Proxy-ARP/ND MAC List for Dynamic Entries

This chapter provides information about Proxy-ARP/ND MAC List for Dynamic Entries.

Applicability

This chapter was initially written based on SR OS Release 15.0.R4, but the MD-CLI in the current edition is based on SR OS Release 21.2.R2. Proxy-Address Resolution Protocol/Neighbor Discovery (proxy-ARP/ND) MAC list for dynamic entries is supported in SR OS Release 15.0.R1, and later.

Overview

In some EVPN networks, the use of static proxy-ARP/ND entries is preferred to dynamically learned entries. For example, this is the case with some Internet eXchange Points (IXPs) that use EVPN and proxy-ARP/ND technologies. The MAC address in the static entry can be a MAC address from a list of n preregistered MAC addresses. The advantage is that—in case of a router or card failure—the hardware can be replaced, and no reconfiguration is required if the new MAC address is within a list of allowed MAC addresses.

In SR OS, these allow lists are called MAC lists. The associated proxy-ARP/ND entries will not be added upon configuration, but dynamically through a resolve procedure. This follows draft-ietf-bess-evpn-proxy-arp-nd.

  • When the dynamic proxy-ARP/ND IP address with its associated MAC list is configured, the system sends a resolve message to all its non-EVPN peers.

  • The resolve message is an ARP request for IPv4, or a Neighbor Solicitation (NS) message for IPv6.

  • The resolve message is sent at a configurable interval between 1 and 60 minutes; the default is 5 minutes.

  • The system keeps sending resolve messages until a dynamic entry is created for the proxy-ARP/ND IP address. This entry is only created when two conditions are met:

    • An ARP/Gratuitous Address Resolution Protocol (GARP) or Neighbor Advertisement (NA) is received for the configured IP address.

    • The associated MAC address belongs to the MAC list configured for the IP address. If the MAC list is empty or not configured, the system will never create an entry for the IP address.

When the dynamic proxy-ARP/ND IP entry is created, the system advertises an EVPN-MAC update to its EVPN peers. The sticky bit will be set depending on how the corresponding MAC address is learned. If the MAC address is learned on a SAP/SDP-binding with Auto-Learn MAC Protect (ALMP) enabled, the EVPN-MAC route will be advertised as static.

Figure 1 shows an example of an IXP network that uses proxy-ARP/ND and a MAC list.

Figure 1. IXP with proxy-ARP/ND MAC list for dynamic entries

The ISP1 router with IP1 and MAC1 is connected to a PE in the core network that has proxy-ARP/ND enabled and a list of allowed MAC addresses. This MAC list contains four MAC addresses: MAC1 (for the hardware that is currently in use) and three MAC addresses for spares: MAC2, MAC3, and MAC4. The proxy-ARP/ND table will be populated as follows:

  • The PE floods a resolve message for the configured IP address for proxy-ARP/ND to its non-EVPN peers.

  • The ISP1 router that is connected to the network sends a GARP or ARP Reply message with IP1 and MAC1 that will be snooped by the PE.

  • The PE checks whether IP1 is configured as a dynamic proxy-ARP/ND entry and MAC1 is in the MAC list assigned to proxy-ARP/ND entry IP1.

    • If true, the IP1/MAC1 entry is created in the proxy-ARP/ND table and advertised in EVPN.

    • If the GARP message contains MAC5, which is not in the MAC allow list, no proxy-ARP/ND entry is created, and IP/MAC is not advertised. If proxy-arp>evpn>flood>gratuitous-arp false is configured, the GARP containing MAC5 will be discarded.

If after the proxy-ARP/ND creation, the corresponding MAC address is flushed from the Forwarding Database (FDB), the entry goes inactive. After the age-time, the inactive entry will age out and the resolve process will restart.

MAC lists are configured with the following command:

[ex:/configure service proxy-arp-nd mac-list]
A:admin@PE-2# list "ISP1" ?

 list

 apply-groups          - Apply a configuration group at this level
 apply-groups-exclude  - Exclude a configuration group at this level
 mac                   - Add a list entry for mac

The MAC list contains the allowed MAC addresses and can be associated in one or more services with a proxy-ARP/ND IP address. A MAC list is associated with dynamic proxy-ARP IP 1.1.1.1 with the following command:

[ex:/configure service vpls "EVI-1" proxy-arp dynamic-arp]
A:admin@PE-2# ip-address 1.1.1.1 ?

 ip-address

 apply-groups          - Apply a configuration group at this level
 apply-groups-exclude  - Exclude a configuration group at this level
 mac-list              - MAC list for the dynamic entry
 resolve-retry-time    - Frequency at which the resolve messages are sent

The configuration for proxy-ND is similar:

[ex:/configure service vpls "EVI-1" proxy-nd dynamic-neighbor]
A:admin@PE-2# ip-address 2001:db8::99 ?

 ip-address

 apply-groups          - Apply a configuration group at this level
 apply-groups-exclude  - Exclude a configuration group at this level
 mac-list              - MAC list for the dynamic entry
 resolve-retry-time    - Frequency at which the resolve messages are sent

  • The MAC list can be associated with multiple configured dynamic IP addresses:

    • In different services

    • In the same service, for proxy-ARP and proxy-ND

  • An empty MAC list can be configured and applied, but no proxy-ARP/ND entries will be created when the PE receives a GARP message containing a MAC address that is not in the allow list.

  • MAC lists can be modified at any time: MAC addresses can be added or removed even when the MAC lists are associated with configured dynamic IP addresses. If the MAC list changes, all the IP addresses associated with that MAC list will delete the proxy entries and restart the resolve process.

An existing dynamic proxy-ARP/ND entry IP1/MAC1 can be overridden when the system receives a GARP/ARP/NA for IP1 with another MAC address from the MAC list (IP1/MAC2). The system will first send a confirm message to check whether the old IP1/MAC1 is still reachable. Only when there is no answer, the entry IP1/MAC1 is replaced by IP1/MAC2. The existing duplicate-detect and confirm procedures are only applied for MAC address changes within the MAC list.

An existing dynamic proxy-ARP/ND entry IP1/MAC1 will be deleted when the system receives a GARP/ARP/NA IP1/MAC5 with a MAC address that is not contained in the MAC list. The GARP/ARP/NA message will be discarded and the resolve procedure is restarted.
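The create, replace, and delete rules described in this overview can be written as a small Python model. This is an added example, not SR OS code: the class and function names are assumptions, the :05 address is a constructed stand-in for MAC5, and keeping the old MAC when it answers the confirm message is inferred from the rule that replacement happens only when there is no answer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Result(Enum):
    NOT_CONFIGURED = "IP is not a configured dynamic entry"
    CREATED = "entry created and advertised in EVPN"
    UNCHANGED = "same IP/MAC, entry kept"
    PENDING = "listed MAC differs: confirm sent to the old MAC"
    REJECTED = "MAC not in list: no entry created"
    DELETED = "MAC not in list: entry deleted, resolve restarted"


def norm(mac: str) -> str:
    """Canonical form so 00-CA-FE-... and 00:ca:fe:... compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class Entry:
    list_name: str
    mac: Optional[str] = None      # None while the resolve procedure is running
    pending: Optional[str] = None  # candidate MAC waiting for the confirm result


class ProxyTable:
    """Model of the configured dynamic entries of one service (assumed names)."""

    def __init__(self, mac_lists):
        self.mac_lists = {n: {norm(m) for m in macs} for n, macs in mac_lists.items()}
        self.entries = {}

    def configure(self, ip, list_name):
        if list_name not in self.mac_lists:  # a non-existing list cannot be associated
            raise KeyError(f"MAC list {list_name!r} does not exist")
        self.entries[ip] = Entry(list_name)

    def receive(self, ip, mac):
        """Handle a snooped ARP/GARP/NA carrying ip/mac."""
        entry = self.entries.get(ip)
        if entry is None:
            return Result.NOT_CONFIGURED
        mac = norm(mac)
        if mac not in self.mac_lists[entry.list_name]:
            # An empty list lands here for every MAC, so no entry is ever created.
            existed = entry.mac is not None
            entry.mac = entry.pending = None  # back to resolving
            return Result.DELETED if existed else Result.REJECTED
        if entry.mac is None:
            entry.mac = mac
            return Result.CREATED
        if entry.mac == mac:
            return Result.UNCHANGED
        # The router displays the new MAC as pending; the model keeps the old
        # MAC bound until the confirm outcome is known.
        entry.pending = mac
        return Result.PENDING

    def confirm_done(self, ip, old_mac_replied):
        """Apply the confirm outcome; returns the MAC now bound to ip."""
        entry = self.entries[ip]
        if entry.pending is not None:
            if not old_mac_replied:  # replaced only when there is no answer
                entry.mac = entry.pending
            entry.pending = None
        return entry.mac

    def set_list(self, name, macs):
        """Changing a list deletes every associated entry and restarts resolve."""
        self.mac_lists[name] = {norm(m) for m in macs}
        reset = [ip for ip, e in self.entries.items() if e.list_name == name]
        for ip in reset:
            self.entries[ip].mac = self.entries[ip].pending = None
        return reset


def walk_through():
    """Replay the cases from the text; the :05 MAC is constructed for 'MAC5'."""
    ip = "172.16.0.99"
    isp2 = [f"00:ca:fe:99:02:0{i}" for i in range(1, 5)]
    table = ProxyTable({"ISP1": [], "ISP2": isp2})
    table.configure(ip, "ISP2")
    return [
        table.receive(ip, "00:ca:fe:99:02:05"),   # unlisted, nothing to delete
        table.receive(ip, "00:CA:FE:99:02:01"),   # listed: entry created
        table.receive(ip, "00:ca:fe:99:02:04"),   # listed spare: confirm first
        table.confirm_done(ip, old_mac_replied=False),
        table.receive(ip, "00:ca:fe:99:02:05"),   # unlisted: entry deleted
    ]


if __name__ == "__main__":
    for step in walk_through():
        print(step)
```
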

Configuration

Figure 2 shows the example topology with three PEs. ISP router 1 is connected to PE-2. MAC1 is used; MAC2, MAC3, and MAC4 correspond to spares.

Figure 2. Example topology

The initial configuration includes:

  • Cards, MDAs, ports

  • Router interfaces

  • IS-IS between the PEs (alternatively, OSPF can be used)

  • LDP between the PEs

BGP is enabled between the PEs for address family EVPN. The BGP configuration on PE-2 is as follows:

# on PE-2:
configure {
    router "Base" {
        autonomous-system 64500
        bgp {
            rapid-withdrawal true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "internal" {
                peer-as 64500
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.1" {
                group "internal"
            }
            neighbor "192.0.2.3" {
                group "internal"
            }
        }

VPLS 1 is configured on PE-2 as follows. The configuration on the other PEs is similar.

# on PE-2:
configure {
    service {
        vpls "EVI-1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp 1 {
            }
            bgp-evpn {
                evi 1
                mpls 1 {
                    admin-state enable
                    ingress-replication-bum-label true
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }
            sap 1/2/1:1 {
            }
            sap 1/2/1:3 {
            }
        }

MAC list

The following MAC lists are configured on PE-2: ISP1 is an empty list; ISP2 is a MAC list containing four MAC addresses.

# on PE-2:
configure {
    service {
        proxy-arp-nd {
            mac-list {
                list "ISP1" {
                }
                list "ISP2" {
                    mac 00:ca:fe:99:02:01 { }
                    mac 00:ca:fe:99:02:02 { }
                    mac 00:ca:fe:99:02:03 { }
                    mac 00:ca:fe:99:02:04 { }
                }
            }

The following command shows the configured MAC lists on PE-2, with the number of MAC addresses and the number of associations. None of the MAC lists has been associated with a proxy-ARP/ND IP entry, so the number of associations is zero.

[/]
A:admin@PE-2# show service proxy-arp-nd mac-list

===============================================================================
MAC List Information
===============================================================================
MAC List Name                      Last Change         Num Macs    Num Assocs
-------------------------------------------------------------------------------
ISP1                               05/11/2021 13:58:23  0           0
ISP2                               05/11/2021 14:03:41  4           0
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================

The following command shows the MAC addresses that are configured in MAC list ISP2. The timestamps show that all four MAC addresses were configured simultaneously, but MAC lists can be modified at any time.

[/]
A:admin@PE-2# show service proxy-arp-nd mac-list name "ISP2"

===============================================================================
MAC List MAC Addr Information
===============================================================================
MAC Addr                                Last Change
-------------------------------------------------------------------------------
00:ca:fe:99:02:01                       05/11/2021 14:03:41
00:ca:fe:99:02:02                       05/11/2021 14:03:41
00:ca:fe:99:02:03                       05/11/2021 14:03:41
00:ca:fe:99:02:04                       05/11/2021 14:03:41
-------------------------------------------------------------------------------
Number of Entries: 4
===============================================================================

MAC list associated with proxy-ARP/ND in VPLS

MAC lists can be associated with one or more services. An empty MAC list—such as ISP1—can be associated, but it is impossible to associate a non-existing MAC list with a service. The following error is raised when attempting to associate the non-existing MAC list ISP3 with proxy-ARP IP 1.1.1.1 in VPLS 1 on PE-2:

*[ex:/configure service vpls "EVI-1" proxy-arp dynamic-arp ip-address 1.1.1.1]
A:admin@PE-2# mac-list "ISP3"

*[ex:/configure service vpls "EVI-1" proxy-arp dynamic-arp ip-address 1.1.1.1]
A:admin@PE-2# commit
MINOR: MGMT_CORE #224: configure service vpls "EVI-1" proxy-arp dynamic-arp ip-address 1.1.1.1 mac-list - Entry does not exist - configure service proxy-arp-nd mac-list list "ISP3"

MAC list ISP2 is associated with proxy-ARP IP 172.16.0.99 and with proxy-ND IP 2001:db8::99 in VPLS 1 on PE-2, as follows:

# on PE-2:
configure {
    service {
        vpls "EVI-1" {
            proxy-arp {
                admin-state enable
                dynamic-populate true
                dynamic-arp {
                    ip-address 172.16.0.99 {
                        mac-list "ISP2"
                        resolve-retry-time 1
                    }
                }
            }
            proxy-nd {
                admin-state enable
                dynamic-populate true
                dynamic-neighbor {
                    ip-address 2001:db8::99 {
                        mac-list "ISP2"
                    }
                }
            }

For proxy-ARP IP 172.16.0.99, the resolve interval is 1 minute, which is the minimum; for proxy-ND IP 2001:db8::99, the resolve interval is the default of 5 minutes. In scaled environments, Nokia recommends using the default interval, or even configuring a longer interval. The proxy-ARP and proxy-ND tables can be populated with dynamic entries (dynamic-populate true).

The following command shows all associations for MAC list ISP2: two associations are defined in VPLS 1: one for IP address 172.16.0.99 and another for IP address 2001:db8::99.

[/]
A:admin@PE-2# show service proxy-arp-nd mac-list name "ISP2" associations

===============================================================================
MAC List Associations
===============================================================================
Service Id                    IP Addr
-------------------------------------------------------------------------------
1                             172.16.0.99
1                             2001:db8::99
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================

Different dynamic proxy-ARP/ND entries

A distinction is made between regular dynamic entries and configured dynamic entries:

  • No IP address needs to be configured for regular dynamic proxy-ARP/ND entries. Only the option dynamic-populate true needs to be configured.

  • IP address and MAC list need to be defined for configured proxy-ARP/ND entries.

Configured dynamic entries can override static and regular dynamic entries.

Regular dynamic proxy-ARP/ND entries can override configured dynamic entries.

EVPN entries cannot override configured dynamic entries, even though they can override regular dynamic entries.

Likewise, static entries can override regular dynamic entries, but they cannot override dynamic configured entries. The following error is raised when attempting to configure a static proxy-ARP entry for IP 172.16.0.99, which has already been configured as dynamic and associated with a MAC list.

*[ex:/configure service vpls "EVI-1" proxy-arp static-arp ip-address 172.16.0.99]
A:admin@PE-2# commit
MINOR: MGMT_CORE #258: configure service vpls "EVI-1" proxy-arp dynamic-arp ip-address 172.16.0.99 - Unique values required - configure service vpls "EVI-1" proxy-arp static-arp ip-address 172.16.0.99

Debugging

Debugging for both proxy-ARP/ND IP entries is enabled—in classic CLI—on PE-2 as follows:

# on PE-2:
debug
    service
        id 1
            proxy-arp ip 172.16.0.99
            proxy-nd ip 2001:db8::99
        exit
    exit
exit

When the dynamic proxy-ARP IP 172.16.0.99 is configured with MAC list "ISP2", PE-2 floods a resolve message—in this case, an ARP request—to all its non-EVPN peers. Router ISP1 replies. PE-2 advertises an EVPN-MAC update to its EVPN peers PE-1 and PE-3. PE-2 adds a dynamic proxy-ARP entry for 172.16.0.99 with MAC address 00:ca:fe:99:02:01. Router ISP1 sends a GARP message. The following messages are logged:

29 2021/05/11 14:11:39.920 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 flood resolve"

31 2021/05/11 14:11:39.922 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn advertise"

32 2021/05/11 14:11:39.922 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Added"

37 2021/05/11 14:11:40.020 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"

For proxy-ND, the following messages are logged:

30 2021/05/11 14:11:39.920 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 flood resolve"

33 2021/05/11 14:11:39.922 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:01 evpn advertise"

34 2021/05/11 14:11:39.922 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:01 Added"

38 2021/05/11 14:11:40.020 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"

The following command shows the proxy-ARP details for VPLS 1 on PE-2. The only proxy-ARP entry is for IP address 172.16.0.99 with MAC address 00:ca:fe:99:02:01.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail
-------------------------------------------------------------------------------
Proxy Arp
-------------------------------------------------------------------------------
Admin State       : enabled
Dyn Populate      : enabled
Age Time          : disabled            Send Refresh      : disabled
Table Size        : 250                 Total             : 1
Static Count      : 0                   EVPN Count        : 0
Dynamic Count     : 1                   Duplicate Count   : 0

Dup Detect
-------------------------------------------------------------------------------
Detect Window     : 3 mins              Num Moves         : 5
Hold down         : 9 mins
Anti Spoof MAC    : None

EVPN
-------------------------------------------------------------------------------
Garp Flood        : enabled             Req Flood         : enabled
Static Black Hole : disabled
EVPN Route Tag    : 0
-------------------------------------------------------------------------------

===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type      Status    Last Update
-------------------------------------------------------------------------------
172.16.0.99         00:ca:fe:99:02:01   dyn       active    05/11/2021 14:11:40
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

The following command shows the proxy-ND details for VPLS 1 on PE-2. The only proxy-ND entry is for IP address 2001:db8::99 with MAC address 00:ca:fe:99:02:01.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail
-------------------------------------------------------------------------------
Proxy ND
-------------------------------------------------------------------------------
Admin State       : enabled
Dyn Populate      : enabled
Age Time          : disabled            Send Refresh      : disabled
Table Size        : 250                 Total             : 1
Static Count      : 0                   EVPN Count        : 0
Dynamic Count     : 1                   Duplicate Count   : 0

Dup Detect
-------------------------------------------------------------------------------
Detect Window     : 3 mins              Num Moves         : 5
Hold down         : 9 mins
Anti Spoof MAC    : None

EVPN
-------------------------------------------------------------------------------
Unknown NS Flood  : enabled             ND Advertise      : Router
Rtr Unsol NA Flood: enabled             Host Unsol NA Fld : enabled
EVPN Route Tag    : 0
-------------------------------------------------------------------------------

===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address               Mac Address       Type Status Rtr/ Last Update
                                                       Host
-------------------------------------------------------------------------------
2001:db8::99             00:ca:fe:99:02:01 dyn  active Rtr  05/11/2021 14:11:40
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

The proxy-ARP in VPLS 1 contains the following dynamic entry.

[/]
A:admin@PE-2# show service id 1 proxy-arp dynamic

===============================================================================
Proxy ARP Dyn Cfg Summary
===============================================================================
IP Addr                                 Mac List
-------------------------------------------------------------------------------
172.16.0.99                             ISP2
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================

The following command shows the association for dynamic proxy-ARP IP address 172.16.0.99, with the configured resolve time in minutes and the remaining resolve time in seconds.

[/]
A:admin@PE-2# show service id 1 proxy-arp dynamic ip-address 172.16.0.99

===============================================================================
Proxy ARP Dyn Cfg Detail
===============================================================================
IP Addr        Mac List                           Resolve Time   Remaining
                                                  (mins)          Resolve Time
                                                                 (secs)
-------------------------------------------------------------------------------
172.16.0.99    ISP2                               1              0
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================

The remaining resolve time is zero seconds because a dynamic proxy-ARP entry has been created and that suspends the resolve mechanism.

The proxy-ND in VPLS 1 contains the following dynamic entry.

[/]
A:admin@PE-2# show service id 1 proxy-nd dynamic 

===============================================================================
Proxy ND Dyn Cfg Summary
===============================================================================
IP Addr                                 Mac List
-------------------------------------------------------------------------------
2001:db8::99                            ISP2
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================

The following command shows the association for dynamic proxy-ND IP 2001:db8::99.

[/]
A:admin@PE-2# show service id 1 proxy-nd dynamic ipv6-address 2001:db8::99 

===============================================================================
Proxy ND Dyn Cfg Detail
===============================================================================
IP Addr                                 Mac List
 Resolve Time(mins)                      Remaining Resolve Time(secs)
-------------------------------------------------------------------------------
2001:db8::99                            ISP2
5                                       0
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================

Tools command to trigger resolve procedure

The following tools command can be used to force the system to send a resolve message to its non-EVPN peers. The force option will trigger the resolve process even for existing entries in the proxy-ARP/ND table.

[/]
A:admin@PE-2# tools perform service id 1 proxy-arp dynamic-resolve ?

 dynamic-resolve all [force]
 dynamic-resolve <IP address> [force]

 [ip-address] (<ipv4-address> | <ipv6-address>)
 <ipv4-address>  - <d.d.d.d>
 <ipv6-address>  - (<x:x:x:x:x:x:x:x>|<x:x:x:x:x:x:d.d.d.d>)

 [ip-address]          - ipv4 address '<d.d.d.d>' or ipv6 address
 '(<x:x:x:x:x:x:x:x>|<x:x:x:x:x:x:d.d.d.d>)'
 all                   - <keyword>
 force                 - <keyword>

[/]
A:admin@PE-2# tools perform service id 1 proxy-nd dynamic-resolve ?

 dynamic-resolve all [force]
 dynamic-resolve <ipv6 address> [force]

 [ipv6-address] <ipv6-address>
 x:x:x:x:x:x:x:x   (eight 16-bit pieces)
 x:x:x:x:x:x:d.d.d.d
 x - [0..FFFF]H
 d - [0..255]D


    Attribute ipv6-address for dynamic-resolve

 [ipv6-address]        - Attribute ipv6-address for dynamic-resolve
 all                   - <keyword>
 force                 - <keyword>

Some examples:

[/]
A:admin@PE-2# tools perform service id 1 proxy-arp dynamic-resolve 172.16.0.99 

[/]
A:admin@PE-2# tools perform service id 1 proxy-arp dynamic-resolve 172.16.0.99 force

[/]
A:admin@PE-2# tools perform service id 1 proxy-arp dynamic-resolve all 

[/]
A:admin@PE-2# tools perform service id 1 proxy-arp dynamic-resolve all force
 
[/]
A:admin@PE-2# tools perform service id 1 proxy-nd dynamic-resolve 2001:db8::99 

[/]
A:admin@PE-2# tools perform service id 1 proxy-nd dynamic-resolve 2001:db8::99 force

[/]
A:admin@PE-2# tools perform service id 1 proxy-nd dynamic-resolve all 

[/]
A:admin@PE-2# tools perform service id 1 proxy-nd dynamic-resolve all force

Inactive proxy-ARP/ND entries

When the MAC address is flushed from the FDB, the proxy-ARP/ND entries become inactive.

[/]
A:admin@PE-2# clear service id 1 fdb mac 00:ca:fe:99:02:01
[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type      Status    Last Update
-------------------------------------------------------------------------------
172.16.0.99         00:ca:fe:99:02:01   dyn       inActv    05/11/2021 14:16:37
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match 2001:db8::99 pre-lines 7 post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address               Mac Address       Type Status Rtr/ Last Update
                                                       Host
-------------------------------------------------------------------------------
2001:db8::99             00:ca:fe:99:02:01 dyn  inActv Rtr  05/11/2021 14:16:37
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

By default, aging is disabled, and the entries remain in the inactive status until the MAC address is learned again. However, if aging is enabled, the inactive proxy-ARP/ND entry will age out. After the entry is deleted, the system sends a resolve message. When the ISP1 router replies, the entry is created again in the proxy-ARP/ND table. The age time is configured in seconds with the following command:

[ex:/configure service vpls "EVI-1" proxy-arp]
A:admin@PE-2# age-time ?

 age-time (<number> | <keyword>)
 <number>   - <60..86400>  - seconds
 <keyword>  - never        - seconds
 Default    - never

    Aging timer for proxy entries, where entries are flushed upon timer expiry

# on PE-2:
configure {
    service {
        vpls "EVI-1" {
            proxy-arp {
                age-time 60
            }
            proxy-nd {
                age-time 60
            }

The following debug messages for proxy ARP IP 172.16.0.99 show that an EVPN-MAC withdraw message is sent (when the MAC address is flushed from the FDB) and—after time-out—the proxy-ARP entry is deleted. PE-2 sends a resolve message to all its non-EVPN peers. Router ISP1 replies and the proxy-ARP entry is created again; an EVPN-MAC update is sent to the EVPN peers. Similar debug messages occur for proxy-ND.

57 2021/05/11 14:16:48.589 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn withdraw"

62 2021/05/11 14:18:33.620 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Deleted"

64 2021/05/11 14:18:33.720 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 flood resolve"

65 2021/05/11 14:18:33.722 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn advertise"

66 2021/05/11 14:18:33.722 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Added"

71 2021/05/11 14:18:33.820 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"

The following command shows that the entry is created again with active status.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type      Status    Last Update
-------------------------------------------------------------------------------
172.16.0.99         00:ca:fe:99:02:01   dyn       active    05/11/2021 14:19:34
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

MAC address replacement

When the system receives a GARP/ARP/NA for the same IP address, but with another MAC address from the MAC list, it will first send a confirm message to ensure that the old MAC address is not used anymore for the IP address. If the existing proxy-ARP/ND entry is IP1/MAC1 and a GARP/ARP/NA message is received for IP1/MAC4, the system sends an EVPN-MAC withdraw message for MAC1 and changes MAC1 to MAC4 for proxy-ARP/ND IP1, but the status is pending (pendng), as follows:

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type      Status    Last Update
-------------------------------------------------------------------------------
172.16.0.99         00:ca:fe:99:02:04   dyn       pendng    05/11/2021 14:23:32
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match 2001:db8::99 pre-lines 7 post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address               Mac Address       Type Status Rtr/ Last Update
                                                       Host
-------------------------------------------------------------------------------
2001:db8::99             00:ca:fe:99:02:04 dyn  pendng Rtr  05/11/2021 14:23:31
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

The system sends a confirm message (unicast ARP request) for the old entry IP1/MAC1 to ensure that there is no duplication. If MAC1 does not reply, there is no duplication: an EVPN-MAC route is advertised for MAC4 and the status of the proxy-ARP entry IP1/MAC4 changes to active. The following debug messages are logged for proxy-ARP 172.16.0.99:

151 2021/05/11 14:23:29.394 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn withdraw"

152 2021/05/11 14:23:29.394 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 Mac Change: 00:ca:fe:99:02:01->00:ca:fe:99:02:04 "

157 2021/05/11 14:23:29.520 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 confirm"

160 2021/05/11 14:23:59.520 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:04 evpn advertise"

The final status of the proxy-ARP IP 172.16.0.99 is active, as follows:

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 
                                                                     post-lines 3
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type      Status    Last Update
-------------------------------------------------------------------------------
172.16.0.99         00:ca:fe:99:02:04   dyn       active    05/11/2021 14:24:34
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================

The mechanism is similar for proxy-ND.

The behavior is different when the system receives a GARP/ARP/NA for the IP address with a MAC address that is not contained in the MAC list. The GARP/ARP/NA message is discarded, the proxy-ARP/ND entry is deleted, and the resolve procedure is restarted.

Modified MAC list

MAC lists can be modified at any time, as follows:

# on PE-2:
configure {
    service {
        proxy-arp-nd {
            mac-list {
                list "ISP2" {
                    mac 00:ca:fe:99:02:05 { }
                }
            }
        }
    }
}

[/]
A:admin@PE-2# show service proxy-arp-nd mac-list name "ISP2"

===============================================================================
MAC List MAC Addr Information
===============================================================================
MAC Addr                                Last Change
-------------------------------------------------------------------------------
00:ca:fe:99:02:01                       05/11/2021 14:03:41
00:ca:fe:99:02:02                       05/11/2021 14:03:41
00:ca:fe:99:02:03                       05/11/2021 14:03:41
00:ca:fe:99:02:04                       05/11/2021 14:03:41
00:ca:fe:99:02:05                       05/11/2021 14:25:23
-------------------------------------------------------------------------------
Number of Entries: 5
===============================================================================

The timestamps show when the different MAC addresses were added to the MAC list.

When the MAC list ISP2 is modified, proxy-ARP entry 172.16.0.99 and proxy-ND entry 2001:db8::99 are deleted, an EVPN-MAC withdraw message is sent, and the resolve procedure is restarted. The following log messages are generated for proxy-ND 2001:db8::99:

182 2021/05/11 14:25:23.153 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:04 evpn withdraw"

183 2021/05/11 14:25:23.153 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Deleted"

187 2021/05/11 14:25:23.320 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 flood resolve"

190 2021/05/11 14:25:23.322 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:04 evpn advertise"

191 2021/05/11 14:25:23.322 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Added"

195 2021/05/11 14:25:23.420 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Gratuitous Update"
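
An added example, not part of the original chapter or of SR OS: a Python parser for the three-line proxy-ARP and proxy-ND debug records shown in the two log excerpts above (MAC address replacement and modified MAC list). It flags any logged install or advertisement whose MAC address is missing from a reference copy of the MAC list. The function names, the set of actions treated as an install, and record 900 are assumptions made for the example.

```python
import re
from datetime import datetime

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
HEADER = re.compile(r"^\d+ (\S+ \S+) \S+ MINOR: DEBUG #2001 Base proxy (arp|nd)$")
BODY = re.compile(r'^svc: (\d+) ip: (\S+) (.*?)\s*"$')
ACTIONS = ("evpn withdraw", "evpn advertise", "Mac Change", "confirm",
           "flood resolve", "Deleted", "Added", "Gratuitous Update")
# Assumption: these actions mean a MAC was installed or advertised for the IP.
INSTALLS = {"evpn advertise", "Mac Change", "Added", "Gratuitous Update"}

def parse(text):
    """Parse three-line proxy-ARP/ND debug records into event dicts."""
    events, head = [], None
    for line in map(str.strip, text.splitlines()):
        if HEADER.match(line):
            head = HEADER.match(line)
        elif head and BODY.match(line):
            svc, ip, rest = BODY.match(line).groups()
            events.append({
                "time": datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S.%f"),
                "proto": head.group(2), "svc": int(svc), "ip": ip,
                "macs": re.findall(MAC, rest.lower()),  # old, new for Mac Change
                "action": next((a for a in ACTIONS if a in rest), "other")})
            head = None
    return events

def off_list(events, mac_list):
    """Events that install or advertise a MAC that is not in the MAC list."""
    return [e for e in events if e["action"] in INSTALLS
            and e["macs"] and e["macs"][-1] not in mac_list]

ISP2 = {f"00:ca:fe:99:02:0{i}" for i in range(1, 6)}  # list shown on the page
# Records 152, 160 and 191 are from the page; record 900 is constructed.
SAMPLE = '''152 2021/05/11 14:23:29.394 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 Mac Change: 00:ca:fe:99:02:01->00:ca:fe:99:02:04 "
160 2021/05/11 14:23:59.520 CEST MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:04 evpn advertise"
191 2021/05/11 14:25:23.322 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Added"
900 2021/05/11 15:00:00.000 CEST MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:09 evpn advertise"'''
```

Calling `off_list(parse(SAMPLE), ISP2)` returns only the constructed record 900, whose MAC address 00:ca:fe:99:02:09 is not in the list.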

Conclusion

MAC lists can be associated with configured dynamic proxy-ARP/ND IP addresses. The actual proxy entries are only created after a GARP/ARP/NA message is received for the IP address with one of the MAC addresses from the MAC list.

This tool complements the SR OS EVPN proxy-ARP/ND solution for providers present at IXPs.