Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Users Fail to Access the Internet After MFF Is Configured

Fault Description

After MFF is configured, users cannot access the Internet.

Procedure

  1. Run the display mac-forced-forwarding vlan vlan-id command to check MFF information.

    • If the User IP and User MAC fields are empty, no user information is generated. Go to step 2.
    • If the Gateway MAC field is empty, no gateway MAC address is learned. Go to step 3.

  2. Check the configuration to verify that MFF user information is generated.
    a. Check that user binding entries are generated.

      Dynamic user
        Command: display user-bind dhcp snooping vlan vlan-id
        Solution:
        • If the user IP address does not match any binding entry, go to step b.
        • If the user IP address matches a binding entry, the user has gone online successfully. Go to step c.

      Static user
        Command: display user-bind static vlan vlan-id
        Solution:
        • If the user IP address does not match any binding entry, go to step b.
        • If the user IP address matches a binding entry, the user has gone online successfully. Go to step c.

    b. Check that the user configuration is correct.

      Dynamic user
        Item: DHCP snooping is enabled on the user interface.
        Method: Run the display this command in the user interface view to check whether the dhcp snooping enable command is configured.
        Solution: If it is not, run this command. You can also run the dhcp snooping enable command in the VLAN view if the user interface has been added to the VLAN.

        Item: The network interface is configured as the trusted interface.
        Method: Run the display this command in the network interface view to check whether the dhcp snooping trusted command is configured.
        Solution: If it is not, run this command. You can also run the dhcp snooping trusted command in the VLAN view if the network interface has been added to the VLAN. Configure trusted only on the interface toward the gateway and the legitimate DHCP server; a user-facing interface marked as trusted lets a rogue DHCP server bypass DHCP snooping.

        Item: Users can go online.
        Method: Run the display user-bind dhcp snooping vlan vlan-id command to check whether DHCP snooping entries exist.
        Solution: If the user IP address does not match any DHCP snooping entry, the user cannot go online. Rectify the fault according to DHCP Clients Cannot Go Online Due to DHCP Snooping.

      Static user
        Item: A correct static gateway address is configured.
        Method: Run the display this command in the MFF-enabled VLAN view to check whether the mac-forced-forwarding static-gateway ip-address command is configured and whether the static user address is on the same network segment as the static gateway address.
        Solution: If the command is not configured, or the static gateway is on a different network segment from the static user, run the mac-forced-forwarding static-gateway ip-address command to configure a static gateway on the same network segment as the static user.

        Item: The static user is correctly configured.
        Method: Run the display user-bind static vlan vlan-id command in the system view to check whether a binding entry maps to the specified static user.
        Solution: If no such binding entry exists, run the user-bind static command to configure one for the static user.

      If the fault persists, go to step c.

    c. Check that the MFF configuration is correct.

      • Run the display this command in the user interface view to check whether the interface has been added to the MFF-enabled VLAN. If it has not, add it to the MFF-enabled VLAN.
      • Run the display this command in the network interface view to check whether the mac-forced-forwarding network-port command is configured. If it is not, run this command.

  3. Verify that the device can learn the gateway address.
    a. Check that the link between the device and the gateway works properly.

      Ping the gateway from the device to check whether the route between them is reachable.
      • If the ping fails, rectify the route fault.
      • If the ping succeeds, go to step b.

    b. Check whether ARP reply packets are discarded.

      • Run the display this command in the interface view, VLAN view, and system view to check whether a rate limit is set for ARP packets.

        If the display this command output contains "arp anti-attack rate-limit", the configured rate limit may be too low, so the ARP reply from the gateway may be discarded. Run the arp anti-attack rate-limit command to increase the limit. Raise it only as far as needed: the limit protects the device's CPU from ARP flooding, and removing it trades that protection for a working gateway lookup.

      • Run the mac-forced-forwarding gateway-detect command in the MFF-enabled VLAN view to enable periodic gateway detection, so that the device retransmits ARP requests and learns the gateway MAC address.
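The following Python script is an added example, not part of Huawei's documentation or product code. It encodes steps 1 to 3 of the procedure above as a decision tree and runs it over text captured from the switch (for example over an SSH session), returning the view and command the procedure tells you to apply. The layout of the display outputs, the sample captures, the VLAN-membership match on a "port ... vlan <id>" line and the static_gateway_cidr helper input are assumptions made for the example; the checks themselves rely only on the field names and command keywords the procedure quotes.

```python
"""Triage helper for the MFF troubleshooting flow above.

Added example, not Huawei's code: it encodes the procedure's decision tree and
runs it over text captured from the switch. The layout of the display outputs
below is constructed for the example; the checks rely only on the field names
and command keywords the procedure itself quotes.
"""
import ipaddress
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_fields(text):
    """Turn 'Name : value' lines into a dict; a missing value becomes ''."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def configured(display_this, command):
    """True if a 'display this' dump contains the command (any arguments)."""
    return any(l.strip().startswith(command) for l in display_this.splitlines())


def triage(mff, user_bind, user_if, net_if, vlan_cfg, user_ip, vlan_id,
           static_user=False, static_gateway_cidr=None, gateway_ping_ok=True,
           system_cfg=""):
    """Return the corrective actions the procedure prescribes, in order.

    mff, user_bind, user_if, net_if, vlan_cfg and system_cfg are captured
    outputs of 'display mac-forced-forwarding vlan', 'display user-bind ...'
    and 'display this' in the respective views. static_gateway_cidr is an
    assumed helper input (gateway address with its mask) for the same-segment
    check; gateway_ping_ok is the result of step 3a.
    """
    actions = []
    f = parse_fields(mff)
    if not f.get("User IP") and not f.get("User MAC"):        # step 1 -> step 2
        if user_ip not in IPV4_RE.findall(user_bind):          # 2a: no binding -> 2b
            if static_user:
                if not configured(vlan_cfg, "mac-forced-forwarding static-gateway"):
                    actions.append("vlan: mac-forced-forwarding static-gateway")
                elif static_gateway_cidr and (
                        ipaddress.ip_address(user_ip) not in
                        ipaddress.ip_network(static_gateway_cidr, strict=False)):
                    actions.append("vlan: move static gateway onto the user's segment")
                actions.append("system: user-bind static")
            else:
                if not (configured(user_if, "dhcp snooping enable")
                        or configured(vlan_cfg, "dhcp snooping enable")):
                    actions.append("user interface or vlan: dhcp snooping enable")
                if not (configured(net_if, "dhcp snooping trusted")
                        or configured(vlan_cfg, "dhcp snooping trusted")):
                    actions.append("network interface or vlan: dhcp snooping trusted")
                if not actions:  # snooping is configured, yet no entry exists
                    actions.append("see: DHCP Clients Cannot Go Online Due to DHCP Snooping")
        # 2c: MFF configuration (reached directly when a binding exists, or
        # after 2b when the fault persists). VLAN membership is matched on an
        # assumed 'port ... vlan <id>' line; VLAN ranges are not handled.
        if not re.search(rf"\bvlan\b[^\n]*\b{vlan_id}\b", user_if):
            actions.append(f"user interface: add to MFF vlan {vlan_id}")
        if not configured(net_if, "mac-forced-forwarding network-port"):
            actions.append("network interface: mac-forced-forwarding network-port")
    elif not f.get("Gateway MAC"):                             # step 1 -> step 3
        if not gateway_ping_ok:
            actions.append("rectify the route to the gateway")
        else:
            for view, cfg in (("interface", net_if), ("vlan", vlan_cfg),
                              ("system", system_cfg)):
                if configured(cfg, "arp anti-attack rate-limit"):
                    actions.append(f"{view}: raise arp anti-attack rate-limit")
            actions.append("vlan: mac-forced-forwarding gateway-detect")
    return actions  # empty list: MFF entries are complete, look elsewhere


# Constructed sample captures (layout assumed, not copied from a real switch).
MFF_NO_USERS = ("Vlan ID     : 10\nGateway IP  : 10.1.1.1\n"
                "Gateway MAC : 00e0-fc11-2233\nUser IP     : \nUser MAC    : \n")
MFF_NO_GATEWAY = ("Vlan ID     : 10\nGateway IP  : 10.1.1.1\nGateway MAC : \n"
                  "User IP     : 10.1.1.20\nUser MAC    : 0001-0203-0405\n")
USER_BIND_EMPTY = "User Bind Items : 0\n"
USER_IF = "interface GE1/0/1\n port default vlan 10\n"
NET_IF = ("interface GE1/0/24\n port link-type trunk\n"
          " port trunk allow-pass vlan 10\n arp anti-attack rate-limit 1\n")
VLAN_CFG = "vlan 10\n"

if __name__ == "__main__":
    print(triage(MFF_NO_USERS, USER_BIND_EMPTY, USER_IF, NET_IF, VLAN_CFG,
                 "10.1.1.20", 10))
    print(triage(MFF_NO_GATEWAY, USER_BIND_EMPTY, USER_IF, NET_IF, VLAN_CFG,
                 "10.1.1.20", 10))
```

With the constructed captures, the first call reports that DHCP snooping is not enabled, that no trusted interface is set and that the network port lacks mac-forced-forwarding network-port; the second call flags the ARP rate limit on the network interface and recommends gateway detection. An empty result means the MFF entries are complete and the cause lies outside this procedure.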

Updated: 2019-04-20

Document ID: EDOC1100074765
