Overview of MAC Address Flapping

MAC address flapping (also called MAC address drift; both terms are used below) refers to the phenomenon in which two ports in the same VLAN on a switch learn the same MAC address, and the MAC address table entry learned later overwrites the original entry. When a MAC address frequently migrates between two ports, MAC address flapping occurs. Under normal conditions, a large number of MAC address flaps will not occur in a network within a short period of time; this phenomenon generally means that there is a loop in the network or that the network is under attack.

Prevent MAC address flapping

If MAC address flapping is caused by a loop, the fundamental solution is to deploy a loop-prevention technology such as STP to eliminate the Layer 2 loop. If it is caused by other reasons, such as network attacks, the following MAC address flapping prevention features can be used:

1. Configure the interface MAC address learning priority. When MAC address flapping occurs between two interfaces of a switch, you can raise the MAC address learning priority of one of the interfaces. MAC address table entries learned by the higher-priority interface overwrite those learned by the lower-priority interface.

2. Configure interfaces with the same priority not to allow MAC address flapping. When the MAC address learning priority of the port to which a forged (spoofing) network device is connected is the same as that of the legitimate network device, the entry for the forged device, learned later, will not overwrite the previous correct entry.

- By default, the MAC address learning priority of an interface is 0. The larger the value, the higher the priority. When the same MAC address is learned by two interfaces, the entry learned on the interface with the higher MAC address learning priority is retained, and the entry learned on the interface with the lower priority is overwritten.
- When interfaces with the same priority are configured not to allow MAC address flapping, and the legitimate network device is powered off, the switch will still learn the MAC address of the forged network device; when the legitimate device is powered on again, the switch will be unable to learn the correct MAC address. Therefore, this feature should be used with caution. For example, if the device connected to the switch interface is a server and, while the server is powered off, another interface learns the same MAC address as the server, the switch will not be able to learn the correct MAC address when the server is powered on again.
MAC address flapping detection

The switch supports a MAC address flapping detection mechanism with the following two methods:

(1) VLAN-based MAC address flapping detection:
- Configuring MAC address flapping detection for a VLAN detects whether any MAC address in the specified VLAN has flapped.
- When MAC address flapping occurs, you can configure a specified action, such as sending an alarm, blocking the interface, or blocking the MAC address.

(2) Global MAC address flapping detection:
- This function detects whether any MAC address on the device has flapped.
- If flapping occurs, the device reports an alarm to the network management system.
- The user can also specify the action to be taken after flapping occurs, such as shutting down the interface or removing it from the VLAN.
VLAN-based MAC address flapping detection

After configuring VLAN-based MAC address flapping detection, if flapping occurs, you can configure the interface to take one of the following actions based on your needs:
- Alarm only: when MAC address flapping is detected, an alarm is sent to the network management system and no other action is taken.
- Interface blocking: when MAC address flapping is detected, the interface is blocked for the configured blocking time, during which it cannot send or receive packets.
- MAC address blocking: when MAC address flapping is detected, only the flapping MAC address is blocked; the physical interface is not blocked, and communication of other MAC addresses on that interface is not affected.

When interface blocking is configured (in this description: VLAN 2, block-time 10 seconds, retry-times 2):
- When MAC address flapping is detected in VLAN 2, the interface on which the flapping occurs is blocked immediately.
- The interface is blocked for 10 seconds (the duration is specified with the block-time keyword). While blocked, the interface cannot send or receive data.
- After 10 seconds the interface is released and re-detection begins; the interface can send and receive data normally at this point. If no MAC address flapping is detected within 20 seconds, the block is lifted completely; if flapping is detected again within 20 seconds, the interface is blocked again. This cycle is repeated twice (the number of repetitions is specified with the retry-times keyword). If the switch still detects MAC address flapping on the interface after that, the interface is blocked permanently.
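The block / release / re-detect cycle just described, written out as a small state machine. This is an added illustration, not code from the original page or from Huawei; it assumes the 20-second re-detection window is fixed and that it starts when the block is released, and it counts re-blocks against retry-times exactly as the text describes.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BlockState:
    """State of one interface under VLAN-based flapping detection with interface blocking.

    block_time/retry_times mirror the block-time and retry-times keywords; recheck_window is
    the 20 s re-detection period from the text (assumed to be fixed)."""
    block_time: int = 10
    retry_times: int = 2
    recheck_window: int = 20
    blocked_until: Optional[int] = None   # end of the current block; None when not blocked
    recheck_until: Optional[int] = None   # end of the re-detection period after release
    retries_used: int = 0                 # re-blocks already performed in this cycle
    permanent: bool = False

    def status(self, now: int) -> str:
        if self.permanent:
            return "permanent"
        if self.blocked_until is not None and now < self.blocked_until:
            return "blocked"
        if self.recheck_until is not None and now <= self.recheck_until:
            return "rechecking"
        return "normal"

    def flap_detected(self, now: int) -> str:
        """Apply one flap detected at time `now` (seconds) and return the resulting action."""
        state = self.status(now)
        if state == "permanent":
            return "permanent"
        if state == "blocked":
            return "already-blocked"          # flaps during a block change nothing
        if state == "rechecking":
            if self.retries_used >= self.retry_times:
                self.permanent = True          # retries exhausted: block for good
                return "permanent"
            self.retries_used += 1             # re-block, counting against retry-times
        else:
            self.retries_used = 0              # quiet for the whole window: fresh cycle
        self.blocked_until = now + self.block_time
        self.recheck_until = self.blocked_until + self.recheck_window
        return "blocked"

def simulate(flap_times: List[int], **cfg) -> List[str]:
    """Run a sequence of flap-detection timestamps through one interface's state machine."""
    st = BlockState(**cfg)
    return [st.flap_detected(t) for t in flap_times]
```

With the defaults, flaps at 0, 12, 35 and 58 seconds produce three 10-second blocks and then a permanent block, while a flap that arrives after a quiet 20-second window starts a fresh cycle.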
Global MAC address flapping detection

When a switch detects MAC address flapping, by default it only reports an alarm and takes no other action. In an actual deployment, you can define the following actions to be taken after flapping is detected, based on network requirements:
- error-down: when an interface configured with MAC address flapping detection detects flapping, the interface is set to the error-down state and no longer forwards data.
- quit-vlan: when an interface configured with MAC address flapping detection detects flapping, the interface leaves the VLAN to which it currently belongs.

Notes:
- Huawei switches enable global MAC address flapping detection by default, so the switch performs flapping detection on all VLANs on the device by default.
- In some scenarios you need to exclude certain VLANs from flapping detection. You can configure a VLAN whitelist for MAC address flapping detection to achieve this.
- If an interface is set to error-down due to MAC address flapping, it does not recover automatically by default.
- To enable an error-down interface to recover automatically, run the following command in the system view:
  error-down auto-recovery cause mac-address-flapping interval time-value
- If an interface has left its VLAN due to MAC address flapping, run the following command in the system view to enable automatic recovery:
  mac-address flapping quit-vlan recover-time time-value

Introduction to MAC Address Flapping Configuration Commands

(1) Configure the MAC address learning priority of an interface:
  [Huawei-GigabitEthernet0/0/1] mac-learning priority priority-id
By default, the MAC address learning priority of an interface is 0. A larger value indicates a higher priority.

(2) When MAC address flapping is prohibited, set the action for the offending packets to discard:
  [Huawei-GigabitEthernet0/0/1] mac-learning priority flapping-defend action discard
By default, packets are forwarded when MAC address flapping is prohibited.

(3) Configure interfaces with the same priority not to allow MAC address flapping:
  [Huawei] undo mac-learning priority priority-id allow-flapping
By default, MAC address flapping is allowed between interfaces with the same priority.

(4) Configure the MAC address flapping detection function:
  [Huawei-vlan2] mac-address flapping detection
By default, MAC address flapping detection is enabled for all VLANs on the switch.

(5) (Optional) Configure a VLAN whitelist for MAC address flapping detection:
  [Huawei] mac-address flapping detection exclude vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
By default, no VLAN whitelist is configured for MAC address flapping detection.

(6) (Optional) Configure the action to be taken when flapping is detected on the interface:
  [Huawei-GigabitEthernet0/0/1] mac-address flapping action { quit-vlan | error-down }
By default, packets that exceed the limit on the number of learned MAC addresses are discarded.

(7) (Optional) Set the aging time for MAC address flapping entries:
  [Huawei] mac-address flapping aging-time aging-time
By default, the aging time of MAC address flapping entries is 300 seconds.
(8) Configure VLAN-based MAC address flapping detection and the action to take (alarm only, or block the interface or the MAC address):
  [Huawei-vlan2] loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times | alarm-only }

MAC Address Flapping Configuration Example

Experimental introduction:
- The basic network configuration has been completed. The network cable between Switch3 and Switch4 is incorrectly connected, resulting in a network loop.
- Configure MAC address flapping prevention on GE0/0/1 of Switch1 to prevent attacks by unauthorized users.
- Configure the MAC address flapping detection function on Switch2 to identify loops in the network and eliminate the fault.
(1) On GE0/0/1, the interface connecting Switch1 to the server, set the MAC address learning priority higher than that of the other interfaces (the default value is 0):
  [Switch1] interface GigabitEthernet 0/0/1
  [Switch1-GigabitEthernet0/0/1] mac-learning priority 3

(2) Configure MAC address flapping detection on Switch2 and configure the action to take when the interface MAC address flaps:
  [Switch2] mac-address flapping detection
  [Switch2] mac-address flapping aging-time 500
  [Switch2-GigabitEthernet0/0/1] mac-address flapping action error-down
  [Switch2-GigabitEthernet0/0/2] mac-address flapping action error-down
  [Switch2] error-down auto-recovery cause mac-address-flapping interval 500

- When Switch3 and Switch4 are incorrectly connected, the MAC address learned on GE0/0/1 of Switch2 flaps to GE0/0/2, triggering the error-down action: GE0/0/2 is shut down.
- Run the display mac-address flapping record command to view flapping records.
Configuration verification

After the configuration is complete, the MAC address of GE0/0/1 on Switch2 flaps to GE0/0/2, and GE0/0/2 is then shut down. Use the display mac-address flapping record command to view the flapping record:

  [Switch2] display mac-address flapping record
  S : start time  E : end time  (Q) : quit vlan  (D) : error down
  -----------------------------------------------------------------------------------
  Move-Time               VLAN  MAC-Address      Original-Port  Move-Ports   MoveNum
  -----------------------------------------------------------------------------------
  S:2020-06-22 17:22:36   1     5489-9815-662b   GE0/0/1        GE0/0/2(D)   83
  E:2020-06-22 17:22:44
  -----------------------------------------------------------------------------------
  Total items on slot 0: 1

The (D) suffix on GE0/0/2 shows that the error-down action was applied to that port, and MoveNum shows how many times the address moved between the start (S) and end (E) times.
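A parser for the record format above, useful when collecting this output from many switches and flagging records whose move count points to a loop rather than a single host move. This is an added example, not code from the page or from Huawei; the sample output is constructed to match the layout shown above, and the parser assumes one Move-Ports token per record, optionally suffixed with (D) or (Q).

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample modelled on the display output above (not captured from a real switch).
SAMPLE_OUTPUT = """\
S : start time  E : end time  (Q) : quit vlan  (D) : error down
-----------------------------------------------------------------------------------
Move-Time               VLAN  MAC-Address      Original-Port  Move-Ports   MoveNum
-----------------------------------------------------------------------------------
S:2020-06-22 17:22:36   1     5489-9815-662b   GE0/0/1        GE0/0/2(D)   83
E:2020-06-22 17:22:44
-----------------------------------------------------------------------------------
Total items on slot 0: 1
"""

ACTIONS = {"D": "error-down", "Q": "quit-vlan"}   # legend printed at the top of the output
START = re.compile(r"^S:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+"
                   r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
END = re.compile(r"^E:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")
TS = "%Y-%m-%d %H:%M:%S"

def parse_flapping_records(text: str) -> List[Dict]:
    """Parse 'display mac-address flapping record' output into a list of dicts.

    The S: line carries the record; the following E: line (if present) closes it.
    A Move-Ports token without a suffix means no blocking action was taken (alarm only)."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = START.match(line.strip())
        if m:
            start, vlan, mac, orig, move, num = m.groups()
            port, _, suffix = move.partition("(")      # "GE0/0/2(D)" -> "GE0/0/2", "D)"
            records.append({
                "start": datetime.strptime(start, TS), "end": None,
                "vlan": int(vlan), "mac": mac, "original_port": orig,
                "move_port": port, "action": ACTIONS.get(suffix.rstrip(")"), "alarm-only"),
                "move_num": int(num),
            })
            continue
        m = END.match(line.strip())
        if m and records and records[-1]["end"] is None:
            records[-1]["end"] = datetime.strptime(m.group(1), TS)
    return records

def suspect_loops(records: List[Dict], min_moves: int = 10) -> List[Dict]:
    """Flag records whose move count suggests a loop rather than a one-off host move."""
    return [r for r in records if r["move_num"] >= min_moves]
```

On the sample, the single record is parsed with action error-down and 83 moves over 8 seconds, which suspect_loops() flags at the default threshold.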