08 (idnog01) arp guard in ixp by eric choy
TRANSCRIPT
Reduce IXP Outage From 40 mins to 0 min - ARP Guard in IXP
Eric Choi Senior Product Manager, Product Management Service Provider Group, APJ
The Problem Statement – Quick Recap
Information from the presentation “The Danger of Proxy ARP in IX environment” by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
Can we do better ?
How about ….
Can we avoid the outage when the problem happens?
©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA 12
Introducing ARP Guard Use Case 1
Introducing ARP Guard Use Case 2
How to implement?
Can it be done using existing mechanism?
▪ ACL?
▪ Secure ARP?
Solution
▪ Check every ARP request/reply entering the L2 interface against an access list, and drop those that match no permit rule.
Configuration
• Syntax: [no] arp-guard-group <arp-guard-access-group|id>
• Syntax: [no] permit [src_ip_addr] [src_mac_addr]
• Syntax: [no] permit vlan [id] [src_ip_addr] any
• Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr]
• Description of parameters:
• arp-guard-group – Command in global config mode that opens an ACL-like list of rules.
• arp-guard-access-group – Name of the ARP Guard access-group, which contains the list of rules.
• permit – Specifies one rule (IP address, MAC address or “any”, optionally restricted to a VLAN) in the associated ARP Guard group.
Part I
Configuration
arp-guard-group AS201
permit 20.0.0.2 0001:0002:0003:0004
arp-guard-group AS202
permit vlan 100 20.0.0.32 any
permit vlan 200 20.0.0.31 0001:0003:0003:0003
Configuration
Syntax: [no] arp-guard <arp-guard-access-group> [log]
Description of parameters:
arp-guard – Command to enable ARP Guard in interface config mode.
arp-guard-access-group – Name of the ARP Guard access-group, which contains the list of rules.
log – Option to log information about each dropped packet.
Part 2
Show command
MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#show arp-guard counters all
MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#clear arp-guard counters all
Show command Example
MLX#show arp-guard statistics ethernet 1/1
Port  Vlan-id      Arp_pkts_captured  Arp_pkts_forwarded  Arp_pkts_dropped
1/1   (Def/Untag)  0                  0                   0
1/1   3            10000              9000                100
1/1   2            10000              9000                100
Syslog
• If the “log” option is used on the arp-guard command, a syslog message is generated for each ARP packet that violates the rules. The syslog message contains the following:
• Port name/id
• arp-guard-group name
• vlan-id (if any)
• MAC address and IP address of the offending packet
Syslog Example
SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1
Example
MLX(config)#arp-guard-group AS303
MLX(config-arp-guard-group)#permit 30.0.0.31 0000:0003:0003:0004
MLX(config-arp-guard-group)#permit 30.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS303 log
Port Based Deployment
Example
MLX(config)#arp-guard-group AS202
MLX(config-arp-guard-group)#permit vlan 100 20.0.0.31 0000:0003:0003:0003
MLX(config-arp-guard-group)#permit vlan 101 20.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS202 log
IXP Wholesale Using IX
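As an added illustration (not the slides' or Brocade's code), the following Python models how the permit rules of an ARP Guard group are applied to ARP packets entering an interface, and how the per-port/VLAN counters and drop log lines come out; it uses the AS202 group from the example above, while the matching order, the MAC normalisation and the exact log format are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # one 'permit' line of an arp-guard-group
    ip: str
    mac: Optional[str]           # None models the 'any' keyword
    vlan: Optional[int] = None   # None models a permit without 'vlan <id>'

@dataclass
class Counters:
    captured: int = 0
    forwarded: int = 0
    dropped: int = 0

def norm_mac(mac: str) -> str:
    # Treat 0000.0003.0003.0003 and 0000:0003:0003:0003 as the same address
    return mac.replace(":", "").replace(".", "").replace("-", "").lower()

def matches(rule: Rule, vlan: int, ip: str, mac: str) -> bool:
    if rule.vlan is not None and rule.vlan != vlan:
        return False
    if rule.ip != ip:
        return False
    return rule.mac is None or norm_mac(rule.mac) == norm_mac(mac)

def arp_guard(rules, port, group, packets, log=True):
    """Check ARP sender fields per packet; return per-VLAN counters and drop log lines (format assumed)."""
    counters, logs = {}, []
    for vlan, ip, mac in packets:
        c = counters.setdefault(vlan, Counters())
        c.captured += 1
        if any(matches(r, vlan, ip, mac) for r in rules):
            c.forwarded += 1
        else:
            c.dropped += 1
            if log:
                logs.append(f"ARP_GUARD DROP LOG: port={port} Access_Grp={group} "
                            f"MAC_ADDR={mac} IP_ADDR={ip} VLAN: {vlan}")
    return counters, logs

# arp-guard-group AS202 as configured on the slide above
AS202 = [Rule("20.0.0.31", "0000:0003:0003:0003", vlan=100),
         Rule("20.0.0.32", None, vlan=101)]

# Constructed sample ARP sender fields, as if seen entering ethe 1/1
SAMPLE = [(100, "20.0.0.31", "0000.0003.0003.0003"),  # permitted pair: forwarded
          (100, "20.0.0.31", "0000.5822.bf78"),       # same IP, other MAC: dropped
          (101, "20.0.0.32", "0000.aaaa.bbbb"),       # MAC 'any' on VLAN 101: forwarded
          (101, "20.0.0.31", "0000.0003.0003.0003")]  # right pair, wrong VLAN: dropped
```

The last sample packet shows why the VLAN-scoped form matters on a shared IX fabric: a valid IP/MAC pair is still dropped when it appears on a VLAN where it was not permitted.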
LTE Backhaul Use Case
[Diagram: LTE backhaul over an L2 network – eNodeB, MME, SGW, PDN-GW, HSS/AAA, PCRF, DNS, IMS Core and Internet, connected over the S1-MME, S1-U, S11, S6a, S6b, S2 and SGi interfaces]
Data Center Use Case
Data Center Interconnect
ACKNOWLEDGEMENT
Raphael Ho
CheeYong Tay
Jimmy Halim
THANK YOU
Eric Choi, Senior Product Manager, Product Management Service Provider Group, APJ – email: [email protected]