MAC address entry
|
- Dynamic MAC address entries can be learned on an interface only after the interface is added to an existing VLAN.
- Each static MAC address entry can have only one outbound interface.
- By default, if a static MAC address is bound to an interface or the port security function is enabled on an interface, other interfaces will discard received packets with the source MAC address being the specific static MAC address or secure MAC address. However, on the CE12800E equipped with the FD-X series cards, other interfaces will properly forward packets with the source MAC address being the specific static MAC address or secure MAC address, if any of the following functions is configured on the device: EVPN, VBDIF interface configured with a MAC address, or a combination of M-LAG and VLANIF interface configured with MAC addresses.
- If there is a MAC address that is generated based on DHCP snooping binding entries, the MAC address cannot be configured as a static MAC address.
- The blackhole MAC address can be used as the source or destination MAC address. For the CE12800, the device forwards Layer 3 packets with the source MAC address as the blackhole MAC address.
- For CE12800, after TRILL is enabled, the blackhole MAC address cannot be configured. If the blackhole MAC address has been configured, enabling TRILL will cause the blackhole MAC address to become invalid.
- After EVN is configured, the aging time of MAC address entries is 30 minutes and cannot be modified.
- Dynamic MAC address entries on each card are aged independently, so MAC address entries on each card may be different.
- By default, MAC addresses of VBDIF and VLANIF interfaces are dynamically allocated from the MAC address range of the system. You can also run the mac-address command to configure a static MAC address. When the device is connected to the load balancer or firewall or the if-match source-mac command is used on the device, Layer 3 traffic may fail to be forwarded. To address this issue, delete the configured MAC address of the interface.
- On the , a maximum of eight virtual MAC addresses can be configured for VBDIF interfaces, VLANIF interfaces, and VRRP.
- For FD, FDA, FG, FD1, FG1, SD series cards and ED-E, EG-E, and EGA-E series cards, when the reset mac-address command is used to clear MAC addresses of the VS in port mode, ignore the broadcast traffic that occurs instantly.
|
MAC address learning
|
- MAC address learning limiting rules are invalid for existing online users and valid for only new online users.
- If the VLANIF interface is not configured, the device can learn the local system MAC address.
- Disabling MAC address learning and limiting the number of learned MAC addresses are valid for a Layer 2 main interface and its Layer 2 sub-interfaces.
- The hardware learns MAC address entries at line speed. When many MAC address entries are learned in a short period of time, the number of MAC address entries in the hardware table is larger than the number of MAC address entries in the software table. When many MAC address entries are aged in a short period of time, the number of MAC address entries in the software table is larger than the number of MAC address entries in the hardware table. MAC address entries in the software and hardware tables keep consistent through synchronization.
- On the CE12800E equipped with the FD-X series cards, if the number of MAC addresses learned in the VLAN reaches the upper limit or the MAC address learning function is disabled in the VLAN, the packet discarding function configured using the mac-address limit action discard command does not take effect on interfaces in the VLAN.
- Port security and MAC address limiting cannot be configured on an interface.
- In V100R005C00 and earlier versions, the TRILL function cannot be configured simultaneously with any of the FCF, port security, MAC VLAN, blackhole MAC, MAC limit, disabling MAC address learning, URPF, DHCP snooping, or 802.1X functions. In V100R005C10 and later versions, the TRILL and preceding functions cannot be configured together by default. To use these functions together, run the trill adjacency-check disable command. The TRILL function takes precedence over the preceding functions. If the TRILL function is configured after the preceding functions are configured, only the TRILL function takes effect.
|
MAC address flapping detection
|
- To prevent uplink traffic interruption, do not configure the action performed when MAC address flapping is detected on upstream interfaces.
- In versions earlier than V100R006C00, MAC address flapping detection is inapplicable to TRILL, VPLS, VXLAN, and EVN networks. In V100R006C00 and later versions, MAC address flapping detection is inapplicable to only the VPLS network.
- On a PE of an EVN network, versions earlier than V100R005C10 do not support MAC address flapping detection, and V100R005C10 and later versions support MAC address flapping detection. You can run the display mac-address flapping command to check MAC address flapping records. However, the alarm report function is not supported.
- The MAC address flapping detection function can only detect a single ring. When there are multiple rings, the MAC address flapping detection function detects only the first ring. That is, if two or more rings exist in a VLAN, the system reports only alarms about interfaces in the first ring, regardless of whether the port status in the first ring is Up or Down.
- The MAC address flapping detection function can only detect the first ring in a VLAN within the configurable aging time (5 minutes by default). For example, MAC address flapping occurs between PortA and PortB. If PortA or PortB then goes Down and MAC address flapping occurs between PortC and PortD within the same aging time, the flapped interfaces in the alarm are still PortA and PortB.
- By default, MAC address triggered ARP entry update is enabled. If MAC address flapping occurs more than 10 times, MAC address triggered ARP entry update is disabled. After MAC address flapping is eliminated, MAC address triggered ARP entry update is enabled automatically.
- For V200R002C50 and later versions, on models excluding the CE12800E equipped with the ED-E, EG-E, and EGA-E series cards, when MAC address flapping occurs on an interface, the system suppresses broadcast, multicast, and unknown unicast packets. In this case, the forwarding rate of the outbound interface is 1% of the bandwidth of the inbound interface. Packets are not suppressed in the following two situations:
  - The interface is configured with storm control and storm suppression.
  - Multicast is enabled globally. In this situation, the system does not suppress multicast packets.
- When MAC address flapping occurs in a VLAN or BD and the loop is not eliminated, if the interface is added to or removed from an Eth-Trunk, the values of Original-Port and Move-Ports in MAC address flapping records remain unchanged. After the loop is eliminated, delete MAC address flapping entries and perform detection again. This prevents incorrect source and flapped interfaces from being detected or used for loop location, and prevents the punishment action (Error-Down state or storm control) from being delivered to an incorrect flapped interface.
- Port-based automatic local attack defense and traffic suppression associated with MAC address flapping take effect only on the ports specified in the Move-Port field.
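
Because only the first ring in a VLAN is reported within the aging time, a second loop in the same VLAN can stay out of the alarm until the first record ages out. The following added example (not vendor code and not part of the original notes) models that masking over normalised MAC-move events; the event tuple format, the function names, and the assumption that the aging window starts at record creation and is not refreshed are constructed for illustration.

```python
AGING_SECONDS = 300  # default 5-minute aging time stated in the notes above

# Constructed sample: normalised MAC-move events from a hypothetical collector,
# (time_s, vlan, mac, from_port, to_port). This is not device output.
EVENTS = [
    (0,   10, "0000-5e00-5301", "PortA", "PortB"),
    (2,   10, "0000-5e00-5301", "PortB", "PortA"),
    (5,   20, "0000-5e00-5303", "PortE", "PortF"),
    (60,  10, "0000-5e00-5302", "PortC", "PortD"),
    (61,  10, "0000-5e00-5302", "PortD", "PortC"),
    (400, 10, "0000-5e00-5302", "PortC", "PortD"),
]


def first_ring_view(events, aging=AGING_SECONDS):
    """Model the documented behaviour: per VLAN, only the first flapping port
    pair is reported while its record is within the aging time.

    Assumption: the window starts when the record is created and is not
    refreshed by later moves. Returns (alarms, masked), where masked maps
    (vlan, pair) to the time that pair first flapped without being reported.
    """
    held = {}     # vlan -> (pair, time the record was created)
    alarms = []   # (vlan, pair, time) entries the device would report
    masked = {}   # (vlan, pair) -> first time it was hidden by an older record
    for t, vlan, _mac, src, dst in sorted(events):
        pair = tuple(sorted((src, dst)))
        record = held.get(vlan)
        if record and t - record[1] < aging:
            if pair != record[0]:
                masked.setdefault((vlan, pair), t)
            continue
        held[vlan] = (pair, t)
        alarms.append((vlan, pair, t))
    return alarms, masked


def unreported_rings(events, aging=AGING_SECONDS):
    """Port pairs a collector should surface itself because the alarm hid them."""
    _alarms, masked = first_ring_view(events, aging)
    return sorted(masked)


if __name__ == "__main__":
    alarms, masked = first_ring_view(EVENTS)
    print("reported:", alarms)
    print("masked:  ", masked)
```

In the sample, the PortC/PortD ring in VLAN 10 flaps from t=60 but is reported only at t=400, after the PortA/PortB record has aged out.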
|
Other features
|
- On the CE12800E that has the FD-X series cards installed, when the big-MAC or large ARP table mode is used and different MAC addresses and rates are used, the hash conflict of the MAC address table is serious and the hash conflict result is different each time. When a hash conflict occurs, the device may fail to learn many MAC addresses and some traffic can only be broadcast.
- The device cannot discard packets with all 0s.
- Static MAC address entries cannot be displayed on a card in offline state.
- Multicast resources are shared by multiple services including VLAN, MAC, Eth-Trunk, M-LAG, Layer 2 protocol transparent transmission, Layer 3 physical interface, and multicast. If multicast resources in the system are insufficient for any of these services you are configuring, the system will display a configuration failure message. To solve this problem, you can delete some unnecessary service configurations, for example, delete unused VLANs.
- An alarm will be generated when the MAC address table usage reaches the threshold. In each VS, only the card where the MAC address table usage first exceeds the threshold is reported. On a single device, only the card where the MAC address table usage first exceeds the threshold is reported.
|