MAC Limit for VPLS and H-VPLS
Overview
The MAC limit controls how many MAC addresses a system can learn, which is especially beneficial in Virtual Private LAN Service (VPLS) deployments. This control allows you to limit MAC addresses at more granular levels, such as the Access Circuit (AC) or Spoke-PW level, while maintaining the current VPLS instance-level limits.
Characteristics of MAC Move Protection - VPLS/H-VPLS
• Threshold-based control for the number of MAC addresses.
• Granular configuration options, including interface/subinterface/AC/Spoke-PW levels.
• Monitoring and enforcement with actions like logging or error-disable.
• Security benefits by preventing MAC flooding and limiting device access.
• Non-disruptive operation with logging, and optional error-disable with recovery options.
Benefits
• Prevents MAC flooding attacks, controls access to network segments.
• Improves network efficiency by managing memory and CPU usage.
• Granular configuration at interface, subinterface, AC, and Spoke-PW levels.
• Prevents MAC table overflows, ensuring stable traffic forwarding.
• Syslog alerts and watermark thresholds for proactive management.
• Logging doesn’t affect traffic, and error-disable includes recovery options.
• Helps networks grow efficiently without overloading devices.
Prerequisites
• Define Interfaces and Loopback Addresses:
Configure Layer 2 interfaces, such as port channel interfaces (for example, po1), and assign them IP addresses for identification and routing. Additionally, assign loopback IP addresses to provide stable endpoints for connectivity. These configurations form the basis for network routing and communication.
!
interface lo
ip address 127.0.0.1/8
ip address 2.2.2.2/32 secondary
ipv6 address ::1/128
interface xe14
ip address 30.1.1.2/24
• Configure IGP for Dynamic Routing: Enable ISIS to facilitate dynamic routing on all nodes within the network. Define ISIS router instances that match the loopback IP addresses and add the network segments to ISIS areas for proper route distribution. Set up neighbor relationships using loopback IP addresses to ensure efficient route advertisement and convergence.
• ISIS Configuration:
router isis 1
is-type level-2-only
metric-style wide
microloop-avoidance level-2
mpls traffic-eng router-id 2.2.2.2
mpls traffic-eng level-2
capability cspf
dynamic-hostname
bfd all-interfaces
net 49.0000.0000.0002.00
passive-interface lo
!
interface xe14
mpls ldp-igp sync isis level-2
isis network point-to-point
ip router isis 1
• OSPF Configuration:
router ospf 1
ospf router-id 2.2.2.2
network 2.2.2.2/32 area 0.0.0.0
network 30.1.1.0/24 area 0.0.0.0
!
interface xe14
ip ospf network point-to-point
Configuration
Topology
The sample topology for MAC Limit uses a CE-PE-Hub-Spoke architecture.
MAC Limit for H-VPLS Topology Diagram
Configuring MAC-Limit
Configure PE1 router as follows:
1. Configure router LDP.
PE1(config)#router ldp
PE1(config-router)# router-id 2.2.2.2
PE1(config-router)# transport-address ipv4 2.2.2.2
2. Configure targeted-peer under router LDP.
PE1(config-router)# targeted-peer ipv4 5.5.5.5
PE1(config-router-targeted-peer)# exit-targeted-peer-mode
3. Enable LDP and label-switching for core interface.
PE1(config)#interface xe14
PE1(config-if)# enable-ldp ipv4
PE1(config-if)#label-switching
4. Configure VPLS instance.
PE1(config)#mpls vpls vpls2000 2000
PE1(config-vpls)# signaling ldp
PE1(config-vpls-sig)# vpls-peer 5.5.5.5
PE1(config-vpls-sig)# exit-signaling
PE1(config-vpls)# exit-vpls
PE1(config)#
5. Configure sub-interface and attach vpls-instance to sub-interface.
PE1(config)#
PE1(config)#interface xe16.2000 switchport
PE1(config-if)# encapsulation dot1q 2000
PE1(config-if)# access-if-vpls
PE1(config-acc-if-vpls)# mpls-vpls vpls2000
PE1(config-acc-if-vpls)#
6. Configure the mac-limit profile.
PE1(config)#
PE1(config)#vpls mac-limit-profile prof1
PE1(config-vpls-mac-lim-profile)# learning-limit 5
PE1(config-vpls-mac-lim-profile)# action log-errdisable
PE1(config-vpls-mac-lim-profile)# errdisable-timeout 120
7. Configure mac-limit profile under AC sub-interface.
PE1(config)#
PE1(config)#interface xe16.2001 switchport
PE1(config-if)# access-if-vpls
PE1(config-acc-if-vpls)#learning limit prof1
PE1(config-acc-if-vpls)#exit
Configure the MAC-LIMIT on Hub Router:
1. Configure router LDP.
Hub(config)#router ldp
Hub(config-router)# router-id 5.5.5.5
Hub(config-router)# transport-address ipv4 5.5.5.5
2. Configure targeted-peer under router LDP.
Hub(config-router)# targeted-peer ipv4 2.2.2.2
Hub(config-router-targeted-peer)# exit-targeted-peer-mode
R5-P5(config-router)# targeted-peer ipv4 8.8.8.8
R5-P5(config-router-targeted-peer)#
3. Enable LDP and label-switching for core interface.
Hub(config)#interface xe1
Hub(config-if)# enable-ldp ipv4
Hub(config-if)#label-switching
Hub(config)#interface xe12
Hub(config-if)# enable-ldp ipv4
Hub(config-if)#label-switching
4. Configure VPLS instance.
Hub(config)#mpls vpls vpls2000 2000
Hub(config-vpls)# signaling ldp
Hub(config-vpls-sig)# vpls-peer 2.2.2.2
Hub(config-vpls-sig)# exit-signaling
Hub(config-vpls)# exit-vpls
Hub(config)#
5. Configure L2-ckt.
Hub(config)#mpls l2-circuit vc2000 2222 8.8.8.8 mode raw
Hub(config-pseudowire)#
6. Attach L2-ckt under vpls instance.
Hub(config)#mpls vpls vpls2000 2000
Hub(config-vpls)#vpls-vc vc2000
Hub(config-vpls-spoke)#
7. Configure the mac-limit profile.
HUB(config)#vpls mac-limit-profile prof1
HUB(config-vpls-mac-lim-profile)# learning-limit 5
HUB(config-vpls-mac-lim-profile)# action log-errdisable
HUB(config-vpls-mac-lim-profile)# errdisable-timeout 120
HUB(config-vpls-mac-lim-profile)#
8. Configure mac-limit profile under vpls instance.
HUB(config)#mpls vpls vpls2001 2001
HUB(config-vpls)#vpls-vc vc2000
HUB(config-vpls-spoke)# learning limit prof1
HUB(config-vpls-spoke)#
Configure the MAC-LIMIT on Spoke Router:
1. Configure router LDP.
Spoke(config)#router ldp
Spoke(config-router)# router-id 8.8.8.8
Spoke(config-router)# transport-address ipv4 8.8.8.8
2. Configure targeted-peer under router LDP.
Spoke(config-router)# targeted-peer ipv4 5.5.5.5
Spoke(config-router-targeted-peer)# exit-targeted-peer-mode
3. Enable LDP and label-switching for core interface.
Spoke(config)#interface xe12
Spoke(config-if)# enable-ldp ipv4
Spoke(config-if)#label-switching
4. Configure VPLS instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)#
5. Configure L2-ckt.
Spoke(config)#mpls l2-circuit vc2000 2222 5.5.5.5 mode raw
Spoke(config-pseudowire)#
6. Attach L2-ckt under VPLS instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)#vpls-vc vc2000
Spoke(config-vpls-spoke)#
7. Configure sub-interface and attach vpls-instance to sub-interface.
Spoke(config)#
Spoke(config)#interface xe26.2000 switchport
Spoke(config-if)# encapsulation dot1q 2000
Spoke(config-if)# access-if-vpls
Spoke(config-acc-if-vpls)# mpls-vpls vpls2000
Spoke(config-acc-if-vpls)#
8. Configure the mac-limit profile.
Spoke(config)#vpls mac-limit-profile R8
Spoke(config-vpls-mac-lim-profile)# learning-limit 10
Spoke(config-vpls-mac-lim-profile)# action log-errdisable
Spoke(config-vpls-mac-lim-profile)# errdisable-timeout 60
Spoke(config-vpls-mac-lim-profile)#
9. Configure mac-limit profile under vpls instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)#vpls-vc vc2000
Spoke(config-vpls-spoke)#learning limit R8
Spoke(config-vpls-spoke)#
Running Configuration on PE1 Router:
vpls mac-limit-profile prof1
learning-limit 5
action log-errdisable
errdisable-timeout 120
!
router ldp
router-id 2.2.2.2
targeted-peer ipv4 5.5.5.5
exit-targeted-peer-mode
transport-address ipv4 2.2.2.2
!
interface xe14
enable-ldp ipv4
!
mpls vpls vpls2000 2000
signaling ldp
vpls-peer 5.5.5.5
exit-signaling
exit-vpls
!
interface xe16.2000 switchport
access-if-vpls
mpls-vpls vpls2000
learning limit prof1
Running Configuration on Hub Router:
vpls mac-limit-profile prof1
learning-limit 5
action log-errdisable
errdisable-timeout 120
!
router ldp
targeted-peer ipv4 2.2.2.2
exit-targeted-peer-mode
targeted-peer ipv4 8.8.8.8
exit-targeted-peer-mode
!
!
mpls l2-circuit vc2000 2222 8.8.8.8 mode raw
!
mpls vpls vpls2000 2000
vpls-vc vc2000
learning limit prof1
exit-spoke
signaling ldp
vpls-peer 2.2.2.2
exit-signaling
exit-vpls
Running Configuration on Spoke Router:
vpls mac-limit-profile R8
learning-limit 10
action log-errdisable
errdisable-timeout 60
!
router ldp
router-id 8.8.8.8
targeted-peer ipv4 5.5.5.5
exit-targeted-peer-mode
transport-address ipv4 8.8.8.8
!
mpls l2-circuit vc2000 2222 5.5.5.5 mode raw
!
mpls vpls vpls2000 2000
vpls-vc vc2000
learning limit R8
exit-spoke
exit-vpls
!
interface xe26.2000 switchport
access-if-vpls
mpls-vpls vpls2000
Validation
Verify that the VPLS mesh is up between PE and Hub:
PE1#show mpls vpls mesh
(m) - Service mapped over multipath transport
(e) - Service mapped over LDP ECMP
VPLS-ID Peer Addr Tunnel-Label In-Label Network-Intf Out-Label Lkps/St PW-INDEX SIG-Protocol Status UpTime
2000 5.5.5.5 31364 28162 xe14 26883 2/Up 4 LDP Active 2d10h36m
Hub#show mpls vpls mesh
(m) - Service mapped over multipath transport
(e) - Service mapped over LDP ECMP
VPLS-ID Peer Addr Tunnel-Label In-Label Network-Intf Out-Label Lkps/St PW-INDEX SIG-Protocol Status UpTime
2000 2.2.2.2 29446 26883 xe1 28162 2/Up 3 LDP Active 2d10h39m
Verify that the VPLS spoke is up between Hub and Spoke:
Hub#show ldp mpls-l2-circuit
Transport Client VC VC Local Remote Destination Local Remote
VC ID Binding State Type VC Label VC Label Address PW Status PW Status
2222 VPLS:2000 UP Ethernet 26882 26886 8.8.8.8 Forwarding Forwarding
Hub#sho mpls vpls spoke
VPLS-ID Virtual Circuit Tunnel-Label In-Label Network-Intf Out-Label Lkps/St Secondary
2000 vc2000 29443 26882 ce4 26886 2/Up ---
Spoke#show ldp mpls-l2-circuit
Transport Client VC VC Local Remote Destination Local Remote
VC ID Binding State Type VC Label VC Label Address PW Status PW Status
2222 VPLS:2000 UP Ethernet 26886 26882 5.5.5.5 Forwarding Forwarding
Spoke#show mpls vpls spoke
VPLS-ID Virtual Circuit Tunnel-Label In-Label Network-Intf Out-Label Lkps/St Secondary
2000 vc2000 29440 26886 ce4 26882 2/Up ---
Verify MAC-LIMIT session on Hub and spoke:
Hub#show mpls vpls vpls2000
Virtual Private LAN Service Instance: vpls2000, ID: 2000
SIG-Protocol: LDP
Attachment-Circuit: UP
Learning: Enabled
Control-Word: Disabled
Flow Label Status: Disabled, Direction: None, Static: No
Group ID: 0, VPLS Type: Ethernet, Configured MTU: 1500
Description: none
service-tpid: dot1.q
Operating mode: Raw
Ignoring AC interface and spoke-VC state
Configured interfaces:
None
Mesh Peers:
2.2.2.2 (Peer VPLS Type: Ethernet) (Up) (UpTime: 2d10h47m)
3.3.3.3 (Peer VPLS Type: Ethernet) (Up) (UpTime: 2d10h56m)
Spoke Peers:
vc2000 (Up) (UpTime 00:05:48)
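The validation commands above are checked by eye in this document. The following is an added example (not part of the original document and not OcNOS code) that parses constructed copies of the show mpls vpls mesh and show ldp mpls-l2-circuit output shown above and reports any mesh or spoke pseudowire that is not Up, Active and Forwarding. Column names, the degraded sample output and the problem strings are assumptions made for the example; the parser splits each row on whitespace, so it works on both the single-spaced copies below and column-aligned output from a device.

```python
"""Checks over H-VPLS validation output (constructed copies of the show output above)."""

MESH_FIELDS = ["vpls_id", "peer", "tunnel_label", "in_label", "network_intf",
               "out_label", "lkps_st", "pw_index", "sig_protocol", "status", "uptime"]
L2CKT_FIELDS = ["vc_id", "client_binding", "vc_state", "vc_type", "local_label",
                "remote_label", "destination", "local_pw_status", "remote_pw_status"]

# Constructed copy of 'PE1#show mpls vpls mesh' from the validation section.
PE1_MESH = """\
(m) - Service mapped over multipath transport
(e) - Service mapped over LDP ECMP
VPLS-ID Peer Addr Tunnel-Label In-Label Network-Intf Out-Label Lkps/St PW-INDEX SIG-Protocol Status UpTime
2000 5.5.5.5 31364 28162 xe14 26883 2/Up 4 LDP Active 2d10h36m
"""
# Constructed copy of 'Hub#show ldp mpls-l2-circuit' from the validation section.
HUB_L2CKT = """\
Transport Client VC VC Local Remote Destination Local Remote
VC ID Binding State Type VC Label VC Label Address PW Status PW Status
2222 VPLS:2000 UP Ethernet 26882 26886 8.8.8.8 Forwarding Forwarding
"""
# Constructed failure case (not captured from a device): spoke PW present but not forwarding.
HUB_L2CKT_DEGRADED = """\
Transport Client VC VC Local Remote Destination Local Remote
VC ID Binding State Type VC Label VC Label Address PW Status PW Status
2222 VPLS:2000 DOWN Ethernet 26882 0 8.8.8.8 Forwarding NotForwarding
"""


def _rows(output, fields):
    """Keep rows that start with a numeric ID and have the expected column count;
    legend lines, headers and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == len(fields) and parts[0].isdigit():
            rows.append(dict(zip(fields, parts)))
    return rows


def parse_mesh(output):
    return _rows(output, MESH_FIELDS)


def parse_l2circuit(output):
    return _rows(output, L2CKT_FIELDS)


def mesh_problems(output, expected_peers):
    """expected_peers: set of (vpls_id, peer_ip) that must show N/Up and Active."""
    seen = {(r["vpls_id"], r["peer"]): r for r in parse_mesh(output)}
    problems = []
    for vpls_id, peer in sorted(expected_peers):
        r = seen.get((vpls_id, peer))
        if r is None:
            problems.append(f"mesh {vpls_id} to {peer}: no PW present")
        elif not r["lkps_st"].endswith("/Up") or r["status"] != "Active":
            problems.append(f"mesh {vpls_id} to {peer}: {r['lkps_st']} {r['status']}")
    return problems


def spoke_problems(output, vc_id, destination):
    """Check one spoke PW: VC state UP and both PW status columns Forwarding."""
    match = [r for r in parse_l2circuit(output)
             if r["vc_id"] == vc_id and r["destination"] == destination]
    if not match:
        return [f"vc {vc_id} to {destination}: no circuit present"]
    r = match[0]
    problems = []
    if r["vc_state"] != "UP":
        problems.append(f"vc {vc_id} to {destination}: VC state {r['vc_state']}")
    if (r["local_pw_status"], r["remote_pw_status"]) != ("Forwarding", "Forwarding"):
        problems.append(f"vc {vc_id} to {destination}: PW status "
                        f"local={r['local_pw_status']} remote={r['remote_pw_status']}")
    return problems


if __name__ == "__main__":
    print(mesh_problems(PE1_MESH, {("2000", "5.5.5.5")}) or "PE1 mesh OK")
    print(spoke_problems(HUB_L2CKT, "2222", "8.8.8.8") or "Hub spoke OK")
    print(spoke_problems(HUB_L2CKT_DEGRADED, "2222", "8.8.8.8"))
```

Feed the real command output into mesh_problems with the full set of (VPLS-ID, peer) pairs the design expects; a missing peer is reported as a problem rather than silently passing, which is the failure mode a check that only looks at the rows present would miss.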
CLI Commands
The MAC Limit feature introduces the following configuration command.
vpls mac-limit-profile
Use this command to create a VPLS MAC limit profile that sets MAC address learning limits; the profile is then associated with an AC or Spoke PW.
Use the no form of this command to delete the VPLS MAC limit profile.
Command Syntax
vpls mac-limit-profile <PROFILE_NAME> learning-limit <1-32767> | high-watermark <1-100> | low-watermark <1-100> | action (log-errdisable <0-86400> | log-only) | errdisable-timeout <0-86400>
no vpls mac-limit-profile
Parameters
Parameter | Description |
<PROFILE_NAME> | Specifies the name of the MAC limit profile. |
learning-limit <1-32767> | Specifies the maximum number of MAC addresses allowed to be learned on the interface. The default value is 32767. |
high-watermark <1-100> | Specifies the high watermark (maximum number of MAC addresses) for logging purposes. The threshold is expressed as a percentage of the learning limit. The default value is 90%. |
low-watermark <1-100> | Specifies the low watermark (minimum number of MAC addresses) for logging purposes. The threshold is expressed as a percentage of the learning limit. The default value is 70%. |
action log-errdisable <0-86400> | Logs an event when the MAC limit is exceeded and disables MAC learning for the timeout period. The default value is 0. |
action log-only | Logs an event when the MAC limit is exceeded without disabling MAC learning. |
errdisable-timeout <0-86400> | Specifies the duration (in seconds) before MAC learning is re-enabled after being errdisabled. The default value is 0, meaning no automatic recovery. |
Default
None
Command Mode
VPLS MAC Limit Profile Mode
Applicability
Introduced in OcNOS version 6.6.0.
Example
The following example creates a VPLS MAC limit profile and configures it with specific parameters to manage MAC address learning limits:
#configure terminal
(config)#vpls mac-limit-profile prof1
(config-vpls-mac-lim-profile)#learning-limit 50
(config-vpls-mac-lim-profile)#action log-errdisable
(config-vpls-mac-lim-profile)#high-watermark 60
(config-vpls-mac-lim-profile)#low-watermark 30
(config-vpls-mac-lim-profile)#errdisable-timeout 30
(config-vpls-mac-lim-profile)#commit
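To make the interaction of learning-limit, the two watermarks, action log-errdisable and errdisable-timeout concrete, the following is an added example (not part of the original document and not OcNOS code) that models a profile with the values from the example above and replays a constructed burst of 60 source MACs against an AC limited to 50. The watermark hysteresis (log once on reaching the high watermark, clear on falling back to the low watermark), the treatment of a known MAC while errdisabled, and the use of learning_limit, high_count and low_count as names are assumptions of the model; the defaults are the ones given in the parameter table.

```python
import math
from dataclasses import dataclass


@dataclass
class MacLimitProfile:
    """Parameters of 'vpls mac-limit-profile' (defaults as in the command reference)."""
    name: str
    learning_limit: int = 32767     # maximum MACs learned on the AC or spoke PW
    high_watermark: int = 90        # percent of learning_limit that triggers a log
    low_watermark: int = 70         # percent of learning_limit that clears it (assumed)
    action: str = "log-only"        # "log-only" or "log-errdisable"
    errdisable_timeout: int = 0     # seconds; 0 means no automatic recovery

    def high_count(self):
        return math.ceil(self.learning_limit * self.high_watermark / 100)

    def low_count(self):
        return math.floor(self.learning_limit * self.low_watermark / 100)


class AttachmentPoint:
    """MAC table of one AC sub-interface or spoke PW governed by a profile (assumed model)."""

    def __init__(self, name, profile):
        self.name = name
        self.profile = profile
        self.macs = set()
        self.errdisabled_until = None   # None while learning is enabled
        self.above_high = False         # hysteresis state for watermark logging
        self.log = []

    def _log(self, now, msg):
        self.log.append(f"t={now:>3} {self.name}: {msg}")

    def learning_enabled(self, now):
        """True if learning is active; re-enables it once the errdisable timeout has expired."""
        if self.errdisabled_until is None:
            return True
        if now >= self.errdisabled_until:
            self.errdisabled_until = None
            self._log(now, "errdisable-timeout expired, MAC learning re-enabled")
            return True
        return False

    def learn(self, mac, now=0):
        """Return True if the source MAC is (or becomes) known on this attachment point."""
        mac = mac.lower()
        p = self.profile
        if mac in self.macs:
            return True                      # refresh of a known entry; limit not consulted
        if not self.learning_enabled(now):
            return False                     # errdisabled: new sources are not learned
        if len(self.macs) >= p.learning_limit:
            self._log(now, f"learning-limit {p.learning_limit} exceeded, {mac} not learned")
            if p.action == "log-errdisable":
                if p.errdisable_timeout > 0:
                    self.errdisabled_until = now + p.errdisable_timeout
                    self._log(now, f"MAC learning errdisabled for {p.errdisable_timeout}s")
                else:
                    self.errdisabled_until = math.inf
                    self._log(now, "MAC learning errdisabled (no automatic recovery)")
            return False
        self.macs.add(mac)
        if not self.above_high and len(self.macs) >= p.high_count():
            self.above_high = True
            self._log(now, f"high-watermark reached ({len(self.macs)}/{p.learning_limit})")
        return True

    def age_out(self, mac, now=0):
        """Remove an aged entry and log when the table falls back to the low watermark."""
        self.macs.discard(mac.lower())
        if self.above_high and len(self.macs) <= self.profile.low_count():
            self.above_high = False
            self._log(now, f"low-watermark reached ({len(self.macs)}/{self.profile.learning_limit})")


def flood_scenario():
    """Constructed scenario: a burst of 60 distinct source MACs hits an AC limited to 50."""
    prof = MacLimitProfile("prof1", learning_limit=50, high_watermark=60,
                           low_watermark=30, action="log-errdisable", errdisable_timeout=30)
    ac = AttachmentPoint("xe16.2000", prof)
    burst = [f"02:00:00:00:00:{i:02x}" for i in range(60)]   # constructed, locally administered
    learned = sum(ac.learn(m, now=0) for m in burst)
    blocked = not ac.learn("02:00:00:00:01:00", now=10)       # still errdisabled at t=10
    for m in burst[:40]:                                      # entries age out meanwhile
        ac.age_out(m, now=20)
    recovered = ac.learn("02:00:00:00:01:00", now=31)         # 30 s timeout has expired
    return {"learned": learned, "table_size": len(ac.macs),
            "blocked_while_errdisabled": blocked, "recovered": recovered, "log": ac.log}


if __name__ == "__main__":
    for line in flood_scenario()["log"]:
        print(line)
```

The scenario shows why errdisable-timeout 0 deserves attention: with the default, a single burst of unknown source MACs leaves learning disabled on that AC until an operator intervenes, whereas a non-zero timeout restores learning automatically once entries have aged out, and the watermark log lines give the early warning before the limit is hit.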
Glossary
The following table defines the key terms and abbreviations used throughout this document:
Key Terms/Acronym | Description |
CLI | Command Line Interface |
H-VPLS | Hierarchical Virtual Private LAN Service |
IGP | Interior Gateway Protocol |
ISIS | Intermediate System to Intermediate System |
OSPF | Open Shortest Path First |
BFD | Bidirectional Forwarding Detection |
VPLS | Virtual Private LAN Service |