S12700 V200R010C00 Configuration Guide - Ethernet Switching

This document describes the configuration of Ethernet services, including configuring link aggregation, VLANs, Voice VLAN, VLAN mapping, QinQ, GVRP, MAC table, STP/RSTP/MSTP, SEP, and so on.
Configuration Task Summary

Table 2-5 Configuration task summary for a MAC address table

Scenario: Bind static MAC addresses and interfaces
Description: Configure static MAC address entries to bind MAC addresses to interfaces, improving security for authorized users.
Task: Configuring a Static MAC Address Entry

Scenario: Filter out attack packets
Description: Configure blackhole MAC address entries to filter out packets from unauthorized users, thereby protecting the system against attacks.
Task: Configuring a Blackhole MAC Address Entry

Scenario: Flexibly control aging of dynamic MAC address entries
Description: For stable networks, set a long aging time, or set the aging time to 0 so that dynamic MAC address entries do not age. For other scenarios, set a short aging time.
Task: Setting the Aging Time of Dynamic MAC Address Entries

Scenario: Control MAC address learning
Description: Certain network attacks aim to exhaust MAC address entries. To protect against this kind of attack, disable MAC address learning or limit the number of MAC address entries that can be learned.
Task: Disabling MAC Address Learning; Configuring the MAC Address Limiting Function

Scenario: Monitor the MAC address table
Description: You can configure various MAC address alarm functions to monitor the usage of MAC address entries.

  • Alarm threshold for MAC address usage: When the MAC address usage exceeds the upper threshold, the switch generates an alarm. When the MAC address usage falls below the lower threshold, the switch reports a clear message.
  • MAC address learning or aging alarm: When a MAC address entry is learned or aged out, the switch generates an alarm.
  • MAC address hash conflict alarm: If the switch cannot learn MAC address entries even when its MAC address table is not full, the switch generates an alarm.

Task: Enabling MAC Address Alarm Functions

Scenario: Quickly update outbound interfaces in ARP entries
Description: Configure the MAC address-triggered ARP entry update function. When the outbound interface in a MAC address entry changes, the device updates the outbound interface in the corresponding ARP entry before ARP probing. This function shortens service interruption time.
Task: Enabling MAC Address-Triggered ARP Entry Update

Scenario: Prevent MAC address flapping
Description: MAC address flapping occurs on a network when the network has a loop or undergoes certain attacks. You can use the following methods to prevent MAC address flapping:

  • Configure the MAC address learning priorities for interfaces. When the same MAC address is learned by two interfaces of different priorities, the MAC address entries learned by the interface with a higher priority override the MAC address entries learned by the other interface.
  • Prevent MAC address entries from being overridden on interfaces with the same priority.

Task: Configuring MAC Address Flapping Prevention

Scenario: Detect MAC address flapping
Description: MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN and the MAC address entry learned later overrides the earlier one.

MAC address flapping detection enables a switch to check whether MAC addresses flap between interfaces and to determine whether a loop exists. When MAC address flapping occurs, the switch sends an alarm to the NMS. Network maintenance personnel can locate the loop based on the alarm information and the historical records of MAC address flapping, which greatly simplifies network maintenance. If the network connected to the switch does not support loop prevention protocols, configure the switch to shut down the interfaces where MAC address flapping occurs to reduce the impact of MAC address flapping on the network.
Task: Configuring MAC Address Flapping Detection

Scenario: Discard packets with an all-0 source or destination MAC address
Description: A faulty host or device may send packets with an all-0 source or destination MAC address to a switch. Configure the switch to discard such packets and send an alarm to the NMS to help the network administrator locate the faulty host or device.
Task: Configuring the Switch to Discard Packets with an All-0 MAC Address

Scenario: Discard packets in which destination MAC addresses do not match the MAC address table
Description: After a DHCP user goes offline, the MAC address entry of the user ages out. If there are packets destined for this user, the system cannot find the MAC address entry and broadcasts the packets to all interfaces in the VLAN. In this case, all users receive the packets, which poses a security risk. After the switch is configured to discard packets that do not match any MAC address entry, the switch discards such packets. This function reduces the burden on the switch and enhances security.
Task: Configuring the Switch to Discard Packets That Do Not Match Any MAC Address Entry

Scenario: Forward packets from an interface when the source and destination MAC addresses are the same
Description: By default, an interface discards packets whose source and destination MAC addresses are the same. After the port bridge function is enabled on the interface, the interface forwards such packets. This function applies to a switch that connects to devices incapable of Layer 2 forwarding or functions as an access device in a data center.
Task: Enabling Port Bridge
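
The override rules described under "Prevent MAC address flapping" and "Detect MAC address flapping" can be replayed offline to see which learning events count as a flap and which are blocked. The following Python model is an added example, not Huawei code or behaviour taken from the guide; the class MacTable, the default priority of 0, the interface names and the learning events are all constructed assumptions.

```python
from collections import defaultdict

class MacTable:
    """Simplified model of a MAC table with learning priorities (illustrative only)."""

    def __init__(self, priorities, allow_same_priority_override=True):
        self.priorities = priorities        # interface -> learning priority (0 assumed if unset)
        self.allow_same = allow_same_priority_override
        self.entries = {}                   # (vlan, mac) -> interface currently holding the entry
        self.flaps = defaultdict(list)      # (vlan, mac) -> [(old_if, new_if), ...]
        self.blocked = []                   # override attempts that were refused

    def learn(self, vlan, mac, iface):
        key = (vlan, mac.lower())
        current = self.entries.get(key)
        if current is None:
            self.entries[key] = iface
            return "learned"
        if current == iface:
            return "refreshed"
        new_p = self.priorities.get(iface, 0)
        old_p = self.priorities.get(current, 0)
        # A later entry overrides the earlier one only from a higher-priority
        # interface, or from an equal-priority one when that is still allowed.
        if new_p > old_p or (new_p == old_p and self.allow_same):
            self.entries[key] = iface
            self.flaps[key].append((current, iface))
            return "overridden"
        self.blocked.append((key, current, iface))
        return "blocked"

    def flapping(self, min_moves=2):
        """Return the (vlan, mac) keys whose entry moved at least min_moves times."""
        return sorted(k for k, moves in self.flaps.items() if len(moves) >= min_moves)

# Constructed learning events: (VLAN, source MAC, ingress interface).
EVENTS = [
    (10, "00e0-fc00-0001", "GE1/0/1"),  # server reached through the uplink
    (10, "00e0-fc00-0001", "GE1/0/2"),  # same MAC now seen on a user-facing port
    (10, "00e0-fc00-0001", "GE1/0/1"),
    (10, "00e0-fc00-0001", "GE1/0/2"),
    (20, "00e0-fc00-0002", "GE1/0/2"),  # ordinary host that never moves
]

def replay(priorities, allow_same=True):
    """Feed the constructed events into a fresh table and return it with the outcomes."""
    table = MacTable(priorities, allow_same)
    return table, [table.learn(*event) for event in EVENTS]
```

With equal priorities the VLAN 10 entry moves three times and is reported as flapping; giving GE1/0/1 a higher priority, or refusing same-priority overrides, pins the entry to the first interface and turns the moves into blocked attempts.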

Updated: 2019-08-21

Document ID: EDOC1000142081
