08 (IDNOG01) ARP Guard in IXP by Eric Choy
Reduce IXP Outage From 40 mins to 0 min - ARP Guard in IXP
Eric Choi, Senior Product Manager, Product Management Service Provider Group, APJ
The Problem Statement – Quick Recap
Information from the presentation “The Danger of Proxy ARP in IX environment” by Maksym Tulyuk @ AMSIX: http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
(Slides 3–8: the recap continues over diagrams from the Maksym Tulyuk presentation cited above; slides 7 and 8 show the outage timeline with Start and End markers. The diagrams are not reproduced in this transcript.)
Can we do better?
How about …
Can we avoid the outage when the problem happens?
Information from the presentation provided by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf (timeline diagram annotated “Stop here”)
©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA
Introducing ARP Guard Use Case 1
Introducing ARP Guard Use Case 2
How to implement?
Can it be done using an existing mechanism?
▪ ACL?
▪ Secure ARP?
Solution
▪ Check all ARP requests/replies entering the L2 interface against an access list.
6/24/2014
Configuration – Part 1
• Syntax: [no] arp-guard-group <arp-guard-access-group|id>
• Syntax: [no] permit [src_ip_addr] [src_mac_addr]
• Syntax: [no] permit vlan [id] [src_ip_addr] any
• Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr]
• Description of parameters:
• arp-guard-group – global config mode command that creates the group and enters an ACL-like rule list.
• arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
• permit – adds one rule (source IP, source MAC or any, optionally restricted to a VLAN) to the associated ARP Guard group.
Configuration – Example
arp-guard-group AS201
permit 20.0.0.2 0001:0002:0003:0004
arp-guard-group AS202
permit vlan 100 20.0.0.32 any
permit vlan 200 20.0.0.31 0001:0003:0003:0003
Configuration – Part 2
Syntax: [no] arp-guard <arp-guard-access-group> [log]
Description of parameters:
arp-guard – command that enables ARP Guard in the interface config mode.
arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
log – option to log information about each dropped packet.
Show commands
MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#show arp-guard counters all
MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#clear arp-guard counters all
Show command example
MLX#show arp-guard statistics ethernet 1/1
Port  Vlan-id      Arp_pkts_captured  Arp_pkts_forwarded  Arp_pkts_dropped
1/1   (Def/Untag)  0                  0                   0
1/1   3            10000              9000                100
1/1   2            10000              9000                100
Syslog
• If the “log” option is used on the arp-guard command, a syslog message is generated for each ARP packet that violates the rules. The syslog message contains:
• Port name/id
• arp-guard-group name
• vlan-id (if any)
• MAC address and IP address of the offending packet
Syslog example
SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1
Example – Port Based Deployment
MLX(config)#arp-guard-group AS303
MLX(config-arp-guard-group)#permit 30.0.0.31 0000:0003:0003:0004
MLX(config-arp-guard-group)#permit 30.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS303 log
Example – IXP Wholesale Using IX
MLX(config)#arp-guard-group AS202
MLX(config-arp-guard-group)#permit vlan 100 20.0.0.31 0000:0003:0003:0003
MLX(config-arp-guard-group)#permit vlan 101 20.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS202 log
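As an added example (not Brocade code and not from the slides), the following Python simulates how an ARP Guard access-group is evaluated on an interface: it parses the permit syntax from the configuration slides, keeps the per-VLAN captured/forwarded/dropped counters of the show command, and records a syslog-style drop line with the fields the Syslog slide lists. It assumes that a rule without vlan matches on any VLAN, that any wildcards the MAC, and that the check is against the ARP sender addresses; the policy and the packets are constructed from the AS202 example above.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    ip: str
    mac: "str | None"           # None means "any" (MAC wildcard)
    vlan: "int | None" = None   # None: rule not scoped to a VLAN (assumption, see lead-in)

def parse_groups(text):
    """Parse 'arp-guard-group NAME' and 'permit [vlan ID] IP MAC|any' lines."""
    groups, name = {}, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "arp-guard-group":
            name, groups[tok[1]] = tok[1], []
        elif tok[0] == "permit":
            vlan = int(tok[2]) if tok[1] == "vlan" else None
            groups[name].append(Rule(tok[-2], None if tok[-1] == "any" else tok[-1].lower(), vlan))
    return groups

class ArpGuardPort:
    """One L2 interface with 'arp-guard GROUP log' applied (simulation, not Brocade code)."""
    def __init__(self, port, group, rules):
        self.port, self.group, self.rules = port, group, rules
        self.counters = defaultdict(lambda: [0, 0, 0])  # per VLAN: captured, forwarded, dropped
        self.log = []
    def ingress(self, vlan, sender_ip, sender_mac):
        """Check one ARP request/reply's sender addresses; returns True if forwarded."""
        c = self.counters[vlan]
        c[0] += 1
        if any(r.ip == sender_ip and r.mac in (None, sender_mac.lower())
               and r.vlan in (None, vlan) for r in self.rules):
            c[1] += 1
            return True
        c[2] += 1  # violation: drop and record a syslog-style line (format constructed)
        self.log.append(f"ARP_GUARD DROP LOG: port={self.port} Access_Grp={self.group} "
                        f"MAC_ADDR={sender_mac} IP_ADDR={sender_ip} VLAN: {vlan}")
        return False
# Constructed input: the policy from the "IXP Wholesale Using IX" slide.
SAMPLE_CONFIG = """arp-guard-group AS202
permit vlan 100 20.0.0.31 0000:0003:0003:0003
permit vlan 101 20.0.0.32 any"""

def demo():
    """Run four constructed ARP packets through the policy bound to ethe 1/1."""
    port = ArpGuardPort("1/1", "AS202", parse_groups(SAMPLE_CONFIG)["AS202"])
    port.ingress(100, "20.0.0.31", "0000:0003:0003:0003")  # matches rule 1: forwarded
    port.ingress(100, "20.0.0.31", "0000:0003:0003:0099")  # IP ok, MAC differs: dropped
    port.ingress(101, "20.0.0.32", "0000:5822:bf78:0000")  # rule 2, MAC any: forwarded
    port.ingress(100, "20.0.0.32", "0000:5822:bf78:0000")  # right IP on wrong VLAN: dropped
    return port
```

After demo() the VLAN 100 counters read 3 captured, 1 forwarded, 2 dropped, and the two drop lines carry the port, access-group, VLAN, MAC and IP of each rejected packet.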
LTE Backhaul Use Case
(Diagram: eNodeB sites connected over an L2 network to the EPC core, comprising SGW, MME, PDN-GW, HSS/AAA, PCRF, DNS and IMS Core, with Internet access; interfaces shown: S1-U, S1-MME, S11, S6a, S6b, S2, SGi.)
Data Center Use Case
(Diagram: Data Center Interconnect)
ACKNOWLEDGEMENT
Raphael Ho
CheeYong Tay
Jimmy Halim
THANK YOU
Eric Choi, Senior Product Manager, Product Management Service Provider Group, APJ. Email: [email protected]