CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

This document describes the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules, including function configuration and configuration examples.

Principles

This section describes the principles of the MAC address table.

MAC Address Table

Packet Forwarding Based on the MAC Address Table

Each device maintains a MAC address table. Each entry records a MAC address, the VLAN ID, and the outbound interface, learned from frames received from other devices. When forwarding a frame, the device looks up the outbound interface using the destination MAC address and VLAN ID of the frame. This lets the device forward most traffic to a single interface instead of flooding it.

The device forwards frames based on the MAC address table in one of the following modes:

  • Unicast mode: If the destination MAC address and VLAN ID of a frame match an entry in the MAC address table, the device forwards the frame only through the outbound interface in that entry.
  • Broadcast (flooding) mode: If the frame is a broadcast or multicast frame, or its destination MAC address is not in the MAC address table (unknown unicast), the device floods the frame to all interfaces in the VLAN except the inbound interface.
Categories of MAC Address Entries

MAC address entries are classified into dynamic entries, static entries, and blackhole entries.

  • A dynamic entry is created by learning the source MAC address of received frames. It has an aging time.

  • A static entry is configured by the user and delivered to each SIC. It does not age.

  • A blackhole entry is used to discard frames whose source MAC address or destination MAC address matches the entry. Blackhole entries are configured manually by the user and delivered to each SIC. They do not age.

Dynamic entries are lost when the system resets or when an interface board is hot swapped or reset. Static and blackhole entries are retained.

Generation of a MAC address entry

MAC address entries are generated automatically or configured manually.

  • Automatically Generated MAC Address Entries

    MAC address entries are learned by the system automatically. For example, SwitchA and HostB are connected. When HostB sends a frame to SwitchA, SwitchA takes the source MAC address (the MAC address of HostB) from the frame and records it, together with the VLAN ID and the inbound interface number, in the MAC address table. When SwitchA later receives a frame destined for HostB, it looks up the MAC address table to find the correct outbound interface.

    Entries in the MAC address table are not valid forever. Each dynamic entry has a lifetime, called the aging time. If an entry is not refreshed before its aging time expires, the device deletes it from the MAC address table. If a frame from the same source refreshes the entry before it expires, the device resets its aging timer.

  • Manually Configured MAC Address Entries

    When the device builds MAC address entries by itself, it cannot tell whether a frame comes from a legitimate user or from an attacker. This is a security weakness of source MAC address learning.

    An attacker can forge the source MAC address of a legitimate user in attack frames and send them into the device through a different interface. The device then learns an incorrect MAC address entry that points at the attacker's interface, and frames destined for the legitimate user are forwarded to the attacker (MAC address spoofing).

    To prevent this, the network administrator can add static entries to the MAC address table to bind a user's MAC address to the interface that connects the user's device. A static entry is not overwritten by learning, so an attacker on another interface cannot redirect the user's traffic.

    By configuring blackhole MAC address entries, you can make the switch discard traffic from or to specified MAC addresses, which blocks traffic from unauthorized users.

    MAC address entries configured by users take precedence over entries learned by the device itself.

Aging Time of MAC Addresses

To adapt to changes in the network, the MAC address table must be updated constantly. The dynamic entries that a device creates automatically are not valid forever. Each dynamic entry has a lifetime, called the aging time. An entry that is not refreshed before its aging time expires is deleted. If the entry is refreshed before it expires, its aging timer is restarted.

Disabling MAC Address Learning and Limiting the Number of MAC Addresses

The capacity of a MAC address table is limited. An attacker can exploit this by sending a large number of frames with different forged source MAC addresses (MAC address flooding) until the MAC address table is full. Once the table is full, the device can no longer learn the source MAC addresses of valid frames, and traffic to those addresses is flooded to every interface in the VLAN, where the attacker can capture it.

A device limits the number of learned MAC addresses in one of the following modes:

  • Disabling MAC address learning on an interface, in a traffic behavior, or in a VLAN

  • Limiting the number of MAC addresses learned on an interface or in a VLAN

After MAC address learning is disabled on an interface or in a VLAN, no new MAC address entries are learned there. Dynamic entries learned earlier are deleted when their aging time expires; you can also delete them manually.

You can limit the maximum number of dynamic MAC address entries on a specified VLAN or interface. After the number of entries learned on the VLAN or interface reaches the limit, no further entries are learned there until some of the existing entries age out.

In most cases, the attack frames sent by an attacker enter the switch through the same interface. Setting a MAC address learning limit on that interface, or disabling MAC address learning on it, therefore prevents attack frames from exhausting the MAC address table without affecting the rest of the switch.
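The behaviour described in the sections above (unicast versus flooding, dynamic, static and blackhole entries, aging, static entries overriding learning, and the per-interface learning limit that defeats MAC address flooding) as an added simulation. This is illustration code written for this page, not the switch software or any part of the guide; the interface names, MAC addresses, aging time and the tiny table capacity are assumptions chosen for the demonstration.

```python
"""Simulation of a switch MAC address table: dynamic/static/blackhole entries,
aging, unicast vs. flooding, and a per-interface learning limit.
Added illustration, not vendor code; interfaces, MACs and sizes are made up."""
from dataclasses import dataclass

FLOOD = "flood"   # send to every interface in the VLAN except the inbound one
DROP = "drop"


@dataclass
class Entry:
    port: str          # outbound interface (None for a blackhole entry)
    kind: str          # "dynamic", "static" or "blackhole"
    last_seen: float   # refreshed on every frame for dynamic entries


class MacTable:
    def __init__(self, aging_time=300.0, capacity=6):
        self.aging_time = aging_time
        self.capacity = capacity           # hardware table size (tiny for the demo)
        self.entries = {}                  # (vlan, mac) -> Entry
        self.port_limit = {}               # interface -> max dynamic entries
        self.learning_disabled = set()     # interfaces with MAC learning switched off

    def dynamic_on(self, port):
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.port == port)

    def add_static(self, mac, vlan, port):
        self.entries[(vlan, mac)] = Entry(port, "static", 0.0)

    def add_blackhole(self, mac, vlan):
        self.entries[(vlan, mac)] = Entry(None, "blackhole", 0.0)

    def age(self, now):
        """Delete dynamic entries not refreshed within aging_time; others never age."""
        expired = [k for k, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.last_seen >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def learn(self, src_mac, vlan, in_port, now):
        """Source-MAC learning; returns True if the table was updated."""
        key = (vlan, src_mac)
        cur = self.entries.get(key)
        if cur is not None and cur.kind != "dynamic":
            return False                   # user-configured entries outrank learned ones
        if in_port in self.learning_disabled:
            return False
        if cur is None:                    # a new entry needs room
            limit = self.port_limit.get(in_port)
            if limit is not None and self.dynamic_on(in_port) >= limit:
                return False
            if len(self.entries) >= self.capacity:
                return False               # table full: even valid sources are not learned
        self.entries[key] = Entry(in_port, "dynamic", now)   # (re)learn and refresh timer
        return True

    def forward(self, src_mac, dst_mac, vlan, in_port, now):
        """Return the outbound interface, FLOOD or DROP for one frame."""
        src = self.entries.get((vlan, src_mac))
        if src is not None and src.kind == "blackhole":
            return DROP                    # blackhole entry on the source address
        self.learn(src_mac, vlan, in_port, now)
        if int(dst_mac[:2], 16) & 1:       # I/G bit set: broadcast or multicast
            return FLOOD
        dst = self.entries.get((vlan, dst_mac))
        if dst is None:
            return FLOOD                   # unknown unicast
        if dst.kind == "blackhole":
            return DROP
        return dst.port


def mac_table_demo():
    t = MacTable(aging_time=300, capacity=6)
    t.port_limit["GE0/0/3"] = 2            # learning limit on the untrusted interface
    r = {}
    host_a, host_b = "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    r["unknown"] = t.forward(host_a, host_b, 10, "GE0/0/1", 0)   # B unknown: flooded
    r["unicast"] = t.forward(host_b, host_a, 10, "GE0/0/2", 1)   # A known: one port
    t.add_static(host_a, 10, "GE0/0/1")    # bind A to its real interface
    t.forward(host_a, host_b, 10, "GE0/0/3", 2)                  # spoofed A from port 3
    r["static_holds"] = t.entries[(10, host_a)].port
    for i in range(50):                    # flooding attempt from port 3
        t.forward(f"02:00:00:00:00:{i:02x}", host_b, 10, "GE0/0/3", 3)
    r["learned_on_3"] = t.dynamic_on("GE0/0/3")
    t.add_blackhole("02:00:00:00:00:00", 10)
    r["blackhole"] = t.forward("02:00:00:00:00:00", host_b, 10, "GE0/0/3", 4)
    r["aged"] = t.age(now=1000)            # only dynamic entries expire
    r["static_remains"] = (10, host_a) in t.entries
    return r
```

Running `mac_table_demo()` shows the first frame to an unknown host being flooded, the reply being unicast, the static binding for host A surviving a spoofed frame on another interface, the flood of 50 forged sources leaving only two dynamic entries on the limited interface, and aging removing dynamic entries while the static and blackhole entries stay.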

Port Security

Introduction to Port Security

The port security function turns the MAC addresses learned on an interface into secure MAC addresses (dynamic secure MAC addresses or sticky MAC addresses). Only hosts whose source MAC address matches a secure MAC address or a static MAC address can communicate with the device through that interface. This function enhances device security.

Secure MAC Address Learning

Secure MAC addresses are classified into dynamic secure MAC addresses and sticky MAC addresses:

  • Dynamic secure MAC addresses: learned on an interface where port security is enabled but the sticky MAC function is disabled. By default, dynamic secure MAC addresses do not age out. They are lost when the switch restarts and must be learned again.
  • Sticky MAC addresses: learned on an interface where both port security and the sticky MAC function are enabled. Sticky MAC addresses do not age out. If you save the configuration before restarting the switch, the sticky MAC addresses still exist after the restart.

Before port security is enabled on an interface, MAC address entries can be configured statically or learned dynamically on the interface. When port security is enabled, the dynamic MAC address entries already learned on the interface are deleted, and entries learned afterwards become dynamic secure MAC address entries. Only frames whose source MAC address matches a dynamic secure MAC address entry or a static MAC address entry can pass through the interface. When the sticky MAC function is then enabled on the interface, the existing dynamic secure entries and the entries learned afterwards become sticky MAC address entries. When the number of secure MAC addresses reaches the configured limit, the switch stops learning MAC addresses on the interface and applies a protection action to the interface or to the frames it receives.
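The state changes described above (dynamic entries purged when port security is enabled, later learns becoming secure or sticky, the limit triggering a protection action, and the different restart behaviour of secure and sticky entries) as an added simulation for a single interface. This is illustration code written for this page, not the switch software; the MAC addresses, the limit of two secure addresses, and the choice of dropping offending frames as the protection action are assumptions.

```python
"""Port security state machine for one interface.
Added illustration, not vendor code; MACs, limit and the drop action are assumed."""


class SecurePort:
    def __init__(self, name, max_secure=2):
        self.name = name
        self.max_secure = max_secure
        self.enabled = False
        self.sticky = False
        self.entries = {}        # mac -> "dynamic" | "static" | "secure" | "sticky"
        self.dropped = []        # source MACs rejected by the protection action

    def add_static(self, mac):
        self.entries[mac] = "static"

    def enable_port_security(self):
        self.enabled = True
        # Previously learned dynamic entries are deleted; static ones stay.
        self.entries = {m: k for m, k in self.entries.items() if k != "dynamic"}

    def enable_sticky(self):
        self.sticky = True
        # Existing secure entries are converted; later learns are sticky too.
        self.entries = {m: ("sticky" if k == "secure" else k)
                        for m, k in self.entries.items()}

    def secure_count(self):
        return sum(1 for k in self.entries.values() if k in ("secure", "sticky"))

    def receive(self, src_mac):
        """Return True if a frame from src_mac is accepted on this interface."""
        kind = self.entries.get(src_mac)
        if not self.enabled:                # ordinary source-MAC learning
            if kind is None:
                self.entries[src_mac] = "dynamic"
            return True
        if kind is not None:
            return True                     # secure, sticky or static: allowed
        if self.secure_count() >= self.max_secure:
            self.dropped.append(src_mac)    # limit reached: protection action (assumed: drop)
            return False
        self.entries[src_mac] = "sticky" if self.sticky else "secure"
        return True

    def restart(self, config_saved=True):
        """Dynamic secure entries are lost on restart; sticky ones survive only if saved."""
        keep = {"static"} | ({"sticky"} if config_saved else set())
        self.entries = {m: k for m, k in self.entries.items() if k in keep}


def port_security_demo():
    p = SecurePort("GE0/0/1", max_secure=2)
    p.receive("00:e0:fc:00:00:01")          # learned as an ordinary dynamic entry
    p.add_static("00:e0:fc:00:00:ee")
    p.enable_port_security()
    after_enable = dict(p.entries)          # dynamic entry gone, static kept
    p.receive("00:e0:fc:00:00:01")          # re-learned, now a secure entry
    p.receive("00:e0:fc:00:00:02")
    third = p.receive("00:e0:fc:00:00:03")  # limit of 2 reached: rejected
    static_ok = p.receive("00:e0:fc:00:00:ee")
    p.enable_sticky()                       # secure entries become sticky
    p.restart(config_saved=True)            # sticky and static entries survive
    return after_enable, third, static_ok, dict(p.entries), list(p.dropped)
```

Calling `port_security_demo()` returns the table right after enabling port security (only the static entry), the rejection of the third host, the acceptance of the statically bound host, the entries that survive a restart with a saved configuration, and the list of dropped source addresses.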

MAC Address Flapping

MAC address flapping occurs when the same MAC address is learned on two interfaces in the same VLAN: the entry learned later replaces the earlier one. If a large number of MAC addresses flap within a short time, the cause is usually a loop. When a loop causes a broadcast storm, MAC address flapping occurs on every switch affected by the storm. MAC address flapping detection can therefore be used to check for loops on a network.

MAC Address Anti-flapping

MAC address flapping occurs on a network when the network has a loop or is under attack (for example, when an attacker sends frames with the forged MAC address of a server).

MAC address flapping can be prevented in the following two ways:
  • Increasing the MAC address learning priority of an interface: When the same MAC address is learned on interfaces with different priorities, the entry learned on the interface with the highest priority overrides the entries learned on the other interfaces, and a later learn on a lower-priority interface does not replace it.
  • Forbidding MAC address flapping between interfaces with the same priority: If the interface connected to the forged device has the same priority as the interface connected to the authorized device, the MAC address learned later from the forged device does not replace the correct entry. Note the limitation of this mode: if the authorized device powers off and its entry ages out, the MAC address of the forged device is learned. After the authorized device powers on again, the switch cannot learn the correct entry, because the forged entry has the same priority.
Figure 5-9 Networking diagram of MAC address anti-flapping

As shown in Figure 5-9, you can set a high MAC address learning priority on Port1, the interface connected to the server, to prevent unauthorized users from using the server's MAC address to access the switch.

MAC Address Flapping Detection

The device can detect MAC address flapping. When MAC address flapping occurs, the device provides diagnostic information, including the flapping MAC address, the interfaces between which the MAC address flaps, and the VLAN that the interfaces belong to. A loop may exist on the interfaces between which the MAC address flaps, so checking those interfaces shows where the loop is formed.

Figure 5-10 MAC address flapping detection

As shown in Figure 5-10, Switch C should not be connected to Switch D. When the two switches are connected, Switch B, Switch C, and Switch D form a loop. When Port1 of Switch A receives a broadcast frame, Switch A forwards it to Switch B. The frame travels around the loop and arrives back at Port2 of Switch A. Switch A sees the source MAC address of the frame move from Port1 to Port2. If the MAC address moves between the two ports frequently, Switch A concludes that MAC address flapping is occurring.

NOTE:

MAC address flapping detection allows a switch to detect changes in traffic based on learned MAC addresses, but the switch cannot obtain the entire network topology. It is recommended that this function be used on an interface when the interface connects to a user network where loops may occur.
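The anti-flapping and flapping-detection behaviour described in the two sections above, as an added example written for this page (not the switch software): a detector that flags a MAC address moving between interfaces in the same VLAN several times within a short window and reports the MAC, VLAN and interfaces involved, plus the interface-priority learning rule. The learn events, interface names, priorities, window and threshold are constructed for the demonstration.

```python
"""MAC address flapping: detection over a stream of learn events, and the
interface learning priority that prevents it. Added illustration, not vendor
code; events, interface names, thresholds and priorities are made up."""
from collections import defaultdict, deque

# Constructed learn events: (time_s, vlan, mac, interface).
EVENTS = [
    (0.0, 10, "00:e0:fc:00:00:01", "GE0/0/1"),   # server, seen where it belongs
    (0.2, 10, "00:e0:fc:00:00:01", "GE0/0/2"),   # same MAC now on a second port
    (0.4, 10, "00:e0:fc:00:00:01", "GE0/0/1"),
    (0.6, 10, "00:e0:fc:00:00:01", "GE0/0/2"),
    (0.8, 10, "00:e0:fc:00:00:01", "GE0/0/1"),
    (1.0, 10, "00:e0:fc:00:00:01", "GE0/0/2"),
    (5.0, 20, "00:e0:fc:00:00:02", "GE0/0/5"),   # a host that moves once: not flapping
    (9.0, 20, "00:e0:fc:00:00:02", "GE0/0/6"),
]


class FlapDetector:
    """Flag a (vlan, mac) that changes interface `threshold` times within `window` seconds."""

    def __init__(self, window=2.0, threshold=3):
        self.window, self.threshold = window, threshold
        self.location = {}                  # (vlan, mac) -> interface last learned on
        self.moves = defaultdict(deque)     # (vlan, mac) -> recent (time, from, to)
        self.alarms = []

    def observe(self, t, vlan, mac, port):
        key = (vlan, mac)
        prev = self.location.get(key)
        self.location[key] = port
        if prev is None or prev == port:
            return None                     # first sighting or no change
        q = self.moves[key]
        q.append((t, prev, port))
        while q and t - q[0][0] > self.window:
            q.popleft()                     # forget moves outside the window
        if len(q) >= self.threshold:
            ports = sorted({p for _, a, b in q for p in (a, b)})
            alarm = {"vlan": vlan, "mac": mac, "ports": ports, "moves": len(q)}
            self.alarms.append(alarm)
            q.clear()                       # one alarm per burst
            return alarm
        return None


def detect(events, **kw):
    d = FlapDetector(**kw)
    for ev in events:
        d.observe(*ev)
    return d.alarms


# Anti-flapping: a learn from a lower-priority interface never displaces an
# entry held by a higher-priority one; with same-priority flapping forbidden,
# an equal-priority interface does not displace it either.
def learn_with_priority(table, priority, vlan, mac, port, forbid_equal=True):
    key = (vlan, mac)
    cur = table.get(key)
    if cur is not None and cur != port:
        cur_p, new_p = priority.get(cur, 0), priority.get(port, 0)
        if new_p < cur_p or (forbid_equal and new_p == cur_p):
            return False                    # keep the existing entry
    table[key] = port
    return True


def anti_flap_demo():
    table, prio = {}, {"GE0/0/1": 3}        # Port1 to the server gets the high priority
    learn_with_priority(table, prio, 10, "00:e0:fc:00:00:01", "GE0/0/1")
    spoof = learn_with_priority(table, prio, 10, "00:e0:fc:00:00:01", "GE0/0/2")
    return spoof, table[(10, "00:e0:fc:00:00:01")]
```

`detect(EVENTS)` raises a single alarm for the server MAC in VLAN 10, naming GE0/0/1 and GE0/0/2 as the interfaces between which it flaps (the pair to inspect for a loop), and ignores the host in VLAN 20 that simply moved once. `anti_flap_demo()` shows the spoofed learn on GE0/0/2 being refused while the server's entry stays on the high-priority GE0/0/1.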

Updated: 2019-08-09

Document ID: EDOC1000041694