
Configuring Static MAC Address Flapping Detection

Context

Secure MAC addresses are also static MAC addresses. When an interface receives a packet whose source MAC address exists in the static MAC address table on another interface, the interface discards this packet. This affects customer services. For example, if PC 1 connects to GE0/0/1 where the sticky MAC address function is enabled, the static MAC address table of GE0/0/1 includes PC 1's MAC address. After PC 1 is disconnected from GE0/0/1 and then connected to GE0/0/2, GE0/0/2 discards the packets from PC 1. In this situation, you can enable static MAC address flapping detection. The switch then takes the configured port security action on GE0/0/2.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run port-security static-flapping protect

    Static MAC address flapping detection is enabled.

  3. Run interface interface-type interface-number

    The interface view is displayed.

  4. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  5. (Optional) Run port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

Follow-up Procedure

On a switch with static MAC address flapping detection configured, when an interface receives a packet whose source MAC address exists in the static MAC address table on another interface, the switch considers that static MAC address flapping has occurred and takes the configured port security action. There are three port security actions: restrict, protect, and shutdown.

Table 1 Port security actions

| Action | Description |
|--------|-------------|
| restrict | Discards the packet triggering the static MAC address flapping and generates a trap. This action is recommended. |
| protect | Discards the packet triggering the static MAC address flapping but does not generate a trap. |
| shutdown | Sets the interface state to error-down and generates a trap. |

By default, an interface in error-down state can only be restored using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.
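
The following Python model is an added example, not Huawei code or part of the original page. It replays the PC 1 scenario from the Context section under each of the three actions. The Switch class, the pc1_moves helper, the sample MAC address, and the choice of one trap per triggering frame are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PC1 = "00e0-fc12-3456"  # constructed sample MAC address

@dataclass
class Switch:
    """Simplified model of the behaviour in this section; not vendor code."""
    action: str = "restrict"         # default port security action
    flapping_detection: bool = True  # port-security static-flapping protect
    static_macs: dict = field(default_factory=dict)  # MAC -> owning interface
    error_down: set = field(default_factory=set)
    traps: list = field(default_factory=list)

    def receive(self, ifname, src_mac):
        """Return 'forward' or 'discard' for a frame arriving on ifname."""
        if ifname in self.error_down:
            return "discard"         # interface is down, nothing gets through
        owner = self.static_macs.get(src_mac)
        if owner is None or owner == ifname:
            return "forward"         # assumption: MAC learning limits not modelled
        if not self.flapping_detection:
            return "discard"         # dropped, but no action and no trap
        if self.action in ("restrict", "shutdown"):
            self.traps.append((ifname, src_mac))  # model: one trap per trigger
        if self.action == "shutdown":
            self.error_down.add(ifname)
        return "discard"

    def restart(self, ifname):
        """Manual recovery, as with restart in the interface view."""
        self.error_down.discard(ifname)

def pc1_moves(action, frames=3):
    """PC 1 is static on GE0/0/1, then sends frames from GE0/0/2."""
    sw = Switch(action=action, static_macs={PC1: "GE0/0/1"})
    verdicts = [sw.receive("GE0/0/2", PC1) for _ in range(frames)]
    return verdicts, len(sw.traps), sorted(sw.error_down)

if __name__ == "__main__":
    for action in ("protect", "restrict", "shutdown"):
        print(action, pc1_moves(action))
```

In every case PC 1's frames are discarded on GE0/0/2; the actions differ only in whether an operator is notified by a trap and whether the interface stays usable for other hosts.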

Copyright © Huawei Technologies Co., Ltd.