AR500, AR510, and AR530 V200R007 CLI-based Configuration Guide - Ethernet Switching

This document describes the configuration of Ethernet services, including transparent bridging, the MAC address table, link aggregation, VLANs, and STP/RSTP/MSTP. It provides configuration procedures and configuration examples to illustrate the service configuration methods and application scenarios.

Correct MAC Address Entry Cannot Be Learned on the Device

Fault Description

MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.

Procedure

  1. Check that the configurations on the interface are correct.

    Run the display mac-address command in any view to check whether the binding relationships between the MAC address, VLAN, and interface are correct.

    <Huawei> display mac-address 
    ------------------------------------------------------------------------------- 
    MAC Address    VLAN/Bridge                       Learned-From        Type       
    ------------------------------------------------------------------------------- 
    0025-9e80-2494 1/-                               Eth0/0/1            dynamic    
                                                                                    
    ------------------------------------------------------------------------------- 
    Total items displayed = 1                                                       

    If not, re-configure the binding relationships between the MAC address, VLAN, and interface.

    If yes, go to step 2.

  2. Check whether a loop on the network causes MAC address flapping.

    Generally, MAC address flapping is caused by loops. You can run the loop-detect eth-loop command in the VLAN view to enable the MAC flapping detection function. The industrial switch router checks whether a MAC address moves from one interface to another in the VLAN.

    Use either of the following methods to prevent MAC address flapping:

    • Remove the loop from the network.

    If no loop exists, go to step 3.

  3. Check whether the interface is blocked by a loop prevention protocol.

    Run the display stp brief command in any view to check whether the interface participates in STP calculation and check the interface status.

    Run the display sep topology command in any view to check whether the interface participates in SEP calculation and check the interface status.

    If the interface status is incorrect, check the STP or SEP configuration.

    If the interface status is correct, go to step 4.

  4. Check that MAC address learning is enabled.

    Check whether MAC address learning is enabled in the interface view and the VLAN view.

    [Huawei-Ethernet0/0/1] display this
    #
    interface Ethernet0/0/1
     mac-address learning disable 
     port hybrid tagged vlan 10
     undo negotiation auto
     speed 100
    #
    return
    
    [Huawei-vlan10] display this
    #
    vlan 10
     mac-address learning disable
    #
    return
    

    If the command output contains mac-address learning disable, MAC address learning is disabled on the interface or VLAN.

    • If MAC address learning is disabled, run the undo mac-address learning disable command in the interface view or VLAN view to enable MAC address learning.
    • If MAC address learning is enabled on the interface, go to step 5.
  5. Check whether any blackhole MAC address entry or MAC address limiting is configured.

    If a blackhole MAC address entry or MAC address limiting is configured, the interface discards packets.

    • Blackhole MAC address entry

      Run the display mac-address blackhole command to check whether any blackhole MAC address entry is configured.
      [Huawei] display mac-address blackhole
      -------------------------------------------------------------------------------
      MAC Address    VLAN/Bridge                       Learned-From        Type
      -------------------------------------------------------------------------------
      0001-0001-0001 3333/-                            -                   blackhole
      
      -------------------------------------------------------------------------------
      Total items displayed = 1

      If a blackhole MAC address entry is displayed, run the undo mac-address blackhole command to delete it.

    • MAC address limiting on the interface or VLAN

      • Run the display this command in the interface view or VLAN view. If the command output contains mac-limit maximum, the number of learned MAC addresses is limited. Run either of the following commands:
        • Run the undo mac-limit command in the interface view or VLAN view to cancel MAC address limiting.
        • Run the mac-limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
      • Run the display this command in the interface view. If the command output contains port-security max-mac-num or port-security enable, the number of secure dynamic MAC addresses is limited on the interface. Run either of the following commands:
        NOTE:
        By default, the limit on the number of secure dynamic MAC addresses is 1 after port security is enabled.
        • Run the undo port-security enable command in the interface view to disable port security.
        • Run the port-security max-mac-num command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.

    If the fault persists, go to step 6.

  6. Check whether the number of learned MAC address entries has reached the maximum value supported by the industrial switch router.

    Run the display mac-address summary command to check the number of MAC address entries in the MAC address table.

    • If the number of learned MAC address entries has reached the maximum value supported by the industrial switch router, no MAC address entry can be created. Run the display mac-address command to view all MAC address entries.
      • If the number of MAC address entries learned on an interface is much larger than the number of devices on the network connected to the interface, a user on the network may maliciously update the MAC address table. Check the device connected to the interface:
        • If the interface is connected to a device, run the display mac-address command on the device to view its MAC address table. Locate the interface connected to the malicious user host based on the displayed MAC address entries. If the interface that you find is connected to another device, repeat this step until you find the malicious user's host.
        • If the interface is connected to a computer, perform either of the following operations after obtaining permission from the administrator:
          • Disconnect the computer. When the attack stops, connect the computer to the network again.
          • Run the port-security enable command on the interface to enable port security or run the mac-limit command to set the maximum number of MAC addresses that the interface can learn to 1.
        • If the interface is connected to a hub, perform either of the following operations:
          • Configure port mirroring or other tools to observe packets received by the interface. Analyze the packet types to locate the attacking computer. Disconnect the computer after obtaining permission from the administrator. When the attack stops, connect the computer to the hub again.
          • Disconnect computers connected to the hub one by one after obtaining permission from the administrator. If the fault is rectified after a computer is disconnected, the computer is the attacker. After it stops the attack, connect it to the hub again.
      • If the number of MAC addresses on the interface is equal to or smaller than the number of devices connected to the interface, the number of devices connected to the industrial switch router has exceeded the maximum supported by the industrial switch router. Adjust network deployment.
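
The per-interface comparison in step 6 and the blackhole check in step 5 can be run offline against saved display mac-address output. The following is an added example, not part of the original guide or Huawei tooling: the sample table is constructed in the column layout shown above, the expected-host inventory is an assumption, and the script flags any interface that learned more entries than expected, where the guide says "much larger".

```python
import re
from collections import Counter

# Constructed sample in the column layout shown on this page (not a real capture).
SAMPLE = """\
-------------------------------------------------------------------------------
MAC Address    VLAN/Bridge                       Learned-From        Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/-                               Eth0/0/1            dynamic
0000-5e00-5301 1/-                               Eth0/0/2            dynamic
0000-5e00-5302 1/-                               Eth0/0/2            dynamic
0000-5e00-5303 1/-                               Eth0/0/2            dynamic
0000-5e00-5304 1/-                               Eth0/0/2            dynamic
0001-0001-0001 3333/-                            -                   blackhole
-------------------------------------------------------------------------------
Total items displayed = 6
"""

ROW = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return (mac, vlan, interface, type) tuples; rulers, header and totals are skipped."""
    return [m.groups() for m in map(ROW.match, text.splitlines()) if m]

def audit(text, expected, default=1):
    """expected: {interface: hosts known to sit behind it} (assumed inventory).

    Returns (over, blackholes, complete): interfaces with more dynamic entries
    than expected, blackhole entries, and whether every declared row was parsed.
    """
    rows = parse_mac_table(text)
    learned = Counter(intf for _, _, intf, typ in rows if typ.lower() == "dynamic")
    over = {i: n for i, n in learned.items() if n > expected.get(i, default)}
    blackholes = [(mac, vlan) for mac, vlan, _, typ in rows if typ.lower() == "blackhole"]
    # A mismatch with the footer means the capture was paged or truncated.
    total = re.search(r"Total items displayed = (\d+)", text)
    complete = bool(total) and int(total.group(1)) == len(rows)
    return over, blackholes, complete

if __name__ == "__main__":
    over, blackholes, complete = audit(SAMPLE, {"Eth0/0/1": 1, "Eth0/0/2": 2})
    for intf, n in sorted(over.items()):
        print(f"{intf}: {n} dynamic entries exceed the expected host count")
    for mac, vlan in blackholes:
        print(f"blackhole entry {mac} in VLAN/bridge {vlan} drops matching frames")
    print("capture complete" if complete else "capture truncated: re-run the command")
```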
Updated: 2019-05-25

Document ID: EDOC1000097279
