[ixpmanager] Experience with EVPN+VXLAN and port security in Arista?

Nick Hilliard (INEX) nick at inex.ie
Fri Apr 5 19:56:52 IST 2024


Hi Salvador

Yeah, moving away from STP is a good idea. There is only one advantage 
with STP and that is that it keeps you honest about not 
over-provisioning your core links (there's always a blocking link). 
Otherwise it's a major source of problems on IX fabrics.

EVPN+VXLAN works very well on Arista platforms.

I would recommend against using port security. The reason for this is 
that when a port comes up:

1. port comes up
2. frames are received on the port
3. the first frame received is punted to the switch CPU
4. the management plane then issues a command to program the port ACL to 
only accept traffic with srcmac = the srcmac of the first packet
5. port security is now active.

The problem is that there is a time gap between 2 and 4. During this 
time gap, frames can continue to be received on the port, and will be 
learned by the switch, and forwarded to the fabric.

On older switches, we found that this time gap could be as much as 50ms 
- 200ms, during which many packets could be transmitted.  We found this 
out when someone hard-looped the IXP connection at their end and 
reflected all the IXP traffic back to the IXP, which took the entire 
fabric down for 30 seconds because their port announced that it was the 
source of all MAC addresses on the IXP. Oops.

What you want is hard-coded layer 2 ACLs. This also works extremely well 
on Arista devices

Nick

Salvador Bertenbreiter via ixpmanager wrote on 05/04/2024 18:28:
> Hi guys,
> I hope you're doing well.  We have a Peering Fabric that has many sites 
> and we are facing some limitations with our current plain layer 2 model, 
> so we are looking to migrate it to a EVPN+VXLAN topology for better 
> scalability and better use of all the links (some of them currently 
> unused due to STP). However, during my research I have seen some 
> problems that some IXPs have suffered due to compatibility issues 
> between EVPN+VXLAN and port-security. Talking with some IXP operators 
> they have told me of some issues with EVPN+VXLAN and port-security in 
> Cisco devices. I was wondering if anyone has some real-world experience 
> with EVPN+VXLAN and port-security in Arista devices?
> 
> Here is one of the challenges I have found:
> https://www.youtube.com/watch?v=Wd3_pfxfmHo&pp=ygUIZXZwbiBpeHA%3D
> 
> Best regards,
> 
> Salvador
> 
> 
> _______________________________________________
> INEX IXP Manager mailing list
> ixpmanager at inex.ie
> Unsubscribe or change options here: https://www.inex.ie/mailman/listinfo/ixpmanager
> 


More information about the ixpmanager mailing list