MAC Move Protection - VPLS/H-VPLS
Overview
MAC Move Protection is a Layer 2 feature for detecting and managing the movement of MAC addresses across various interfaces in Virtual Private LAN Service (VPLS) or Hierarchical VPLS (H-VPLS) networks.
In VPLS environments, MAC address moves can occur across Attachment Circuits (AC), Spoke-PWs, and Mesh-PWs. MAC Move Protection is particularly useful in detecting and responding to these movements within these different components.
Characteristics of MAC Move Protection - VPLS/H-VPLS
Monitors MAC address movements across Attachment Circuits (AC), Spoke-PWs, and Mesh-PWs, detecting any moves between these components in a VPLS/H-VPLS topology.
Enables detection settings across multiple VPLS instances, ensuring uniformity and reducing redundant configurations.
Allows more granular control, enabling overrides for detection timers and error-disable actions on specific instances.
Administrators can configure the detection interval and the move count threshold.
When a MAC move is detected, this feature:
Applies error-disable actions to ACs to prevent disruption.
Brings down Spoke-PWs or Mesh-PWs, reducing impact on the network.
Automatically restores components after the error-disable or operational down actions are triggered.
Benefits
By detecting and managing unexpected MAC address moves, the feature helps prevent network loops, service disruptions, and performance degradation, ensuring stable VPLS connectivity.
The action mechanism minimizes disruptions by intelligently deciding which components to block (AC, Spoke-PW, or Mesh-PW) based on priority, reducing the impact of MAC move events on the overall network.
With syslog reporting and detailed CLI commands, network administrators can quickly identify and address MAC move issues.
The ability to configure detection settings both globally and at the instance level provides flexibility in managing large-scale VPLS networks.
Prerequisites
Define Interfaces and Loopback Addresses:
Configure Layer 2 interfaces, such as port channel interfaces (e.g., po1), and assign specific IP addresses for proper identification and routing. Additionally, assign loopback IP addresses to establish essential points of connectivity. These configurations enable efficient network routing and communication.
!
interface lo
ip address 127.0.0.1/8
ip address 2.2.2.2/32 secondary
ipv6 address ::1/128
 
interface xe14
ip address 30.1.1.2/24
 
Configure IGP for Dynamic Routing:
Enable ISIS to facilitate dynamic routing on all nodes within the network. Define ISIS router instances to match loopback IP addresses and add network segments to ISIS areas for proper route distribution. Set up neighbor relationships using loopback IP addresses, ensuring efficient route advertisement and convergence for optimal network performance.
ISIS Configuration:
router isis 1
is-type level-2-only
metric-style wide
microloop-avoidance level-2
mpls traffic-eng router-id 2.2.2.2
mpls traffic-eng level-2
capability cspf
dynamic-hostname
bfd all-interfaces
net 49.0000.0000.0002.00
passive-interface lo
!
interface xe14
mpls ldp-igp sync isis level-2
isis network point-to-point
ip router isis 1
OSPF Configuration:
router ospf 1
ospf router-id 2.2.2.2
network 2.2.2.2/32 area 0.0.0.0
network 30.1.1.0/24 area 0.0.0.0
!
interface xe14
ip ospf network point-to-point
Configuration
Topology
The sample topology for MAC Move Protection uses a CE-PE-Hub-Spoke architecture.
MAC Move Protection Topology Diagram
Configuring MAC Move Protection
Configure PE1 router as follows:
1. Configure router LDP.
PE1(config)#router ldp
PE1(config-router)# router-id 2.2.2.2
PE1(config-router)# transport-address ipv4 2.2.2.2
2. Configure targeted-peer under router LDP.
PE1(config-router)# targeted-peer ipv4 5.5.5.5
PE1(config-router-targeted-peer)# exit-targeted-peer-mode
3. Enable LDP and label-switching for core interface.
PE1(config)#interface xe14
PE1(config-if)# enable-ldp ipv4
PE1(config-if)#label-switching
4. Configure VPLS instance.
PE1(config)#mpls vpls vpls2000 2000
PE1(config-vpls)# signaling ldp
PE1(config-vpls-sig)# vpls-peer 5.5.5.5
PE1(config-vpls-sig)# exit-signaling
PE1(config-vpls)# exit-vpls
PE1(config)#
5. Configure sub-interface and attach vpls-instance to sub-interface.
PE1(config)#
PE1(config)#interface xe16.2000 switchport
PE1(config-if)# encapsulation dot1q 2000
PE1(config-if)# access-if-vpls
PE1(config-acc-if-vpls)# mpls-vpls vpls2000
PE1(config-acc-if-vpls)#
6. MAC-MOVE global configuration.
PE1(config)#vpls mac-move enable detect 10 10
PE1(config)#commit
PE1(config)#
7. Configure MAC-MOVE under VPLS instance.
PE1(config)#mpls vpls vpls2000 2000
PE1(config-vpls)# mac-move
PE1(config-vpls-mac-move)# detect 10 10
PE1(config-vpls-mac-move)# errdisable timeout-interval 120
PE1(config-vpls-mac-move)#commit
PE1(config-vpls-mac-move)#
PE1(config-vpls-mac-move)#exit
PE1(config)#
Configure the Hub Router:
1. Configure router LDP.
Hub(config)#router ldp
Hub(config-router)# router-id 5.5.5.5
Hub(config-router)# transport-address ipv4 5.5.5.5
2. Configure targeted-peer under router LDP.
Hub(config-router)# targeted-peer ipv4 2.2.2.2
Hub(config-router-targeted-peer)# exit-targeted-peer-mode
Hub(config-router)# targeted-peer ipv4 8.8.8.8
Hub(config-router-targeted-peer)#
3. Enable LDP and label-switching for core interface.
Hub(config)#interface xe1
Hub(config-if)# enable-ldp ipv4
Hub(config-if)#label-switching
Hub(config)#interface xe12
Hub(config-if)# enable-ldp ipv4
Hub(config-if)#label-switching
4. Configure VPLS instance.
Hub(config)#mpls vpls vpls2000 2000
Hub(config-vpls)# signaling ldp
Hub(config-vpls-sig)# vpls-peer 2.2.2.2
Hub(config-vpls-sig)# exit-signaling
Hub(config-vpls)# exit-vpls
Hub(config)#
5. Configure L2-ckt.
Hub(config)#mpls l2-circuit vc2000 2222 8.8.8.8 mode raw
Hub(config-pseudowire)#
6. Attach L2-ckt under VPLS instance.
Hub(config)#mpls vpls vpls2000 2000
Hub(config-vpls)#vpls-vc vc2000
Hub(config-vpls-spoke)#
7. MAC Move Protection global configuration.
Hub(config)#vpls mac-move enable detect 10 10
Hub(config)#commit
Hub(config)#
8. Configure MAC-MOVE under VPLS instance.
Hub(config)#mpls vpls vpls2000 2000
Hub(config-vpls)# mac-move
Hub(config-vpls-mac-move)# detect 10 10
Hub(config-vpls-mac-move)# errdisable timeout-interval 120
Hub(config-vpls-mac-move)# errdisable allow-mesh-pw-blocking
Hub(config-vpls-mac-move)#exit
Hub(config)#
Configure Spoke Router as follows:
1. Configure router LDP.
Spoke(config)#router ldp
Spoke(config-router)# router-id 8.8.8.8
Spoke(config-router)# transport-address ipv4 8.8.8.8
2. Configure targeted-peer under router LDP.
Spoke(config-router)# targeted-peer ipv4 5.5.5.5
Spoke(config-router-targeted-peer)# exit-targeted-peer-mode
3. Enable LDP and label-switching for core interface.
Spoke(config)#interface xe12
Spoke(config-if)# enable-ldp ipv4
Spoke(config-if)#label-switching
4. Configure VPLS instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)#
5. Configure L2-ckt.
Spoke(config)#mpls l2-circuit vc2000 2222 5.5.5.5 mode raw
Spoke(config-pseudowire)#
6. Attach L2-ckt under VPLS instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)#vpls-vc vc2000
Spoke(config-vpls-spoke)#
7. MAC Move Protection global configuration
Spoke(config)#vpls mac-move enable detect 10 10
Spoke(config)#commit
Spoke(config)#
8. Configure MAC-MOVE under VPLS instance.
Spoke(config)#mpls vpls vpls2000 2000
Spoke(config-vpls)# mac-move
Spoke(config-vpls-mac-move)# detect 10 10
Spoke(config-vpls-mac-move)# errdisable timeout-interval 120
Spoke(config-vpls-mac-move)# errdisable allow-mesh-pw-blocking
Spoke(config-vpls-mac-move)#exit
Spoke(config)#
Running Configuration on PE1 Router:
router ldp
router-id 2.2.2.2
targeted-peer ipv4 5.5.5.5
exit-targeted-peer-mode
transport-address ipv4 2.2.2.2
!
interface xe14
enable-ldp ipv4
!
mpls vpls vpls2000 2000
signaling ldp
vpls-peer 5.5.5.5
exit-signaling
mac-move
detect 10 10
errdisable timeout-interval 120
exit-mac-move
exit-vpls
!
interface xe16.2000 switchport
access-if-vpls
mpls-vpls vpls2000
learning limit prof1
Running Configuration on Hub Router:
router ldp
targeted-peer ipv4 2.2.2.2
exit-targeted-peer-mode
targeted-peer ipv4 8.8.8.8
exit-targeted-peer-mode
!
!
mpls l2-circuit vc2000 2222 8.8.8.8 mode raw
!
mpls vpls vpls2000 2000
vpls-vc vc2000
learning limit prof1
exit-spoke
signaling ldp
vpls-peer 2.2.2.2
exit-signaling
mac-move
detect 10 10
errdisable timeout-interval 120
errdisable allow-mesh-pw-blocking
exit-mac-move
exit-vpls
exit-vpls
Running Configuration on Spoke Router:
router ldp
router-id 8.8.8.8
targeted-peer ipv4 5.5.5.5
exit-targeted-peer-mode
transport-address ipv4 8.8.8.8
!
mpls l2-circuit vc2000 2222 5.5.5.5 mode raw
!
mpls vpls vpls2000 2000
vpls-vc vc2000
exit-spoke
exit-signaling
mac-move
detect 10 10
errdisable timeout-interval 120
errdisable allow-mesh-pw-blocking
exit-mac-move
exit-vpls
!
interface xe26.2000 switchport
access-if-vpls
mpls-vpls vpls2000
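An added example, not part of the OcNOS documentation: a Python audit that reads a running configuration in the format shown above and reports, per VPLS instance, whether a mac-move block is present and which detect values apply. The sample configuration is constructed (vpls3000 is hypothetical), and falling back to the global vpls mac-move enable detect values for an instance without its own detect line is an assumption drawn from the Characteristics section.

```python
import re

# Constructed sample; vpls3000 is a hypothetical instance with no mac-move block.
SAMPLE_CONFIG = """\
vpls mac-move enable detect 10 40
mpls vpls vpls2000 2000
 mac-move
  detect 10 10
  errdisable timeout-interval 120
  errdisable allow-mesh-pw-blocking
  exit-mac-move
 exit-vpls
mpls vpls vpls3000 3000
 exit-vpls
"""

def audit_mac_move(config_text):
    """Return {instance: settings} for every 'mpls vpls' block in a config."""
    global_detect, report, cur, in_mm = None, {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()  # tolerate configs that lost their indentation
        if m := re.fullmatch(r"vpls mac-move enable detect (\d+) (\d+)", line):
            global_detect = (int(m[1]), int(m[2]))
        elif m := re.fullmatch(r"mpls vpls (\S+) (\d+)", line):
            cur = report.setdefault(m[1], {"override": False, "detect": None,
                                           "timeout": None, "mesh_pw_blocking": False})
        elif cur is None:
            continue  # outside any VPLS block (also skips a stray exit-vpls)
        elif line == "exit-vpls":
            cur, in_mm = None, False
        elif line == "mac-move":
            in_mm, cur["override"] = True, True
        elif line == "exit-mac-move":
            in_mm = False
        elif in_mm and (m := re.fullmatch(r"detect (\d+) (\d+)", line)):
            cur["detect"] = (int(m[1]), int(m[2]))
        elif in_mm and (m := re.fullmatch(r"errdisable timeout-interval (\d+)", line)):
            cur["timeout"] = int(m[1])
        elif in_mm and line == "errdisable allow-mesh-pw-blocking":
            cur["mesh_pw_blocking"] = True
    for inst in report.values():
        # Assumption: an instance without its own detect line uses the global one.
        inst["effective_detect"] = inst["detect"] or global_detect
    return report

if __name__ == "__main__":
    for name, settings in audit_mac_move(SAMPLE_CONFIG).items():
        print(name, settings)
```

An instance whose effective_detect is None has neither a global nor a per-instance setting, which matches the documented default of Disabled.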
 
Validation
When a MAC move is seen on the Hub:
-----------------------------------------------
HUB#2025 Jan 22 11:12:34.684 : HUB : NSM : NOTIF : [IFMGR_ERR_DISABLE_UP_4]: Mesh with Peer 2.2.2.2 on VPLS instance vpls2000 recovered from operational shutdown
2025 Jan 22 11:12:34.687 : HUB : NSM : NOTIF : [NSM_MPLS_VPLS_PEER_STATE_CHANGE_4]: VPLS vpls2000 ID 2000 peer 2.2.2.2 changed state to up
2025 Jan 22 11:12:34.695 : HUB : NSM : CRITI : [IFMGR_ERR_DISABLE_DOWN_2]: Mesh with peer 3.3.3.3 on VPLS instance vpls2000 shutdown successfully
2025 Jan 22 11:12:34.697 : HUB : NSM : CRITI : [NSM_MPLS_VPLS_PEER_STATE_CHANGE_2]: VPLS vpls2000 ID 2000 peer 3.3.3.3 changed state to down (Reason: VPLS peer errdisable)
2025 Jan 22 11:12:37.196 : HUB : HSL : CRITI : L2 movement detected 221 times : sample MAC : 0000:0000:0009 from PEER : 2.2.2.2
 
Hub#show mpls vpls vpls2000
Virtual Private LAN Service Instance: vpls2000, ID: 2000
SIG-Protocol: LDP
Attachment-Circuit: UP
Learning: Enabled
Control-Word: Enabled
Flow Label Status: Enabled, Direction: Both, Static: No
Group ID: 0, VPLS Type: Ethernet VLAN, Configured MTU: 5000
Description: none
service-tpid: dot1.q
Operating mode: Tagged
Svlan Id: 0
Svlan Tpid: 8100
MAC Withdrawal:
 
Configured interfaces:
Interface: xe2.2000
Status: Up
Subinterface Match Criteria(s) :
dot1q 2000
 
Mesh Peers:
2.2.2.2 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: No) (Up) (UpTime: 2d00h01m)
FEC signaling element: FEC128
3.3.3.3 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: No) (Up) (UpTime: 01:44:45)
FEC signaling element: FEC128
Spoke Peers:
vc2000 (Dn) (Reason: VPLS peer errdisable)
 
When the MAC move is cleared on the Hub:
-------------------------------------------------
HUB#2025 Jan 22 11:17:34.697 : HUB : NSM : NOTIF : [IFMGR_ERR_DISABLE_UP_4]: Mesh with Peer 3.3.3.3 on VPLS instance vpls2000 recovered from operational shutdown
2025 Jan 22 11:17:34.700 : HUB : NSM : NOTIF : [NSM_MPLS_VPLS_PEER_STATE_CHANGE_4]: VPLS vpls2000 ID 2000 peer 3.3.3.3 changed state to up
 
Hub#show mpls vpls vpls2000
Virtual Private LAN Service Instance: vpls2000, ID: 2000
SIG-Protocol: LDP
Attachment-Circuit: UP
Learning: Enabled
Control-Word: Enabled
Flow Label Status: Enabled, Direction: Both, Static: No
Group ID: 0, VPLS Type: Ethernet VLAN, Configured MTU: 5000
Description: none
service-tpid: dot1.q
Operating mode: Tagged
Svlan Id: 0
Svlan Tpid: 8100
MAC Withdrawal:
 
Configured interfaces:
Interface: xe2.2000
Status: Up
Subinterface Match Criteria(s) :
dot1q 2000
 
Mesh Peers:
2.2.2.2 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: No) (Up) (UpTime: 2d00h01m)
FEC signaling element: FEC128
3.3.3.3 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: No) (Up) (UpTime: 01:44:45)
FEC signaling element: FEC128
 
Spoke Peers:
vc2000 (Dn) (Reason: VC on standby)
 
When a MAC move is seen on PE1:
----------------------------------------------------------
 
PE1#show mpls vpls vpls2001
Virtual Private LAN Service Instance: vpls2001, ID: 2001
SIG-Protocol: LDP
Attachment-Circuit: UP
Learning: Enabled
Control-Word: Enabled
Flow Label Status: Enabled, Direction: Both, Static: No
Group ID: 0, VPLS Type: Ethernet VLAN, Configured MTU: 5000
Description: none
service-tpid: dot1.q
Operating mode: Tagged
Svlan Id: 0
Svlan Tpid: 8100
MAC Withdrawal:
 
Configured interfaces:
Interface: xe16.2001
Status: Down
Subinterface Match Criteria(s) :
dot1q 2001
 
Mesh Peers:
3.3.3.3 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: Yes) (Up) (UpTime: 01:53:26)
FEC signaling element: FEC128
5.5.5.5 (Type: Ethernet VLAN) (Negotiated - CW: Yes, FAT: Yes) (Up) (UpTime: 2d00h09m)
FEC signaling element: FEC128
 
 
 
PE1#show interface brief | grep xe16.2001
xe16.2001 SUBINTERFACE -- -- down ED 10g -- No No
PE1#
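An added example, not part of the OcNOS documentation: a Python correlator that pairs the errdisable shutdown and recovery messages shown above per VPLS peer and extracts the L2 movement reports. The sample lines are copied from the Hub output in this section; only the Mesh message wording that appears on this page is matched.

```python
import re
from datetime import datetime

# Syslog lines copied from the Hub validation output above (two of them keep
# the CLI prompt that the console printed in front of the message).
SAMPLE_LOG = """\
HUB#2025 Jan 22 11:12:34.684 : HUB : NSM : NOTIF : [IFMGR_ERR_DISABLE_UP_4]: Mesh with Peer 2.2.2.2 on VPLS instance vpls2000 recovered from operational shutdown
2025 Jan 22 11:12:34.695 : HUB : NSM : CRITI : [IFMGR_ERR_DISABLE_DOWN_2]: Mesh with peer 3.3.3.3 on VPLS instance vpls2000 shutdown successfully
2025 Jan 22 11:12:37.196 : HUB : HSL : CRITI : L2 movement detected 221 times : sample MAC : 0000:0000:0009 from PEER : 2.2.2.2
HUB#2025 Jan 22 11:17:34.697 : HUB : NSM : NOTIF : [IFMGR_ERR_DISABLE_UP_4]: Mesh with Peer 3.3.3.3 on VPLS instance vpls2000 recovered from operational shutdown
"""

TS = r"(?P<ts>\d{4} \w{3} +\d+ [\d:.]+) : (?P<host>\S+) : "
ERRDIS = re.compile(TS + r".*\[IFMGR_ERR_DISABLE_(?P<dir>DOWN|UP)_\d\]: Mesh with "
                    r"peer (?P<peer>\S+) on VPLS instance (?P<vpls>\S+)", re.I)
MOVE = re.compile(TS + r".*L2 movement detected (?P<n>\d+) times : sample MAC : "
                  r"(?P<mac>\S+) from PEER : (?P<peer>\S+)")

def correlate(log_text):
    """Pair errdisable DOWN/UP events per (host, VPLS, peer); collect move reports."""
    down, outages, orphans, moves = {}, [], [], []
    for line in log_text.splitlines():
        if m := ERRDIS.search(line):
            key = (m["host"], m["vpls"], m["peer"])
            ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S.%f")
            if m["dir"].upper() == "DOWN":
                down.setdefault(key, ts)      # keep the first shutdown time
            elif key in down:
                outages.append((key, (ts - down.pop(key)).total_seconds()))
            else:
                orphans.append(key)           # recovery with no shutdown in the log
        elif m := MOVE.search(line):
            moves.append((m["host"], m["peer"], m["mac"], int(m["n"])))
    return {"outages": outages, "orphan_recoveries": orphans,
            "moves": moves, "still_down": sorted(down)}

if __name__ == "__main__":
    for k, v in correlate(SAMPLE_LOG).items():
        print(k, v)
```

On these lines the mesh PW to 3.3.3.3 is reported as down for about 300 seconds, and the recovery for 2.2.2.2 has no matching shutdown in the captured output.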
 
CLI Commands
MAC Move Protection introduces the following configuration commands.
vpls mac-move enable detect
Use this command to enable MAC address move detection within a VPLS environment with global configuration.
Use the no parameter of this command to disable MAC address move detection.
Command Syntax
vpls mac-move enable detect <1-1000> <5-300>
no vpls mac-move enable detect
Parameters
 
Default
Disabled
Command Mode
CONFIG mode
Applicability
Introduced in OcNOS version 6.6.0.
Example
The following example is for configuration of MAC move protection using global configuration:
#configure terminal
(config)#vpls mac-move enable detect 10 40
(config)#commit
mac-move
Use this command to enable MAC address move detection within a VPLS environment with VPLS MAC MOVE mode.
Use the no parameter of this command to disable MAC address move detection.
Command Syntax
mac-move detect (<1-1000> | <5-300>) | errdisable (allow-mesh-pw-blocking | timeout-interval <0-86400>)
no mac-move
Parameters
 
Default
Disabled
Command Mode
VPLS MAC MOVE mode
Applicability
Introduced in OcNOS version 6.6.0.
Example
The following example is for configuration of MAC move protection for a VPLS instance:
#configure terminal
(config)# mpls vpls vpls_test1 100
(config-vpls)#mac-move
(config-vpls-mac-move)# detect 10 60
(config-vpls-mac-move)# errdisable timeout-interval 120
(config-vpls-mac-move)# errdisable allow-mesh-pw-blocking
(config-vpls-mac-move)# exit-mac-move
(config-vpls)# exit-vpls
show mpls vpls mac-move name
Use this command to display the MAC address move configuration and status for the VPLS instance.
Command Syntax
show mpls vpls mac-move name
Parameters
 
Applicability
Introduced in OcNOS version 6.6.0.
Example
The following example shows the MAC address move status displayed for a VPLS instance:
#show mpls vpls mac-move name vpls26
Virtual Private LAN Service Instance: vpls26, ID:26
Mac Address          Move Count    Elapsed time

90:67:17:e2:46:74    29            00:17:35
 
Glossary
The following provides definitions for key terms or abbreviations and their meanings used throughout this document:
 
Key Terms/Acronym    Description
CLI                  Command Line Interface
H-VPLS               Hierarchical Virtual Private LAN Service
IGP                  Interior Gateway Protocol
ISIS                 Intermediate System to Intermediate System
OSPF                 Open Shortest Path First
BFD                  Bidirectional Forwarding Detection
VPLS                 Virtual Private LAN Service