1. Basic concepts
When a MAC address that has already been learned on one interface of a switch is then learned on another interface in the same VLAN, the phenomenon is called MAC address flapping (also referred to as MAC address migration). The switch keeps a single entry per MAC address per VLAN, so the newer interface replaces the older one and the traffic for that MAC follows whichever host last sent a frame with it. That is exactly the behaviour a host spoofing another host's MAC address relies on, and it is why the learning rules below matter for security and not only for loop troubleshooting.
2. Configure interface MAC learning priority to prevent MAC address flapping
1) By default every port has MAC learning priority 0; PC2 spoofs PC1's MAC address. In the topology below PC1 sits on GE0/0/1 and PC2 on GE0/0/2 of sw1, in the same VLAN, and PC2 has been given PC1's MAC address 5489-9877-4550.
![Figure 1 - 6.3 MAC address flapping - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片2-9-1024x411.png)
![Figure 2 - 6.3 MAC address flapping - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片3-9-1024x419.png)
![Figure 3 - 6.3 MAC address flapping - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片4-8-1024x423.png)
![Figure 4 - 6.3 MAC address flapping - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片5-8.png)
2) View the MAC address table
PC2 sends first, so the spoofed MAC address is learned on PC2's port, GE0/0/2, and PC1's traffic would now be delivered to PC2:
```
PC2>ping 192.168.1.3
[sw1]display mac-address
MAC Address    VLAN/VSI   PEVLAN CEVLAN Port      Type     LSP/LSR-ID
5489-9877-4550 1          -      -      GE0/0/2   dynamic  0/-
```
3) Raise the priority of port GE0/0/1 and view the MAC address table again
An entry learned on an interface with a higher MAC learning priority cannot be overwritten by a frame arriving on an interface with a lower priority. After the MAC table is cleared and PC1 pings, the entry points to GE0/0/1, and PC2's spoofed frames on the priority-0 port GE0/0/2 no longer move it:
```
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]mac-learning priority 1
[sw1-GigabitEthernet0/0/1]quit
[sw1]undo mac-address
PC1>ping 192.168.1.3
[sw1]display mac-address
MAC Address    VLAN/VSI   PEVLAN CEVLAN Port      Type     LSP/LSR-ID
5489-9877-4550 1          -      -      GE0/0/1   dynamic  0/-
```
Configure the switch to disallow MAC address flapping between interfaces that have the same priority
Priority only decides contests between interfaces of different priority; two ports that both keep the default priority 0 can still flap between each other. Disabling flapping for priority 0 means that, among priority-0 interfaces, the interface that learned the MAC address first keeps it:
```
[sw1]undo mac-learning priority 0 allow-flapping
```
Caveat: both mechanisms only protect an entry that already exists. If the entry ages out, or the legitimate host has not sent a frame since the table was cleared, the spoofing host's frame is learned normally and the entry stays on the attacker's port until a higher-priority interface learns the MAC address again. Check the result with display mac-address after each change.
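The learning rules used in section 2, as a small Python model added here (it is not Huawei's implementation and not part of the original page): interfaces default to priority 0, a higher mac-learning priority overrides a lower one, and disabling allow-flapping for a priority freezes contests between interfaces of that priority. The interface names and the MAC address come from the page; the VLAN number and the aging scenario are assumptions made for the example.

```python
"""Added example, not from the page or from Huawei: a model of the
MAC learning rules described in section 2 (default priority 0, a higher
mac-learning priority wins, "undo mac-learning priority N allow-flapping"
freezes contests between interfaces of priority N)."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    # interface -> mac-learning priority; interfaces not listed are at the default 0
    priority: dict = field(default_factory=dict)
    # priorities for which "undo mac-learning priority N allow-flapping" was configured
    no_flapping: set = field(default_factory=set)
    # (vlan, mac) -> interface currently holding the dynamic entry
    table: dict = field(default_factory=dict)

    def port_priority(self, port):
        return self.priority.get(port, 0)

    def learn(self, vlan, mac, port):
        """A frame with source `mac` arrives on `port` in `vlan`.
        Returns the interface the entry points to afterwards."""
        key = (vlan, mac)
        current = self.table.get(key)
        if current is None or current == port:
            self.table[key] = port            # new or refreshed entry
            return port
        old_p, new_p = self.port_priority(current), self.port_priority(port)
        if new_p > old_p:
            self.table[key] = port            # higher priority overrides
        elif new_p == old_p and new_p not in self.no_flapping:
            self.table[key] = port            # same priority: flapping allowed
        # lower priority, or same priority with flapping disallowed: entry kept
        return self.table[key]

    def age_out(self, vlan, mac):
        """Dynamic entries expire; after that the next frame is learned normally."""
        self.table.pop((vlan, mac), None)

    def lookup(self, vlan, mac):
        return self.table.get((vlan, mac))


PC1_PORT, PC2_PORT = "GigabitEthernet0/0/1", "GigabitEthernet0/0/2"
MAC = "5489-9877-4550"   # PC1's MAC address, which PC2 spoofs (from the page)


def scenario_default():
    """All ports at priority 0: PC2's spoofed frame steals the entry."""
    sw = Switch()
    sw.learn(1, MAC, PC1_PORT)
    return sw.learn(1, MAC, PC2_PORT)


def scenario_priority():
    """GE0/0/1 at priority 1: the spoofed frame on GE0/0/2 cannot move the entry."""
    sw = Switch(priority={PC1_PORT: 1})
    sw.learn(1, MAC, PC1_PORT)
    return sw.learn(1, MAC, PC2_PORT)


def scenario_priority_after_aging():
    """Caveat (assumed scenario): once the entry ages out, the attacker is
    learned first and keeps the entry until PC1 (higher priority) sends again."""
    sw = Switch(priority={PC1_PORT: 1})
    sw.learn(1, MAC, PC1_PORT)
    sw.age_out(1, MAC)
    stolen = sw.learn(1, MAC, PC2_PORT)
    recovered = sw.learn(1, MAC, PC1_PORT)
    return stolen, recovered


def scenario_no_flapping():
    """undo mac-learning priority 0 allow-flapping: first learner wins among priority-0 ports."""
    sw = Switch(no_flapping={0})
    sw.learn(1, MAC, PC1_PORT)
    return sw.learn(1, MAC, PC2_PORT)


if __name__ == "__main__":
    print("default           ->", scenario_default())
    print("priority          ->", scenario_priority())
    print("after aging       ->", scenario_priority_after_aging())
    print("no allow-flapping ->", scenario_no_flapping())
```

The aging scenario is the one to keep in mind when relying on learning priority alone: the protection is only as good as the legitimate host's presence in the table, which is why the detection and blocking features in the following sections are still needed.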
4. Configure VLAN-based MAC address flapping detection
![Figure 5 - 6.3 MAC address flapping - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片6-8.png)
1) Basic configuration
Put GE0/0/1 and GE0/0/2 into VLAN 100 as access ports:
```
[sw1]vlan 100
[sw1-vlan100]quit
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]port link-type access
[sw1-GigabitEthernet0/0/1]port default vlan 100
[sw1-GigabitEthernet0/0/1]quit
[sw1]interface GigabitEthernet 0/0/2
[sw1-GigabitEthernet0/0/2]port link-type access
[sw1-GigabitEthernet0/0/2]port default vlan 100
```
2) Enable MAC address flapping detection in VLAN 100 in alarm-only mode: when flapping is detected the switch only generates an alarm and blocks nothing.
```
[sw1]vlan 100
[sw1-vlan100]loop-detect eth-loop alarm-only
```
With PC1 and PC2 both sending from the same MAC address at the same time, the entry moves back and forth between GE0/0/1 and GE0/0/2 and the switch logs an MFLPVLANALARM for each move:
```
PC1>ping 192.168.1.3 -t
PC2>ping 192.168.1.3 -t
Jan 24 2023 21:14:16-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 100, flapping mac-address 5489-9877-4550 between port GE0/0/2 and port GE0/0/1.
Jan 24 2023 21:14:18-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 100, MacAddress = 5489-9877-4550, Original-Port = GE0/0/2, Flapping port = GE0/0/1. Please check the network accessed to flapping port.
```
3) When MAC address flapping is detected in the VLAN, block the interface on which the flapping occurs
block-time is the number of seconds the interface stays blocked; when it expires the switch unblocks the interface and checks again, and once flapping has recurred retry-times times the interface is blocked permanently (Expire(s) shows "forever"):
```
[sw1]vlan 100
[sw1-vlan100]loop-detect eth-loop block-time 10 retry-times 2
PC1>ping 192.168.1.3 -t
PC2>ping 192.168.1.3 -t
[sw1]display loop-detect eth-loop
PortName                Vlan   Status   Expire(s)   Leave times
GigabitEthernet0/0/1    100    Block    forever     -           -
```
4) Use the following command to unblock the interface; a permanently blocked interface does not recover on its own, so fix the cause (here, the spoofing host on GE0/0/2) before releasing it:
```
[sw1]reset loop-detect eth-loop vlan 100 interface GigabitEthernet 0/0/1
```
5) Block only the MAC address (block-mac keyword)
With block-mac the interface stays up for other hosts and only traffic from the flapping MAC address is discarded in the VLAN, which is the less disruptive choice when the port also carries legitimate traffic. The three display lines below are successive snapshots: first blocked with the block time counting down, then in the retry state, then blocked permanently after the retries are used up.
```
[sw1]vlan 100
[sw1-vlan100]loop-detect eth-loop block-mac block-time 10 retry-times 2
PC1>ping 192.168.1.3 -t
PC2>ping 192.168.1.3 -t
[sw1-vlan100]display loop-detect eth-loop
Mac Address        Vlan   Status   Expire(s)   Leave times
5489-9877-4550     100    Block    1           0
5489-9877-4550     100    Retry    20          0
5489-9877-4550     100    Block    forever     -           -
```
6) Use the following command to unblock the MAC address:
```
[sw1]reset loop-detect eth-loop vlan 100 mac-address 5489-9877-4550
```
5. Global MAC address flapping detection (enabled by default)
1) Enable MAC address flapping detection globally
```
[sw1]mac-address flapping detection
PC1>ping 192.168.1.3 -t
PC2>ping 192.168.1.3 -t
Jan 24 2023 21:41:13-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 1, MacAddress = 5489-9877-4550, Original-Port = GE0/0/2, Flapping port = GE0/0/1. Please check the network accessed to flapping port.
```
The flapping record keeps the first (S:) and last (E:) move time, the original and new interfaces and the number of moves; here the MAC address moved 76 times in about 75 seconds while both PCs were pinging:
```
[sw1]display mac-address flapping record
S : start time
E : end time
(Q) : quit vlan
(D) : error down
Move-Time                VLAN  MAC-Address     Original-Port  Move-Ports  MoveNum
S:2023-01-24 21:41:11    1     5489-9877-4550  GE0/0/2        GE0/0/1     76
E:2023-01-24 21:42:26
```
2) Exclude a VLAN from MAC address flapping detection (VLAN whitelist)
```
[sw1]mac-address flapping detection exclude vlan 100
```
3) Set the security level of MAC address flapping detection in a VLAN (high, middle or low); a higher level makes detection stricter, so fewer moves are needed before the switch reports flapping
```
[sw1]mac-address flapping detection vlan 100 security-level high
```
4) Action (and its priority) an interface applies when flapping is detected
Besides alarming, an interface can be told what to do when a MAC address flaps onto it. error-down shuts the interface, which cuts off the spoofing host but also takes the interface out of service until it is recovered:
```
[sw1]mac-address flapping detection
[sw1]interface GigabitEthernet 0/0/1
[sw1-GigabitEthernet0/0/1]mac-address flapping action error-down
```
5) Recover an error-down interface
Without auto-recovery the interface stays down until it is recovered by hand (shutdown followed by undo shutdown); here it is recovered automatically 30 seconds after going error-down:
```
[sw1]error-down auto-recovery cause mac-address-flapping interval 30
```
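To use the alarms from sections 4 and 5 outside the switch console, the following Python example (added here; it is not from the original page or from Huawei) parses both MFLPVLANALARM formats shown above and the S:/E: lines of display mac-address flapping record, groups the events per VLAN and MAC address and flags any move between two host-facing ports. The PORT_ROLE map, the fourth log line (VLAN 200) and the access-port heuristic are assumptions made for the example; the other three log lines and the record are copied from the switch output above.

```python
"""Added example, not from the original page or from Huawei: parse the
MFLPVLANALARM syslog lines and the `display mac-address flapping record`
output shown in the tutorial, then group flaps per (VLAN, MAC) and flag
flaps between two host-facing ports."""
import re
from collections import defaultdict

# Sample input: the first three lines are the alarms printed by sw1 above; the
# fourth line (VLAN 200, uplink GE0/0/24) is constructed for the example.
SAMPLE_LOGS = """\
Jan 24 2023 21:14:16-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 100, flapping mac-address 5489-9877-4550 between port GE0/0/2 and port GE0/0/1.
Jan 24 2023 21:14:18-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 100, MacAddress = 5489-9877-4550, Original-Port = GE0/0/2, Flapping port = GE0/0/1. Please check the network accessed to flapping port.
Jan 24 2023 21:41:13-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 1, MacAddress = 5489-9877-4550, Original-Port = GE0/0/2, Flapping port = GE0/0/1. Please check the network accessed to flapping port.
Jan 24 2023 21:50:00-08:00 sw1 L2IFPPI/4/MFLPVLANALARM:OID 1.3.6.1.4.1.2011.5.25.160.3.7 MAC move detected, VlanId = 200, MacAddress = 00e0-fc12-3456, Original-Port = GE0/0/24, Flapping port = GE0/0/3. Please check the network accessed to flapping port.
"""

# The S:/E: record pair from `display mac-address flapping record` above.
SAMPLE_RECORD = """\
S:2023-01-24 21:41:11 1 5489-9877-4550 GE0/0/2 GE0/0/1 76
E:2023-01-24 21:42:26
"""

# Assumed port roles for sw1 (not from the page): which interfaces face hosts.
PORT_ROLE = {"GE0/0/1": "access", "GE0/0/2": "access",
             "GE0/0/3": "access", "GE0/0/24": "uplink"}

_MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
_PREFIX = (r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\S*) (?P<host>\S+) "
           r"L2IFPPI/\d+/MFLPVLANALARM:.*?MAC move detected, VlanId = (?P<vlan>\d+), ")
ALARM_FORMATS = [
    # "... flapping mac-address X between port A and port B."
    re.compile(_PREFIX + r"flapping mac-address (?P<mac>" + _MAC +
               r") between port (?P<orig>\S+) and port (?P<flap>[^.\s]+)\."),
    # "... MacAddress = X, Original-Port = A, Flapping port = B."
    re.compile(_PREFIX + r"MacAddress = (?P<mac>" + _MAC +
               r"), Original-Port = (?P<orig>[^,]+), Flapping port = (?P<flap>[^.\s]+)\."),
]


def parse_alarms(text):
    """Return one dict per recognised alarm line: ts, host, vlan, mac, orig, flap."""
    events = []
    for line in text.splitlines():
        for fmt in ALARM_FORMATS:
            m = fmt.match(line)
            if m:
                ev = m.groupdict()
                ev["vlan"] = int(ev["vlan"])
                ev["mac"] = ev["mac"].lower()
                events.append(ev)
                break
    return events


def parse_flapping_record(text):
    """Parse the S:/E: line pairs of `display mac-address flapping record`."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("S:") and len(parts) >= 7:
            records.append({"start": parts[0][2:] + " " + parts[1],
                            "vlan": int(parts[2]), "mac": parts[3].lower(),
                            "orig": parts[4], "move_ports": parts[5].split(","),
                            "move_num": int(parts[6]), "end": None})
        elif parts[0].startswith("E:") and records:
            records[-1]["end"] = parts[0][2:] + " " + parts[1]
    return records


def summarize(events, port_role):
    """Group alarms by (vlan, mac). A move between two host-facing ports is
    flagged: one host should not appear behind two access ports of the same
    VLAN, so it is either a loop or, as on this page, a spoofed MAC address."""
    groups = defaultdict(lambda: {"count": 0, "ports": set(), "suspicious": False})
    for ev in events:
        g = groups[(ev["vlan"], ev["mac"])]
        g["count"] += 1
        g["ports"].update((ev["orig"], ev["flap"]))
        if port_role.get(ev["orig"]) == "access" and port_role.get(ev["flap"]) == "access":
            g["suspicious"] = True
    return {key: {"count": g["count"], "ports": sorted(g["ports"]),
                  "suspicious": g["suspicious"]} for key, g in groups.items()}


if __name__ == "__main__":
    for key, g in summarize(parse_alarms(SAMPLE_LOGS), PORT_ROLE).items():
        print(key, g)
    print(parse_flapping_record(SAMPLE_RECORD))
```

The two alarm formats differ only in wording, so both are normalised to the same orig/flap fields; the port-role check is where a site would plug in its own knowledge of which interfaces are uplinks, since a MAC moving between an uplink and an access port can be an ordinary topology change while a move between two access ports in one VLAN is not.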
© Copyright notice
The copyright of this article belongs to the author; do not reproduce it without permission.