08 (IDNOG01) ARP Guard in IXP by Eric Choy
1. Reduce IXP Outage From 40 mins to 0 min - ARP Guard in IXP
Eric Choi
Senior Product Manager, Product Management
Service Provider Group, APJ
2. The Problem Statement – Quick Recap
Information from the presentation “The Danger of Proxy ARP in IX environment”
by Maksym Tulyuk @ AMSIX
http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
3. The Problem Statement – Quick Recap
(figure from the same presentation)
7. The Problem Statement – Quick Recap
(outage timeline figure, marked Start and End, from the same presentation)
8. The Problem Statement – Quick Recap
(outage timeline figure, marked Start and End, from the same presentation)
11. Can we avoid the outage when the problem happens?
(outage timeline figure from the same presentation, annotated “Stop here” at the point where the outage should be cut off)
14. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only
How to implement?
Can it be done using an existing mechanism?
▪ ACL?
▪ Secure ARP?
Solution
▪ Check every ARP request and reply entering the L2 interface against an access list, and drop those that do not match.
6/24/2014
15. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA
Configuration (Part 1): define the group
• Syntax: [no] arp-guard-group <arp-guard-access-group|id>
• Syntax: [no] permit [src_ip_addr] [src_mac_addr]
• Syntax: [no] permit vlan [id] [src_ip_addr] any
• Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr]
• Description of parameters:
• arp-guard-group – global configuration mode command that creates the group and enters a sub-mode accepting ACL-like permit rules.
• arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
• permit – adds one rule to the group: a source IP address, optionally restricted to a VLAN, with either a source MAC address or "any".
16. Configuration example
arp-guard-group AS201
permit 20.0.0.2 0001.0002.0003
arp-guard-group AS202
permit vlan 100 20.0.0.32 any
permit vlan 200 20.0.0.31 0001.0003.0003
17. Configuration (Part 2): apply the group to an interface
Syntax: [no] arp-guard <arp-guard-access-group> [log]
Description of parameters:
arp-guard – interface configuration mode command that enables ARP Guard on the port with the named group.
arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
log – additionally generate a syslog message for each dropped packet.
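The check that the two configuration parts above describe, as an added illustration in Python (not Brocade code and not from the slides): an ARP frame arriving on an L2 port is decoded, its sender IP and MAC (plus the 802.1Q VLAN if tagged) are matched against the port's arp-guard-group, and anything not explicitly permitted is dropped. Which exact packet fields the MLX compares, and how a permit line without `vlan` treats tagged frames, are assumptions stated in the code. The group AS202 is the one from slide 16 (MACs written as 48-bit addresses); the frames are constructed, not captured.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(b: bytes) -> str:
    """6 raw bytes -> the dotted form the MLX syslog uses, e.g. 0000.5822.bf78."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(".", "").replace(":", "").replace("-", ""))


@dataclass(frozen=True)
class Permit:
    ip: str
    mac: Optional[str] = None   # None models the "any" keyword
    vlan: Optional[int] = None  # None models a permit line without "vlan <id>"


@dataclass
class ArpGuardGroup:
    """Models `arp-guard-group <name>` and its `permit` lines."""
    name: str
    rules: List[Permit] = field(default_factory=list)

    def permit(self, ip: str, mac: str = "any", vlan: Optional[int] = None) -> "ArpGuardGroup":
        norm_mac = None if mac == "any" else mac_to_str(mac_to_bytes(mac))
        self.rules.append(Permit(str(IPv4Address(ip)), norm_mac, vlan))
        return self


def parse_arp(frame: bytes) -> dict:
    """Decode Ethernet [+ 802.1Q] + ARP. Raises ValueError for non-ARP or short frames."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    if len(frame) < off + 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[off:off + 28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_src": mac_to_str(src), "vlan": vlan, "oper": oper,
            "sender_mac": mac_to_str(sha), "sender_ip": str(IPv4Address(spa))}


def arp_guard(group: ArpGuardGroup, port: str, frame: bytes) -> dict:
    """Check one ARP frame received on `port` against `group`.

    Assumed semantics (not confirmed by the slides): the ARP sender hardware and
    protocol addresses are compared; a rule with "vlan <id>" matches only frames
    tagged with that VLAN, a rule without it matches tagged or untagged frames;
    requests and replies are both checked (a proxy-ARP *reply* is what the IXP
    wants stopped); anything not permitted is dropped, as with an ACL.
    The returned dict carries the fields the `log` option would put in syslog."""
    pkt = parse_arp(frame)
    for r in group.rules:
        if r.vlan is not None and r.vlan != pkt["vlan"]:
            continue
        if r.ip != pkt["sender_ip"]:
            continue
        if r.mac is not None and r.mac != pkt["sender_mac"]:
            continue
        return {"action": "forward", "port": port, "group": group.name, **pkt}
    return {"action": "drop", "port": port, "group": group.name, **pkt}


def build_arp(sender_mac: str, sender_ip: str, target_ip: str,
              oper: int = ARP_REPLY, vlan: Optional[int] = None) -> bytes:
    """Constructed test frame (not a capture): broadcast dst, sender MAC as Ethernet src."""
    sha = mac_to_bytes(sender_mac)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha,
                      IPv4Address(sender_ip).packed, b"\x00" * 6,
                      IPv4Address(target_ip).packed)
    return b"\xff" * 6 + sha + tag + struct.pack("!H", ETHERTYPE_ARP) + arp


# The AS202 group from slide 16, MACs in 48-bit dotted form.
AS202 = (ArpGuardGroup("AS202")
         .permit("20.0.0.32", "any", vlan=100)
         .permit("20.0.0.31", "0001.0003.0003", vlan=200))

if __name__ == "__main__":
    legit = build_arp("0001.0003.0003", "20.0.0.31", "20.0.0.1", vlan=200)
    # The same router answering on behalf of 20.0.0.32: the proxy-ARP case.
    proxied = build_arp("0001.0003.0003", "20.0.0.32", "20.0.0.1", vlan=200)
    for f in (legit, proxied):
        r = arp_guard(AS202, "1/1", f)
        print(r["action"], r["sender_ip"], r["sender_mac"], r["vlan"])
```

The second frame in the `__main__` block is the failure mode the deck is about: a peer's router replying to ARP for an address that is not its own. Its sender MAC is permitted, but only bound to 20.0.0.31, so the reply for 20.0.0.32 is dropped at the port instead of poisoning every other member's ARP cache.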
18. Show command
MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#show arp-guard counters all
MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan <vlan-id>]
MLX(config-if-e1000-1/1)#clear arp-guard counters all
19. Show command example
MLX#show arp-guard statistics ethernet 1/1
Port  Vlan-id      Arp_pkts_captured  Arp_pkts_forwarded  Arp_pkts_dropped
1/1   (Def/Untag)  0                  0                   0
1/1   3            10000              9000                100
1/1   2            10000              9000                100
20. Syslog
• If the "log" option is used on the arp-guard command, a syslog message is generated for each ARP packet that violates the group's rules. The message contains:
• port name/id
• arp-guard-group name
• vlan-id (if any)
• MAC address and IP address of the offending packet
21. Syslog example
SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation
occured at time Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201,
for the incoming packet with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2
VLAN: 1
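The drop message above, parsed by an added Python example (not from the slides or the product): it pulls the port, group, MAC, IP and VLAN fields that slide 20 lists out of each ARP_GUARD DROP LOG line and counts them per port, so a peer whose router keeps answering for other members' addresses stands out from a one-off typo in a permit list. The regex is built against that single sample line, so the field order is an assumption for any other firmware; the extra log lines are constructed in the same format.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Written against the one ARP_GUARD DROP LOG line shown on slide 21 (assumed
# format). "occur+ed" accepts the device's own spelling as well as "occurred".
DROP_RE = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d+ (?:\d{4} )?\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ARP_GUARD DROP LOG:\s*Violation occur+ed at time (?P<when>[^:]+:\d\d:\d\d): "
    r"on (?P<port_type>\S+) port=(?P<port>\S+) having Access_Grp=(?P<group>[^,]+), "
    r"for the incoming packet with MAC_ADDR=(?P<mac>[0-9A-Fa-f.]+) "
    r"IP_ADDR=(?P<ip>\d+(?:\.\d+){3})\s+VLAN:\s*(?P<vlan>\d+)"
)

Violator = Tuple[str, str, int]   # (mac, ip, vlan)
PortKey = Tuple[str, str, str]    # (host, port, group)


def parse_drop(line: str) -> Optional[dict]:
    """Return the fields of one ARP Guard drop message, or None for any other line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    # syslog PRI = facility * 8 + severity; <14> is user-level (1), informational (6)
    facility, severity = divmod(int(d.pop("pri")), 8)
    d.update(facility=facility, severity=severity, vlan=int(d["vlan"]), mac=d["mac"].lower())
    return d


def violators(lines: Iterable[str], threshold: int = 1) -> Dict[PortKey, Dict[Violator, int]]:
    """Count drops per (host, port, group); keep (mac, ip, vlan) seen >= threshold times.

    One MAC paired with several IPs on the same port is the proxy-ARP pattern;
    a single drop is more often a permit-list typo or an unannounced MAC change."""
    counts: Dict[PortKey, Counter] = defaultdict(Counter)
    for line in lines:
        d = parse_drop(line)
        if d:
            counts[(d["host"], d["port"], d["group"])][(d["mac"], d["ip"], d["vlan"])] += 1
    return {k: {v: n for v, n in c.items() if n >= threshold} for k, c in counts.items()}


# Constructed sample: the first entry is the slide's line joined onto one line,
# the next two are made up in the same format, the last is an unrelated message.
SAMPLE_LOG = [
    "SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet "
    "with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:37:25 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:24: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet "
    "with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.3 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:37:31 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time "
    "Mar 14 22:37:30: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet "
    "with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1",
    "SYSLOG: <14>Mar 14 1905 22:38:02 MLX-Dist1 System: Interface ethernet 4/2, state up",
]

if __name__ == "__main__":
    for key, hits in violators(SAMPLE_LOG).items():
        print(key, hits)
```

Two things in the sample line are worth noticing before wiring this into alerting: the syslog header year is 1905, i.e. the box's clock was never set, and the message carries a second "at time" stamp for the violation itself, one second before the header. Both fields are kept in the parsed record; correlating drops with a member's outage report is only meaningful once the MLX is on NTP.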
22. Example: port-based deployment
MLX(config)#arp-guard-group AS303
MLX(config-arp-guard-group)#permit 30.0.0.31 0000.0003.0003
MLX(config-arp-guard-group)#permit 30.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS303 log
23. Example: IXP wholesale using the IX (per-VLAN rules on one port)
MLX(config)#arp-guard-group AS202
MLX(config-arp-guard-group)#permit vlan 100 20.0.0.31 0000.0003.0003
MLX(config-arp-guard-group)#permit vlan 101 20.0.0.32 any
MLX(config-arp-guard-group)#exit
MLX(config)#interface ethe 1/1
MLX(config-if)#arp-guard AS202 log
24. LTE Backhaul Use Case
(figure: eNodeB sites reach the EPC (MME, SGW, PDN-GW, HSS, AAA, PCRF, IMS Core, DNS, Internet) over an L2 network; interfaces shown: S1-U, S1-MME, S11, S6a, S6b, S2, SGi)
25. Data Center Use Case
(figure: Data Center Interconnect)
26. ACKNOWLEDGEMENT
Raphael Ho
CheeYong Tay
Jimmy Halim