08 (IDNOG01) ARP Guard in IXP by Eric Choy
0 likes1,324 views
This document discusses using ARP guard to prevent outages at internet exchange points (IXPs) caused by proxy ARP. It provides examples of how to configure ARP guard on a Brocade device to check ARP requests and replies against access control lists, and describes how this could be implemented at an IXP or for other use cases like LTE backhaul or data centers. ARP guard works by dropping ARP packets that do not match the permitted IP/MAC address rules, preventing proxy ARP from associating the wrong MAC address with an IP.
![©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA
Configuration
• Syntax: [no] arp-guard-group <arp-guard-access-group|id>
• Syntax: [no] permit [src_ip_addr] [src_mac_addr]
• Syntax: [no] permit vlan [id] [src_ip_addr] any
• Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr]
• Description of parameters:
• arp-guard-group – Command in the global config mode to give ACL-like commands.
• arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
• permit – This command is used to specify the required set of rules for the associated ARP Guard group
Part I
15](https://image.slidesharecdn.com/08idnog01arpguardinixpbyericchoy-140625210344-phpapp02/85/08-IDNOG01-ARP-Guard-in-IXP-by-Eric-Choy-15-320.jpg)
![©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA
Configuration
Syntax: [no] arp-guard <arp-guard-access-group> [log]
Description of parameters:
arp-guard – Command to enable ARP GUARD in the interface config mode.
arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules.
log – option to log the information about the dropped packet.
Part 2
17](https://image.slidesharecdn.com/08idnog01arpguardinixpbyericchoy-140625210344-phpapp02/85/08-IDNOG01-ARP-Guard-in-IXP-by-Eric-Choy-17-320.jpg)
![©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA
Show command
MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan
<vlan-id>]
MLX(config-if-e1000-1/1)#show arp-guard counters all
MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan
<vlan-id>]
MLX(config-if-e1000-1/1)#clear arp-guard counters all
18](https://image.slidesharecdn.com/08idnog01arpguardinixpbyericchoy-140625210344-phpapp02/85/08-IDNOG01-ARP-Guard-in-IXP-by-Eric-Choy-18-320.jpg)
08 (IDNOG01) ARP Guard in IXP by Eric Choy
- 1. Reduce IXP Outage From 40 mins to 0 min - ARP Guard in IXP Eric Choi Senior Product Manager, Product Management Service Provider Group, APJ
- 2. The Problem Statement – Quick Recap Information from the presentation “The Danger of Proxy ARP in IX environment by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
- 3. The Problem Statement – Quick Recap Information from the presentation provided by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf
- 4. Computing Sciences Area 4 The Problem Statement – Quick Recap
- 5. Computing Sciences Area 5 The Problem Statement – Quick Recap
- 6. Computing Sciences Area 6 The Problem Statement – Quick Recap
- 7. The Problem Statement – Quick Recap Information from the presentation provided by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf Start End
- 8. The Problem Statement – Quick Recap Information from the presentation provided by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdf Start End
- 9. Computing Sciences Area 9 Can we do better ?
- 10. Computing Sciences Area How about …. 10
- 11. Can we avoid the outage when the problem happens Information from the presentation provided by Maksym Tulyuk @ AMSIX http://ripe63.ripe.net/presentations/130-Proxy_ARP_RIPE_Nov2011.pdfStop here
- 12. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA 12 Introducing ARP Guard Use Case 1
- 13. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA 13 Introducing ARP Guard Use Case 2
- 14. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only How to implement? Can it be done using existing mechanism? ▪ ACL? ▪Secure ARP? Solution ▪Checking all the ARP requests/replies entering the L2 interface against access list. 6/24/2014 14
- 15. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Configuration • Syntax: [no] arp-guard-group <arp-guard-access-group|id> • Syntax: [no] permit [src_ip_addr] [src_mac_addr] • Syntax: [no] permit vlan [id] [src_ip_addr] any • Syntax: [no] permit vlan [id] [src_ip_addr] [src_mac_addr] • Description of parameters: • arp-guard-group – Command in the global config mode to give ACL-like commands. • arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules. • permit – This command is used to specify the required set of rules for the associated ARP Guard group Part I 15
- 16. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Configuration arp-guard-group AS201 permit 20.0.0.2 0001:0002:0003:0004 arp-guard-group AS202 permit vlan 100 20.0.0.32 any permit vlan 200 20.0.0.31 0001:0003:0003:0003 16
- 17. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Configuration Syntax: [no] arp-guard <arp-guard-access-group> [log] Description of parameters: arp-guard – Command to enable ARP GUARD in the interface config mode. arp-guard-access-group – name of the ARP Guard access-group, which contains the list of rules. log – option to log the information about the dropped packet. Part 2 17
- 18. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Show command MLX(config-if-e1000-1/1)#show arp-guard counters port <port-id> [vlan <vlan-id>] MLX(config-if-e1000-1/1)#show arp-guard counters all MLX(config-if-e1000-1/1)#clear arp-guard counters port <port-id> [vlan <vlan-id>] MLX(config-if-e1000-1/1)#clear arp-guard counters all 18
- 19. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only Show command Example 6/24/2014 19 MLX#show arp-guard statistics ethernet 1/1 Port Vlan-id Arp_pkts_captured Arp_pkts_forwarded Arp_pkts_dropped 1/1 (Def/Untag) 0 0 0 1/1 3 10000 9000 100 1/1 2 10000 9000 100
- 20. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Syslog • If a “log” option is used on the arp-guard command, then a syslog message is generated to log the error ARP packet. Syslog message would contain the following: - • Port name/id, • arp-guard-group name • vlan-id (if-any), • MAC address and the IP address 20
- 21. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only Syslog Example 6/24/2014 21 SYSLOG: <14>Mar 14 1905 22:37:21 MLX-Dist1 ARP_GUARD DROP LOG:Violation occured at time Mar 14 22:37:20: on Trunk port=4/1 having Access_Grp=AS201, for the incoming packet with MAC_ADDR=0000.5822.bf78 IP_ADDR=1.1.1.2 VLAN: 1
- 22. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Example MLX(config)#arp-guard-group AS303 MLX(config-arp-guard-group)#permit 30.0.0.31 0000:0003:0003:0004 MLX(config-arp-guard-group)#permit 30.0.0.32 any MLX(config-arp-guard-group)#exit MLX(config)#interface ethe 1/1 MLX(config-if)#arp-guard AS303 log Port Based Deployment 22
- 23. ©2012 Brocade Communications Systems, Inc. CONFIDENTIAL — Discussion under NDA Example MLX(config)#arp-guard-group AS202 MLX(config-arp-guard-group)#permit vlan 100 20.0.0.31 0000:0003:0003:0003 MLX(config-arp-guard-group)#permit vlan 101 20.0.0.32 any MLX(config-arp-guard-group)#exit MLX(config)#interface ethe 1/1 MLX(config-if)#arp-guard AS202 log IXP WholeSale Using IX 23
- 24. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only LTE Backhaul Use Case 6/24/2014 24 eNB PDN-GW HSS AAA IMS Core DNS PCRF SGW MME www Internet S1-MME S2 S6b S6a SGi S11 eNodeB PDN-GW HSS AAA IMS Core DNS PCRF SGW MME www Internet eNodeB S1-U S1-MME S1-U L2 Network
- 25. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only Data Center Use Case 6/24/2014 25 Data Center Interconnect
- 26. © 2012 Brocade Communications Systems, Inc. CONFIDENTIAL—For Internal Use Only ACKNOWLEDGEMENT Raphael Ho CheeYong Tay Jimmy Halim 6/24/2014 26
- 27. THANK YOU Eric Choi Senior Product Manager, Product Management Service Provider Group, APJ " email: [email protected]