Correct MAC Address Entry Cannot Be Learned on the Device
Procedure
- Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding relationships between the MAC address, VLAN, and interface are correct.
<HUAWEI> display mac-address
Flags: * - Backup
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/-/-         10GE1/0/1           dynamic
-------------------------------------------------------------------------------
Total items: 1
If not, re-configure the binding relationships between the MAC address, VLAN, and interface.
If yes, go to step 2.
- Check whether a loop on the network causes MAC address flapping.
A MAC address that is learned on one interface and, moments later, on another interface in the same VLAN is flapping, which is usually caused by a loop. If a loop exists, remove it from the network.
If no loop exists, go to step 3.
- Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[~HUAWEI-10GE1/0/1] display this
#
interface 10GE1/0/1
 mac-address learning disable
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
[~HUAWEI-vlan10] display this
#
vlan 10
 mac-address learning disable
#
return
If the command output contains mac-address learning disable, MAC address learning is disabled on the interface or VLAN.
- If MAC address learning is disabled, run the undo mac-address learning disable [ action { discard | forward } ] command in the interface view or undo mac-address learning disable in the VLAN view to enable MAC address learning.
- If MAC address learning is enabled on the interface and the VLAN, go to step 4.
- Check whether any blackhole MAC address entry or MAC address limiting is configured.
A blackhole MAC address entry makes the device discard frames whose source or destination MAC address matches the entry, so that address is never learned dynamically. MAC address limiting (or port security) stops the interface or VLAN from learning new addresses once the configured maximum is reached and, depending on the configured action, discards frames from the addresses beyond the limit.
Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole MAC address entry is configured.
<HUAWEI> display mac-address blackhole
Flags: * - Backup
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type       Age
-------------------------------------------------------------------------------
0001-0001-0001 100/-/-       -                   blackhole  -
0002-0002-0002 200/-/-       -                   blackhole  -
-------------------------------------------------------------------------------
Total items: 2
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole command to delete it.
MAC address limiting on the interface or VLAN
- Run the display this command in the interface view or VLAN view. If the command output contains mac-address limit maximum, the number of learned MAC addresses is limited. Run either of the following commands:
- Run the undo mac-address limit command in the interface view or VLAN view to cancel MAC address limiting.
- Run the mac-address limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
- Run the display this command in the interface view. If the command output contains port-security maximum or port-security enable, the number of secure dynamic MAC addresses is limited on the interface. Run either of the following commands:
By default, the limit on the number of secure dynamic MAC addresses is 1 after port security is enabled.
- Run the undo port-security enable command in the interface view to disable port security.
- Run the port-security maximum command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.
If the fault persists, go to step 5.
- Check whether the number of learned MAC address entries has reached the maximum value supported by the switch.
Run the display mac-address summary command to check the number of MAC address entries in the MAC address table.
- If the number of learned MAC address entries has reached the maximum value supported by the switch, no new MAC address entry can be created. Run the display mac-address command to view all MAC address entries and compare, for each interface, the number of learned entries with the number of devices actually connected behind it.
- If the number of MAC address entries learned on an interface is much larger than the number of devices on the network connected to the interface, a host on that segment may be sending frames with forged source MAC addresses to fill the MAC address table (MAC address flooding). Check the device connected to the interface:
- If the interface is connected to another network device, run the display mac-address command on that device to view its MAC address table and locate the interface that is learning the excessive entries. If that interface is in turn connected to another network device, repeat this step until you reach the interface connected to the attacking host.
- If the interface is connected to a computer, perform either of the following operations after obtaining permission from the administrator:
- Disconnect the computer. When the attack stops, connect the computer to the network again.
- Run the port-security enable command on the interface to enable port security or run the mac-address limit command to set the maximum number of MAC addresses that the interface can learn to 1.
- If the interface is connected to a hub, perform either of the following operations:
- Configure port mirroring or other tools to observe packets received by the interface. Analyze the packet types to locate the attacking computer. Disconnect the computer after obtaining permission from the administrator. When the attack stops, connect the computer to the hub again.
- Disconnect computers connected to the hub one by one after obtaining permission from the administrator. If the fault is rectified after a computer is disconnected, the computer is the attacker. After it stops the attack, connect it to the hub again.
- If the number of MAC addresses on the interface is equal to or smaller than the number of devices connected to the interface, the number of devices connected to the switch has exceeded the maximum supported by the switch. Adjust network deployment.
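Steps 2 and 5 both come down to reading the display mac-address table and reasoning about it: which interfaces have learned far more addresses than the devices known to sit behind them (flooding), and which addresses change their Learned-From interface between two readings (flapping). The following script, an added example that is not part of the Huawei documentation, parses the table layout shown above and answers both questions. The two snapshots are constructed to imitate the command output rather than captured from a device; the per-interface inventory passed to flooding_suspects() and its factor of 10 are assumptions you would replace with your own numbers. Flapping is detected by diffing two snapshots because a single snapshot shows each MAC on only one interface at a time.

```python
import re
from collections import Counter

# Constructed sample data: the snapshots below imitate the layout of
# `display mac-address` shown on this page; they were not captured from a
# real switch.
HEADER = """Flags: * - Backup
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD   Learned-From        Type
-------------------------------------------------------------------------------
"""
FOOTER = "-------------------------------------------------------------------------------\nTotal items: {n}\n"


def build_snapshot(rows):
    """Assemble display-style text from (mac, vlan, interface, type) rows."""
    body = "".join(f"{mac:<14} {vlan:<13} {intf:<19} {typ}\n" for mac, vlan, intf, typ in rows)
    return HEADER + body + FOOTER.format(n=len(rows))


# 60 forged, locally administered source MACs flooding in through 10GE1/0/3.
FLOOD_ROWS = [(f"0200-4c4f-{i:04x}", "10/-/-", "10GE1/0/3", "dynamic") for i in range(60)]
COMMON_ROWS = [
    ("0025-9e80-2495", "1/-/-", "10GE1/0/2", "dynamic"),
    ("0001-0001-0001", "100/-/-", "-", "blackhole"),  # blackhole entries carry no port
]
# Snapshot 1 and, a few seconds later, snapshot 2: 0025-9e80-2494 has moved
# from 10GE1/0/1 to 10GE1/0/2, which is how a loop shows up in the table.
SNAPSHOT_1 = build_snapshot([("0025-9e80-2494", "1/-/-", "10GE1/0/1", "dynamic")] + COMMON_ROWS + FLOOD_ROWS)
SNAPSHOT_2 = build_snapshot([("0025-9e80-2494", "1/-/-", "10GE1/0/2", "dynamic")] + COMMON_ROWS + FLOOD_ROWS)

# One table row: MAC, VLAN/VSI/BD, Learned-From, Type (a trailing Age column is ignored).
ENTRY_RE = re.compile(r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)", re.I)


def parse_mac_table(text):
    """Map (mac, vlan) -> (interface, type) from display mac-address output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            mac, vlan, intf, typ = m.groups()
            table[(mac.lower(), vlan)] = (intf, typ)
    return table


def dynamic_counts(table):
    """Number of dynamically learned entries per interface."""
    counts = Counter()
    for intf, typ in table.values():
        if typ == "dynamic":
            counts[intf] += 1
    return counts


def flooding_suspects(counts, expected_hosts, factor=10):
    """Interfaces that learned far more MACs than the hosts inventoried behind them.

    expected_hosts maps interface -> known device count; an interface absent
    from the inventory is assumed to serve a single host. The factor of 10 is
    an arbitrary threshold; tune it to the network.
    """
    return {intf: n for intf, n in counts.items() if n > factor * expected_hosts.get(intf, 1)}


def flapping_macs(before, after):
    """Dynamic MACs whose Learned-From interface changed between two snapshots."""
    moved = {}
    for key, (intf, typ) in after.items():
        if typ == "dynamic" and key in before and before[key][0] != intf:
            moved[key] = (before[key][0], intf)
    return moved


if __name__ == "__main__":
    t1, t2 = parse_mac_table(SNAPSHOT_1), parse_mac_table(SNAPSHOT_2)
    counts = dynamic_counts(t1)
    print("dynamic entries per interface:", dict(counts))
    # Inventory (assumed): two known hosts behind 10GE1/0/3, one behind each other port.
    print("flooding suspects:", flooding_suspects(counts, {"10GE1/0/3": 2}))
    print("MACs that moved between snapshots:", flapping_macs(t1, t2))
```

On the sample data the script reports 10GE1/0/3 as a flooding suspect (60 dynamic entries against 2 inventoried hosts) and 0025-9e80-2494 as having moved from 10GE1/0/1 to 10GE1/0/2. In practice, feed it two copies of the real command output saved a few seconds apart; an interface flagged by flooding_suspects() is where to apply the port-security enable or mac-address limit remedy from step 5, and a non-empty flapping result points back to the loop check in step 2.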