Configuring Excessive MAC or IP Move Protection
Excessive MAC or IP moves force numerous updates to the vPort and Layer 3 tables over a short interval, which drives up CPU and disk utilization and can cause other network problems. A MAC move is detected when the same MAC address is learned on different interfaces of the same switch, or on different switches in a fabric within the same VLAN; typical causes are a loop, a dual-homed host that is not bonded, or a host impersonating another host's address. An IP move is detected when an IP address oscillates between two MAC addresses.
Netvisor ONE version 6.0.1 protects against excessive MAC or IP moves by quarantining the affected vPort and Layer 3 entries, that is, by not updating them until the move condition is resolved. When the protection feature is enabled and more than five MAC moves or IP moves are detected for an entry within an interval of 5 s, Netvisor ONE performs the following:
- Sets the excess-mac-move-detected or excess-ip-move-detected flag on the entry.
- Logs an excess_mac_move or excess_ip_move message.
When sending vPort or Layer 3 updates to other fabric nodes, the software skips the entries that have an excess move flag set, and thereby avoids propagating a large number of updates across the fabric.
The software then monitors the quarantined entries, and if no MAC or IP moves are detected for 15 s, Netvisor ONE performs the following:
- Clears the excess-mac-move-detected or excess-ip-move-detected flag.
- Logs a clear_excess_mac_move or clear_excess_ip_move message.
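The following Python model of the threshold and hysteresis described above is an added example, not Netvisor ONE code. It tracks the last accepted location of each entry, sets a quarantine flag when more than five moves land inside a 5 s window, refuses updates while the flag is set, and clears the flag after 15 s without a move. The sliding window, the MoveTracker class and the constructed event streams are assumptions for illustration; the page does not document the product's internal windowing.

```python
"""Model of the excess-move detection and quarantine behaviour described on
this page: more than five moves inside a 5 s window sets the flag; 15 s with
no move clears it. This is an added illustration, not Netvisor ONE code; the
sliding window and the MoveTracker API are assumptions."""
from collections import deque

MOVE_THRESHOLD = 5      # documented: "more than five" moves ...
MOVE_WINDOW_S = 5.0     # ... within 5 s sets the excess-move flag
CLEAR_QUIET_S = 15.0    # documented: 15 s without a move clears it


class MoveTracker:
    """One tracker serves both tables: for MAC moves the key is (vlan, mac)
    and the location is a port; for IP moves the key is (vlan, ip) and the
    location is a MAC address."""

    def __init__(self, threshold=MOVE_THRESHOLD, window=MOVE_WINDOW_S,
                 quiet=CLEAR_QUIET_S):
        self.threshold, self.window, self.quiet = threshold, window, quiet
        self.location = {}   # key -> last accepted location
        self.moves = {}      # key -> timestamps of recent moves (sliding window)
        self.flagged = {}    # key -> time of the latest move while flagged
        self.log = []        # (ts, message name, key), in emission order

    def observe(self, ts, key, location):
        """Feed one learn event. Returns True if the table entry is updated,
        False if the entry is quarantined and the update is skipped."""
        if key not in self.location:
            self.location[key] = location
            return True
        if self.location[key] == location:
            return True                      # same place: not a move
        if key in self.flagged:
            self.flagged[key] = ts           # still oscillating: extend quarantine
            return False
        recent = self.moves.setdefault(key, deque())
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop moves older than the window
        if len(recent) > self.threshold:
            self.flagged[key] = ts
            self.log.append((ts, "excess_move", key))
            recent.clear()
            return False                     # entry frozen at its last location
        self.location[key] = location
        return True

    def tick(self, now):
        """Periodic check: clear flags on entries quiet for the full interval.
        The frozen location may be stale afterwards; the next learn then counts
        as a single move, well below the threshold."""
        for key, last in list(self.flagged.items()):
            if now - last >= self.quiet:
                del self.flagged[key]
                self.log.append((now, "clear_excess_move", key))

    def is_quarantined(self, key):
        return key in self.flagged


def flapping_demo():
    """Constructed: a MAC on VLAN 100 bounces between ports 10 and 11 six
    times in two seconds, then goes silent."""
    t = MoveTracker()
    key = (100, "00:11:22:33:44:55")
    t.observe(0.0, key, 10)
    for i, port in enumerate([11, 10, 11, 10, 11, 10]):
        t.observe(0.5 + 0.3 * i, key, port)
    flagged = t.is_quarantined(key)
    t.tick(10.0)                 # only 8 s quiet: still quarantined
    still_flagged = t.is_quarantined(key)
    t.tick(20.0)                 # 18 s quiet: cleared
    cleared = not t.is_quarantined(key)
    return flagged, still_flagged, cleared, [name for _, name, _ in t.log]


def slow_mover_demo():
    """Constructed: one move every 2 s never puts more than three moves in
    any 5 s window, so a legitimate slow migration is never flagged."""
    t = MoveTracker()
    key = (100, "00:11:22:33:44:66")
    for i, port in enumerate([10, 11] * 4):
        t.observe(2.0 * i, key, port)
    return t.is_quarantined(key)
```

The second scenario is the one to keep in mind when tuning: a host that genuinely migrates (a VM moving between hypervisors, for example) generates isolated moves and is never quarantined, while a loop or an address conflict produces a burst that crosses the threshold within the window.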
Netvisor ONE can also protect the CPU from excessive traffic related to MAC or IP moves by regulating the punt rate of the associated CoS (Class of Service) queues. MAC moves and IP moves are punted to the CPU through the smac-miss queue and the arp queue respectively. When excessive MAC or IP moves are detected and CPU utilization is above 70 percent, the software can reduce the punt rate from the smac-miss or arp queue by 50 percent.
To configure CoS queue protection, you must first enable extended queue setting by using the command:
CLI (network-admin@switch1) > system-settings-modify cpu-class-enable
Use the vport-settings-modify command to configure MAC and IP move protection. These protection schemes are disabled by default.
CLI (network-admin@switch1) > vport-settings-modify
vport-settings-modify
Modify vPort settings. Specify one or more of the following options:

vport-disk-space vport-disk-space-number
    Specify the amount of disk space for vPorts. The default is 500M.
stats-max-memory stats-max-memory-number
    Specify the maximum memory for collecting vPort information. The default is 50M.
stats-log-enable|stats-log-disable
    Enable or disable logging of vPort statistics. Enabled by default.
stats-log-interval duration: #d#h#m#s
    Specify the interval between logging events. The default is one minute.
stats-log-disk-space disk-space-number
    Specify the amount of disk space for vPort logs. The default is 50M.
system-stats-log-enable|system-stats-log-disable
    Enable or disable logging of system statistics. Enabled by default.
system-stats-log-interval duration: #d#h#m#s
    Specify the interval between system statistics logging events. The default is one minute.
system-stats-log-disk-space disk-space-number
    Specify the amount of disk space for system statistics logs. The default is 50M.
excess-mac-move-protection-enable|no-excess-mac-move-protection-enable
    Enable or disable excess MAC move protection.
excess-mac-move-queue-protect|no-excess-mac-move-queue-protect
    Enable or disable excess MAC move queue protection.
excess-ip-move-protection-enable|no-excess-ip-move-protection-enable
    Enable or disable excess IP move protection.
excess-ip-move-queue-protect|no-excess-ip-move-queue-protect
    Enable or disable excess IP move queue protection.
For example, to configure excess MAC move protection, use the command:
CLI (network-admin@switch1) > vport-settings-modify excess-mac-move-protection-enable
To enable excess MAC move CoS queue protection, which limits the punt rate from the smac-miss queue to the CPU by 50 percent while excess MAC moves are detected and CPU utilization is above 70 percent, use the command:
CLI (network-admin@switch1) > vport-settings-modify excess-mac-move-queue-protect
To configure excess IP move protection, use the command:
CLI (network-admin@switch1) > vport-settings-modify excess-ip-move-protection-enable
To enable excess IP move CoS queue protection, which limits the punt rate from the arp queue to the CPU by 50 percent while excess IP moves are detected and CPU utilization is above 70 percent, use the command:
CLI (network-admin@switch1) > vport-settings-modify excess-ip-move-queue-protect
Use the vport-settings-show command to view the current status of various protection schemes:
CLI (network-admin@switch1) > vport-settings-show format all
switch: switch1
vport-disk-space: 500M
stats-max-memory: 50M
stats-log-enable: yes
stats-log-interval: 1m
stats-log-disk-space: 50M
system-stats-max-memory: 50M
system-stats-log-enable: yes
system-stats-log-interval: 1m
system-stats-log-disk-space: 50M
loop-prevent: enabled
excess-mac-move-protect-enable: yes
excess-mac-move-queue-protect: yes
excess-mac-move-queue-state: active
excess-ip-move-protect-enable: yes
excess-ip-move-queue-protect: yes
excess-ip-move-queue-state: active
If queue protection is enabled, the excess-mac-move-queue-state and excess-ip-move-queue-state fields show active only while excess MAC or IP moves are detected and CPU utilization is above 70 percent, that is, while the punt rate is actually being limited. A value of yes for the queue-protect fields therefore means the feature is armed, not that it is currently acting.
If an excess MAC move is detected, the vport-show and l2-table-show outputs display the state of the corresponding entries with the excess-mac-move-detected flag. For example:
CLI (network-admin@switch) > vport-show vlan 100
owner mac vlan ip num-ips ports state hostname migrate
------- ------------ ---- --------- ------- ----- ------------------------------- -------- -------
switch 00:x:x:x:x:x 100 100.0.0.1 2 126 active,excess-mac-move-detected host 52840
CLI (network-admin@serpens-vle-1*) > l2-table-show vlan 100
mac vlan ports state migrate
----------------- ---- ----- ------------------------------- -------
00:11:22:33:44:55 100 33 active,excess-mac-move-detected 56
If an excess IP move is detected, the l3-table-show output displays the state of the corresponding entry with the excess-ip-move-detected flag. For example:
CLI (network-admin@switch) > l3-table-show vlan 200
switch mac ip vlan state
------ ------------ --------- ---- ------------------------------
switch 00:x:x:x:x:x 200.0.0.1 200 active,excess-ip-move-detected
You can view the log messages for excess MAC and IP move detection and resolution with the log-system-show command, filtering on the message names. In the output below, the clear messages at 00:55 close an earlier episode whose detection falls outside the displayed range, and the detections at 00:57 open a new episode that has not yet been cleared. For example:
CLI (network-admin@switch1) > log-system-show name excess_mac_move,excess_ip_move,clear_excess_mac_move,clear_excess_ip_move
category: system
time: 2020-08-12,00:55:16.738453-07:00
name: clear_excess_mac_move
code: 11525
level: note
message: Excess MAC move condition cleared for mac=00:01:02:03:04:05, vnet= vlan=100 vxlan=0
category: system
time: 2020-08-12,00:55:26.463901-07:00
name: clear_excess_ip_move
code: 11526
level: note
message: Excess IP move condition cleared for ip=200.0.0.1 vnet= vlan=200 vxlan=0
category: system
time: 2020-08-12,00:57:33.577668-07:00
name: excess_mac_move
code: 11523
level: note
message: Excess MAC moves detected for mac=00:01:02:03:04:05, vnet= vlan=100
category: system
time: 2020-08-12,00:57:33.717490-07:00
name: excess_ip_move
code: 11524
level: note
message: Excess IP moves detected for ip=200.0.0.1 vnet= vlan=200 vxlan=0
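As an added example, not part of Netvisor ONE or this guide, the following Python script parses log-system-show records of the shape shown above into per-entry quarantine episodes, the kind of normalization a SIEM or a monitoring job would do before alerting. It handles the two edge cases visible in the output: a clear message whose detection falls outside the displayed range, and a detection with no clear yet, meaning the entry is still quarantined and still being skipped in fabric updates. The sample text (which reuses the message names and codes from the page but adds a final clear record), the function names and the episode format are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample shaped like the log-system-show output on this page
# (same names and codes; the final clear record is added for illustration).
SAMPLE = """\
category: system
time: 2020-08-12,00:55:16.738453-07:00
name: clear_excess_mac_move
code: 11525
level: note
message: Excess MAC move condition cleared for mac=00:01:02:03:04:05, vnet= vlan=100 vxlan=0
category: system
time: 2020-08-12,00:57:33.577668-07:00
name: excess_mac_move
code: 11523
level: note
message: Excess MAC moves detected for mac=00:01:02:03:04:05, vnet= vlan=100
category: system
time: 2020-08-12,00:57:33.717490-07:00
name: excess_ip_move
code: 11524
level: note
message: Excess IP moves detected for ip=200.0.0.1 vnet= vlan=200 vxlan=0
category: system
time: 2020-08-12,00:58:40.000000-07:00
name: clear_excess_ip_move
code: 11526
level: note
message: Excess IP move condition cleared for ip=200.0.0.1 vnet= vlan=200 vxlan=0
"""

# message name -> (table, action); any other log name is ignored
EVENTS = {
    "excess_mac_move": ("mac", "detect"),
    "clear_excess_mac_move": ("mac", "clear"),
    "excess_ip_move": ("ip", "detect"),
    "clear_excess_ip_move": ("ip", "clear"),
}
ADDR_RE = re.compile(r"\b(?:mac|ip)=([^\s,]+)")   # stops at the comma after a MAC
VLAN_RE = re.compile(r"\bvlan=(\d+)")


def parse_records(text):
    """Split 'key: value' lines into one dict per record; a new record
    starts at every 'category:' line. Only the first colon separates the
    key, so MAC addresses and timestamps in values survive intact."""
    records, cur = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "category" and cur:
            records.append(cur)
            cur = {}
        cur[key] = value
    if cur:
        records.append(cur)
    return records


def parse_time(s):
    # Netvisor prints 2020-08-12,00:55:16.738453-07:00; %z accepts the colon
    return datetime.strptime(s, "%Y-%m-%d,%H:%M:%S.%f%z")


def episodes(text):
    """Pair detect/clear messages per (table, address, vlan) into episodes."""
    open_eps, out = {}, []
    for rec in parse_records(text):
        kind = EVENTS.get(rec.get("name"))
        if kind is None:
            continue
        table, action = kind
        addr, vlan = ADDR_RE.search(rec["message"]), VLAN_RE.search(rec["message"])
        if not addr or not vlan:
            continue                           # unexpected message shape: skip
        key = (table, addr.group(1), int(vlan.group(1)))
        ts = parse_time(rec["time"])
        if action == "detect":
            open_eps.setdefault(key, ts)       # keep the first detect if repeated
            continue
        start = open_eps.pop(key, None)
        if start is None:                      # detection precedes the shown range
            out.append({"key": key, "start": None, "end": ts,
                        "duration_s": None, "status": "cleared (detect not in window)"})
        else:
            out.append({"key": key, "start": start, "end": ts,
                        "duration_s": (ts - start).total_seconds(), "status": "cleared"})
    for key, start in open_eps.items():        # detected, never cleared
        out.append({"key": key, "start": start, "end": None,
                    "duration_s": None, "status": "still quarantined"})
    return out


def quarantined_now(text):
    """Entries with a detect but no clear: still skipped in fabric updates."""
    return {e["key"] for e in episodes(text) if e["status"] == "still quarantined"}


if __name__ == "__main__":
    for ep in episodes(SAMPLE):
        print(ep["key"], ep["status"], ep["duration_s"])
```

Long or repeated episodes for the same address, or a MAC and an IP episode starting within the same second, are the cases worth alerting on: the first points at a persistent loop or an address conflict, the second at a single host whose Layer 2 and Layer 3 identities are flapping together.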