ME60 V800R010C10SPC500 Configuration Guide - LAN Access and MAN Access 01

Configuring MAC Flapping-based Loop Detection for a VLAN

After MAC flapping-based loop detection is configured on a virtual local area network (VLAN) network, the devices can detect loops on AC-side interfaces or pseudo wires (PWs), and block interfaces or PWs or report alarms.

Usage Scenario

Generally, redundant links are used on an Ethernet network to provide link backup and enhance network reliability. Redundant links, however, may produce loops and cause broadcast storms and MAC address entry flapping. As a result, the communication quality deteriorates, and communication services may even be interrupted. To eliminate loops on the network, the spanning tree protocols or Layer 2 loop detection technology was introduced. If you want to apply a spanning tree protocol, the protocol must be supported and you need to configure it on each user network device. If you want to apply the Layer 2 loop detection technology, user network devices must allow Layer 2 loop detection packets to pass. Therefore, the spanning tree protocols or the Layer 2 loop detection technology cannot be used to eliminate loops on user networks with unknown connections or user networks that do not support the spanning tree protocols or Layer 2 loop detection technology.

MAC flapping-based loop detection is introduced to address this problem. It does not require protocol packet negotiation between devices. A device independently checks whether a loop occurs on the network based on MAC address entry flapping.

You can deploy MAC flapping-based loop detection on network edge devices and configure a blocking policy for interfaces to prevent loops. The blocking policy can be either of the following:

  • Blocking interfaces based on their blocking priorities: If a device detects a loop, it blocks the interface with a lower blocking priority.
  • Blocking interfaces based on their trusted or untrusted states: If a device detects a loop, it blocks the untrusted interface.

After MAC flapping-based loop detection is configured on a device and the device receives packets with fake source MAC addresses from attackers, the device may mistakenly conclude that a loop has occurred and block an interface based on the configured blocking policy. Therefore, key user traffic may be blocked. It is recommended that you disable MAC flapping-based loop detection on properly running devices. If you have to use MAC flapping-based loop detection to detect whether links operate properly during site deployment, be sure to disable this function after this stage.

Pre-configuration Tasks

Before configuring MAC flapping-based loop detection on a PE on a VLAN network, configure VLAN on the PE. For details about VLAN configuration, see VLAN Configuration in ME60 Configuration Guide - LAN Access and MAN Access.

Configuration Procedures

Figure 12-3 Flowchart for configuring MAC flapping-based loop detection for a VLAN network

Enabling MAC Flapping-based Loop Detection

After MAC flapping-based loop detection is enabled on devices, the devices can detect loops based on MAC address entry flapping and block interfaces or pseudo wires (PWs) to eliminate the loops.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vlan vlan-id

    The VLAN view is displayed.

  3. Run loop-detect eth-loop loop-times loop-times detect-cycle detect-cycle-time cycles cycles { alarm-only | retry-times retry-times block-time block-time }

    MAC flapping-based loop detection is enabled, and its parameters are configured.

    retry-times retry-times and block-time block-time must both be specified. For example, retry-times is specified as 2 and block-time as 100s. When detecting loops in the VSI, the device blocks interfaces using the following methods:
    1. When detecting a loop on an interface for the first time, the device keeps the interface blocked for 100s.
    2. During the first detection cycle (specified by detect-cycle-time) after the first blocking period ends (the blocked interface recovers), if the device detects a loop, it keeps the interface blocked for 2 x 100s.
    3. During the second detection cycle (specified by detect-cycle-time) after the second blocking period ends, if the device detects a loop, it keeps the interface blocked for 4 x 100s.
    4. During the third detection cycle (specified by detect-cycle-time) after the third blocking period ends, if the device detects a loop, it keeps the interface blocked permanently. The reason for the permanent blocking is that three loops occur after the first blocking period ends, which exceeds the maximum number of loops specified by retry-times.
    NOTE:

    If no loops are detected during detect-cycle-time x 30, the blocking count is cleared. If a loop is detected later, block-time is restored.

    NOTE:

    On an STP-capable Layer 2 network, packets with the same source MAC address may form loops. To prevent loops, an interface must be blocked, and an alarm must be reported to the NMS. To allow both STP and MAC flapping-based loop detection to be enabled, run the loop-detect eth-loop assist-stp enable command.

    STP and MAC flapping-based loop detection have different blocking principles and may block different interfaces on a network, leading to temporary traffic interruptions. Therefore, exercise caution when running the loop-detect eth-loop assist-stp enable command.

  4. Run commit

    The configuration is committed.
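
The retry-times and block-time escalation described in step 3 can be modeled to see how long an interface stays blocked for a given configuration, which matters because a false detection escalates the same way as a real loop. This is an added example, not code from the original guide or from the device software. The function names are hypothetical, the doubling multiplier is generalized from the 1x, 2x and 4x values in the text, and "quiet" stands for a loop-free period of detect-cycle-time x 30.

```python
import math

PERMANENT = math.inf  # block that lasts until an operator clears it


def block_schedule(retry_times, block_time, events):
    """Return the block duration (seconds) applied at each detected loop.

    events is a sequence of:
      "loop"  - a loop is detected (the first time, or in the detection
                cycle that follows the end of the previous blocking period)
      "quiet" - no loop for detect-cycle-time x 30, so the count is cleared
    Assumption: the multiplier doubles per repeat (the text shows 1x, 2x, 4x).
    """
    durations = []
    repeats = None  # None = not blocked yet, or count cleared by "quiet"
    for ev in events:
        if ev == "quiet":
            repeats = None
        elif ev == "loop":
            repeats = 0 if repeats is None else repeats + 1
            if repeats > retry_times:
                durations.append(PERMANENT)
                break  # stays blocked until reset loop-detect eth-loop is run
            durations.append(block_time * 2 ** repeats)
        else:
            raise ValueError(f"unknown event: {ev!r}")
    return durations


def timed_outage_before_permanent(retry_times, block_time):
    """Total seconds of timed blocking before the permanent block."""
    return sum(block_time * 2 ** k for k in range(retry_times + 1))


if __name__ == "__main__":
    # Values from the text: retry-times 2, block-time 100 s.
    print(block_schedule(2, 100, ["loop"] * 4))
    # A quiet period clears the count, so the next block is 100 s again.
    print(block_schedule(2, 100, ["loop", "loop", "quiet", "loop"]))
    print(timed_outage_before_permanent(2, 100))
```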

(Optional) Configuring Interface Blocking Priorities

You can configure blocking priorities for interfaces so that a specific interface is preferentially blocked when a loop is detected.

Context

  • MAC flapping-based loop detection has the following blocking policies:
    • Blocking interfaces based on their blocking priorities

      The blocking priority of an interface can be configured. When detecting a loop, a device blocks the interface with a lower blocking priority.

    • Blocking interfaces based on their trusted or untrusted states (accurate blocking)

      If a dynamic MAC address entry remains the same in the MAC address table within a specified period and is not deleted, the outbound interface in the MAC address entry is trusted. When detecting a loop, a device blocks an interface that is not trusted.

    Configure a blocking priority for a PE's interface.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The Ethernet interface view is displayed. The interface must be a VLAN's interface that has MAC flapping-based loop detection configured.

  3. Run loop-detect eth-loop priority priority

    A blocking priority is configured for the VLAN's interface.

  4. Run commit

    The configuration is committed.

(Optional) Configuring the Accurate Loop Blocking Function

Accurate loop blocking determines trusted and untrusted interfaces by analyzing the frequency of MAC address entry flapping. When a MAC address entry changes repeatedly, accurate blocking can accurately locate and block the untrusted interface with a loop.

Context

After MAC flapping-based loop detection is deployed on a device and the device detects a loop, the device blocks an AC interface with a lower blocking priority by default. However, MAC address entries of interfaces without loops may change due to the impact from a remote loop, and traffic over the interfaces with lower blocking priorities is interrupted. To address this problem, deploy accurate blocking of MAC flapping-based loop detection. Accurate blocking determines trusted and untrusted interfaces by analyzing the frequency of MAC address entry flapping. When a MAC address entry changes repeatedly, accurate blocking can accurately locate and block the interface with a loop, which is an untrusted interface.

If boards that do not support the accurate loop blocking function reside on a device and only MAC address change information about these boards is received in the last loop detection interval, interfaces on a VLAN are blocked based on their blocking priorities. In this situation, the accurate loop blocking function does not work.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run loop-detect eth-loop precise-block trust-port generate-time generate-time

    The interval for generating a trusted interface is configured.

  3. (Optional) Run loop-detect eth-loop precise-block policy no-block

    A blocking policy is specified for the case in which MAC addresses change and the local device does not have trusted interfaces.

  4. Run vlan vlan-id

    The VLAN view is displayed.

  5. Run loop-detect eth-loop precise-block enable

    The accurate loop blocking function is enabled, and the device blocks only untrusted interfaces.

  6. Run commit

    The configuration is committed.

Follow-up Procedure

After MAC flapping-based loop detection is configured, if an interface on a VLAN is blocked due to a loop, the interface does not forward user traffic. To unblock the interface so that it can forward user traffic, run the reset loop-detect eth-loop command.

(Optional) Configuring Traffic Suppression of MAC Flapping-based Loop Detection

If a loop occurs on a network, the broadcast domain encounters broadcast storms. To prevent other broadcast domains from being affected, traffic suppression of MAC flapping-based loop detection must be enabled.

Context

Traffic suppression of MAC flapping-based loop detection is enabled by default. You can set a threshold for this function to allow the system to implement traffic suppression based on the threshold.

When the network topology becomes stable and no loops occur, disable this function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run loop-detect traffic-suppression threshold suppression-threshold

    A threshold is set for traffic suppression of MAC flapping-based loop detection.

    When the network topology becomes stable and no loops occur, run the loop-detect traffic-suppression disable command to disable this function.

  3. Run commit

    The configuration is committed.

Verifying the Configuration of MAC Flapping-based Loop Detection for a VLAN Network

After configuring MAC flapping-based loop detection for a virtual local area network (VLAN) network, verify the configuration.

Prerequisites

MAC flapping-based loop detection has been configured for a VLAN network.

Procedure

  • Run the display loop-detect eth-loop [ vsi vsi-name | bridge-domain bd-id | vlan vlan-id ] command to check the configuration information of MAC flapping-based loop detection in a virtual switching instance (VSI) or a bridge-domain (BD).

Example

Run the display loop-detect eth-loop [ vsi vsi-name | bridge-domain bd-id | vlan vlan-id ] command to view the configuration information of MAC flapping-based loop detection in a VLAN.

<HUAWEI> display loop-detect eth-loop vlan 1
VLAN/VSI/BD      LTimes    DCycle      Cycles   Retry     Action              
------------------------------------------------------------------------------
VLAN 1           3         3           1        1         Block 123 s         
 
Total Items = 1

Blocked Port: 
---------------

VLAN/VSI/BD      Block Port            Link-Block Port       Detect MAC        T
--------------------------------------------------------------------------------
VLAN 1           Eth0/1/0                                    0000-0000-0000    0
VLAN 1           Eth0/1/2                                    0000-0000-0000    0
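
Because a blocked interface can result from packets with fake source MAC addresses as well as from a real loop, it helps to collect the blocked ports and the detected MAC from this output for triage. The parser below is an added example, not part of the original guide. Its input is the sample output above copied as constructed test data, the function names are hypothetical, and the VSI and BD row prefixes are assumed to follow the same layout as the VLAN rows.

```python
import re

# Constructed sample: the output shown on this page, copied as test input.
SAMPLE = """\
VLAN/VSI/BD      LTimes    DCycle      Cycles   Retry     Action
------------------------------------------------------------------------------
VLAN 1           3         3           1        1         Block 123 s

Total Items = 1

Blocked Port:
---------------

VLAN/VSI/BD      Block Port            Link-Block Port       Detect MAC        T
--------------------------------------------------------------------------------
VLAN 1           Eth0/1/0                                    0000-0000-0000    0
VLAN 1           Eth0/1/2                                    0000-0000-0000    0
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
# Row shapes inferred from the sample; VSI/BD prefixes are an assumption.
CFG_ROW = re.compile(
    r"^(VLAN|VSI|BD)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
BLK_ROW = re.compile(
    rf"^(VLAN|VSI|BD)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?({MAC})\s+(\S+)\s*$")


def parse_loop_detect(text):
    """Split the display output into configured domains and blocked ports."""
    config, blocked = [], []
    for line in text.splitlines():
        if m := CFG_ROW.match(line):
            kind, ident, ltimes, dcycle, cycles, retry, action = m.groups()
            config.append({"domain": f"{kind} {ident}", "loop_times": int(ltimes),
                           "detect_cycle": int(dcycle), "cycles": int(cycles),
                           "retry": int(retry), "action": action})
        elif m := BLK_ROW.match(line):
            kind, ident, port, link_port, mac, last = m.groups()
            blocked.append({"domain": f"{kind} {ident}", "port": port,
                            "link_block_port": link_port,  # None when empty
                            "detect_mac": mac,
                            "t": last})  # "T" header is truncated on the page
    return config, blocked


def blocked_by_domain(text):
    """Map each domain to its blocked ports, for alerting or triage."""
    result = {}
    for row in parse_loop_detect(text)[1]:
        result.setdefault(row["domain"], []).append(row["port"])
    return result
```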
Updated: 2019-01-04

Document ID: EDOC1100059440
