CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of the various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

Configuration Examples

Example for Configuring the MAC Address Table

Networking Requirements

As shown in Figure 5-13, the MAC address of the user host PC1 is 0002-0002-0002 and that of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch Module through the LSW. The LSW is connected to 10GE1/17/1 of the Switch Module, which belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected to 10GE1/17/2 of the Switch Module. 10GE1/17/2 belongs to VLAN 2.

  • To prevent hackers from using forged user MAC addresses to attack the network, configure a static MAC address entry for each of the two user hosts on the Switch Module.

  • To prevent hackers from stealing user information by forging the MAC address of the server, configure a static MAC address entry on the Switch Module for the server.

This example applies to the scenario where there are few users. When there are many users, perform dynamic binding according to Example for Configuring Port Security.

Figure 5-13 Configuring the MAC address table

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.

  2. Configure static MAC address entries to prevent MAC address attacks.

  3. Configure the aging time of dynamic MAC address entries to update the entries.

Procedure

  1. Configure static MAC address entries.

    # Create VLAN 2 and add 10GE1/17/1 and 10GE1/17/2 to VLAN 2.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] vlan 2
    [*Switch Module-vlan2] quit
    [*Switch Module] interface 10ge 1/17/1
    [*Switch Module-10GE1/17/1] port link-type trunk
    [*Switch Module-10GE1/17/1] port trunk allow-pass vlan 2
    [*Switch Module-10GE1/17/1] quit
    [*Switch Module] interface 10ge 1/17/2
    [*Switch Module-10GE1/17/2] port link-type trunk
    [*Switch Module-10GE1/17/2] port trunk allow-pass vlan 2
    [*Switch Module-10GE1/17/2] quit
    [*Switch Module] commit

    # Configure a static MAC address entry.

    [~Switch Module] mac-address static 2-2-2 10GE 1/17/1 vlan 2
    [*Switch Module] mac-address static 3-3-3 10GE 1/17/1 vlan 2
    [*Switch Module] mac-address static 4-4-4 10GE 1/17/2 vlan 2
    [*Switch Module] commit
    

  2. Set the aging time of a dynamic MAC address entry.

    [~Switch Module] mac-address aging-time 500
    [*Switch Module] commit
    

  3. Verify the configuration.

    # Run the display mac-address static command in any view to check whether the static MAC address entries are successfully added to the MAC address table.

    [~Switch Module] display mac-address static vlan 2
    -------------------------------------------------------------------------------
    MAC Address    VLAN/VSI                          Learned-From        Type
    -------------------------------------------------------------------------------
    0002-0002-0002 2/-                               10GE1/17/1           static
    0003-0003-0003 2/-                               10GE1/17/1           static
    0004-0004-0004 2/-                               10GE1/17/2           static
    -------------------------------------------------------------------------------
    Total items: 3

    # Run the display mac-address aging-time command in any view to check whether the aging time of dynamic entries is set successfully.

    [~Switch Module] display mac-address aging-time
      Aging time: 500 second(s)
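The verification step above relies on reading the table by eye. As an added example that is not part of the Huawei guide, the following Python parses the display mac-address static output shown above and compares it with the bindings stated in the networking requirements, so that drift such as the server MAC appearing on the wrong interface is reported. The sample output and the EXPECTED table are constructed from this example's own values; the regex assumes the column layout shown above.

```python
import re

# Constructed sample input: the "display mac-address static vlan 2" output from
# the verification step above, embedded here so the check runs offline.
SAMPLE_OUTPUT = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI                          Learned-From        Type
-------------------------------------------------------------------------------
0002-0002-0002 2/-                               10GE1/17/1           static
0003-0003-0003 2/-                               10GE1/17/1           static
0004-0004-0004 2/-                               10GE1/17/2           static
-------------------------------------------------------------------------------
Total items: 3
"""

# Expected bindings taken from the networking requirements: (MAC, VLAN) -> port.
EXPECTED = {
    ("0002-0002-0002", 2): "10GE1/17/1",  # PC1 behind the LSW
    ("0003-0003-0003", 2): "10GE1/17/1",  # PC2 behind the LSW
    ("0004-0004-0004", 2): "10GE1/17/2",  # server
}

# One table row: MAC, VLAN/VSI, Learned-From, Type (header and separator rows do not match).
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\d+)/\S+\s+"
    r"(?P<port>\S+)\s+(?P<type>\S+)$", re.IGNORECASE)

def parse_static_entries(text):
    """Return {(mac, vlan): port} for every row whose Type column is 'static'."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group("type").lower() == "static":
            entries[(m.group("mac").lower(), int(m.group("vlan")))] = m.group("port")
    return entries

def check_bindings(actual, expected):
    """Compare parsed entries with the expected table; an empty list means no drift."""
    findings = []
    for (mac, vlan), port in expected.items():
        if (mac, vlan) not in actual:
            findings.append(f"missing: {mac} vlan {vlan} should be static on {port}")
        elif actual[(mac, vlan)] != port:
            findings.append(f"mismatch: {mac} vlan {vlan} is on {actual[(mac, vlan)]}, expected {port}")
    for (mac, vlan), port in actual.items():
        if (mac, vlan) not in expected:
            findings.append(f"unexpected: {mac} vlan {vlan} static on {port}")
    return findings
```

Feed the function the output of the same display command captured from the switch module to run the check against live configuration.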

Configuration Files

Configuration file of the Switch Module

#
sysname Switch Module
#
vlan batch 2
#
mac-address aging-time 500
#
interface 10GE1/17/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface 10GE1/17/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
mac-address static 0002-0002-0002 10GE1/17/1 vlan 2
mac-address static 0003-0003-0003 10GE1/17/1 vlan 2
mac-address static 0004-0004-0004 10GE1/17/2 vlan 2
#
return

Example for Configuring MAC Address Learning in a VLAN

Networking Requirements

As shown in Figure 5-14, user network 1 is connected to 10GE1/17/1 of the Switch Module through an LSW, and user network 2 is connected to 10GE1/17/2 of the Switch Module through another LSW. Both 10GE1/17/1 and 10GE1/17/2 belong to VLAN 2. To prevent MAC address attacks and limit the number of access users on the device, limit MAC address learning on all the interfaces in VLAN 2.

Figure 5-14 Networking diagram for MAC address limiting in a VLAN

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.

  2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address attacks and limit the number of access users.

Procedure

  1. Limit MAC address learning.

    # Add 10GE1/17/1 and 10GE1/17/2 to VLAN 2.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] vlan 2
    [*Switch Module-vlan2] quit
    [*Switch Module] interface 10ge 1/17/1
    [*Switch Module-10GE1/17/1] port link-type trunk
    [*Switch Module-10GE1/17/1] port trunk allow-pass vlan 2
    [*Switch Module-10GE1/17/1] quit
    [*Switch Module] interface 10ge 1/17/2
    [*Switch Module-10GE1/17/2] port link-type trunk
    [*Switch Module-10GE1/17/2] port trunk allow-pass vlan 2
    [*Switch Module-10GE1/17/2] quit
    [*Switch Module] commit

    # Configure the following MAC address limiting rule in VLAN 2: a maximum of 100 MAC addresses can be learned. When the number of learned MAC addresses reaches the limit, the device sends an alarm; the action applied to packets from addresses beyond the limit stays at the default (forward), as shown in the verification output.

    [~Switch Module] vlan 2
    [~Switch Module-vlan2] mac-address limit maximum 100 alarm enable
    [*Switch Module-vlan2] quit
    [*Switch Module] commit

  2. Verify the configuration.

    # Run the display mac-address limit command in any view to check whether the MAC address limiting rule is successfully configured.

    [~Switch Module] display mac-address limit
    MAC Limit is enabled
    Total MAC limit rule count : 1

    PORT                 VLAN/VSI/SI      SLOT Maximum Action  Alarm
    -------------------------------------------------------------------
    -                    2                -    100     forward enable

Configuration Files

The following lists only the configuration file of Switch Module.

#
sysname Switch Module
#
vlan batch 2
#
vlan 2
 mac-address limit maximum 100 alarm enable
#
interface 10GE1/17/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface 10GE1/17/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
return

Example for Configuring Port Security

Networking Requirements

As shown in Figure 5-15, a company wants to prevent computers of non-employees from accessing the intranet of the company to protect information security. To achieve this goal, the company needs to enable port security on the interface connected to computers of employees and set the maximum number of MAC addresses learned by the interface to be the same as the number of trusted computers.

Figure 5-15 Network diagram of port security

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VLAN to implement Layer 2 forwarding.

  2. Configure port security to prevent the learned MAC addresses from aging.

Procedure

  1. Create a VLAN and set the link type of the interface.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] vlan 10
    [*Switch-vlan10] quit
    [*Switch] interface 10ge 1/17/1
    [*Switch-10GE1/17/1] port link-type trunk
    [*Switch-10GE1/17/1] port trunk allow-pass vlan 10
    [*Switch-10GE1/17/1] commit

  2. Configure port security.

    # Enable port security.

    [~Switch-10GE1/17/1] port-security enable
    

    # Enable the sticky MAC function.

    [*Switch-10GE1/17/1] port-security mac-address sticky
    

    # Configure the security protection action.

    [*Switch-10GE1/17/1] port-security protect-action protect
    

    # Set the limit on the number of MAC addresses that can be learned on the interface.

    [*Switch-10GE1/17/1] port-security maximum 4
    [*Switch-10GE1/17/1] quit
    [*Switch] commit

    To enable the port security function on other interfaces, repeat the preceding steps.

    Assume that the MAC addresses of the four devices connected to the Switch (three servers and one access switch) have been learned. The maximum number of MAC addresses that can be learned is 4.

  3. Verify the configuration.

    If User1 is replaced by another device, the new device cannot access the intranet of the company: the interface has already learned its maximum of four MAC addresses, and the protect action discards packets whose source MAC address is not one of them.

Configuration Files

Configuration file of the switch

#
sysname Switch
#
vlan batch 10
#
interface 10GE1/17/1
 port link-type trunk
 port trunk allow-pass vlan 10
 port-security enable
 port-security protect-action protect
 port-security maximum 4
 port-security mac-address sticky
#
return

Example for Configuring MAC Address Anti-flapping

Networking Requirements

Employees of an enterprise need to access the enterprise server. If an attacker sends packets with the server MAC address as the source MAC address through another interface, the server MAC address is learned on that interface, and packets destined for the server are forwarded to the unauthorized user. Employees can then no longer reach the server, and important data is intercepted by the attacker.

As shown in Figure 5-16, MAC address anti-flapping can be configured to protect the server from attacks.

Figure 5-16 Networking diagram of MAC address anti-flapping

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.

  2. Configure MAC address anti-flapping on the server-side interface.

Procedure

  1. Create a VLAN and add the interfaces to the VLAN.

    # Add 10GE1/17/1 and 10GE1/17/2 to VLAN 10.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] vlan 10
    [*Switch Module-vlan10] quit
    [*Switch Module] interface 10ge 1/17/2
    [*Switch Module-10GE1/17/2] port link-type trunk
    [*Switch Module-10GE1/17/2] port trunk allow-pass vlan 10
    [*Switch Module-10GE1/17/2] quit
    [*Switch Module] interface 10ge 1/17/1
    [*Switch Module-10GE1/17/1] port default vlan 10
    [*Switch Module-10GE1/17/1] commit

  2. Configure MAC address anti-flapping on the server-side interface.

    # Set the MAC address learning priority of 10GE1/17/1 to 2.

    [~Switch Module-10GE1/17/1] mac-address learning priority 2
    [*Switch Module-10GE1/17/1] commit
    [~Switch Module-10GE1/17/1] quit

  3. Verify the configuration.

    # Run the display current-configuration command in any view to check whether the MAC address learning priority of the interface is set correctly.

    [~Switch Module] display current-configuration interface 10ge 1/17/1
    #
    interface 10GE1/17/1
     port default vlan 10
     mac-address learning priority 2
    #
    return

Configuration Files

Configuration file of the Switch Module

#
sysname Switch Module
#
vlan batch 10
#
interface 10GE1/17/1
 port default vlan 10
 mac-address learning priority 2
#
interface 10GE1/17/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return

Example for Configuring MAC Address Flapping Detection

Networking Requirements

As shown in Figure 5-17, a loop occurs on a user network because network cables between two LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table flapping.

You can enable MAC address flapping detection on the Switch Module to detect MAC address flapping and discover loops.

Figure 5-17 Networking diagram of MAC address flapping detection

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable MAC address flapping detection.

  2. Set the aging time of flapping MAC addresses.

  3. Configure the action taken on an interface when MAC address flapping is detected on it, so that the loop is broken.

Procedure

  1. Enable MAC address flapping detection.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module
    [*HUAWEI] commit
    [~Switch Module] mac-address flapping detection
    [*Switch Module] commit

  2. Set the aging time of flapping MAC addresses.

    [~Switch Module] mac-address flapping aging-time 500
    [*Switch Module] commit

  3. Shut down 10GE1/17/1 and 10GE1/17/2 when MAC address flapping is detected.

    [~Switch Module] interface 10ge 1/17/1
    [~Switch Module-10GE1/17/1] mac-address flapping trigger error-down
    [*Switch Module-10GE1/17/1] quit
    [*Switch Module] interface 10ge 1/17/2
    [*Switch Module-10GE1/17/2] mac-address flapping trigger error-down
    [*Switch Module-10GE1/17/2] quit
    [*Switch Module] commit

  4. Configure automatic recovery and set the automatic recovery time for the shutdown interface.

    [~Switch Module] error-down auto-recovery cause mac-address-flapping interval 500
    [*Switch Module] commit

  5. Verify the configuration.

    After the configuration is complete, when the MAC address on 10GE1/17/1 flaps to 10GE1/17/2, 10GE1/17/2 is shut down. Run the display mac-address flapping command to view the flapping records.

    [~Switch Module] display mac-address flapping
    Mac-address Flapping Configurations :
    -------------------------------------------------------------------------------
      Flapping detection          : Enable
      Aging  time(s)              : 500
      Quit-vlan Recover time(m)   : --
      Exclude vlan-list           : --
    -------------------------------------------------------------------------------
    S  : start time    E  : end time    (D) : error down
    -------------------------------------------------------------------------------
    Time                  VLAN MAC-Address    Original-Port  Move-Ports     MoveNum
    -------------------------------------------------------------------------------
    S:2011-12-11 11:00:08 1    0000-0000-0007 10GE1/17/1      10GE1/17/2(D)   83
    E:2011-12-11 11:33:13

    -------------------------------------------------------------------------------
    Total items on slot 1: 1
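As an added example that is not part of the Huawei guide, this Python parses the display mac-address flapping output shown above into one record per S:/E: pair and lists which interfaces the error-down trigger shut down, which is what an operator wants to know before the auto-recovery interval elapses. The sample text is constructed from the output above, and the regex assumes the column layout shown there.

```python
import re

# Constructed sample input: the "display mac-address flapping" output from the
# verification step above, embedded here so the parser runs offline.
SAMPLE_FLAPPING = """\
Mac-address Flapping Configurations :
-------------------------------------------------------------------------------
  Flapping detection          : Enable
-------------------------------------------------------------------------------
S  : start time    E  : end time    (D) : error down
Time                  VLAN MAC-Address    Original-Port  Move-Ports     MoveNum
-------------------------------------------------------------------------------
S:2011-12-11 11:00:08 1    0000-0000-0007 10GE1/17/1      10GE1/17/2(D)   83
E:2011-12-11 11:33:13
-------------------------------------------------------------------------------
Total items on slot 1: 1
"""

# One record start line: S:<time> <vlan> <mac> <original port> <move ports...> <move count>
START_RE = re.compile(
    r"^S:(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<vlan>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<orig>\S+)\s+"
    r"(?P<moves>\S+(?:\s+\S+)*?)\s+(?P<num>\d+)$", re.IGNORECASE)

def parse_flapping(text):
    """Return (detection_enabled, records); each record is one S:/E: pair."""
    enabled = re.search(r"Flapping detection\s*:\s*Enable", text) is not None
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = START_RE.match(line)
        if m:
            # A "(D)" suffix marks a move port that the error-down trigger shut down.
            moves = [{"port": t[:-3] if t.endswith("(D)") else t, "error_down": t.endswith("(D)")}
                     for t in m.group("moves").split()]
            current = {"start": m.group("start"), "end": None, "vlan": int(m.group("vlan")),
                       "mac": m.group("mac").lower(), "original_port": m.group("orig"),
                       "move_ports": moves, "move_num": int(m.group("num"))}
            records.append(current)
        elif line.startswith("E:") and current is not None:
            current["end"] = line[2:].strip()   # end time of the flapping record
    return enabled, records

def error_down_ports(records):
    """(port, mac) pairs for every port the flapping trigger put into error-down state."""
    return sorted((mp["port"], r["mac"]) for r in records
                  for mp in r["move_ports"] if mp["error_down"])
```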

Configuration Files

Configuration file of the Switch Module

#
sysname Switch Module
#
mac-address flapping aging-time 500
#
error-down auto-recovery cause mac-address-flapping interval 500
#
interface 10GE1/17/1
 mac-address flapping trigger error-down
#
interface 10GE1/17/2
 mac-address flapping trigger error-down
#
return
Updated: 2019-12-13

Document ID: EDOC1000041694