured.

  4. (Optional) Run:

    mac-address flapping aging-time aging-time

    The aging time of flapping MAC addresses is set.

    By default, the aging time of flapping MAC addresses is 5 minutes.

  5. (Optional) Configure the action performed on the interface when MAC address flapping is detected on the interface.
    1. Run:

      interface interface-type interface-number

      The interface view is displayed.

    2. Run:

      mac-address flapping trigger error-down

      The interface is shut down when MAC address flapping is detected on the interface.

      By default, the interface is not shut down when MAC address flapping is detected on the interface.

  6. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the display mac-address flapping command to check the MAC address flapping detection configuration.

Follow-up Procedure

By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the shutdown and undo shutdown commands on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.

To configure the interface to go Up automatically, run the error-down auto-recovery cause mac-address-flapping interval interval-value command in the system view to set a recovery delay. After the delay, the interface goes Up automatically.
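The three anti-flapping mechanisms described above (learning priority, forbidding flapping between equal-priority interfaces, and flapping detection with its VLAN whitelist and error-down trigger) can be traced on a sequence of learning events. The Python model below is an added example, not the switch module's code; interface names, VLAN numbers and MAC addresses are made up, and it treats every entry move between interfaces as a flapping event, whereas the text does not state the exact frequency the device uses.

```python
"""Model of MAC learning priority and flapping detection.
Constructed example, not the switch module's code; names are made up."""
from dataclasses import dataclass, field


@dataclass
class FlapDetector:
    priority: dict = field(default_factory=dict)   # iface -> mac-address learning priority
    allow_same_priority_flapping: bool = True       # default; undo ... allow-flapping clears it
    exclude_vlans: set = field(default_factory=set) # mac-address flapping detection exclude vlan
    trigger_error_down: set = field(default_factory=set)  # ifaces with trigger error-down
    table: dict = field(default_factory=dict)       # (mac, vlan) -> iface
    alarms: list = field(default_factory=list)      # traps sent to the NMS
    error_down: set = field(default_factory=set)

    def prio(self, iface):
        return self.priority.get(iface, 0)          # default priority is 0

    def learn(self, mac, vlan, iface):
        """Process one source-MAC learning event; returns what happened."""
        key = (mac, vlan)
        old = self.table.get(key)
        if old is None or old == iface:
            self.table[key] = iface
            return "learned"
        if self.prio(iface) < self.prio(old):
            return "ignored"                        # lower priority never overrides
        if self.prio(iface) > self.prio(old):
            self.table[key] = iface                 # higher priority overrides
            return "overridden"
        if not self.allow_same_priority_flapping:
            return "ignored"                        # equal priority, flapping forbidden
        self.table[key] = iface                     # entry moves: this is flapping
        if vlan in self.exclude_vlans:
            return "moved"                          # whitelisted VLAN, no detection
        self.alarms.append(f"MAC {mac} VLAN {vlan} flapped {old} -> {iface}")
        if iface in self.trigger_error_down:
            self.error_down.add(iface)
        return "flapping"


def demo():
    """Replay constructed learning events; returns the observed results."""
    d = FlapDetector(priority={"uplink": 2}, exclude_vlans={200},
                     trigger_error_down={"access2"})
    d.allow_same_priority_flapping = False   # undo mac-address learning priority 0 allow-flapping
    r = {}
    gw = "00:00:5e:00:53:01"
    r["gw_uplink"] = d.learn(gw, 100, "uplink")
    r["gw_spoof"] = d.learn(gw, 100, "access1")      # gateway MAC seen on an access port
    r["gw_iface"] = d.table[(gw, 100)]
    host = "00:00:5e:00:53:10"
    d.learn(host, 100, "access1")
    r["host_same_prio"] = d.learn(host, 100, "access2")
    d.allow_same_priority_flapping = True            # default behaviour restored
    r["host_flap"] = d.learn(host, 100, "access2")   # now detected, access2 goes error-down
    r["error_down"] = sorted(d.error_down)
    vm = "00:00:5e:00:53:20"
    d.learn(vm, 200, "access1")
    r["vm_move"] = d.learn(vm, 200, "access3")       # VM migration in whitelisted VLAN 200
    r["alarms"] = len(d.alarms)
    return r
```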

Configuring the Switch Module to Discard Packets with an All-0 MAC Address

A faulty network device may send a packet with an all-0 source or destination MAC address to the switch modules. You can configure the switch modules to discard such packets.

Context

You can configure the switch modules to discard packets with an all-0 source or destination MAC address.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    drop illegal-mac enable

    The switch modules is configured to discard packets with an all-0 MAC address.

    By default, the switch modules does not discard packets with an all-0 MAC address.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the display current-configuration command to check whether the switch modules is configured to discard packets with an all-0 MAC address.

Discarding Packets that Cannot Match MAC Address Entries

This function enables the device to discard packets that cannot match MAC address entries, which reduces the workload on the device and improves packet security.

Context

When a DHCP user goes offline, the MAC address entry of the user ages out. If there are packets destined for this user, the system cannot find the MAC address entry and therefore broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets, which affects packet security. This function enables the device to discard packets that cannot match MAC address entries, which reduces the workload on the device and improves packet security.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    mac-address miss action discard

    Packets that cannot match MAC address entries are discarded.

    By default, the device broadcasts packets that cannot match MAC address entries in the VLAN.

  4. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the display current-configuration command to check whether the device is configured to discard packets that cannot match MAC address entries.

Enabling Port Bridge

The port bridge function enables an interface to forward packets in which the source and destination MAC addresses are the same.

Context

By default, an interface does not forward packets whose source and destination MAC addresses are both learned by this interface. When the interface receives such a packet, it discards the packet as an invalid packet.

After the port bridge function is enabled on the interface, the interface forwards such a packet if the destination MAC address of the packet is in the MAC address table.

The port bridge function is used in the following scenarios:

The device is used as an access device in a data center and is connected to servers. Each server is configured with multiple virtual machines. The virtual machines need to transmit data to each other. If data between virtual machines is transmitted on the server, the data transmission rate and server performance may be affected. To improve the data transmission rate and server performance, enable the port bridge function on the interfaces connected to the servers so that the device forwards data packets between the virtual machines.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    port bridge enable

    The port bridge function is enabled.

    By default, the port bridge function is disabled on an interface.

  4. Run:

    commit

    The configuration is committed.

Checking the Configuration

Run the display current-configuration command to check whether the port bridge function is enabled.
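The last three sections each change how the device treats a frame at forwarding time: drop illegal-mac discards all-0 source or destination addresses, mac-address miss action discard replaces flooding of unknown unicast in a VLAN, and port bridge allows a frame whose destination was learned on the inbound interface to be sent back out. The Python model below is an added example, not the switch module's code; interface names, VLAN numbers and MAC addresses are constructed values.

```python
"""Model of the drop illegal-mac, miss action discard and port bridge rules.
Constructed example, not the switch module's code; names are made up."""
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"


@dataclass
class Forwarder:
    drop_illegal_mac: bool = False                          # drop illegal-mac enable
    miss_discard_vlans: set = field(default_factory=set)   # mac-address miss action discard
    port_bridge: set = field(default_factory=set)          # interfaces with port bridge enable
    vlan_ports: dict = field(default_factory=dict)         # vlan -> set of member interfaces
    table: dict = field(default_factory=dict)              # (mac, vlan) -> learned interface

    def forward(self, src, dst, vlan, in_iface):
        """Return the egress interfaces for one frame; [] means it is dropped."""
        if self.drop_illegal_mac and ZERO_MAC in (src, dst):
            return []                                       # all-0 address discarded
        out = self.table.get((dst, vlan))
        if out is None:
            if vlan in self.miss_discard_vlans:
                return []                                   # unknown unicast discarded
            # default: flood to every other member interface of the VLAN
            return sorted(self.vlan_ports.get(vlan, set()) - {in_iface})
        if out == in_iface:
            # destination learned on the inbound interface: invalid unless port bridge
            return [in_iface] if in_iface in self.port_bridge else []
        return [out]


def demo():
    """Forward constructed frames under each rule; returns the egress lists."""
    f = Forwarder(drop_illegal_mac=True, miss_discard_vlans={20}, port_bridge={"server1"})
    f.vlan_ports = {10: {"p1", "p2", "p3"}, 20: {"p1", "p2"}, 30: {"server1", "p3"}}
    vm_a, vm_b = "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"  # two VMs on one server port
    f.table = {("00:00:5e:00:53:02", 10): "p2",
               (vm_a, 30): "server1", (vm_b, 30): "server1"}
    r = {}
    r["zero_src"] = f.forward(ZERO_MAC, "00:00:5e:00:53:02", 10, "p1")
    r["known"] = f.forward("00:00:5e:00:53:01", "00:00:5e:00:53:02", 10, "p1")
    r["flood"] = f.forward("00:00:5e:00:53:01", "00:00:5e:00:53:99", 10, "p1")
    r["miss_discard"] = f.forward("00:00:5e:00:53:01", "00:00:5e:00:53:99", 20, "p1")
    r["vm_to_vm"] = f.forward(vm_a, vm_b, 30, "server1")            # port bridge on
    f.port_bridge.clear()
    r["vm_to_vm_nobridge"] = f.forward(vm_a, vm_b, 30, "server1")   # default behaviour
    return r
```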

Updated: 2019-08-09

Document ID: EDOC1000041694