Proxy-ARP/ND MAC List for Dynamic Entries
This chapter provides information about Proxy-ARP/ND MAC List for Dynamic Entries.
Applicability
This chapter was initially written based on SR OS Release 15.0.R4, but the CLI in the current edition is based on SR OS Release 21.2.R2. Proxy-Address Resolution Protocol/Neighbor Discovery (proxy-ARP/ND) MAC list for dynamic entries is supported in SR OS Release 15.0.R1, and later.
Overview
In some EVPN networks, the use of static proxy-ARP/ND entries is preferred to dynamically learned entries. For example, this is the case with some Internet eXchange Points (IXPs) that use EVPN and proxy-ARP/ND technologies. The MAC address in the static entry can be a MAC address from a list of n preregistered MAC addresses. The advantage is that—in case of a router or card failure—the hardware can be replaced, and no reconfiguration is required if the new MAC address is within a list of allowed MAC addresses.
In SR OS, these allow lists are called MAC lists. The associated proxy-ARP/ND entries will not be added upon configuration, but dynamically through a resolve procedure. This follows draft-ietf-bess-evpn-proxy-arp-nd.
When the dynamic proxy-ARP/ND IP address with its associated MAC list is configured, the system sends a resolve message to all its non-EVPN peers.
The resolve message is an ARP request for IPv4, or a Neighbor Solicitation (NS) message for IPv6.
The resolve message is sent at a configurable interval between 1 and 60 minutes; the default is 5 minutes.
The system keeps sending resolve messages until a dynamic entry is created for the proxy-ARP/ND IP address. This entry is only created when two conditions are met:
An ARP/Gratuitous Address Resolution Protocol (GARP) or Neighbor Advertisement (NA) is received for the configured IP address.
The associated MAC address belongs to the MAC list configured for the IP address. If the MAC list is empty or not configured, the system will never create an entry for the IP address.
When the dynamic proxy-ARP/ND IP entry is created, the system advertises an EVPN-MAC update to its EVPN peers. The sticky bit will be set depending on how the corresponding MAC address is learned. If the MAC address is learned on a SAP/SDP-binding with Auto-Learn MAC Protect (ALMP) enabled, the EVPN-MAC route will be advertised as static.
Figure "IXP with proxy-ARP/ND MAC list for dynamic entries" shows an example of an IXP network that uses proxy-ARP/ND and a MAC list.
The ISP1 router with IP1 and MAC1 is connected to a PE in the core network that has proxy-ARP/ND enabled and a list of allowed MAC addresses. This MAC list contains four MAC addresses: MAC1 (for the hardware that is currently in use) and three MAC addresses for spares: MAC2, MAC3, and MAC4. The proxy-ARP/ND table will be populated as follows:
The PE floods a resolve message for the configured IP address for proxy-ARP/ND to its non-EVPN peers.
The ISP1 router that is connected to the network sends a GARP or ARP Reply message with IP1 and MAC1 that will be snooped by the PE.
The PE checks whether IP1 is configured as a dynamic proxy-ARP/ND entry and MAC1 is in the MAC list assigned to proxy-ARP/ND entry IP1.
If true, the IP1/MAC1 entry is created in the proxy-ARP/ND table and advertised in EVPN.
If the GARP message contains MAC5, which is not in the MAC allow list, no proxy-ARP/ND entry is created, and IP/MAC is not advertised. If no garp-flood-evpn is configured, the GARP containing MAC5 will be discarded.
If, after the proxy-ARP/ND entry is created, the corresponding MAC address is flushed from the Forwarding Database (FDB), the entry becomes inactive. After the age-time, the inactive entry will age out and the resolve process will restart.
MAC lists are configured with the following command:
*A:PE-2>config>service>proxy-arp-nd# mac-list ?
- mac-list <name> [create]
- no mac-list <name>
<name> : [32 chars max]
<create> : keyword
[no] mac - Configure proxy ARP/ND MAC address information
The MAC list contains the allowed MAC addresses and can be associated in one or more services with a proxy-ARP/ND IP address. A MAC list is associated with dynamic proxy-ARP IP 1.1.1.1 with the following command:
*A:PE-2>config>service>vpls>proxy-arp# dynamic 1.1.1.1 create ?
- dynamic <ip-address> [create]
- no dynamic <ip-address>
<ip-address> : a.b.c.d
<create> : keyword
[no] mac-list - Configure MAC list
resolve - Configure address resolve time in minutes
The configuration for proxy-ND is similar:
*A:PE-2>config>service>vpls>proxy-nd# dynamic 2001:db8::99 create ?
- dynamic <ipv6-address> [create]
- no dynamic <ipv6-address>
<ipv6-address> : x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
<create> : keyword
[no] mac-list - Configure MAC list
resolve - Configure address resolve time in minutes
The MAC list can be associated with multiple configured dynamic IP addresses:
In different services
In the same service, for proxy-ARP and proxy-ND
An empty MAC list can be configured and applied, but no proxy-ARP/ND entries will be created when the PE receives a GARP message containing a MAC address that is not in the allow list.
MAC lists can be modified at any time: MAC addresses can be added or removed even when the MAC lists are associated with configured dynamic IP addresses. If the MAC list changes, all the IP addresses associated with that MAC list will delete the proxy entries and restart the resolve process.
An existing dynamic proxy-ARP/ND entry IP1/MAC1 can be overridden when the system receives a GARP/ARP/NA for IP1 with another MAC address from the MAC list (IP1/MAC2). The system will first send a confirm message to check whether the old IP1/MAC1 is still reachable. Only when there is no answer is the entry IP1/MAC1 replaced by IP1/MAC2. The existing dup-detect and confirm procedures are only applied for MAC address changes within the MAC list.
An existing dynamic proxy-ARP/ND entry IP1/MAC1 will be deleted when the system receives a GARP/ARP/NA IP1/MAC5 with a MAC address that is not contained in the MAC list. The GARP/ARP/NA message will be discarded and the resolve procedure is restarted.
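The acceptance rules described in this overview can be modelled as a small state machine. The following Python sketch is an added example, not SR OS code; the class, its method names, the returned decision strings and the RESOLVING state name are assumptions made for illustration, and the case where the old MAC answers the confirm message is not modelled.

```python
from typing import Iterable, List, Optional

# Status strings as printed by "show service id 1 proxy-arp detail", plus
# RESOLVING for "no entry yet" (a name chosen for this sketch).
RESOLVING, ACTIVE, PENDING, INACTIVE = "resolving", "active", "pendng", "inActv"

# MAC list ISP2 as configured in this chapter.
ISP2 = {"00:ca:fe:99:02:01", "00:ca:fe:99:02:02",
        "00:ca:fe:99:02:03", "00:ca:fe:99:02:04"}


def norm(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC for comparisons."""
    return mac.strip().lower().replace("-", ":")


class ConfiguredDynamicEntry:
    """Model of one 'dynamic <ip> create' entry and its associated MAC list."""

    def __init__(self, ip: str, mac_list: Iterable[str]):
        self.ip = ip
        self.mac_list = {norm(m) for m in mac_list}
        self.status = RESOLVING
        self.mac: Optional[str] = None
        self.actions: List[str] = ["flood resolve"]    # what the PE would emit

    def _delete_and_resolve(self) -> None:
        if self.status == ACTIVE:                      # a route is only out while active
            self.actions.append(f"evpn withdraw {self.mac}")
        self.status, self.mac = RESOLVING, None
        self.actions.append("flood resolve")

    def on_advertisement(self, mac: str) -> str:
        """Snooped ARP reply, GARP or NA for self.ip that carries `mac`."""
        mac = norm(mac)
        if mac not in self.mac_list:                   # always true for an empty list
            if self.mac is None:
                return "rejected"                      # no entry, nothing advertised
            self._delete_and_resolve()                 # existing entry is removed
            return "deleted"
        if self.mac is None:
            self.mac, self.status = mac, ACTIVE
            self.actions.append(f"evpn advertise {mac}")
            return "created"
        if mac == self.mac:
            if self.status == INACTIVE:                # MAC learned again after a flush
                self.status = ACTIVE
                self.actions.append(f"evpn advertise {mac}")  # assumed re-advertise
            return "refreshed"
        old = self.mac                                 # another MAC from the same list
        if self.status == ACTIVE:
            self.actions.append(f"evpn withdraw {old}")
        self.mac, self.status = mac, PENDING           # shown as "pendng" in the table
        self.actions.append(f"confirm {old}")
        return "pending"

    def on_confirm_timeout(self) -> None:
        """No reply from the old MAC: the pending MAC becomes active."""
        if self.status == PENDING:
            self.status = ACTIVE
            self.actions.append(f"evpn advertise {self.mac}")

    def on_fdb_flush(self) -> None:
        """MAC flushed from the FDB: the entry goes inactive."""
        if self.status == ACTIVE:
            self.actions.append(f"evpn withdraw {self.mac}")
            self.status = INACTIVE

    def on_age_out(self) -> None:
        """age-time expired for an inactive entry: delete it and resolve again."""
        if self.status == INACTIVE:
            self._delete_and_resolve()

    def on_mac_list_change(self, new_list: Iterable[str]) -> None:
        """Any change to the MAC list deletes the entry and restarts resolve."""
        self.mac_list = {norm(m) for m in new_list}
        self._delete_and_resolve()


if __name__ == "__main__":
    entry = ConfiguredDynamicEntry("172.16.0.99", ISP2)
    for mac in ("00:ca:fe:99:02:01", "00:ca:fe:99:02:04"):
        print(mac, "->", entry.on_advertisement(mac), entry.status)
    entry.on_confirm_timeout()
    print("00:ca:fe:99:02:05", "->", entry.on_advertisement("00:ca:fe:99:02:05"))
    print(entry.actions)
```
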
Configuration
Figure "Example topology" shows the example topology with three PEs. ISP router 1 is connected to PE-2. MAC1 is used; MAC2, MAC3, and MAC4 correspond to spares.
The initial configuration includes:
Cards, MDAs, ports
Router interfaces
IS-IS between the PEs (alternatively, OSPF can be used)
LDP between the PEs
BGP is enabled between the PEs for address family EVPN. The BGP configuration on PE-2 is as follows:
# on PE-2:
configure
router Base
autonomous-system 64500
bgp
rapid-withdrawal
split-horizon
rapid-update evpn
group "internal"
family evpn
peer-as 64500
neighbor 192.0.2.1
exit
neighbor 192.0.2.3
exit
exit
exit
VPLS 1 is configured on PE-2 as follows. The configuration on the other PEs is similar.
# on PE-2:
configure
service
vpls 1 name "EVI-1" customer 1 create
bgp
exit
bgp-evpn
evi 1
mpls bgp 1
ingress-replication-bum-label
auto-bind-tunnel
resolution any
exit
no shutdown
exit
exit
stp
shutdown
exit
sap 1/2/1:1 create
no shutdown
exit
sap 1/2/1:3 create
no shutdown
exit
no shutdown
exit
MAC list
The following MAC lists are configured on PE-2: ISP1 is an empty list; ISP2 is a MAC list containing four MAC addresses.
# on PE-2:
configure
service
proxy-arp-nd
mac-list "ISP1" create
exit
mac-list "ISP2" create
mac 00:ca:fe:99:02:01
mac 00:ca:fe:99:02:02
mac 00:ca:fe:99:02:03
mac 00:ca:fe:99:02:04
exit
The following command shows the configured MAC lists on PE-2, with the number of MAC addresses and the number of associations. None of the MAC lists has been associated with a proxy-ARP/ND IP entry, so the number of associations is zero.
*A:PE-2# show service proxy-arp-nd mac-list
===============================================================================
MAC List Information
===============================================================================
MAC List Name Last Change Num Macs Num Assocs
-------------------------------------------------------------------------------
ISP1 05/10/2021 14:25:45 0 0
ISP2 05/10/2021 14:28:40 4 0
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
The following command shows the MAC addresses that are configured in MAC list ISP2. The timestamps show that all four MAC addresses were configured simultaneously, but MAC lists can be modified at any time.
*A:PE-2# show service proxy-arp-nd mac-list "ISP2"
===============================================================================
MAC List MAC Addr Information
===============================================================================
MAC Addr Last Change
-------------------------------------------------------------------------------
00:ca:fe:99:02:01 05/10/2021 14:28:40
00:ca:fe:99:02:02 05/10/2021 14:28:40
00:ca:fe:99:02:03 05/10/2021 14:28:40
00:ca:fe:99:02:04 05/10/2021 14:28:40
-------------------------------------------------------------------------------
Number of Entries: 4
===============================================================================
MAC list associated with proxy-ARP/ND in VPLS
MAC lists can be associated with one or more services. An empty MAC list—such as ISP1—can be associated, but it is impossible to associate a non-existing MAC list with a service. The following error is raised when attempting to associate the non-existing MAC list ISP3 with proxy-ARP IP 1.1.1.1 in VPLS 1 on PE-2:
*A:PE-2>config>service>vpls>proxy-arp>dynamic$ mac-list "ISP3"
MINOR: SVCMGR #8372 Cannot modify dynamic configured proxy arp entry - invalid mac-list
MAC list ISP2 is associated with proxy-ARP IP 172.16.0.99 and with proxy-ND IP 2001:db8::99 in VPLS 1 on PE-2, as follows:
# on PE-2:
configure
service
vpls "EVI-1"
proxy-arp
dynamic-arp-populate
dynamic 172.16.0.99 create
mac-list ISP2
resolve 1
exit
no shutdown
exit
proxy-nd
dynamic-nd-populate
evpn-nd-advertise router
dynamic 2001:db8::99 create
mac-list ISP2
exit
no shutdown
exit
For proxy-ARP IP 172.16.0.99, the resolve interval is 1 minute, which is the minimum; for proxy-ND IP 2001:db8::99, the resolve interval is the default of 5 minutes. In scaled environments, Nokia recommends using the default interval, or even configuring a longer interval. The proxy-ARP and proxy-ND tables can be populated with dynamic entries (dynamic-arp-populate/dynamic-nd-populate).
The following command shows all associations for MAC list ISP2: two associations are defined in VPLS 1: one for IP address 172.16.0.99 and another for IP address 2001:db8::99.
*A:PE-2# show service proxy-arp-nd mac-list "ISP2" associations
===============================================================================
MAC List Associations
===============================================================================
Service Id IP Addr
-------------------------------------------------------------------------------
1 172.16.0.99
1 2001:db8::99
-------------------------------------------------------------------------------
Number of Entries: 2
===============================================================================
Different dynamic proxy-ARP/ND entries
A distinction is made between regular dynamic entries and configured dynamic entries:
No IP address needs to be configured for regular dynamic proxy-ARP/ND entries. Only the option dynamic-arp-populate/dynamic-nd-populate needs to be configured.
IP address and MAC list need to be defined for configured proxy-ARP/ND entries.
Configured dynamic entries can override static and regular dynamic entries.
Regular dynamic proxy-ARP/ND entries can override configured dynamic entries.
EVPN entries cannot override configured dynamic entries, even though they can override regular dynamic entries.
Likewise, static entries can override regular dynamic entries, but they cannot override dynamic configured entries. The following error is raised when attempting to configure a static proxy-ARP entry for IP 172.16.0.99, which has already been configured as dynamic and associated with a MAC list.
*A:PE-2>config>service>vpls>proxy-arp# static 172.16.0.99 aa:bb:cc:99:02:02
MINOR: SVCMGR #8011 Cannot create static proxy arp entry - Dynamic configured entry exists
Debugging
Debugging for both proxy-ARP/ND IP entries is enabled on PE-2 as follows:
# on PE-2:
debug
service
id 1
proxy-arp ip 172.16.0.99
proxy-nd ip 2001:db8::99
exit
exit
exit
When the dynamic proxy-ARP IP 172.16.0.99 is configured with MAC list "ISP2", PE-2 floods a resolve message—in this case, an ARP request—to all its EVPN peers. Router ISP1 replies. PE-2 advertises an EVPN-MAC update to its EVPN peers PE-1 and PE-3. PE-2 adds a dynamic proxy-ARP entry for 172.16.0.99 with MAC address 00:ca:fe:99:02:01. Router ISP1 sends a GARP message. The following messages are logged:
49 2021/05/10 14:32:18.859 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 flood resolve"
50 2021/05/10 14:32:18.862 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn advertise"
51 2021/05/10 14:32:18.862 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Added"
54 2021/05/10 14:32:18.959 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"
For proxy-ND, the following messages are logged:
55 2021/05/10 14:32:19.859 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 flood resolve"
56 2021/05/10 14:32:19.862 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:01 evpn advertise"
57 2021/05/10 14:32:19.862 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:01 Added"
60 2021/05/10 14:32:19.959 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"
The following command shows the proxy-ARP details for VPLS 1 on PE-2. The only proxy-ARP entry is for IP address 172.16.0.99 with MAC address 00:ca:fe:99:02:01.
*A:PE-2# show service id 1 proxy-arp detail
-------------------------------------------------------------------------------
Proxy Arp
-------------------------------------------------------------------------------
Admin State : enabled
Dyn Populate : enabled
Age Time : disabled Send Refresh : disabled
Table Size : 250 Total : 1
Static Count : 0 EVPN Count : 0
Dynamic Count : 1 Duplicate Count : 0
Dup Detect
-------------------------------------------------------------------------------
Detect Window : 3 mins Num Moves : 5
Hold down : 9 mins
Anti Spoof MAC : None
EVPN
-------------------------------------------------------------------------------
Garp Flood : enabled Req Flood : enabled
Static Black Hole : disabled
EVPN Route Tag : 0
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address Mac Address Type Status Last Update
-------------------------------------------------------------------------------
172.16.0.99 00:ca:fe:99:02:01 dyn active 05/10/2021 14:32:19
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
The following command shows the proxy-ND details for VPLS 1 on PE-2. The only proxy-ND entry is for IP address 2001:db8::99 with MAC address 00:ca:fe:99:02:01.
*A:PE-2# show service id 1 proxy-nd detail
-------------------------------------------------------------------------------
Proxy ND
-------------------------------------------------------------------------------
Admin State : enabled
Dyn Populate : enabled
Age Time : disabled Send Refresh : disabled
Table Size : 250 Total : 1
Static Count : 0 EVPN Count : 0
Dynamic Count : 1 Duplicate Count : 0
Dup Detect
-------------------------------------------------------------------------------
Detect Window : 3 mins Num Moves : 5
Hold down : 9 mins
Anti Spoof MAC : None
EVPN
-------------------------------------------------------------------------------
Unknown NS Flood : enabled ND Advertise : Router
Rtr Unsol NA Flood: enabled Host Unsol NA Fld : enabled
EVPN Route Tag : 0
-------------------------------------------------------------------------------
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address Mac Address Type Status Rtr/ Last Update
Host
-------------------------------------------------------------------------------
2001:db8::99 00:ca:fe:99:02:01 dyn active Rtr 05/10/2021 14:32:20
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
The proxy-ARP in VPLS 1 contains the following dynamic entry.
*A:PE-2# show service id 1 proxy-arp dynamic
===============================================================================
Proxy ARP Dyn Cfg Summary
===============================================================================
IP Addr Mac List
-------------------------------------------------------------------------------
172.16.0.99 ISP2
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
The following command shows the association for dynamic proxy-ARP IP address 172.16.0.99, with the configured resolve time in minutes and the remaining resolve time in seconds.
*A:PE-2# show service id 1 proxy-arp dynamic 172.16.0.99
===============================================================================
Proxy ARP Dyn Cfg Detail
===============================================================================
IP Addr Mac List Resolve Time Remaining
(mins) Resolve Time
(secs)
-------------------------------------------------------------------------------
172.16.0.99 ISP2 1 0
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
The remaining resolve time is zero seconds because a dynamic proxy-ARP entry has been created and that suspends the resolve mechanism.
The proxy-ND in VPLS 1 contains the following dynamic entry.
*A:PE-2# show service id 1 proxy-nd dynamic
===============================================================================
Proxy ND Dyn Cfg Summary
===============================================================================
IP Addr Mac List
-------------------------------------------------------------------------------
2001:db8::99 ISP2
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
The following command shows the association for dynamic proxy-ND IP 2001:db8::99.
*A:PE-2# show service id 1 proxy-nd dynamic 2001:db8::99
===============================================================================
Proxy ND Dyn Cfg Detail
===============================================================================
IP Addr Mac List
Resolve Time(mins) Remaining Resolve Time(secs)
-------------------------------------------------------------------------------
2001:db8::99 ISP2
5 0
-------------------------------------------------------------------------------
Number of Entries: 1
===============================================================================
Tools command to trigger resolve procedure
The following tools command can be used to force the system to send a resolve message to its non-EVPN peers. The force option will trigger the resolve process even for existing entries in the proxy-ARP/ND table.
*A:PE-2# tools perform service id 1 proxy-arp dynamic-resolve ?
- dynamic-resolve all [force]
- dynamic-resolve <ip-address> [force]
<ip-address> : a.b.c.d
<all> : keyword
<force> : keyword
*A:PE-2# tools perform service id 1 proxy-nd dynamic-resolve ?
- dynamic-resolve all [force]
- dynamic-resolve <ipv6-address> [force]
<ipv6-address> : x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x - [0..FFFF]H
d - [0..255]D
<all> : keyword
<force> : keyword
Some examples:
*A:PE-2# tools perform service id 1 proxy-arp dynamic-resolve 172.16.0.99
*A:PE-2# tools perform service id 1 proxy-arp dynamic-resolve 172.16.0.99 force
*A:PE-2# tools perform service id 1 proxy-arp dynamic-resolve all
*A:PE-2# tools perform service id 1 proxy-arp dynamic-resolve all force
*A:PE-2# tools perform service id 1 proxy-nd dynamic-resolve 2001:db8::99
*A:PE-2# tools perform service id 1 proxy-nd dynamic-resolve 2001:db8::99 force
*A:PE-2# tools perform service id 1 proxy-nd dynamic-resolve all
*A:PE-2# tools perform service id 1 proxy-nd dynamic-resolve all force
Inactive proxy-ARP/ND entries
When the MAC address is flushed from the FDB, the proxy-ARP/ND entries become inactive.
*A:PE-2# clear service id 1 fdb mac 00:ca:fe:99:02:01
*A:PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address Mac Address Type Status Last Update
-------------------------------------------------------------------------------
172.16.0.99 00:ca:fe:99:02:01 dyn inActv 05/10/2021 14:34:40
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
*A:PE-2# show service id 1 proxy-nd detail | match 2001:db8::99 pre-lines 7 post-lines 3
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address Mac Address Type Status Rtr/ Last Update
Host
-------------------------------------------------------------------------------
2001:db8::99 00:ca:fe:99:02:01 dyn inActv Rtr 05/10/2021 14:34:40
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
By default, aging is disabled, and the entries remain in the inactive status until the MAC address is learned again. However, if aging is enabled, the inactive proxy-ARP/ND entry will age out. After the entry is deleted, the system sends a resolve message. When the ISP1 router replies, the entry is created again in the proxy-ARP/ND table. The age time is configured in seconds with the following command:
*A:PE-2>config>service>vpls>proxy-arp# age-time ?
- age-time <seconds>
- no age-time
<seconds> : [60..86400]
# on PE-2:
configure
service
vpls "EVI-1"
proxy-arp
age-time 60
The following debug messages for proxy ARP IP 172.16.0.99 show that an EVPN-MAC withdraw message is sent (when the MAC address is flushed from the FDB) and—after time-out—the proxy-ARP entry is deleted. PE-2 sends a resolve message to all its non-EVPN peers. Router ISP1 replies and the proxy-ARP entry is created again; an EVPN-MAC update is sent to the EVPN peers. Similar debug messages occur for proxy-ND.
79 2021/05/10 14:34:47.107 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn withdraw"
86 2021/05/10 14:36:18.359 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Deleted"
88 2021/05/10 14:36:18.459 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 flood resolve"
89 2021/05/10 14:36:18.462 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn advertise"
90 2021/05/10 14:36:18.462 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Added"
95 2021/05/10 14:36:18.559 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 type: Dyn mac: 00:ca:fe:99:02:01 Gratuitous Update"
The following command shows that the entry is created again with active status.
*A:PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address Mac Address Type Status Last Update
-------------------------------------------------------------------------------
172.16.0.99 00:ca:fe:99:02:01 dyn active 05/10/2021 14:37:19
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
MAC address replacement
When the system receives a GARP/ARP/NA for the same IP address, but with another MAC address from the MAC list, it will first send a confirm message to ensure that the old MAC address is not used anymore for the IP address. If the existing proxy-ARP/ND entry is IP1/MAC1 and a GARP/ARP/NA message is received for IP1/MAC4, the system sends an EVPN-MAC withdraw message for MAC1 and changes MAC1 to MAC4 for proxy-ARP/ND IP1, but the status is pending (pendng), as follows:
*A:PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address Mac Address Type Status Last Update
-------------------------------------------------------------------------------
172.16.0.99 00:ca:fe:99:02:04 dyn pendng 05/10/2021 14:37:37
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
*A:PE-2# show service id 1 proxy-nd detail | match 2001:db8::99 pre-lines 7 post-lines 3
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address Mac Address Type Status Rtr/ Last Update
Host
-------------------------------------------------------------------------------
2001:db8::99 00:ca:fe:99:02:04 dyn pendng Rtr 05/10/2021 14:37:36
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
The system sends a confirm message (unicast ARP request) for the old entry IP1/MAC1 to ensure that there is no duplication. When there is no reply from MAC1, there is no duplication. An EVPN-MAC route is advertised for MAC4. The status of the proxy-ARP entry IP1/MAC4 changes to active. The following debug messages are logged for proxy-ARP 172.16.0.99:
113 2021/05/10 14:37:34.570 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn withdraw"
114 2021/05/10 14:37:34.570 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 Mac Change: 00:ca:fe:99:02:01->00:ca:fe:99:02:04 "
121 2021/05/10 14:37:34.759 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 confirm"
124 2021/05/10 14:38:04.759 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:04 evpn advertise"
The final status of the proxy-ARP IP 172.16.0.99 is active, as follows:
*A:PE-2# show service id 1 proxy-arp detail | match 172.16.0.99 pre-lines 6 post-lines 3
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address Mac Address Type Status Last Update
-------------------------------------------------------------------------------
172.16.0.99 00:ca:fe:99:02:04 dyn active 05/10/2021 14:37:37
-------------------------------------------------------------------------------
Number of entries : 1
===============================================================================
The mechanism is similar for proxy-ND.
The behavior is different when the system receives a GARP/ARP/NA for the IP address with a MAC address that is not contained in the MAC list. The GARP/ARP/NA message is discarded and the proxy-ARP/ND entry deleted. The resolve procedure gets restarted.
Modified MAC list
MAC lists can be modified at any time, as follows:
# on PE-2:
configure
service
proxy-arp-nd
mac-list "ISP2" create
mac 00:ca:fe:99:02:05
*A:PE-2# show service proxy-arp-nd mac-list "ISP2"
===============================================================================
MAC List MAC Addr Information
===============================================================================
MAC Addr Last Change
-------------------------------------------------------------------------------
00:ca:fe:99:02:01 05/10/2021 14:28:40
00:ca:fe:99:02:02 05/10/2021 14:28:40
00:ca:fe:99:02:03 05/10/2021 14:28:40
00:ca:fe:99:02:04 05/10/2021 14:28:40
00:ca:fe:99:02:05 05/10/2021 14:39:29
-------------------------------------------------------------------------------
Number of Entries: 5
===============================================================================
The timestamps show when the different MAC addresses were added to the MAC list.
When the MAC list ISP2 is modified, proxy-ARP entry 172.16.0.99 and proxy-ND entry 2001:db8::99 will be deleted, an EVPN-MAC withdraw message will be sent, and the resolve procedure will be restarted. The following log messages occur for proxy-ND 2001:db8::99.
146 2021/05/10 14:39:29.205 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:04 evpn withdraw"
147 2021/05/10 14:39:29.205 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Deleted"
151 2021/05/10 14:39:29.359 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 flood resolve"
154 2021/05/10 14:39:29.362 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 mac: 00:ca:fe:99:02:04 evpn advertise"
155 2021/05/10 14:39:29.362 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Added"
159 2021/05/10 14:39:29.459 UTC MINOR: DEBUG #2001 Base proxy nd
"proxy nd:
svc: 1 ip: 2001:db8::99 type: Dyn mac: 00:ca:fe:99:02:04 Gratuitous Update"
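The debug records shown in this chapter can be parsed offline to list MAC replacements and to compare the MAC addresses the PE acted on with an operator's own register of preregistered addresses. The following Python parser is an added example, not a Nokia tool; the function names and the register structure are assumptions, and the sample input is the MAC-replacement debug output copied from this page.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Set

# A debug record is three lines: header, '"proxy arp:' (or nd), and the body.
HEADER = re.compile(
    r"^\d+ (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+) UTC MINOR: DEBUG #2001 Base proxy (arp|nd)$")
BODY = re.compile(r"^svc: (\d+) ip: (\S+) (.*?)\s*\"?$")
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
CHANGE = re.compile(rf"^Mac Change: ({MAC})->({MAC})$")
WITH_MAC = re.compile(rf"^(?:type: \S+ )?mac: ({MAC}) (.+)$")


class Event(NamedTuple):
    when: datetime
    proto: str                      # "arp" or "nd"
    svc: int
    ip: str
    action: str                     # "flood resolve", "evpn advertise", "Mac Change", ...
    mac: Optional[str]              # MAC the action refers to (new MAC for a change)
    old_mac: Optional[str] = None   # only set for "Mac Change"


def parse_debug(text: str) -> List[Event]:
    """Turn proxy-ARP/ND debug output into a list of events, in log order."""
    events, header = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), m.group(2))
            continue
        b = BODY.match(line)
        if not (header and b):
            continue                # the '"proxy arp:' line or unrelated text
        svc, ip, rest = int(b.group(1)), b.group(2), b.group(3)
        change, with_mac = CHANGE.match(rest), WITH_MAC.match(rest)
        if change:
            events.append(Event(*header, svc, ip, "Mac Change",
                                change.group(2), change.group(1)))
        elif with_mac:
            events.append(Event(*header, svc, ip, with_mac.group(2), with_mac.group(1)))
        else:
            events.append(Event(*header, svc, ip, rest, None))
        header = None
    return events


def mac_changes(events: List[Event]) -> List[dict]:
    """Each MAC replacement and how long the new MAC stayed pending."""
    out = []
    for i, ev in enumerate(events):
        if ev.action != "Mac Change":
            continue
        adv = next((e for e in events[i + 1:]
                    if (e.proto, e.svc, e.ip, e.mac, e.action)
                    == (ev.proto, ev.svc, ev.ip, ev.mac, "evpn advertise")), None)
        pending = round((adv.when - ev.when).total_seconds(), 3) if adv else None
        out.append({"ip": ev.ip, "old": ev.old_mac, "new": ev.mac,
                    "at": ev.when, "pending_s": pending})
    return out


def off_list(events: List[Event], register: Dict[str, Set[str]]) -> List[Event]:
    """Events naming a MAC that the operator's register does not allow for that IP."""
    return [e for e in events if e.mac and e.mac not in register.get(e.ip, set())]


# Copied from the MAC-replacement debug output on this page.
SAMPLE = '''113 2021/05/10 14:37:34.570 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 evpn withdraw"
114 2021/05/10 14:37:34.570 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 Mac Change: 00:ca:fe:99:02:01->00:ca:fe:99:02:04 "
121 2021/05/10 14:37:34.759 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:01 confirm"
124 2021/05/10 14:38:04.759 UTC MINOR: DEBUG #2001 Base proxy arp
"proxy arp:
svc: 1 ip: 172.16.0.99 mac: 00:ca:fe:99:02:04 evpn advertise"
'''

# Operator-side register (assumed structure): IP -> preregistered MACs, here list ISP2.
REGISTER = {"172.16.0.99": {"00:ca:fe:99:02:01", "00:ca:fe:99:02:02",
                            "00:ca:fe:99:02:03", "00:ca:fe:99:02:04"}}

if __name__ == "__main__":
    evs = parse_debug(SAMPLE)
    for change in mac_changes(evs):
        print(change)
    print("off-register events:", off_list(evs, REGISTER))
```

An event reported by off_list means the MAC list on the PE and the operator's register have diverged, for example after a MAC address was added to the list on the router only.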
Conclusion
MAC lists can be associated with configured dynamic proxy-ARP/ND IP addresses. The actual proxy entries will only be created after a GARP/ARP/NA message is received for the IP address and one of the MAC addresses from the MAC list.
This tool complements the SR OS EVPN proxy-ARP/ND solution for providers present at IXPs.