Configuring Excessive MAC or IP Move Protection


Excessive MAC or IP moves necessitate numerous updates to vPort and Layer 3 tables over a short interval, which result in high CPU and disk utilization among other network problems. A MAC move is detected when two devices send the same MAC address on different interfaces on the same switch, or on different switches in a fabric with the same VLAN. An IP move is observed when an IP address oscillates between two MAC addresses.


Netvisor ONE version 6.0.1 offers protection against excessive MAC or IP moves by quarantining vPort and L3 entries, that is, by not updating the entries until MAC or IP move condition is resolved. When you enable the protection feature, if more than five IP moves or MAC moves are detected within an interval of 5s, Netvisor ONE performs the following:


  • Updates the excess-mac-move-detected or excess-ip-move-detected flags
  • Logs excess_mac_move or excess_ip_move message.


While sending the vPort or Layer 3 updates to other fabric nodes, the software skips the entries that have an excess move flag set, and thereby avoids sending a large number of updates.


The software then monitors the quarantined entries and if no MAC or IP moves are detected for a duration of 15s, Netvisor ONE performs the following:

  • Clears the excess-mac-move-detected or excess-ip-move-detected flags.
  • Logs clear_excess_mac_move or clear_excess_ip_move message.


Netvisor ONE can also protect the CPU from excessive traffic related to MAC or IP moves by regulating the punt rate of associated CoS (Class of Service) queues. MAC moves and IP moves are punted to the CPU from the smac-miss queue and the arp queue respectively. When excessive MAC or IP moves are detected, and if CPU utilization is above 70 percent, the software can limit the punt rate from smac-miss or arp queues by 50 percent.


To configure CoS queue protection, you must first enable extended queue setting by using the command:

CLI (network-admin@switch1) > system-settings-modify cpu-class-enable

Use the vport-settings-modify command to configure MAC and IP move protection. These protection schemes are disabled by default.

CLI (network-admin@switch1) > vport-settings-modify

vport-settings-modify

Modify vPort settings.

Specify one or more of the following options:

vport-disk-space vport-disk-space-number

Specify the amount of disk space for vPorts. The default is 500M.

stats-max-memory stats-max-memory-number

Specify the maximum memory for collecting vPort information. The default memory is 50M.

stats-log-enable|
stats-log-disable

Specify if you want to enable or disable logs for vPort statistics. Enabled by default.

stats-log-interval duration: #d#h#m#s

Specify the interval between logging events. The default is one minute.

stats-log-disk-space disk-space-number

Specify the amount of disk space for vPort logs. The default is 50M.

system-stats-log-enable|system-stats-log-
disable

Specify if you want to enable or disable logging for the system. Enabled by default.

system-stats-log-
interval duration: #d#h#m#s 

Specify the interval between logging events. The default is one minute.

system-stats-log-disk-
space disk-space-number

Specify the disk space for system statistics. The default is 50M.

excess-mac-move-protection-enable|no-excess-mac-move-protection-enable

Enable or disable excess MAC move protection.

excess-mac-move-queue-protect|no-excess-mac-move-queue-protect

Enable or disable excess MAC move queue protection.

excess-ip-move-protection-enable|no-excess-ip-move-protection-enable

Enable or disable excess IP move protection. 

excess-ip-move-queue-protect|no-excess-ip-move-queue-protect

Enable or disable excess IP move queue protection.


For example, to configure excess MAC move protection, use the command:

CLI (network-admin@switch1) > vport-settings-modify excess-mac-move-protection-enable


To enable excess MAC move CoS queue protection in order to limit the punt rate from the smac-miss queue to the CPU by 50 percent, use the command:

CLI (network-admin@switch1) > vport-settings-modify excess-mac-move-queue-protect

To configure excess IP move protection, use the command:

CLI (network-admin@switch1) > vport-settings-modify excess-ip-move-protection-enable


To enable excess IP move CoS queue protection in order to limit the punt rate from the arp queue to the CPU by 50 percent, use the command:

CLI (network-admin@switch1) > vport-settings-modify excess-ip-move-queue-protect


Use the vport-settings-show command to view the current status of various protection schemes:


CLI (network-admin@switch1) > vport-settings-show format all

switch:                         switch1

vport-disk-space:               500M

stats-max-memory:               50M

stats-log-enable:               yes

stats-log-interval:             1m

stats-log-disk-space:           50M

system-stats-max-memory:        50M

system-stats-log-enable:        yes

system-stats-log-interval:      1m

system-stats-log-disk-space:    50M

loop-prevent:                   enabled

excess-mac-move-protect-enable: yes

excess-mac-move-queue-protect:  yes

excess-mac-move-queue-state:    active

excess-ip-move-protect-enable:  yes

excess-ip-move-queue-protect:   yes

excess-ip-move-queue-state:     active


If queue protection is enabled, the fields excess-mac-move-queue-state and excess-ip-move-queue-state are set to active when MAC or IP moves are detected and CPU utilization is above 70 percent.


If excess MAC move is detected, the vport-show and l2-table-show outputs display the state of the corresponding entries with an excess-mac-move-detected flag. For example:


CLI (network-admin@switch) > vport-show vlan 100


owner   mac          vlan ip        num-ips ports state                           hostname migrate

------- ------------ ---- --------- ------- ----- ------------------------------- -------- -------

switch 00:x:x:x:x:x 100  100.0.0.1  2       126   active,excess-mac-move-detected  host    52840


CLI (network-admin@serpens-vle-1*) > l2-table-show vlan 100

mac               vlan ports state                           migrate

----------------- ---- ----- ------------------------------- -------

00:11:22:33:44:55 100  33    active,excess-mac-move-detected 56


If an excess IP move situation is detected, the l3-table-show output displays the state of the corresponding entry with an excess-ip-move-detected flag. For example:


CLI (network-admin@switch) > l3-table-show vlan 200


switch   mac         ip       vlan state

------ ------------ --------- ---- ------------------------------

switch 00:x:x:x:x:x 200.0.0.1 200  active,excess-ip-move-detected


You can view the log messages for excess MAC and IP move detection and resolution by using the command, log-system-show. For example:


CLI (network-admin@switch1) > log-system-show name excess_mac_move,excess_ip_move,clear_excess_mac_move,clear_excess_ip_move


category:         system

time:             2020-08-12,00:55:16.738453-07:00

name:             clear_excess_mac_move

code:             11525

level:            note

message:          Excess MAC move condition cleared for mac=00:01:02:03:04:05, vnet= vlan=100 vxlan=0

category:         system

time:             2020-08-12,00:55:26.463901-07:00

name:             clear_excess_ip_move

code:             11526

level:            note

message:          Excess IP move condition cleared for ip=200.0.0.1 vnet= vlan=200 vxlan=0

category:         system

time:             2020-08-12,00:57:33.577668-07:00

name:             excess_mac_move

code:             11523

level:            note

message:          Excess MAC moves detected for mac=00:01:02:03:04:05, vnet= vlan=100

category:         system

time:             2020-08-12,00:57:33.717490-07:00

name:             excess_ip_move

code:             11524

level:            note

message:          Excess IP moves detected for ip=200.0.0.1 vnet= vlan=200 vxlan=0


north
    keyboard_arrow_up
    keyboard_arrow_down
    description
    print
    feedback
    support
    business
    rss_feed
    south