Hi,

But do you want port-security to work for an L2 interface in a BD, or for an L3 interface? L2 and L3 interfaces manage the 'learned' MAC address very differently, therefore it would be a different mechanism to monitor/filter/munge/etc.
/neale

From: Mohsen Meamarian <meamarian.moh...@gmail.com>
Date: Thursday, 5 August 2021 at 11:13
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] MAC Learning in vpp

Hi,

We want to write a port security script. At first the router works normally; all interfaces have IP addresses. Then the user wants to set port security on an interface, and here we must enable the MAC learning feature on that interface. For this requirement, we searched and found that when an interface is added to a bridge, a history of connected devices' MAC addresses is formed that can be seen by running the "sh l2fib all" command. We can set a limit on the learned MAC addresses in that table too. The interface, GigabitEthernet2/6/0, has its previous IP address. Cisco can ping it well, but when we added GigabitEthernet2/6/0 to a bridge-domain it kept its IP address but Cisco cannot ping it. We don't want to create a multi-interface bridge-domain and use l2-forwarding; it's just a tool to make a memory of connected devices' MAC addresses.

On Thu, Aug 5, 2021 at 12:46 PM Neale Ranns <ne...@graphiant.com> wrote:

Hi Mohsen,

From: Mohsen Meamarian <meamarian.moh...@gmail.com>
Date: Thursday, 5 August 2021 at 08:24
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] MAC Learning in vpp

Hi Neale,

Thanks, I'm looking for another way because I have a problem with the bridge.

Another way to do what? Do you want to do L2 forwarding or not?

I have made a bridge with 2 interfaces, one as BVI and from loopback type and the other is GigabitEthernet2/0/6.
I send a ping packet to the GigabitEthernet2/6/0 interface of my system via a Cisco router; although the destination MAC address that vpp detects in the trace is its own MAC address, it doesn't pick up the packet.

The trace file you sent shows VPP's address as the source MAC of the received packet. The destination MAC is not in the l2fib, hence the drop. But that aside, you can't ping an interface that does not have an IP address. It's the BVI that has the IP address – it is the L3 interface here.

/neale

I attached my trace and bridge configuration. Also I got another error when uu-flood and flood of the bridge-domain are enabled: l2 replication drop. I have tried both modes, with a BVI interface and without a BVI interface.

On Wed, Aug 4, 2021 at 4:29 PM Neale Ranns <ne...@graphiant.com> wrote:

Hi Mohsen,

Perhaps I misunderstood your intentions. The MAC learning I was talking about is what a switch/bridge domain does to populate its forwarding tables to perform L2 forwarding. My old and limited experience with port-security was as a feature on an L2 interface in a BD. If what you wanted was ARP for L3 interfaces, then we're talking about IP neighbours. The size of the ip-neighbour DB (which is shared between ARP and ND entries) has only a global, not a per-interface, limit.

DBGvpp# set ip neighbor-config ?
  set ip neighbor-config    set ip neighbor-config ip4|ip6 [limit <limit>] [age <age>] [recycle|norecycle]

There are no other means to control what IP neighbours are or aren't learned.
/neale

From: Mohsen Meamarian <meamarian.moh...@gmail.com>
Date: Wednesday, 4 August 2021 at 07:26
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] MAC Learning in vpp

Hi Neale,

Thanks. Is there a way to view and limit learned MAC addresses for an interface without adding the interface to a bridge-domain?

On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns <ne...@graphiant.com> wrote:

Hi Mohsen,

Learning in a BD is enabled by default – your trace shows learning on. You can turn it on or off through configuration on the BD or on the input interface.

DBGvpp# set bridge-domain ?
  set bridge-domain learn          set bridge-domain learn <bridge-domain-id> [disable]
  set bridge-domain learn-limit    set bridge-domain learn-limit <bridge-domain-id> <learn-limit>

or

DBGvpp# set interface l2 ?
  set interface l2 learn           set interface l2 learn <interface> [disable]

Ping and ARP work with learning on. Note also, in the commands above, there is a mechanism to limit the number of MACs that can be learnt in each BD.

/neale

From: Mohsen Meamarian <meamarian.moh...@gmail.com>
Date: Tuesday, 3 August 2021 at 06:37
To: Neale Ranns <ne...@graphiant.com>
Cc: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev] MAC Learning in vpp

Thanks Neale,

What is the easiest way to enable learning on an interface while other functionality, including passing the ping and ARP packets, works normally? I want l2_learn_process to run for that interface so that I can write a function to do something like put a limit on the maximum connected devices with its help.
On Mon, Aug 2, 2021, 23:38 Neale Ranns <ne...@graphiant.com> wrote:

Hi Mohsen,

From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Mohsen Meamarian via lists.fd.io <meamarian.mohsen=gmail....@lists.fd.io>
Date: Monday, 2 August 2021 at 18:45
To: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io>
Subject: [vpp-dev] MAC Learning in vpp

Hi friends,

I want to implement port security in vpp. I assume that the l2learn_process function in l2_learn.c runs periodically when vpp is active, and when a device is connected to my system, this function helps to learn its MAC. Is this assumption true?

No. l2_learn runs for all packets that are received on a link on which learning is enabled. You can see it in the trace you provided. It is learning in this VLIB node that will populate the l2fib.

Because when I run the sh l2fib command, it returns nothing, but when I set an interface as a bridge, the sh l2fib command returns something. My commands:

create bridge-domain 2 arp-term 1
create loopback interface
set int l2 bridge loop0 2 bvi
set interface state loop0 up
set interface l2 bridge GigabitEthernet0/8/0 2
show bridge-domain 2 detail
show l2fib all

But I have a problem here. vpp drops the ping packet. Where can the problem come from? I attached my trace command result to this mail. I get the "l2-flood: BVI L3 mac mismatch" error.

That shows an ARP packet destined to a unicast MAC. That packet was flooded, suggesting an l2fib miss and unknown-unicast flooding is enabled. The dst MAC of the packet did not match the MAC of the BVI (the only other interface in the BD) so it was dropped.

/neale
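The two things the thread establishes are that VPP's learn-limit is per bridge-domain (and the IP-neighbour limit is global), and that the L3 address must live on the BVI once the physical port is in a BD. The script below is an added example, not code from this thread or from the VPP project: it builds the per-interface view the original poster wanted by parsing "show l2fib all", flags ports over a configured per-interface limit, and emits the CLI commands it would apply (the "set interface l2 learn <interface> disable" form quoted above) plus the BVI setup sequence. The column layout it parses (MAC, BD-Idx, If-Idx, BSN-ISN, Age, static, filter, bvi, Interface-Name) follows VPP's l2fib formatter but is an assumption here; SAMPLE_L2FIB is constructed, not captured output, and the interface names, bridge-domain id and address are placeholders.

```python
"""Per-interface learned-MAC accounting on top of VPP's ``show l2fib all``.

Added example, not code from the thread or from the VPP project. VPP only
offers a per-bridge-domain learn-limit, so this derives a per-interface view
by parsing the l2fib table and emits the CLI commands it would apply. The
column layout assumed for ``show l2fib all`` is: Mac-Address, BD-Idx, If-Idx,
BSN-ISN, Age(min), static, filter, bvi, Interface-Name. SAMPLE_L2FIB is a
constructed sample in that layout, not captured output.
"""
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: three devices learned on Gi2/6/0, one on Gi0/8/0,
# and the BVI's own (static) entry, which is not a connected device.
SAMPLE_L2FIB = """\
    Mac-Address     BD-Idx If-Idx BSN-ISN Age(min) static filter bvi         Interface-Name
 de:ad:be:ef:00:01    2      1      0/0      no      -      -     -        GigabitEthernet2/6/0
 de:ad:be:ef:00:02    2      1      0/0      no      -      -     -        GigabitEthernet2/6/0
 de:ad:be:ef:00:03    2      1      0/0      no      -      -     -        GigabitEthernet2/6/0
 de:ad:00:00:00:10    2      2      0/0      no      *      -     *        loop0
 de:ad:be:ef:00:10    2      3      0/0      no      -      -     -        GigabitEthernet0/8/0
L2FIB total/learned entries: 5/4  Last scan time: 0.0000e0sec  Learn limit: 16777216
"""

# One l2fib row: MAC, bd, sw_if_index, bsn/isn, age, static, filter, bvi, name.
# Header and summary lines do not start with a MAC and are skipped.
_ROW = re.compile(
    r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s+(\d+)\s+\d+/\d+\s+\S+"
    r"\s+([*-])\s+([*-])\s+([*-])\s+(\S+)\s*$", re.IGNORECASE)


def parse_l2fib(text: str) -> List[dict]:
    """Turn ``show l2fib all`` output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        mac, bd, sw_if, static, filt, bvi, name = m.groups()
        entries.append({"mac": mac.lower(), "bd": int(bd), "sw_if_index": int(sw_if),
                        "static": static == "*", "filter": filt == "*",
                        "bvi": bvi == "*", "interface": name})
    return entries


def learned_per_interface(entries: List[dict]) -> Dict[str, int]:
    """Count dynamically learned MACs per interface. Static and BVI entries
    are the bridge's own state, not connected devices, so they are excluded."""
    macs = defaultdict(set)
    for e in entries:
        if e["static"] or e["bvi"]:
            continue
        macs[e["interface"]].add(e["mac"])
    return {name: len(s) for name, s in macs.items()}


def violations(counts: Dict[str, int], limits: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """(interface, learned, limit) for every interface over its limit."""
    return [(name, counts.get(name, 0), limit)
            for name, limit in sorted(limits.items())
            if counts.get(name, 0) > limit]


def remediation(viol: List[Tuple[str, int, int]]) -> List[str]:
    """CLI per violating interface. ``set interface l2 learn <if> disable`` is
    the per-interface command from the thread; it stops further learning on
    that port but does not by itself block the offending traffic."""
    return [f"set interface l2 learn {name} disable" for name, _, _ in viol]


def bvi_setup(bd: int, phys_if: str, cidr: str, learn_limit: int) -> List[str]:
    """Bridge the physical port and move its address onto a loopback BVI, the
    design the thread converges on: the BVI is the L3 interface that answers
    ping, the physical port stays L2 so its peers get learned. Names and the
    address are caller-supplied placeholders."""
    return [
        f"create bridge-domain {bd} arp-term 1",
        f"set bridge-domain learn-limit {bd} {learn_limit}",
        "create loopback interface",
        f"set int l2 bridge loop0 {bd} bvi",
        "set interface state loop0 up",
        f"set interface ip address del {phys_if} {cidr}",
        f"set interface ip address loop0 {cidr}",
        f"set interface l2 bridge {phys_if} {bd}",
    ]


def fetch_l2fib() -> str:
    """Read the live table from a running VPP (not used by the offline demo)."""
    return subprocess.run(["vppctl", "show", "l2fib", "all"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    limits = {"GigabitEthernet2/6/0": 2, "GigabitEthernet0/8/0": 8}
    counts = learned_per_interface(parse_l2fib(SAMPLE_L2FIB))
    over = violations(counts, limits)
    for name, n, limit in over:
        print(f"{name}: {n} learned MACs > limit {limit}")
    for cmd in remediation(over):
        print("vppctl", cmd)
```

Run it periodically (or from a trace-driven trigger) against fetch_l2fib() instead of the sample; the per-BD learn-limit still caps the table as a whole, and this layer adds the per-port policy VPP does not expose.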
View/Reply Online (#19922): https://lists.fd.io/g/vpp-dev/message/19922