Understanding MAC Flapping-based Loop Detection
MAC flapping-based loop detection is a method for detecting Ethernet loops based on the frequency of MAC address entry flapping. It eliminates loops on networks by blocking redundant links. On a virtual private LAN service (VPLS) network, MAC flapping-based loop detection can be applied to block attachment circuit (AC) interfaces and pseudo wires (PWs). This section describes AC interface blocking.
After MAC flapping-based loop detection is configured on a device and the device receives packets with fake source MAC addresses from attackers, the device may mistakenly conclude that a loop has occurred and block an interface based on the configured blocking policy. Therefore, key user traffic may be blocked. It is recommended that you disable MAC flapping-based loop detection on properly running devices. If you have to use MAC flapping-based loop detection to detect whether links operate properly during site deployment, be sure to disable this function after this stage.
-
If a device detects a specified number of MAC address entry flaps within a detection cycle, the device concludes that a loop has occurred. The detection cycle is configurable.
-
If a device concludes that a loop has occurred, it blocks an interface or PW for a specified period of time.
-
After an interface or a PW is blocked and then unblocked, if the total number of times that loops occur exceeds the configured maximum number, the interface or PW is permanently blocked.
An interface or PW that is permanently blocked can be unblocked only manually.
-
MAC flapping-based loop detection has the following blocking policies:
Blocking interfaces based on their blocking priorities
The blocking priority of an interface can be configured. When detecting a loop, a device blocks the interface with a lower blocking priority.
Blocking interfaces based on their trusted or untrusted states (accurate blocking)
If a dynamic MAC address entry remains the same in the MAC address table within a specified period and is not deleted, the outbound interface in the MAC address entry is trusted. When detecting a loop, a device blocks an interface that is not trusted.
A device on which MAC flapping-based loop detection is deployed blocks PWs based only on the blocking priorities of the PWs. If the device detects a loop, it blocks the PW with a lower blocking priority.
-
After MAC flapping-based loop detection is deployed on a device and the device detects a loop, the device blocks an AC interface with a lower blocking priority by default. However, MAC address entries of interfaces without loops may change due to the impact from a remote loop, and traffic over the interfaces with lower blocking priorities is interrupted. To address this problem, deploy accurate blocking of MAC flapping-based loop detection. Accurate blocking determines trusted and untrusted interfaces by analyzing the frequency of MAC address entry flapping. When a MAC address entry changes repeatedly, accurate blocking can accurately locate and block the interface with a loop, which is an untrusted interface.
In addition, MAC flapping-based loop detection can associate an interface with its sub-interfaces bound with virtual switching instances (VSIs). If a loop occurs in the VSI bound to a sub-interface, the sub-interface is blocked. However, a loop may also exist in a VSI bound to another sub-interface. If the loop is not eliminated in time, it will cause traffic congestion or even a network breakdown. To allow a device to inform the network administrator of loops, enable MAC flapping-based loop detection association on the interface of the sub-interfaces bound to VSIs. In this situation, if a sub-interface bound to a VSI is blocked due to a loop, its interface is also blocked and an alarm is generated. After that, all the other sub-interfaces bound with VSIs are blocked.