02-07-2019 02:05 AM - edited 03-01-2019 05:46 AM
Hi board,
Quick question: I'm currently evaluating ACI (latest 3.x release) and I'm wondering what the difference (and best practice) is for endpoint loop protection vs. the rogue endpoint control policy.
As far as I understood the whole thing, the rogue endpoint control policy covers all cases, which are also covered by endpoint loop protection.
Best practice papers recommend enabling both features with the exact same trigger values (which doesn't make sense, because it's not deterministic which feature is effectively used).
Furthermore, endpoint loop protection shuts down the whole port and rogue EP detection just "isolates" the affected single EP for the configured hold time.
So, question: Why should someone use endpoint loop protection if rogue EP detection is implemented?!
Why two features with the same purpose?
Does anyone have an idea?
02-14-2019 03:37 AM - edited 02-14-2019 03:40 AM
Hi,
The main difference between endpoint loop protection and rogue endpoint detection is that rogue endpoint detection can detect IP moves, while endpoint loop protection can only detect MAC moves. The same goes for the possible actions: when using endpoint loop protection the possible actions are "Port disable" or "BD learn disabled on a per-leaf level". When using rogue endpoint detection the possible action is that the leaf will program a static entry to disable learning of the specific endpoint. I think endpoint loop protection is more flexible because in some cases you do not want to disable a whole BD or port, because other endpoints, EPGs, or L3Outs running on the same port should not be affected by the mechanism.
I hope this helps you, if yes, mark it as helpful :)
Kind Regards
Patrick