NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring MAC Flapping-based Loop Detection for a VPLS Network


After MAC flapping-based loop detection is configured on a virtual private LAN service (VPLS) network, the devices can detect loops on AC-side interfaces or pseudo wires (PWs), and block interfaces or PWs or report alarms.

Usage Scenario

On a VPLS network, PWs are established over Multiprotocol Label Switching (MPLS) tunnels between virtual private network (VPN) sites to transparently transmit Layer 2 packets. When forwarding packets, the provider edges (PEs) learn the source MAC addresses of the packets, create MAC address entries, and establish mappings between the MAC addresses and AC-side interfaces and between the MAC addresses and PWs. Because of redundant links, a PE may receive user packets with the same source MAC address through different interfaces, causing MAC address entries to flap or even damaging them. In this situation, you can deploy MAC flapping-based loop detection on each PE and configure a blocking policy for AC-side interfaces to prevent such loops. The blocking policy can be either of the following:
  • Blocking interfaces based on their blocking priorities: If a device detects a loop, it blocks the interface with a lower blocking priority.
  • Blocking interfaces based on their trusted or untrusted states: If a device detects a loop, it blocks the untrusted interface.

MAC flapping-based loop detection can also detect PW-side loops. The principles of blocking PWs are similar to those of blocking AC-side interfaces.

If a device on which MAC flapping-based loop detection is configured receives packets with forged source MAC addresses from an attacker, it may mistakenly conclude that a loop has occurred and block an interface according to the configured blocking policy. As a result, key user traffic may be blocked. It is recommended that you disable MAC flapping-based loop detection on properly running devices. If you have to use MAC flapping-based loop detection to check whether links operate properly during site deployment, be sure to disable the function after this stage.

Pre-configuration Tasks

Before configuring MAC flapping-based loop detection on a PE on a VPLS network, configure VPLS on the PE. For details about VPLS configuration, see VPLS Configuration in NE20E Configuration Guide - VPN.

Configuration Procedures

Figure 12-2 Flowchart for configuring MAC flapping-based loop detection for a VPLS network

Enabling MAC Flapping-based Loop Detection

After MAC flapping-based loop detection is enabled on devices, the devices can detect loops based on MAC address entry flapping and block interfaces or pseudo wires (PWs) to eliminate the loops.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vsi vsi-name or bridge-domain bd-id

    The virtual switching instance (VSI) view or the bridge domain (BD) view is displayed.

  3. Run loop-detect eth-loop loop-times loop-times detect-cycle detect-cycle-time cycles cycles { alarm-only | retry-times retry-times block-time block-time }

    MAC flapping-based loop detection is enabled, and its parameters are configured.

    retry-times retry-times and block-time block-time must both be specified. For example, if retry-times is set to 2 and block-time to 100s, the device blocks an interface as follows when it detects loops in the VSI:
    1. When detecting a loop on an interface for the first time, the device keeps the interface blocked for 100s.
    2. During the first detection cycle (specified by detect-cycle-time) after the first blocking period ends (the blocked interface recovers), if the device detects a loop, it keeps the interface blocked for 2 x 100s.
    3. During the second detection cycle (specified by detect-cycle-time) after the second blocking period ends, if the device detects a loop, it keeps the interface blocked for 4 x 100s.
    4. During the third detection cycle (specified by detect-cycle-time) after the third blocking period ends, if the device detects a loop, it keeps the interface blocked permanently. The reason for the permanent blocking is that three loops occur after the first blocking period ends, which exceeds the maximum number of loops specified by retry-times.
    NOTE:

    If no loops are detected during detect-cycle-time*30, the blocking count is cleared. If a loop is detected later, block-time is restored.

    NOTE:

    On an STP-capable Layer 2 network, packets with the same source MAC address may form loops. To prevent loops, an interface must be blocked, and an alarm must be reported to the NMS. To allow both STP and MAC flapping-based loop detection to be enabled, run the loop-detect eth-loop assist-stp enable command.

    STP and MAC flapping-based loop detection have different blocking principles and may block different interfaces on a network, leading to temporary traffic interruptions. Therefore, exercise caution when running the loop-detect eth-loop assist-stp enable command.

  4. Run commit

    The configuration is committed.
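
The blocking escalation described in step 3, modelled as an added example (not Huawei's code or the device's actual logic). The function name `block_schedule` and the timestamps are hypothetical; the model assumes the doubling continues for larger retry-times values and that any loop re-detected before detect-cycle-time*30 loop-free seconds have passed counts toward escalation.

```python
from typing import List, Optional

# The guide clears the blocking count after detect-cycle-time*30 without loops.
RESET_CYCLES = 30

def block_schedule(loop_times_s: List[float], block_time: int, retry_times: int,
                   detect_cycle_time: int) -> List[Optional[int]]:
    """Return the block duration (seconds) applied at each loop detection.

    None means the interface stays blocked permanently (until it is reset).
    loop_times_s holds constructed timestamps, in seconds, of loop detections.
    Detections that arrive while the interface is still blocked are ignored.
    """
    durations: List[Optional[int]] = []
    count = 0           # blocks applied since the blocking count was last cleared
    unblock_at = None   # time at which the current blocking period ends
    for t in sorted(loop_times_s):
        if unblock_at is not None:
            if t < unblock_at:
                continue                 # interface is still blocked
            if t - unblock_at >= RESET_CYCLES * detect_cycle_time:
                count = 0                # quiet long enough: block-time is restored
        if count > retry_times:
            durations.append(None)       # retry-times exceeded: permanent block
            break
        duration = block_time * (2 ** count)   # 1x, 2x, 4x block-time (assumed doubling)
        durations.append(duration)
        unblock_at = t + duration
        count += 1
    return durations
```

With retry-times 2 and block-time 100s this reproduces the guide's sequence of 100s, 200s, 400s and then a permanent block, which is the state that the forged-source-MAC caveat in the usage scenario makes worth planning for.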

(Optional) Configuring a Blocking Policy

After deploying MAC flapping-based loop detection, you can configure a blocking policy for AC-side interfaces or PWs (AC is short for attachment circuit, and PW for pseudo wire).

Context

The blocking policies for AC-side interfaces and PWs are different.
  • For AC-side interfaces, MAC flapping-based loop detection has the following blocking policies:
    • Blocking interfaces based on their blocking priorities

      The blocking priority of an interface can be configured. When detecting a loop, a device blocks the interface with a lower blocking priority.

    • Blocking interfaces based on their trusted or untrusted states (accurate blocking)

      If a dynamic MAC address entry remains the same in the MAC address table within a specified period and is not deleted, the outbound interface in the MAC address entry is trusted. When detecting a loop, a device blocks an interface that is not trusted.

    After MAC flapping-based loop detection is deployed on a device and the device detects a loop, the device blocks an AC interface with a lower blocking priority by default. However, MAC address entries of interfaces without loops may change due to the impact from a remote loop, and traffic over the interfaces with lower blocking priorities is interrupted. To address this problem, deploy accurate blocking of MAC flapping-based loop detection. Accurate blocking determines trusted and untrusted interfaces by analyzing the frequency of MAC address entry flapping. When a MAC address entry changes repeatedly, accurate blocking can accurately locate and block the interface with a loop, which is an untrusted interface.

  • A device on which MAC flapping-based loop detection is deployed blocks PWs based only on the blocking priorities of the PWs. If the device detects a loop, it blocks the PW with a lower blocking priority.

NOTE:

If no blocking policies are configured, both AC-side interfaces and PWs are blocked based on their blocking priorities. If a loop occurs and the AC-side interfaces or PWs have the same blocking priority, the AC-side interfaces or PWs are all blocked.

Procedure

  • Configure a blocking policy for an AC-side interface.

    • Blocking interfaces based on their blocking priorities

      1. Run system-view

        The system view is displayed.

      2. Run interface interface-type interface-number

        The AC-side interface view is displayed.

      3. Run loop-detect eth-loop priority priority

        A blocking policy is configured for the AC-side interface.

      4. Run commit

        The configuration is committed.

    • Blocking interfaces based on their trusted or untrusted states (accurate blocking)

      1. Run system-view

        The system view is displayed.

      2. Run loop-detect eth-loop precise-block trust-port generate-time generate-time

        The interval for generating a trusted interface is configured.

      3. (Optional) Run loop-detect eth-loop precise-block policy no-block

        The device is configured not to block any interfaces with MAC address entry flapping in a virtual switching instance (VSI) or a bridge-domain (BD) if the device does not have any trusted interfaces.

      4. Run vsi vsi-name or bridge-domain bd-id

        The VSI view or the bridge domain (BD) view is displayed.

      5. Run loop-detect eth-loop precise-block enable

        Accurate blocking is enabled, and the device blocks only untrusted interfaces.

      6. Run commit

        The configuration is committed.

  • Configure a blocking policy for a PW.

    1. Run system-view

      The system view is displayed.

    2. Run vsi vsi-name

      The VSI view is displayed.

    3. Run pwsignal ldp

      The VSI-LDP view is displayed (LDP is short for Label Distribution Protocol).

    4. Run vsi-id vsi-id

      An ID is configured for the VSI.

    5. Run peer peer-address [ negotiation-vc-id vc-id ] [ tnl-policy policy-name ] [ upe ] [ ignore-standby-state ]

      A peer IP address is configured for the VSI.

    6. Run peer peer-address [ negotiation-vc-id vc-id ] pw pw-name

      The VSI-LDP-PW view is displayed.

    7. Run loop-detect eth-loop priority priority

      A blocking priority is configured for the PW.

    8. Run commit

      The configuration is committed.

Follow-up Procedure

After MAC flapping-based loop detection is configured, if an AC-side interface or PW is blocked due to a loop, the interface or PW does not forward user traffic. To unblock the interface or PW so that it can forward user traffic, run the reset loop-detect eth-loop command.

(Optional) Configuring Traffic Suppression of MAC Flapping-based Loop Detection

If a loop occurs on a network, the broadcast domain encounters broadcast storms. To prevent other broadcast domains from being affected, traffic suppression of MAC flapping-based loop detection must be enabled.

Context

Traffic suppression of MAC flapping-based loop detection is enabled by default. You can set a threshold for this function to allow the system to implement traffic suppression based on the threshold.

When the network topology becomes stable and no loops occur, disable this function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run loop-detect traffic-suppression threshold suppression-threshold

    A threshold is set for traffic suppression of MAC flapping-based loop detection.

    When the network topology becomes stable and no loops occur, run the loop-detect traffic-suppression disable command to disable this function.

  3. Run commit

    The configuration is committed.

Verifying the Configuration of MAC Flapping-based Loop Detection for a VPLS Network

After configuring MAC flapping-based loop detection for a virtual private LAN service (VPLS) network, verify the configuration.

Prerequisites

MAC flapping-based loop detection has been configured for a VPLS network.

Procedure

  • Run the display loop-detect eth-loop [ vsi vsi-name | bridge-domain bd-id ] command to check the configuration information of MAC flapping-based loop detection in a virtual switching instance (VSI) or a bridge-domain (BD).

Example

Run the display loop-detect eth-loop command to view the configuration information of MAC flapping-based loop detection in a VSI or a BD.

<HUAWEI> display loop-detect eth-loop
VLAN/VSI/BD      LTimes    DCycle      Cycles   Retry     Action              
------------------------------------------------------------------------------
vsi1             3         3           1        0         Alarm-only          
vsi2             3         3           2        0         Block 0 s           
vsi3             10        10          3        2         Block 20 s          
                                                                                
Total Items = 3 
                                                                               
Blocked Port:
---------------
                                                                               
VLAN/VSI         Block Port            Link-Block Port       Detect MAC        T
--------------------------------------------------------------------------------
vsi2             GE0/1/1.1                                   0000-c101-0402    1
vsi3             Eth-Trunk9.1(P)                             0000-c106-0102    0
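
One way to review this output in a script, as an added example (not part of the guide or of any Huawei tool): it parses the sample above and lists the instances whose action is blocking, which are the ones exposed to the forged-source-MAC caveat in the usage scenario, together with the ports blocked right now. The function names and the assumption that other devices print the same column layout are hypothetical.

```python
import re

# Output copied from the guide's example above (trailing spaces trimmed).
SAMPLE = """\
VLAN/VSI/BD      LTimes    DCycle      Cycles   Retry     Action
------------------------------------------------------------------------------
vsi1             3         3           1        0         Alarm-only
vsi2             3         3           2        0         Block 0 s
vsi3             10        10          3        2         Block 20 s

Total Items = 3

Blocked Port:
---------------

VLAN/VSI         Block Port            Link-Block Port       Detect MAC        T
--------------------------------------------------------------------------------
vsi2             GE0/1/1.1                                   0000-c101-0402    1
vsi3             Eth-Trunk9.1(P)                             0000-c106-0102    0
"""

CFG_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Alarm-only|Block\s+(\d+)\s*s)\s*$")
MAC = re.compile(r"\b[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}\b")

def parse(text):
    """Split the output into per-instance settings and currently blocked ports."""
    settings, blocked, in_blocked = [], [], False
    for line in text.splitlines():
        if line.strip().startswith("Blocked Port"):
            in_blocked = True
            continue
        m = CFG_ROW.match(line)
        if m and not in_blocked:
            settings.append({"instance": m.group(1), "loop_times": int(m.group(2)),
                             "detect_cycle": int(m.group(3)), "cycles": int(m.group(4)),
                             "retry_times": int(m.group(5)),
                             "blocks": m.group(7) is not None,
                             "block_time": int(m.group(7)) if m.group(7) else None})
        mac = MAC.search(line)
        if mac and in_blocked:
            fields = line.split()   # Link-Block Port may be empty, so locate the MAC by pattern
            blocked.append({"instance": fields[0], "port": fields[1], "mac": mac.group(0)})
    return settings, blocked

def review(text):
    """Instances whose action is blocking, and the ports blocked right now."""
    settings, blocked = parse(text)
    blocking = [s["instance"] for s in settings if s["blocks"]]
    return blocking, [(b["instance"], b["port"], b["mac"]) for b in blocked]
```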
Updated: 2019-01-02

Document ID: EDOC1100055378
