Port isolation, MAC address entry, MAC address flapping prevention and detection

Table of contents

foreword

port isolation

MAC address entry

port security

MAC address flapping detection


foreword

  • Ethernet technology is currently used very widely in networks. However, various network attacks (such as attacks against ARP, DHCP and other protocols) not only prevent legitimate users from accessing network resources normally, but also pose a serious threat to network information security. Therefore, Ethernet switching security is becoming more and more important.
  • This section mainly introduces common Ethernet switching security technologies, including port isolation, port security, and MAC address flapping detection.

port isolation

  • To implement Layer 2 isolation between packets in an Ethernet switching network, users usually add different ports to different VLANs, so that each VLAN forms its own Layer 2 broadcast domain.
  • In a large-scale network there are many kinds of business requirements, and implementing Layer 2 isolation only through VLANs wastes the limited VLAN resources.
  • As shown in the figure below, because of certain business requirements, PC1 and PC2 belong to the same VLAN but must not communicate with each other at Layer 2 (communication at Layer 3 is allowed). PC1 and PC3 must not communicate with each other under any circumstances, but hosts in VLAN3 can access hosts in VLAN2. So how can this problem be solved?

Principle of Port Isolation Technology

Port isolation configuration commands

1. Enable port isolation function

        By default, the port isolation function is disabled. If the group-id parameter is not specified, the default port isolation group is 1.

[Huawei-GigabitEthernet0/0/1] port-isolate enable [ group group-id ]

2. Configure port isolation mode

        By default, the port isolation mode is l2. The l2 mode isolates Layer 2 traffic but keeps Layer 3 interoperability; the all mode isolates both Layer 2 and Layer 3 traffic.

[Huawei] port-isolate mode { l2 | all }

3. Configure port unidirectional isolation

        The am isolate command is used to configure unidirectional isolation between the current interface and the specified interface. After unidirectional isolation is configured on interface A and interface B, packets sent from interface A cannot reach interface B, but packets sent from interface B can reach interface A. By default, port unidirectional isolation is not configured.

[Huawei-GigabitEthernet0/0/1] am isolate {interface-type interface-number }&<1-8>

Configuration example

The Switch configuration is as follows:

[Switch] vlan 2
[Switch] port-isolate mode all
[Switch] interface GigabitEthernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 2
[Switch-GigabitEthernet0/0/1] port-isolate enable group 2
[Switch] interface GigabitEthernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 2
[Switch-GigabitEthernet0/0/2] port-isolate enable group 2
[Switch] interface GigabitEthernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 2

As shown in the figure: PC1, PC2 and PC3 belong to VLAN 2. By configuring port isolation, PC3 can communicate with PC1 and PC2, but PC1 and PC2 cannot communicate.

  • Two-way isolation: interfaces in the same port isolation group are isolated from each other, while interfaces in different port isolation groups are not isolated. Port isolation applies only to isolation group members on the same device.
  • One-way isolation: used to isolate interfaces that belong to different port isolation groups, in one direction only.
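The isolation rules above can be checked against a small forwarding-decision model. This is an added example, not code from the article or from Huawei; the class name PortIsolation, the can_reach method and its layer parameter are assumptions made here, and the model assumes each port belongs to at most one isolation group.

```python
# Forwarding-decision model for port isolation (added example, not the
# article's or Huawei's code). Assumption: each port is in at most one
# isolation group; "am isolate" entries are one-way.
class PortIsolation:
    def __init__(self, mode="l2"):
        assert mode in ("l2", "all")
        self.mode = mode          # port-isolate mode { l2 | all }
        self.group = {}           # port -> isolation group id
        self.am_isolate = set()   # (src, dst) one-way isolation pairs

    def port_isolate_enable(self, port, group_id=1):
        # "port-isolate enable [group group-id]"; the default group is 1
        self.group[port] = group_id

    def am_isolate_add(self, port, *peers):
        # "am isolate ...": packets from port cannot reach peers, not vice versa
        for peer in peers:
            self.am_isolate.add((port, peer))

    def can_reach(self, src, dst, layer=2):
        """True if a packet entering src may be delivered out of dst."""
        if src == dst or (src, dst) in self.am_isolate:
            return False
        same_group = src in self.group and self.group.get(dst) == self.group[src]
        if not same_group:
            return True      # different groups or non-members: not isolated
        if layer == 2:
            return False     # same group: always isolated at Layer 2
        return self.mode == "l2"  # l2 mode keeps Layer 3 interoperability

def article_example():
    """Article's topology: GE0/0/1 and GE0/0/2 in group 2, GE0/0/3 ungrouped."""
    sw = PortIsolation(mode="all")
    sw.port_isolate_enable("GE0/0/1", group_id=2)
    sw.port_isolate_enable("GE0/0/2", group_id=2)
    return {
        "pc1->pc2": sw.can_reach("GE0/0/1", "GE0/0/2"),
        "pc2->pc1": sw.can_reach("GE0/0/2", "GE0/0/1"),
        "pc1->pc3": sw.can_reach("GE0/0/1", "GE0/0/3"),
        "pc3->pc2": sw.can_reach("GE0/0/3", "GE0/0/2"),
    }
```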

Port isolation configuration verification

1. Use the display port-isolate group group-number command to view the ports in a port isolation group

[SW]display port-isolate group 2
    The ports in isolate group 2:
   GigabitEthernet0/0/1     GigabitEthernet0/0/2 

MAC address entry

MAC address entry types include:

Dynamic MAC address entries: learned by the interface from the source MAC address of received packets; these entries can age out. After the system is reset, the interface board is hot-plugged, or the interface board is reset, dynamic entries are lost.

Static MAC address entries: manually configured by the user and delivered to each interface board; these entries do not age out. After the system is reset, the interface board is hot-plugged, or the interface board is reset, saved entries are not lost. After an interface is statically bound to a MAC address, packets with that source MAC address received on other interfaces are discarded.

Blackhole MAC address entries: manually configured by the user and delivered to each interface board; these entries do not age out. After a blackhole MAC address is configured, packets whose source MAC address or destination MAC address is that MAC address are discarded.

MAC address entry configuration

1. Configure static MAC entries

The specified VLAN must already exist and the bound port must have joined it, and the specified MAC address must be a unicast MAC address, not a multicast or broadcast address.

[Huawei] mac-address static mac-address interface-type interface-number vlan vlan-id

2. Configure black hole MAC entries

When the device receives a packet whose destination MAC address or source MAC address is a black hole address, it will directly discard it.

[Huawei] mac-address blackhole mac-address [ vlan vlan-id ]

3. Configure the aging time of dynamic MAC entries

[Huawei] mac-address aging-time {aging-time}

Disable MAC address learning function

1. Disable interface-based MAC address learning function

[Huawei-GigabitEthernet0/0/1] mac-address learning disable [ action {  discard | forward } ]

        By default, the MAC address learning function of an interface is enabled.

        The default action after MAC address learning is disabled is forward, that is, packets are still forwarded.

        When the configured action is discard, the source MAC address of the packet is matched against the MAC address table: if the interface and source MAC address match an existing MAC address entry, the packet is forwarded; if they do not match any entry, the packet is discarded.

2. Turn off the VLAN-based MAC address learning function

[Huawei-vlan2] mac-address learning disable

 By default, the MAC address learning function of a VLAN is enabled.

When both interface-based and VLAN-based MAC address learning are disabled at the same time, the VLAN-based configuration takes precedence over the interface-based configuration.

Limit the number of learned MAC addresses

1. Configure the interface-based limit on the number of learned MAC addresses
        By default, the number of learned MAC addresses is not limited.
        [Huawei-GigabitEthernet0/0/1] mac-limit maximum max-num

2. Configure the action taken on packets when the number of learned MAC addresses reaches the limit
        By default, the action is discard.
        [Huawei-GigabitEthernet0/0/1] mac-limit action { discard | forward }

3. Configure whether an alarm is issued when the number of MAC addresses reaches the limit
        [Huawei-GigabitEthernet0/0/1] mac-limit alarm { disable | enable }
        By default, an alarm is issued for packets that exceed the MAC address learning limit.

4. Configure the VLAN-based limit on the number of learned MAC addresses
        [Huawei-vlan2] mac-limit maximum max-num
        By default, the number of learned MAC addresses is not limited.

Configuration verification

Run the display mac-limit command to check whether the address learning limit rule has been configured successfully.

[Switch3]display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 2

PORT                 VLAN/VSI/SI   SLOT   Maximum   Rate(ms)   Action    Alarm
------------------------------------------------------------------------------
GE0/0/2              -             -      100       -          forward   enable
-                    20            -      100       -          forward   enable

The first rule (GE0/0/2) is the interface-based MAC address learning limit; the second rule (VLAN 20) is the VLAN-based MAC address learning limit.

port security

  • By deploying port security on a specific interface of the switch, you can limit the number of MAC addresses learned by the interface, and configure punishment measures when the limit is exceeded.
  • Port security converts the dynamic MAC address learned by the interface into a secure MAC address (including secure dynamic MAC, secure static MAC, and StickyMAC) to prevent unauthorized users from communicating with the switch through the interface, thereby enhancing device security.

Principles of Port Security Technology

Secure MAC addresses are divided into the following categories: secure dynamic MAC addresses, secure static MAC addresses, and Sticky MAC addresses.

Secure MAC addresses are usually used together with a security protection action. The common protection actions are:

Restrict: discards packets whose source MAC address is not a secure MAC address and reports an alarm.

Protect: only discards packets whose source MAC address is not a secure MAC address, without reporting an alarm.

Shutdown: sets the interface state to error-down and reports an alarm.

Application of Port Security Technology

Port Security Configuration Commands

1. Enable port security function

By default, port security is disabled.

[Huawei-GigabitEthernet0/0/1] port-security enable

2. Configure the limit on the number of secure dynamic MAC addresses learned

[Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

By default, the number of secure MAC addresses learned by an interface is limited to 1.

3. Manually configure secure static MAC address entries

[Huawei-GigabitEthernet0/0/1] port-security mac-address mac-address vlan vlan-id

4. Configure the port security protection action

By default, the port security protection action is restrict.

[Huawei-GigabitEthernet0/0/1] port-security protect-action { protect | restrict | shutdown }

5. Enable the Sticky MAC function

By default, the Sticky MAC function is disabled on an interface.

[Huawei-GigabitEthernet0/0/1] port-security mac-address sticky

6. Configure the limit on the number of Sticky MAC addresses learned by the interface

After the Sticky MAC function is enabled on an interface, by default the number of MAC addresses learned by the interface is limited to 1.

[Huawei-GigabitEthernet0/0/1] port-security max-mac-num max-number

7. Manually configure a Sticky MAC entry

[Huawei-GigabitEthernet0/0/1] port-security mac-address sticky mac-address vlan vlan-id

Port Security Configuration Example: Secure Dynamic MAC Address

The configuration of Switch1 is as follows:

[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port-security enable
[Switch1-GigabitEthernet0/0/1] port-security max-mac-num 1
[Switch1-GigabitEthernet0/0/1] port-security protect-action restrict
[Switch1] interface GigabitEthernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port-security enable
[Switch1-GigabitEthernet0/0/2] port-security max-mac-num 1
[Switch1-GigabitEthernet0/0/2] port-security protect-action restrict
[Switch1] interface GigabitEthernet 0/0/3
[Switch1-GigabitEthernet0/0/3] port-security enable
[Switch1-GigabitEthernet0/0/3] port-security max-mac-num 2
[Switch1-GigabitEthernet0/0/3] port-security protect-action shutdown

Verify configuration

  • Run the display mac-address security command to view dynamic security MAC entries
[Switch1]display mac-address security
MAC address table of slot 0:
----------------------------------------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port                Type        LSP/LSR-ID  
                       VSI/SI                                                                 MAC-Tunnel  
----------------------------------------------------------------------------------------------------------------
5489-98ac-71a9 1           -        -                 GE0/0/3         security    -           
5489-98b1-7b30 1           -        -                 GE0/0/1         security    -           
5489-9815-662b 1           -       -                 GE0/0/2         security    -           
----------------------------------------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3 
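The protection actions and the Switch1 example above can be reproduced with a small per-interface model. This is an added example, not code from the article or from Huawei; the class PortSecurity and its receive method are assumptions made here, the model assumes a single VLAN and counts static and Sticky entries toward max-mac-num, and apart from 5489-98ac-71a9 (taken from the verification output) the MAC addresses are constructed.

```python
# Per-interface port security model (added example, not the article's or
# Huawei's code). Assumptions: a single VLAN, static and sticky entries count
# toward max-mac-num, and alarms are collected in a list instead of sent as traps.
class PortSecurity:
    def __init__(self, max_mac_num=1, protect_action="restrict", sticky=False):
        assert protect_action in ("protect", "restrict", "shutdown")
        self.max_mac_num = max_mac_num        # port-security max-mac-num
        self.protect_action = protect_action  # port-security protect-action
        self.sticky = sticky                  # port-security mac-address sticky
        self.secure_macs = {}                 # mac -> "dynamic" | "static" | "sticky"
        self.error_down = False
        self.alarms = []

    def add_static(self, mac):
        # port-security mac-address <mac> vlan <id>: manually configured entry
        self.secure_macs[mac] = "sticky" if self.sticky else "static"

    def receive(self, src_mac):
        """Return 'forward' or 'discard' for a frame with this source MAC."""
        if self.error_down:
            return "discard"              # interface is error-down
        if src_mac in self.secure_macs:
            return "forward"              # known secure MAC
        if len(self.secure_macs) < self.max_mac_num:
            # Learn it: sticky entries survive in the configuration, dynamic ones do not
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Limit reached and source MAC unknown: apply the protection action
        if self.protect_action == "shutdown":
            self.error_down = True
            self.alarms.append(f"shutdown: unknown source {src_mac}")
        elif self.protect_action == "restrict":
            self.alarms.append(f"restrict: unknown source {src_mac}")
        return "discard"                  # "protect" discards silently

def switch1_ge0_0_3():
    """Article's GE0/0/3 (max-mac-num 2, protect-action shutdown) receiving the
    MAC shown in the verification output followed by two constructed MACs."""
    port = PortSecurity(max_mac_num=2, protect_action="shutdown")
    seen = ["5489-98ac-71a9", "0000-0000-0001", "0000-0000-0002"]  # last two constructed
    results = [port.receive(mac) for mac in seen]
    return results, port.error_down, len(port.alarms)
```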

MAC address flapping detection

  • The switch supports MAC address flapping detection, which is divided into the following two methods:
  • VLAN-based MAC address flapping detection
    • Configure MAC address flapping detection for a VLAN to detect whether any MAC address in the specified VLAN has flapped.
    • When a MAC address flaps, a specific action can be configured, such as reporting an alarm, blocking the interface, or blocking the MAC address.
  • Global MAC address flapping detection
    • This function detects whether any MAC address on the device has flapped.
    • If flapping occurs, the device reports an alarm to the network management system.
    • The user can also specify the action taken after flapping occurs, such as shutting down the interface or removing it from the VLAN.

MAC address flapping configuration commands

1. Configure the priority of learning MAC addresses on interfaces

By default, the priority of learning MAC addresses on an interface is 0, and the higher the value, the higher the priority.

[Huawei-GigabitEthernet0/0/1] mac-learning priority priority-id

2. Configure the packet processing action to discard when MAC address flapping is prevented

By default, when MAC address flapping is prevented, the packets are still forwarded.

[Huawei-GigabitEthernet0/0/1] mac-learning priority flapping-defend action discard

3. Configure that MAC address flapping is not allowed between interfaces with the same priority

By default, MAC address flapping is allowed on interfaces with the same priority

[Huawei] undo mac-learning priority priority-id allow-flapping

4. Configure the MAC address flapping detection function

By default, the function of detecting MAC address flapping for all VLANs on the switch has been configured.

[Huawei-vlan2] mac-address flapping detection

5. Configure the whitelist for MAC address flapping detection

By default, no VLAN whitelist for MAC address flapping detection is configured.

[Huawei] mac-address flapping detection exclude vlan {  vlan-id1 [ to vlan-id2 ] } &<1-10>

6. Configure the action taken on an interface after MAC address flapping occurs

By default, no action is configured for an interface after MAC address flapping occurs.

[Huawei-GigabitEthernet0/0/1] mac-address flapping action {  quit-vlan | error-down }

7. Configure loop detection based on MAC address flapping

[Huawei-vlan2] loop-detect eth-loop {  [ block-mac ] block-time block-time retry-times retry-times | alarm-only }

Configuration Example of MAC Address Flapping

1. Configure the interface connected to the server on the Switch

[Switch1] interface GigabitEthernet 0/0/1
[Switch1-GigabitEthernet0/0/1] mac-learning priority 3

The MAC address learning priority configured on GE0/0/1 is higher than that of other interfaces. The default value of this priority is 0.

2. Configure the MAC address flapping detection function on the Switch, and configure the processing actions after the interface MAC address flapping.

[Switch2] mac-address flapping detection
[Switch2] mac-address flapping aging-time 500
[Switch2-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch2-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch2] error-down auto-recovery cause mac-address-flapping interval 500

Configuration verification

After the configuration is complete, when the MAC address learned on GE0/0/1 of the Switch flaps to GE0/0/2, interface GE0/0/2 is shut down (error-down).

Use the display mac-address flapping record command to view the flapping record:

[Switch2] display mac-address flapping record
 S  : start time
 E  : end time
(Q) : quit vlan
(D) : error down
---------------------------------------------------------------------------------------------------
Move-Time                 VLAN MAC-Address     Original-Port    Move-Ports   MoveNum
---------------------------------------------------------------------------------------------------
S:2020-06-22 17:22:36     1    5489-9815-662b  GE0/0/1         GE0/0/2(D)   83
E:2020-06-22 17:22:44
---------------------------------------------------------------------------------------------------
Total items on slot 0: 1
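The learning-priority commands and the two Switch examples above (the server interface with mac-learning priority 3, and the error-down action after flapping) can be modelled together. This is an added example, not code from the article or from Huawei; the class MacFlapDetector and its learn method are assumptions made here, the model assumes a single VLAN and treats every move of a MAC entry between ports as one flap, and the MAC address 5489-9815-662b is taken from the flapping record above.

```python
# Model of MAC learning priority and MAC address flapping detection (added
# example, not the article's or Huawei's code). Assumptions: a single VLAN,
# one flap = a MAC entry moving between ports, action fires on the first move.
class MacFlapDetector:
    def __init__(self, defend_action="forward", allow_same_priority=True):
        self.defend_action = defend_action              # flapping-defend action
        self.allow_same_priority = allow_same_priority  # [undo] ... allow-flapping
        self.priority = {}        # port -> mac-learning priority (default 0)
        self.flap_action = {}     # port -> "error-down" | "quit-vlan"
        self.table = {}           # mac -> port the entry currently points to
        self.error_down = set()
        self.records = []         # (mac, original_port, move_port, action)

    def learn(self, mac, port):
        """Process a frame with source mac on port; return 'forward' or 'discard'."""
        if port in self.error_down:
            return "discard"
        old = self.table.get(mac)
        if old is None or old == port:
            self.table[mac] = port
            return "forward"
        old_prio = self.priority.get(old, 0)
        new_prio = self.priority.get(port, 0)
        if new_prio < old_prio or (new_prio == old_prio and not self.allow_same_priority):
            # Lower (or equal, when flapping is not allowed) priority: the entry stays
            return self.defend_action     # "forward" keeps the frame, "discard" drops it
        self.table[mac] = port            # the entry moves: this is a flap
        action = self.flap_action.get(port)
        self.records.append((mac, old, port, action))
        if action == "error-down":
            self.error_down.add(port)
        return "forward"

def priority_scenario():
    """Switch1 example: server on GE0/0/1 with mac-learning priority 3, defend action discard."""
    sw = MacFlapDetector(defend_action="discard")
    sw.priority["GE0/0/1"] = 3
    sw.learn("5489-9815-662b", "GE0/0/1")            # MAC from the flapping record
    other = sw.learn("5489-9815-662b", "GE0/0/2")    # same MAC seen on a priority-0 port
    return other, sw.table["5489-9815-662b"]

def flapping_scenario():
    """Switch2 example: flapping detection with error-down on GE0/0/1 and GE0/0/2."""
    sw = MacFlapDetector()
    sw.flap_action = {"GE0/0/1": "error-down", "GE0/0/2": "error-down"}
    sw.learn("5489-9815-662b", "GE0/0/1")
    sw.learn("5489-9815-662b", "GE0/0/2")
    return sw.table["5489-9815-662b"], sorted(sw.error_down), sw.records[0][3]
```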

Origin blog.csdn.net/weixin_45059947/article/details/130699008