08 (IDNOG01) ARP Guard in IXP by Eric Choy


Transcript of 08 (IDNOG01) ARP Guard in IXP by Eric Choy

Page 1: 08 (IDNOG01) ARP Guard in IXP by Eric Choy

Reduce IXP Outage From 40 mins to 0 min - ARP Guard in IXP

Eric Choi, Senior Product Manager, Product Management, Service Provider Group, APJ

Page 2:

The Problem Statement – Quick Recap

Information from the presentation "The Danger of Proxy ARP in IX environment" by Maksym Tulyuk @ AMSIX: http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf

Page 3:

The Problem Statement – Quick Recap

Page 4:

The Problem Statement – Quick Recap

Page 5:

The Problem Statement – Quick Recap

Page 6:

The Problem Statement – Quick Recap

Page 7:

The Problem Statement – Quick Recap

Figure: timeline with Start and End markers

Page 8:

The Problem Statement – Quick Recap

Figure: timeline with Start and End markers

Page 9:

Can we do better?

Page 10:

How about ...

Page 11:

Can we avoid the outage when the problem happens?

Page 12:

©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA

Introducing ARP Guard Use Case 1

Page 13:

Introducing ARP Guard Use Case 2

Page 14:

How to implement?

Can it be done using an existing mechanism?

▪ ACL?

▪ Secure ARP?

Solution

▪ Check every ARP request/reply entering the L2 interface against an access list.

6/24/2014 14

Page 15:

Configuration

• Syntax: [no] arp-guard-group <arp-guard-access-group|id>

• Syntax: [no] permit [src_ip_addr] [src_mac_addr]

• Syntax: [no] permit vlan [id] [src_ip_addr] any

• Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr]

• Description of parameters:

• arp-guard-group – global configuration mode command that opens an ACL-like list of rules.

• arp-guard-access-group – name of the ARP Guard access group that holds the list of rules.

• permit – adds a rule to the ARP Guard group: a source IP address, optionally tied to one source MAC address ("any" accepts every MAC) and optionally restricted to one VLAN.

Part 1

Page 16:

Configuration

arp-guard-group AS201

permit 20.0.0.2 0001:0002:0003:0004

arp-guard-group AS202

permit vlan 100 20.0.0.32 any

permit vlan 200 20.0.0.31 0001:0003:0003:0003


Page 17:

Configuration

Syntax: [no] arp-guard <arp-guard-access-group> [log]

Description of parameters:

arp-guard – interface configuration mode command that enables ARP Guard on the interface.

arp-guard-access-group – name of the ARP Guard access group that holds the list of rules.

log – option to log information about each dropped packet.

Part 2

Page 18:

Show command

MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan <vlan-id>]

MLX(config-if-e1000-1/1)#show arp-guard counters all

MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan <vlan-id>]

MLX(config-if-e1000-1/1)#clear arp-guard counters all


Page 19:

Show command example

MLX#show arp-guard statistics ethernet 1/1
Port   Vlan-id       Arp_pkts_captured   Arp_pkts_forwarded   Arp_pkts_dropped
1/1    (Def/Untag)   0                   0                    0
1/1    3             10000               9000                 100
1/1    2             10000               9000                 100

Page 20:

Syslog

• If the "log" option is given on the arp-guard command, a syslog message is generated for each ARP packet that fails the check. The message contains:

• Port name/id,

• arp-guard-group name

• vlan-id (if-any),

• MAC address and the IP address


Page 21:

Syslog example

SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1 
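The drop messages are only useful if somebody reads them. The following added example (written for this page, not Brocade code) parses lines in the format shown above and aggregates them the way a SOC would: drops per port and access group, plus the proxy-ARP signature this deck is about, one source MAC answering for several sender IPs on the same port. The field layout is taken from the slide's message; the proxy-ARP rule and its threshold are assumptions, and all log lines after the first are constructed for the example.

```python
"""Parse ARP_GUARD DROP LOG syslog lines and pick out proxy-ARP behaviour (added
example, not Brocade code). The field layout is taken from the message on the
slide; the detection rule (one MAC answering for several IPs) is an assumption."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# 'occur{1,2}ed' accepts the misspelt form the device prints as well as the correct one.
DROP_RE = re.compile(
    r"(?P<host>\S+) ARP_GUARD DROP LOG:Violation occur{1,2}ed at time "
    r"(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d): on (?P<ptype>\S+) port=(?P<port>\S+) "
    r"having Access_Grp=(?P<group>[^,]+), for the incoming packet with "
    r"MAC_ADDR=(?P<mac>[0-9A-Fa-f.]+) IP_ADDR=(?P<ip>[0-9.]+) VLAN: (?P<vlan>\d+)"
)

@dataclass(frozen=True)
class DropEvent:
    host: str
    timestamp: str
    port: str
    group: str
    mac: str
    ip: str
    vlan: int

def parse_drop(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for an ARP_GUARD DROP LOG line, None for any other syslog line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return DropEvent(m["host"], m["ts"], m["port"], m["group"].strip(),
                     m["mac"].lower(), m["ip"], int(m["vlan"]))

def summarize(lines: Iterable[str], proxy_threshold: int = 3) -> dict:
    """Count drops per (port, access group) and flag source MACs seen with at least
    proxy_threshold distinct sender IPs on one port: the proxy-ARP signature."""
    events = [e for e in map(parse_drop, lines) if e is not None]
    per_port_group = Counter((e.port, e.group) for e in events)
    ips_per_mac: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        ips_per_mac[(e.port, e.mac)].add(e.ip)
    suspects = {key: sorted(ips) for key, ips in ips_per_mac.items()
                if len(ips) >= proxy_threshold}
    return {"events": events, "per_port_group": per_port_group, "proxy_arp_suspects": suspects}

# Constructed sample: the slide's message followed by invented lines in the same format.
SAMPLE_LOG = [
    "SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with "
    "MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:37:22 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:21: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with "
    "MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.3 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:37:22 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:21: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with "
    "MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.4 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:38:05 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:38:04: on Trunk port=1/1 having Access_Grp=AS303, for the incoming packet with "
    "MAC_ADDR=0000.1111.2222 IP_ADDR=30.0.0.31 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:40:00 MLX-Dist1 System: Interface ethernet 1/1, state up",
]
```

A single drop per port is usually a mis-typed permit rule on the IXP side or a member who changed a router without telling the IXP; a MAC that keeps answering for addresses it does not own is the proxy-ARP case the earlier slides recap, and is the one worth paging somebody about.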

Page 22:

Example

MLX(config)#arp-guard-group AS303

MLX(config-arp-guard-group)#permit 30.0.0.31 0000:0003:0003:0004

MLX(config-arp-guard-group)#permit 30.0.0.32 any

MLX(config-arp-guard-group)#exit

MLX(config)#interface ethe 1/1

MLX(config-if)#arp-guard AS303 log

Port Based Deployment


Page 23:

Example

MLX(config)#arp-guard-group AS202

MLX(config-arp-guard-group)#permit vlan 100 20.0.0.31 0000:0003:0003:0003

MLX(config-arp-guard-group)#permit vlan 101 20.0.0.32 any

MLX(config-arp-guard-group)#exit

MLX(config)#interface ethe 1/1

MLX(config-if)#arp-guard AS202 log

IXP Wholesale Using IX
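To make the matching rule behind the configuration syntax, the port-based and wholesale examples, and the show counters concrete, here is an added example (written for this page, not Brocade code) that models the check in Python: an arp-guard-group is parsed into permit rules, bound to a port, and every ARP packet entering that port is accepted or dropped with per-port, per-VLAN captured/forwarded/dropped counters. The semantics are assumptions not stated on the slides: first matching permit forwards, no match drops, a permit without "vlan" applies to every VLAN, and "any" wildcards the MAC. A 48-bit MAC has 12 hexadecimal digits, so the sample configuration writes MACs in the xxxx.xxxx.xxxx form used in the syslog example rather than the 16-digit placeholders on the configuration slides; the traffic is constructed for the example.

```python
"""ARP Guard check modelled in Python (added example, not Brocade code): every ARP
request/reply entering a guarded port is matched against the permit rules of the
arp-guard-group bound to that port. Assumed semantics, not stated on the slides:
first match forwards, no match drops, a permit without 'vlan' applies to every
VLAN, and 'any' as the MAC wildcards the sender MAC."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PermitRule:
    ip: str
    mac: Optional[str]    # None = 'any'
    vlan: Optional[int]   # None = rule not scoped to a VLAN

@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: Optional[int]   # None = untagged / default VLAN
    sender_ip: str
    sender_mac: str

def normalize_mac(mac: str) -> str:
    """Strip separators (xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx) and require 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address {mac!r}")
    return digits

def parse_arp_guard_groups(config: str) -> Dict[str, List[PermitRule]]:
    """Parse 'arp-guard-group NAME' blocks of 'permit [vlan ID] IP MAC|any' lines."""
    groups: Dict[str, List[PermitRule]] = {}
    current = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "arp-guard-group":
            current = tokens[1]
            groups.setdefault(current, [])
        elif tokens[0] == "permit" and current is not None:
            rest, vlan = tokens[1:], None
            if rest[0] == "vlan":
                vlan, rest = int(rest[1]), rest[2:]
            mac = None if rest[1] == "any" else normalize_mac(rest[1])
            groups[current].append(PermitRule(rest[0], mac, vlan))
        else:
            raise ValueError(f"unexpected config line {raw!r}")
    return groups

class ArpGuard:
    def __init__(self, groups: Dict[str, List[PermitRule]]):
        self.groups = groups
        self.bindings: Dict[str, str] = {}      # port -> group ('arp-guard GROUP' on the interface)
        self.counters: Dict[Tuple[str, Optional[int]], Dict[str, int]] = {}
        self.violations: List[ArpPacket] = []   # what the 'log' option would send to syslog

    def bind(self, port: str, group: str) -> None:
        if group not in self.groups:
            raise KeyError(f"arp-guard-group {group} is not defined")
        self.bindings[port] = group

    def process(self, pkt: ArpPacket) -> bool:
        """Return True if the packet is forwarded; keep per-port/VLAN counters like 'show arp-guard'."""
        group = self.bindings.get(pkt.port)
        if group is None:
            return True                         # no ARP Guard on this port: not checked, not counted
        c = self.counters.setdefault((pkt.port, pkt.vlan),
                                     {"captured": 0, "forwarded": 0, "dropped": 0})
        c["captured"] += 1
        mac = normalize_mac(pkt.sender_mac)
        forwarded = any(
            (rule.vlan is None or rule.vlan == pkt.vlan)
            and rule.ip == pkt.sender_ip
            and (rule.mac is None or rule.mac == mac)
            for rule in self.groups[group])     # implicit deny when no permit matches
        c["forwarded" if forwarded else "dropped"] += 1
        if not forwarded:
            self.violations.append(pkt)
        return forwarded

# Constructed sample: the AS202 wholesale group (MACs in 12-hex-digit form) bound to ethernet 1/1.
SAMPLE_CONFIG = """arp-guard-group AS202
 permit vlan 100 20.0.0.31 0000.0003.0003
 permit vlan 101 20.0.0.32 any
"""

SAMPLE_TRAFFIC = [
    ArpPacket("1/1", 100, "20.0.0.31", "0000.0003.0003"),  # registered peer: forwarded
    ArpPacket("1/1", 100, "20.0.0.31", "0000.dead.beef"),  # right IP, unknown MAC: dropped
    ArpPacket("1/1", 101, "20.0.0.32", "0000.1234.5678"),  # MAC wildcarded by 'any': forwarded
    ArpPacket("1/1", 101, "20.0.0.31", "0000.0003.0003"),  # valid pair, wrong VLAN: dropped
    ArpPacket("1/1", 100, "20.0.0.99", "0000.0003.0003"),  # proxy ARP answering for another IP: dropped
    ArpPacket("2/1", 100, "20.0.0.99", "0000.0003.0003"),  # port without ARP Guard: not checked
]

def run_demo() -> ArpGuard:
    guard = ArpGuard(parse_arp_guard_groups(SAMPLE_CONFIG))
    guard.bind("1/1", "AS202")
    for pkt in SAMPLE_TRAFFIC:
        guard.process(pkt)
    return guard
```

The fourth packet is the case worth remembering for wholesale ports: the IP/MAC pair is correct, but because the permit is VLAN-scoped it is dropped when it appears on the other customer's VLAN. A port with no arp-guard binding is left alone entirely, which is what makes this a per-member, opt-in control rather than a fabric-wide change.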


Page 24:

LTE Backhaul Use Case

Figure: LTE backhaul topology. Elements: eNodeB, MME, SGW, PDN-GW, HSS/AAA, PCRF, DNS, IMS Core, Internet (www); interfaces S1-MME, S1-U, S11, S6a, S6b, S2, SGi; the eNodeBs connect to the core over an L2 Network.

Page 25:

Data Center Use Case

Data Center Interconnect

Page 26:

ACKNOWLEDGEMENT

Raphael Ho

CheeYong Tay

Jimmy Halim


Page 27:

THANK YOU

Eric Choi, Senior Product Manager, Product Management, Service Provider Group, APJ. Email: [email protected]