S12700 V200R010C00 Configuration Guide - Ethernet Switching

This document describes the configuration of Ethernet services, including configuring link aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, STP/RSTP/MSTP, SEP, and so on.
MAC Address Entries Failed to Be Learned on an Interface


Fault Symptom

MAC address entries cannot be learned on an interface, causing Layer 2 forwarding failures.

Procedure

  1. Check the configuration on the device.

    Check item: Whether the VLAN that the interface belongs to has been created
    Verification method: Run the display vlan vlan-id command in any view. If the system displays the message "Error: The VLAN does not exist", the VLAN has not been created.
    Follow-up operation: Run the vlan vlan-id command in the system view to create the VLAN.

    Check item: Whether the interface transparently transmits packets from the VLAN
    Verification method: Run the display vlan vlan-id command in any view to check whether the interface name exists. If not, the interface does not transparently transmit packets from the VLAN.
    Follow-up operation: Run one of the following commands in the interface view to add the interface to the VLAN.
    • Run the port trunk allow-pass vlan command if the interface is a trunk interface.
    • Run the port hybrid tagged vlan or port hybrid untagged vlan command if the interface is a hybrid interface.
    • Run the port default vlan command if the interface is an access interface.

    Check item: Whether a blackhole MAC address entry is configured
    Verification method: Run the display mac-address blackhole command in any view to check whether a blackhole MAC address entry is configured.
    Follow-up operation: If a blackhole MAC address entry is displayed and you want to delete it, run the undo mac-address blackhole command in any view.

    Check item: Whether MAC address learning is disabled on the interface or in the VLAN
    Verification method: Run the display this | include learning command in the interface view and VLAN view to check whether the mac-address learning disable configuration exists. If so, MAC address learning is disabled on the interface or in the VLAN.
    Follow-up operation: Run the undo mac-address learning disable command in the interface view or VLAN view to enable MAC address learning.

    Check item: Whether MAC address limiting is configured on the interface and in the VLAN
    Verification method: Run the display this | include mac-limit command in the interface view and VLAN view to check whether MAC address limiting is configured. If so, the maximum number of learned MAC address entries is set.
    Follow-up operation:
    • Run the mac-limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
    • Run the undo mac-limit command in the interface view or VLAN view to remove the MAC address limit.

    Check item: Whether port security is configured on the interface
    Verification method: Run the display this | include port-security command in the interface view to check whether port security is configured.
    Follow-up operation:
    • Run the undo port-security enable command in the interface view to disable port security.
    • Run the port-security max-mac-num command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.

    If the fault persists, go to step 2.

  2. Check whether a loop is causing MAC address entry flapping.

    1. Run the mac-address flapping detection command in the system view to configure MAC address flapping detection.
    2. The system checks all MAC addresses in the VLAN to detect MAC address flapping. Run the display mac-address flapping record command to check MAC address flapping records to determine whether a loop occurs.
    3. If a loop is causing MAC address flapping, use the following methods to remove MAC address flapping:
      • Eliminate the loop.
      • Run the mac-learning priority command in the interface view to configure the MAC address learning priority for the interface to ensure that MAC addresses are learned by the correct interface.

    If no loop was detected, go to step 3.

  3. Check whether the number of learned MAC address entries has reached the maximum value. If so, the device cannot learn new MAC address entries.

    • If the number of MAC address entries on the interface is less than or equal to the number of hosts connected to the interface, the device is connected to more hosts than it supports. Adjust your network plan accordingly.
    • If the interface has learned more MAC address entries than the hosts connected to the interface, the interface may be undergoing a MAC address attack from the attached network. Use the following table to locate the attack source.

      Scenario: The interface connects to another network device.
      Solution: Run the display mac-address command on the connected device to view MAC address entries. Use the displayed MAC address entries to locate the interface connected to the malicious host. If the located interface is connected to another network device, repeat this step until you find the malicious host.

      Scenario: The interface connects to a host.
      Solution:
      • Disconnect the host after obtaining permission from the administrator. When the attack stops, connect the host to the network again.
      • Run the port-security enable command on the interface to enable port security or run the mac-limit command to set the maximum number of MAC address entries to 1.

      Scenario: The interface connects to a hub.
      Solution:
      • Analyze packets mirrored from the interface or use another tool to analyze packets received by the interface to locate the attacking host. Disconnect the host after obtaining permission from the administrator. Connect the host to the hub again only after confirming that it no longer sends attacking packets.
      • Disconnect hosts connected to the hub one by one after obtaining permission from the administrator. If the fault is rectified after a host is disconnected, the host is the attacker. After the host stops the attack, connect it to the hub again.
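
The last four checks in step 1 (blackhole entries, disabled learning, MAC limits, port security) can be run over a saved configuration in one pass. The following Python code is an added example, not part of the original guide or Huawei software; audit, CHECKS and SAMPLE_CONFIG are hypothetical names, and the sample configuration and its layout (views separated by #, commands in a view indented by one space) are constructed assumptions.

```python
import re

# Constructed sample in the layout of a saved configuration (assumed:
# views are separated by '#', commands inside a view are indented one space).
SAMPLE_CONFIG = """\
#
mac-address blackhole 0000-5e00-5301 vlan 10
#
vlan 20
 mac-address learning disable
#
interface GigabitEthernet1/0/1
 port default vlan 10
 port-security enable
 port-security max-mac-num 1
#
interface GigabitEthernet1/0/2
 port trunk allow-pass vlan 10 20
 mac-limit maximum 1
#
"""

# (pattern, check item, follow-up command named in step 1 of the procedure)
CHECKS = [
    (r"mac-address blackhole\b", "blackhole MAC entry", "undo mac-address blackhole"),
    (r"mac-address learning disable\b", "learning disabled", "undo mac-address learning disable"),
    (r"mac-limit\b", "MAC address limit", "mac-limit / undo mac-limit"),
    (r"port-security\b", "port security", "undo port-security enable / port-security max-mac-num"),
]

def audit(config_text):
    """Return (view, line, check item, follow-up) for each setting that blocks or caps learning."""
    findings, view = [], "system"
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            view = "system"          # a separator (or blank line) returns to the system view
            continue
        if not raw.startswith(" ") and re.match(r"(interface \S+|vlan \d+)$", line):
            view = line              # entering an interface or VLAN view
            continue
        for pattern, item, follow_up in CHECKS:
            if re.match(pattern, line):   # anchored at line start, so 'undo ...' lines never match
                findings.append((view, line, item, follow_up))
    return findings

if __name__ == "__main__":
    for view, line, item, follow_up in audit(SAMPLE_CONFIG):
        print(f"{view}: '{line}' ({item}) -> {follow_up}")
```

Each finding names the view where the setting lives, so the follow-up command can be run in the correct interface, VLAN or system view.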

Updated: 2019-08-21

Document ID: EDOC1000142081
