Hi Sergiu,

 I think I owe you the full picture of our problem. We run an Internet Exchange and we were using "feature port-security" for years to secure port from MAC address flood/hijack/spoof. When we bought Nexus 9300 we realized, this feature is not officially supported with VxLAN fabric (even vPC fabric peering has an issue with port-security as it runs internally on VxLAN, but that is a different story). Not able to use the "port-security feature" I was looking for alternative options securing the customer ports.

Option 1) MAC ACL on port - this makes sense to use, but even when MAC ACL is applied on the port, l2fm is still learning ALL MACs sent to that port, no matter how ACL looks like. EVPN is redistributing all MACs across the fabric. Only the traffic is blocked by ACL.

Option 2) Static MAC address configuration with port+VLAN - This is very tricky! It is similar behavior as what "feature port-security" does. In both cases MAC address is exported to EVPN with a "sticky/static flag" instructing all VTEPs in the domain, this MAC cannot be moved. This is an example of the message when you try to move "secured" MAC across VxLAN fabric:

2021 Jun 25 07:13:34 HOSTNAME %L2RIB-2-L2RIB_LOCAL_LEARNT_MAC_PRESENT_AS_REMOTE_STATIC: Locally learnt MAC 1111.1116.be74 in topology: 1500 already present as remote static

 

Unfortunately, this can happen when two customers will have a MAC collision (very rare, but it can happen, when a loop occurs).

The story continues, and here is where it starts to be interesting

Remote VTEP saying a message above will learn MAC in a collision from its Layer2 side (coming from clients) and will try to move MAC towards itself. Due to the "sticky/static" flag, it cannot move this MAC. Instead, this MAC will STAY! learned from the Layer2 side and will never age out. This is causing traffic blackholing for that MAC because all VTEPs see MAC on the original VTEP, but the local switch sees the MAC from a new location, which is its Layer2 network.

We opened a BUG https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz21740 but unfortunately, Cisco is still not acknowledging this as a BUG and officially this is an "enhancement request".

We created a small script solving this issue, but it is still a workaround - available here https://github.com/nixcz/cisco-nexus-9300-evpn-fix

So please be careful using static MAC entries.

3) VACL - same a MAC PACL.

If you will find any way how to limit MACs on port let me know I will appreciate that, I haven't found any.

Marian

Hi Sergiu,

 I'm glad you're interested. You are right, F&L will probably work, but my concern is VxLAN with port-security anyway. As per documentation:

• Port security is not supported on switchport interfaces that carry traffic for VXLAN enabled VLANs

And because this is also a problem with Fabric-Peering where EVPN is not used, I assume port-security is not an EVPN thing, but a VxLAN problem.

With fabric-peering, there is one more issue - if you have an orphan port in a fabric-peering setup, all traffic is always being forwarded to only one switch in a pair when port-security is enabled on this orphan port. Both switches are advertising their own PIP as a next-hop to EVPN for MACs on the orphan port. Remote VTEP does have two BGP next-hops for this route and has to perform the best-path selection. Because all parameters are the same, the decision will potentially end up on the IP address of the next-hop, therefore lower IP will have priority and all traffic is forwarded to only the first switch in a pair (with lower IP). In case the customer is connected to the second switch physically, its traffic needs to be redirected. This is usually not a problem when we are talking about low traffic, but if there is a customer with 100Gbit/s of the traffic, it will load the uplinks a lot.

Cheers and stay safe, Marian