loop-detect eth-loop (VSI View)

Function

The loop-detect eth-loop command enables MAC flapping-based loop detection and configures loop detection parameters.

The undo loop-detect eth-loop command disables the function.

By default, MAC flapping-based loop detection is disabled.

Format

loop-detect eth-loop loop-times loop-times detect-cycle detect-cycle-time cycles cycles [ retry-times retry-times block-time block-time | alarm-only ]

undo loop-detect eth-loop

Parameters

Parameter Description Value
loop-times loop-times

Specifies the number of MAC address entry flaps allowed in a detection cycle.

If a device detects more MAC address entry flaps than the number specified by loop-times within the detection cycle specified by detect-cycle-time, the device concludes that a loop has occurred.

When a blocking priority is configured for an interface bound to a VSI, a VLAN or a BD using the loop-detect eth-loop priority priority command:

If priority is 1 and the number of MAC address entry flaps detected in a detect-cycle-time is greater than or equal to the configured loop-times, a loop has occurred.

If priority is greater than 1 and the number of MAC address entry flaps detected in a detect-cycle-time is greater than the configured loop-times, a loop has occurred.

The value is an integer ranging from 3 to 1000.

detect-cycle detect-cycle-time

Specifies a detection cycle.

The value is an integer ranging from 3 to 30, in seconds.

cycles cycles

Specifies the number of detection cycles. If a device detects loops within the consecutive detection cycles, the device blocks an interface or a PW or just reports an alarm.

If cycles cycles is not specified, the device concludes that a loop has occurred as soon as the number of MAC address entry flaps in one detection cycle exceeds loop-times. If cycles cycles is specified, the device concludes that a loop has occurred only when the flap count exceeds loop-times in the first detection cycle and in each of the following consecutive detection cycles specified by cycles.

When configuring MAC flapping-based loop detection on multiple devices in the same VSI, VLAN or BD, specify a different cycles value on each device so that each device blocks its interface or PW in a different detection cycle. Otherwise several devices may block different interfaces on the same loop at the same time, which disrupts traffic forwarding.

The value is an integer ranging from 1 to 15.

retry-times retry-times

Specifies the number of times a loop is allowed to recur after an interface has been unblocked.

After an interface is unblocked, the interface is blocked permanently once the number of recurring loops exceeds retry-times.

If neither alarm-only nor retry-times is configured, the system blocks an interface or a PW permanently when it detects a loop.

If retry-times is 0, interfaces are never blocked permanently. Instead, the blocking period is doubled each time the interface is blocked again, up to a maximum of five doublings. For example:

With detect-cycle-time 3s, loop-times 30, cycles 1, block-time 10s and retry-times 0, if a MAC address on an interface in a VSI, a VLAN or a BD flaps more than 30 times within a 3s detection cycle (more than 10 flaps per second on average), the interface is blocked for 10s (the configured block-time) and then recovers. Each subsequent time the interface is blocked, the blocking period doubles, up to a maximum of 320s.

The value is an integer ranging from 0 to 5.

block-time block-time

Specifies how long an interface or PW stays blocked after a loop is detected.

The value is an integer ranging from 10 to 65535, in seconds.

alarm-only

Reports an alarm when a loop is detected without blocking any interface or PW.

This keyword takes no value.

Views

VSI-AUTO view, VSI-BVSI view, VSI-DEFAULT view, VSI-STATIC view

Default Level

2: Configuration level

Task Name and Operations

Task Name: mflp
Operations: write

Usage Guidelines

Usage Scenario

When CEs are dual-homed to a virtual private LAN service (VPLS) network or primary and secondary pseudo wires (PWs) exist on the network, loops may occur, causing broadcast storms. In this situation, you can run the loop-detect eth-loop command to configure MAC flapping-based loop detection on devices of the VPLS network. When detecting a loop, a device blocks an AC-side interface or a PW to avoid broadcast storms.

retry-times retry-times and block-time block-time must both be specified. For example, with retry-times 2 and block-time 100s, a device that detects loops in the VSI blocks the interface as follows:

1. When it detects a loop on the interface for the first time, the device keeps the interface blocked for 100s.

2. If it detects a loop again during the detection cycle (detect-cycle-time) that follows the end of the first blocking period (when the blocked interface recovers), the device keeps the interface blocked for 2 x 100s.

3. If it detects a loop again during the detection cycle that follows the end of the second blocking period, the device keeps the interface blocked for 4 x 100s.

4. If it detects a loop again during the detection cycle that follows the end of the third blocking period, the device keeps the interface blocked permanently, because three loops have occurred after the first blocking period ended, which exceeds the maximum of two specified by retry-times.

5. If no loop is detected for 30 x detect-cycle-time, the blocking count is cleared. A loop detected after that is blocked for the original block-time again.
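The blocking sequence above is easy to misjudge when planning retry-times and block-time, so here is an added Python model of the documented behaviour (written for this page, not Huawei code). It replays the rules as stated: the period doubles on each recurrence, becomes permanent once recurrences exceed retry-times, never becomes permanent with retry-times 0 (five doublings at most), and the count is cleared after 30 loop-free detection cycles. The class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# A blocking period of None means the interface is blocked permanently.
PERMANENT: Optional[int] = None
# With retry-times 0 the doubling is capped at five times (block-time x 2**5).
MAX_DOUBLINGS = 5


@dataclass
class BlockState:
    """Per-interface blocking state for one VSI, VLAN or BD (example model)."""
    block_time: int             # block-time in seconds (10..65535)
    retry_times: int            # retry-times (0..5)
    detect_cycle: int           # detect-cycle-time in seconds (3..30)
    loops_since_reset: int = 0  # loops seen since the count was last cleared
    history: List[Optional[int]] = field(default_factory=list)

    def quiet_window(self) -> int:
        """Loop-free time after which the blocking count is cleared (30 cycles)."""
        return 30 * self.detect_cycle

    def loop_detected(self) -> Optional[int]:
        """Record one loop detection and return the resulting blocking period."""
        n = self.loops_since_reset
        if self.retry_times == 0:
            # retry-times 0: never permanent, period doubles at most five times
            period: Optional[int] = self.block_time * 2 ** min(n, MAX_DOUBLINGS)
        elif n > self.retry_times:
            # more recurrences after the first block than retry-times allows
            period = PERMANENT
        else:
            period = self.block_time * 2 ** n
        self.loops_since_reset += 1
        self.history.append(period)
        return period

    def quiet_period(self, seconds: int) -> None:
        """No loop for `seconds`; clear the count once 30 cycles have elapsed."""
        if seconds >= self.quiet_window():
            self.loops_since_reset = 0


def schedule(block_time: int, retry_times: int, loops: int,
             detect_cycle: int = 3) -> List[Optional[int]]:
    """Blocking periods for `loops` back-to-back loop detections with no quiet gap."""
    state = BlockState(block_time, retry_times, detect_cycle)
    return [state.loop_detected() for _ in range(loops)]


def describe(periods: List[Optional[int]]) -> str:
    """Human-readable rendering of a schedule."""
    return ", ".join("permanent" if p is None else f"{p}s" for p in periods)


if __name__ == "__main__":
    # The page's own example: retry-times 2, block-time 100s
    print("retry-times 2:", describe(schedule(100, 2, 4)))
    # retry-times 0, block-time 10s: doubles up to 320s and stays there
    print("retry-times 0:", describe(schedule(10, 0, 7)))
```

A permanent block in this model, as on the device, is only lifted by operator action, so run the schedule for the worst case you expect on a given AC before choosing retry-times.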

Configuration Impact

After MAC flapping-based loop detection is configured on a device and the device receives packets with forged source MAC addresses from attackers, the device may incorrectly conclude that a loop has occurred and block an interface based on the configured blocking policy. As a result, traffic destined for the interface is affected.

Precautions

When MAC flapping-based loop detection works with the Spanning Tree Protocol (STP), they may take effect at the same time. Traffic is interrupted when they block different interfaces. By default, MAC flapping-based loop detection cannot work with the Spanning Tree Protocol (STP) on devices except when the loop-detect eth-loop assist-stp enable command is configured in the system view.

After the loop-detect eth-loop loop-times loop-times detect-cycle detect-cycle-time command is run to enable MAC flapping-based loop detection, the upstream interface board learns MAC addresses. If the loop-times or detect-cycle-time parameter is modified during a detection period, the previous statistics are cleared and the count of MAC flapping events starts again.

After MAC flapping-based loop detection is configured on a device, an attacker who sends packets with forged source MAC addresses can make the device mistakenly conclude that a loop has occurred and block an interface according to the configured blocking policy, so key user traffic may be cut off. It is therefore recommended that you disable MAC flapping-based loop detection on properly running devices. If you have to use it to verify that links operate properly during site deployment, disable it after that stage. If it must remain enabled, alarm-only mode or a higher blocking priority (loop-detect eth-loop priority) on critical interfaces limits what such traffic can take down.

Each time when the system detects a loop, the system records a log and reports an alarm to the NMS.

A maximum of 32 sub-interfaces can be blocked in the same VSI.

If a blocking priority for MAC flapping-based loop detection is configured on an interface bound to a VSI, a VLAN or a BD using the loop-detect eth-loop priority priority command, the detection cycle is as follows:

  • If priority is 1: Detection cycle = 1 × detect-cycle-time × cycles
  • If priority is 2: Detection cycle = 4 × detect-cycle-time × cycles
  • If priority is 3: Detection cycle = 8 × detect-cycle-time × cycles
  • If priority is 4, the interface is never blocked, and MAC flapping-based loop detection does not take effect on it.

    Higher-priority interfaces therefore have a longer detection time, and lower-priority interfaces are blocked first when MAC flapping-based loop detection detects a loop.
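When several PEs guard the same loop, the interface that is blocked first is the one whose detection cycle expires first, and two interfaces with the same cycle are exactly the case the guidance on distinct cycles values warns about. The following added Python planner (an illustration for this page, not Huawei code) applies the documented window formula and the documented threshold asymmetry (priority 1 trips at >= loop-times, priorities 2 and 3 at > loop-times) to a constructed deployment; the device and interface names are made up, and the planner assumes flapping is continuous so that the detection window equals the time to block.

```python
from typing import Dict, List, Optional, Tuple

# Detection-window multiplier per blocking priority; None means never blocked.
PRIORITY_MULTIPLIER: Dict[int, Optional[int]] = {1: 1, 2: 4, 3: 8, 4: None}

# (name, detect-cycle-time, cycles, priority) for each interface that may be blocked.
Candidate = Tuple[str, int, int, int]


def detection_window(detect_cycle: int, cycles: int, priority: int = 1) -> Optional[int]:
    """Seconds of sustained flapping before this interface is blocked (None: never)."""
    mult = PRIORITY_MULTIPLIER[priority]
    return None if mult is None else mult * detect_cycle * cycles


def exceeds_threshold(flaps: int, loop_times: int, priority: int = 1) -> bool:
    """Priority 1 trips at >= loop-times; priorities 2 and 3 only at > loop-times."""
    if priority == 4:
        return False
    return flaps >= loop_times if priority == 1 else flaps > loop_times


def blocking_order(candidates: List[Candidate]) -> List[Tuple[str, Optional[int]]]:
    """Sort candidates by time-to-block; never-blocked (priority 4) interfaces go last."""
    timed = [(name, detection_window(dc, cy, pr)) for name, dc, cy, pr in candidates]
    return sorted(timed, key=lambda t: (t[1] is None, t[1] or 0))


def simultaneous_blocks(order: List[Tuple[str, Optional[int]]]) -> List[List[str]]:
    """Groups of interfaces that would be blocked in the same window.

    Any group here means two devices may block different interfaces on the
    same loop at once, which the guidance on distinct cycles values is meant to avoid.
    """
    groups: Dict[int, List[str]] = {}
    for name, window in order:
        if window is not None:
            groups.setdefault(window, []).append(name)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    # Constructed deployment: two PEs with identical settings, one with a longer
    # window, and one critical AC that must never be blocked (priority 4).
    plan = [
        ("PE1 GE0/1/0", 10, 3, 1),
        ("PE2 GE0/1/0", 10, 3, 1),
        ("PE3 PW-to-PE4", 10, 5, 2),
        ("PE1 GE0/1/1", 10, 3, 4),
    ]
    order = blocking_order(plan)
    for name, window in order:
        print(f"{name}: {'never' if window is None else f'{window}s'}")
    for group in simultaneous_blocks(order):
        print("WARNING: same time-to-block:", ", ".join(group))
```

In the constructed plan PE1 and PE2 both reach their window after 30s; giving one of them cycles 4 (40s) resolves the tie without changing which interface the operator intends to lose first.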

    If MAC flapping-based loop detection and VPLS multi-homing (VPLS multi-homing enables data packets to be blocked on the backup PE's AC interface, preventing loops) have been deployed, the AC interfaces of both the master and backup PEs may be blocked because the backup PE's AC interface does not block Layer 2 protocol packets.

Example

# Configure MAC flapping-based loop detection in a VSI.
<HUAWEI> system-view
[~HUAWEI] mpls lsr-id 1.1.1.1
[*HUAWEI] mpls
[*HUAWEI-mpls] quit
[*HUAWEI] mpls l2vpn
[*HUAWEI-l2vpn] quit
[*HUAWEI] vsi company1
[*HUAWEI-vsi-company1] loop-detect eth-loop loop-times 3 detect-cycle 10 cycles 3
Copyright © Huawei Technologies Co., Ltd.