
NE20E-S2 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring a Bridge Domain-based MAC Address Table

A MAC address table contains static, blackhole, and dynamic MAC address entries. Correctly configuring the MAC address table helps a device forward traffic to the right interfaces.

Usage Scenario

Each device maintains a MAC address table, also called a MAC table, which is used to forward traffic. EVC devices learn MAC addresses based on bridge domains.

On virtual private LAN service (VPLS) networks, multiple bridge domains can carry traffic of the same virtual switch instance (VSI), and traffic in different bridge domains is distinguished by bridge domain ID. Bridge domain-based MAC address learning allows devices to isolate broadcast domains within a VSI and prevents the learned MAC address entries from changing within the VSI.

  • MAC address table generation

    • Automatically generated MAC address entries

      A device learns source MAC addresses, generates MAC address entries, and adds the entries to a MAC address table. To adapt to a changing network, the MAC address table must be updated constantly, so automatically generated entries are not valid indefinitely. Each entry has a life cycle, called the aging time: an entry that is not updated before its aging time expires is deleted, and an entry that is updated before its aging time expires has its aging time restarted.

    • Manually configured MAC address entries

      When a device automatically learns every source MAC address carried in received packets to build its MAC address table, it does not check whether the packets were sent by authorized users or by attackers, which poses a security risk. If an attacker sets the source MAC address of attack packets to the MAC address of an authorized user and connects to the device through an interface other than the one the authorized user uses, the device learns an incorrect MAC address entry. As a result, packets that should be forwarded to the authorized user are forwarded to the attacker instead. To improve interface security, a network administrator can manually add specific MAC address entries to the MAC address table, binding the MAC addresses of user devices to their access interfaces so that unauthorized users cannot obtain their data. Manually configured MAC address entries take precedence over dynamically generated entries.

  • MAC address entry types

    • Dynamic entries: learned and stored by interface boards. Dynamic entries age after a specified period of time elapses. After a device resets, an interface board is hot swapped, or the interface board resets, dynamic MAC address entries are lost.

      A device automatically learns source MAC addresses and adds them to a MAC address table. The device must be enabled to learn source MAC addresses.

    • Static entries: configured manually and delivered to interface boards. Static entries do not age. The configured static MAC address entries will not be lost even if the device is reset, an interface board on the device is hot swapped, or the interface board is reset.

      On a network where the set of users does not change, or where a device is connected to an important server, a static MAC address entry can be configured and added to the MAC address table to prevent attacks on the devices or the server.

    • Static blackhole MAC address entries: configured manually and delivered to interface boards. Blackhole MAC address entries are used to discard frames with specified destination MAC addresses. Blackhole entries do not age. The configured blackhole MAC address entries will not be lost even if the device is reset, an interface board on the device is hot swapped, or the interface board is reset.

      To prevent invalid MAC address entries (those of unauthorized users, for example) from consuming MAC address table space, and to prevent attackers from using forged MAC addresses against a device or network, configure the MAC addresses of untrusted users as blackhole MAC addresses. A device discards packets destined for static blackhole MAC addresses.

  • Limit on MAC address learning

    If hackers forge MAC addresses to attack user devices or networks through a device, the device learns the forged MAC address entries and adds the entries to the MAC address table, which causes a MAC address table overflow. As a result, the device cannot learn MAC address entries of authorized users. The MAC address learning limit function allows you to set the maximum number of MAC addresses that a device can learn and the rate at which a device learns MAC addresses. This function helps prevent attacks using forged MAC addresses and limit the number of users that can access the device.

  • Aging time for dynamically learned MAC addresses

    As the network topology changes, devices keep learning MAC addresses. To prevent a MAC address table overflow, an aging time can be set for dynamically learned MAC address entries. Dynamically learned MAC addresses are deleted if they are not updated after the specified aging time elapses.

Manually configured MAC address entries take precedence over dynamically generated entries. Static and static blackhole MAC address entries can overwrite dynamic MAC address entries, but cannot be overwritten by dynamic MAC address entries.

Pre-configuration Tasks

Before configuring a bridge domain-based MAC address table, create a bridge domain.

Configuration Procedures

Perform one or more of the following configurations as required.

Configuring a Static MAC Address Entry

On a network where the set of users does not change, or where a device is connected to an important server, a static MAC address entry can be configured and added to the MAC address table to prevent attacks on the devices or the server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-address static mac-address interface-type interface-number.subinterface-number bridge-domain bd-id { default | untag | vid pe-vid [ ce-vid { ce-vid | default } ] }

    A static MAC address entry based on a bridge domain is configured. The following parameters can be configured in this command as required:

    • default: enables default encapsulation on the EVC Layer 2 sub-interface.
    • vid pe-vid: enables dot1q encapsulation on the EVC Layer 2 sub-interface.
    • vid pe-vid ce-vid { ce-vid | default }: enables QinQ encapsulation on the EVC Layer 2 sub-interface.
    • untag: enables untagged encapsulation on the EVC Layer 2 sub-interface.

  3. Run commit

    The configuration is committed.

Configuring a Static Blackhole MAC Address Entry

To prevent invalid MAC address entries (those of unauthorized users, for example) from consuming MAC address table space, and to prevent attackers from using forged MAC addresses against a device or network, configure the MAC addresses of untrusted users as blackhole MAC addresses. A device discards packets destined for static blackhole MAC addresses.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run mac-address blackhole mac-address bridge-domain bd-id

    A static blackhole MAC entry based on a bridge domain is configured.

  3. Run commit

    The configuration is committed.

Adjusting Dynamic MAC Address Learning Parameters

Dynamic MAC address learning parameters can be adjusted to improve device security.

Context

Table 10-3 describes dynamic MAC address learning parameters.

Table 10-3 Dynamic MAC address learning parameters

  • Parameter: Aging time of dynamic MAC address entries

    Description: Dynamic address entries age after an aging timer expires. The shorter the aging time, the faster a device adapts to changes in the network topology.

    Usage scenario: As the network topology changes, devices keep learning MAC addresses. To prevent a MAC address table overflow, an aging time can be set for dynamic MAC address entries. These entries are deleted after the aging time elapses.

  • Parameter: Limit on MAC address learning

    Description: -

    Usage scenario: On insecure networks, devices are prone to attacks using forged MAC addresses. Because the capacity of a device's MAC address table is limited, an attacker can send packets with a great number of forged source MAC addresses to the device. On receipt, the device adds these MAC addresses to the dynamic MAC address table, causing a table overflow, after which the device cannot learn the source MAC addresses carried in valid packets. The maximum number of MAC addresses a device can learn can be set, which helps control the number of access users. If the number of learned MAC addresses reaches the upper limit, the device can be configured to discard packets carrying new MAC addresses, which prevents MAC address attacks and improves network security.

Steps 3 and 4 can be performed in any order. Perform one or both steps as required.

Before setting the maximum number of MAC addresses that a device can learn, run the reset mac-address [ mac-address ] bridge-domain bd-id command to delete all learned MAC addresses so that the limit is applied correctly.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run bridge-domain bd-id

    The bridge domain view is displayed.

  3. Run mac-address aging-time seconds

    The aging time of dynamic MAC addresses is set.

  4. Run mac-limit { action { discard | forward } | maximum max [ rate interval ] } *

    A MAC address learning limit rule is configured.

  5. Run commit

    The configuration is committed.
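The following terminal session is an added example that is not part of the original guide: it combines the three procedures above (static entry, static blackhole entry, aging time and learning limit) for bridge domain 10. It assumes that bridge domain 10 already exists and that GigabitEthernet 0/1/1.1 has been configured as an EVC Layer 2 sub-interface with dot1q (vid 10) encapsulation in that bridge domain; the MAC addresses and limit values are taken from the display outputs later in this section, except that action discard is chosen instead of forward so that frames with new source MAC addresses are dropped once the limit is reached.

```text
<HUAWEI> reset mac-address bridge-domain 10
<HUAWEI> system-view
[~HUAWEI] bridge-domain 10
[~HUAWEI-bd10] mac-address aging-time 90
[*HUAWEI-bd10] mac-limit maximum 100 rate 100 action discard
[*HUAWEI-bd10] quit
[*HUAWEI] mac-address static 0001-0001-0001 GigabitEthernet 0/1/1.1 bridge-domain 10 vid 10
[*HUAWEI] mac-address blackhole 0003-0003-0003 bridge-domain 10
[*HUAWEI] commit
[~HUAWEI] quit
<HUAWEI> display mac-limit bridge-domain 10
<HUAWEI> display mac-address bridge-domain 10
```

The reset is run in the user view before the limit is set, as the Context above requires, and the two display commands at the end verify that the static and blackhole entries exist and that the used count stays below the maximum of 100.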

Checking the Configurations

After configuring a bridge domain-based MAC address table, you can check the configurations, including the aging time for dynamic MAC addresses in the bridge domain and the limit on the number of MAC addresses that a device can learn.

Prerequisites

The bridge domain-based MAC address table has been configured.

Procedure

  • Run the display mac-address [ mac-address ] bridge-domain bd-id [ verbose ] command to check all MAC address entries in a specified BD.
  • Run the display mac-address static { bridge-domain bd-id | interface-type interface-number }* [ verbose ] command to check all static MAC address entries in a specified BD.
  • Run the display mac-address blackhole bridge-domain bd-id [ verbose ] command to check all static blackhole MAC address entries in a specified BD.
  • Run the display mac-address dynamic [ slot slot-id ] bridge-domain bd-id [ verbose | last-change ] command to check all dynamically learned MAC address entries in a specified BD.
  • Run the display mac-address aging-time bridge-domain command to check the aging time for dynamic MAC address entries in a specified bridge domain.
  • Run the display mac-limit [ bridge-domain bd-id ] command to check rules for dynamically learned MAC addresses in a BD.

Example

Run the display mac-address bridge-domain bd-id command to view all MAC address entries, including static, blackhole, and dynamic MAC address entries, in a bridge domain.

<HUAWEI> display mac-address bridge-domain 10
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/BD/    PEVLAN CEVLAN Port      Type       LSP/LSR-ID
               VSI/SI/EVPN                                    MAC-Tunnel
-------------------------------------------------------------------------------
0001-0001-0001 BD 10       10     -      GE0/1/1.1 static     -
0003-0003-0003 BD 10       -      -      -         blackhole  -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2

MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address    VLAN/BD/    PEVLAN CEVLAN Port      Type       LSP/LSR-ID
               VSI/SI/EVPN                                    MAC-Tunnel
-------------------------------------------------------------------------------
38ea-d911-0400 BD 10       -      -      GE0/1/1.4 dynamic    3/1
38ea-d911-0300 BD 10       -      -      GE0/1/1.4 dynamic    3/1
38ea-d911-0401 BD 10       -      -      GE0/1/1.4 dynamic    3/1
-------------------------------------------------------------------------------
Total matching items on slot 1 displayed = 3

Run the display mac-address static bridge-domain bd-id verbose command to view static MAC address entries. The command output helps you verify the static MAC address entry configuration.

<HUAWEI> display mac-address static bridge-domain 10 verbose
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address: 0001-0001-0001      VLAN/BD/VSI/SI/EVPN: BD 10
Port       : GE0/1/1.1           Type               : static
PEVLAN     : 10                  CEVLAN             : -
Aging time : -                   LSP/MAC_Tunnel     : -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1

Run the display mac-address blackhole bridge-domain bd-id verbose command to view static blackhole MAC address entries. The command output helps you verify the blackhole MAC address entry configuration.

<HUAWEI> display mac-address blackhole bridge-domain 10 verbose
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address: 0003-0003-0003      VLAN/BD/VSI/SI/EVPN: BD 10
Port       : -                   Type               : blackhole
PEVLAN     : -                   CEVLAN             : -
Aging time : -                   LSP/MAC_Tunnel     : -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1

Run the display mac-address dynamic bridge-domain bd-id verbose command to view dynamic MAC address entries. The command output contains the location where dynamic MAC address entries are stored, the bridge domain to which dynamic MAC address entries belong, and source interfaces of dynamic MAC address entries.

<HUAWEI> display mac-address dynamic bridge-domain 10 verbose
MAC address table of slot 1:
-------------------------------------------------------------------------------
MAC Address: 38ea-d911-0400      VLAN/BD/VSI/SI/EVPN: BD 10
Port       : GE0/1/1.4           Type               : dynamic
PEVLAN     : -                   CEVLAN             : -
TrustFlag  : -                   TrustPort          : -
Peer IP    : -                   VC-ID              : -
Aging time : 300                 LSP/MAC_Tunnel     : 3/1

MAC Address: 38ea-d911-0300      VLAN/BD/VSI/SI/EVPN: BD 10
Port       : GE0/1/1.4           Type               : dynamic
PEVLAN     : -                   CEVLAN             : -
TrustFlag  : -                   TrustPort          : -
Peer IP    : -                   VC-ID              : -
Aging time : 300                 LSP/MAC_Tunnel     : 3/1

MAC Address: 38ea-d911-0401      VLAN/BD/VSI/SI/EVPN: BD 10
Port       : GE0/1/1.4           Type               : dynamic
PEVLAN     : -                   CEVLAN             : -
TrustFlag  : -                   TrustPort          : -
Peer IP    : -                   VC-ID              : -
Aging time : 300                 LSP/MAC_Tunnel     : 3/1
-------------------------------------------------------------------------------
Total matching items on slot 3 displayed = 1

Run the display mac-address dynamic [ slot slot-id ] bridge-domain bd-id last-change command to view the date and time when the dynamically learned MAC address entries in a BD were last updated.

<HUAWEI> display mac-address dynamic bridge-domain 10 last-change
MAC address table of slot 3:
-------------------------------------------------------------------------------
MAC Address    VLAN/BD/    PEVLAN CEVLAN Port/Peerip     Type      Last Change
               VSI/SI/EVPN
-------------------------------------------------------------------------------
0001-0001-0064 BD 10       -      -      GE0/3/6         dynamic   Jan 25 2018 11:44:37
0001-0001-0063 BD 10       -      -      GE0/3/6         dynamic   Jan 25 2018 11:44:37
0001-0001-0062 BD 10       -      -      GE0/3/6         dynamic   Jan 25 2018 11:44:37
0001-0001-0061 BD 10       -      -      GE0/3/6         dynamic   Jan 25 2018 11:44:37
0001-0001-0060 BD 10       -      -      GE0/3/6         dynamic   Jan 25 2018 11:44:37

-------------------------------------------------------------------------------
Total matching items on slot 3 displayed = 5

Run the display mac-address aging-time bridge-domain command to view the aging time for dynamic MAC address entries in each bridge domain.

<HUAWEI> display mac-address aging-time bridge-domain
  Bridge-domain                   Aging Time(sec)
  10                              90
  20                              600

Run the display mac-limit command to view the maximum number of MAC addresses that an EVC Layer 2 sub-interface in a specific bridge domain can learn, the number of MAC addresses already learned, and the interval at which the EVC Layer 2 sub-interface learns MAC addresses.

<HUAWEI> display mac-limit bridge-domain 10
Bridge-domain 10 MAC limit:
  Maximum MAC count 100, used count 3 rate 100(ms)
  Action: forward, Alarm: disable
Updated: 2019-01-02

Document ID: EDOC1100055378