Hi , we want to write a port security script. In the first router work normally , all interfaces have ip addresses . then the user wants to set port security on an interface. and here we must enable learning mac features on that interface. For this requirement , we searched and found that when an interface is added to a bridge , a history of connected device mac addresses is formed that can be seen by running "sh l2fib all" command. we can set a limit on the learned mac address on that table too . The interface , GigabitEthernet2/6/0 , has its previous ip address . cisco can ping it well . but when we added GigabitEthernet2/6/0 to a bridge-domain it kept his ip address but Cisco cannot ping that.we don't want to create a multi-interface bridge-domain and use l2-forwarding.it's just a tool for make a memory of connected device's mac address .
On Thu, Aug 5, 2021 at 12:46 PM Neale Ranns <ne...@graphiant.com> wrote: > > > HI Mohsen, > > > > *From: *Mohsen Meamarian <meamarian.moh...@gmail.com> > *Date: *Thursday, 5 August 2021 at 08:24 > *To: *Neale Ranns <ne...@graphiant.com> > *Cc: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *Re: [vpp-dev] MAC Learning in vpp > > Hi Neale, > > Thanks , I’m looking for another way because I have a problem with the > bridge. > > > > Another way to do what? Do you want to do l2 forwarding or not? > > > > I have made a bridge with 2 interfaces, one as BVI and from loopback type > and the other is GigabitEthernet2/0/6. I send a ping packet to the > GigabitEthernet2/6/0 interface of my system via a Cisco router, although > the destination MAC address that vpp detects in the trace is its own MAC > address, but it doesn't pick up the packet. > > > > The trace file you sent shows VPP’s address as the source MAC of the > received packet. The destination MAC is not in the l2fib, hence the drop. > > But that aside, you can’t ping an interface that does not have an IP > address. It’s the BVI that has the IP address – it is the L3 interface here. > > > > /neale > > > > I attached my trace and bridge configuration. Also I got another error > when uu-flood and flood of bridge-domain is enabled: l2 replication drop.I > have tried both modes with BVI interface and without BVI interface. > > > > On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns <ne...@graphiant.com> wrote: > > Hi Mohsen, > > > > Perhaps I misunderstood your intentions. MAC learning I was talking about > is what a switch/bridge domain does to populate its forwarding tables to > perform l2 forwarding. My old and limited experience with port-security was > as a feature on l2 interface in a BD. > > If what you wanted was ARP for L3 interfaces, then we’re talking about IP > neighbours. The size of the ip-neighbour DB (which is shared between ARP > and ND entries) has only a global not a per-interface limit. > > DBGvpp# set ip neighbor-config ? > > set ip neighbor-config set ip neighbor-config ip4|ip6 > [limit <limit>] [age <age>] [recycle|norecycle] > > there are no other means to control what IP neighbours are or aren’t > learned. > > > > /neale > > > > > > *From: *Mohsen Meamarian <meamarian.moh...@gmail.com> > *Date: *Wednesday, 4 August 2021 at 07:26 > *To: *Neale Ranns <ne...@graphiant.com> > *Cc: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *Re: [vpp-dev] MAC Learning in vpp > > Hi Neal, > > Thanks, Is there a way to view and limit learned MAC addresses for an > interface without adding an interface to a bridge-domain? > > > > On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns <ne...@graphiant.com> wrote: > > HI Mohsen, > > > > Learning in a BD is enabled by default – your trace shows learning on. You > can turn in on or off through configuration on the BD or on the input > interface. > > DBGvpp# set bridge-domain ? > > set bridge-domain learn set bridge-domain learn > <bridge-domain-id> [disable] > > set bridge-domain learn-limit set bridge-domain learn-limit > <bridge-domain-id> <learn-limit> > > > > or > > > > DBGvpp# set interface l2 ? > > set interface l2 learn set interface l2 learn > <interface> [disable] > > > > Ping and ARP work with learning on. > > > > Note also in the commands above, there is a mechanism to limit the number > of MACs that can be learnt in each BD. > > > > /neale > > > > > > *From: *Mohsen Meamarian <meamarian.moh...@gmail.com> > *Date: *Tuesday, 3 August 2021 at 06:37 > *To: *Neale Ranns <ne...@graphiant.com> > *Cc: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *Re: [vpp-dev] MAC Learning in vpp > > Thanks neale, > > What is the easiest way to enable learning on an interface while other > functionality , including passing the ping and arp packets , work normally? > > > > I want l2_learn_process run for that interface so that I can write a > function to do something like put a limiting on maximum connected devices > with it's help. > > > > > > On Mon, Aug 2, 2021, 23:38 Neale Ranns <ne...@graphiant.com> wrote: > > > > HI Moshen, > > > > *From: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Mohsen > Meamarian via lists.fd.io <meamarian.mohsen=gmail....@lists.fd.io> > *Date: *Monday, 2 August 2021 at 18:45 > *To: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *[vpp-dev] MAC Learning in vpp > > Hi friends, > > I want to implement port security in vpp. I assume that the > l2learn_process function in l2_learn.c runs periodically when vpp is active > and When a device is connected to my system , this function helps to learn > it's mac. Is this assumption true ? > > > > No. l2_learn runs for all packets that are received on a link on which > learning is enabled. You can see it in the trace you provided. It is > learning in this VLIB node that will populated the l2fib. > > > > because when I run the sh l2fib command , it returns nothing. but when I > set an interface as a bridge , the sh l2fib command returns something. my > commands : > > > > create bridge-domain 2 arp-term 1 > create loopback interface > set int l2 bridge loop0 2 bvi > set interface state loop0 up > set interface l2 bridge GigabitEthernet0/8/0 2 > > show bridge-domain 2 detail > show l2fib all > > > > but i have a problem here. vpp drop ping packet.Where can the problem come > from? > > > > I attached my trace command result to this mail.I get " l2-flood: BVI L3 > mac mismatch " error. > > > > That shows an ARP packet destined to a unicast MAC. That packet was > flooded, suggesting an l2fib miss and unknown-unicast flooding is enabled. > The dst MAC of the packet did not match the MAC of the BVI (the only other > interface in the BD) so it was dropped. > > > > /neale > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19921): https://lists.fd.io/g/vpp-dev/message/19921 Mute This Topic: https://lists.fd.io/mt/84615988/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
