SR OS can combine a blackhole MAC address concept and the EVPN MAC duplication procedures to provide loop protection in EVPN networks. The feature is compliant with the MAC mobility and multi-homing functionality in RFC 7432. The config>service>vpls>bgp-evpn>mac-duplication>black-hole-dup-mac command enables the feature.
If enabled, there are no apparent changes in the MAC duplication; however, if a duplicated MAC is detected (for example, M1), then the router performs the following:
- adds M1 to the duplicate MAC list
- programs M1 in the FDB as a “Protected” MAC associated with a blackhole endpoint (where “type” is set to EvpnD:P and Source-Identifier is black-hole)
While the MAC type value remains EvpnD:P, the following additional operational details apply.
- Incoming frames with MAC DA = M1 are discarded by the ingress IOM, regardless of the ingress endpoint type (SAP, SDP, or EVPN), based on an FDB MAC lookup.
- Incoming frames with MAC SA = M1 are discarded by the ingress IOM or cause the router to bring down the SAP or SDP binding, depending on the restrict-protected-src setting on the SAP, SDP, or EVPN endpoint.
The following example shows an EVPN-MPLS service where black-hole-dup-mac is enabled and MAC duplication programs the duplicate MAC as a blackhole.
19 2016/12/20 19:45:59.69 UTC MINOR: SVCMGR #2331 Base
"VPLS Service 30 has MAC(s) detected as duplicates by EVPN mac-duplication
detection."
*A:PE-5# configure service vpls 30
*A:PE-5>config>service>vpls# info
----------------------------------------------
            bgp
            exit
            bgp-evpn
                evi 30
                mac-duplication
                    detect num-moves 3 window 3
                    retry 6
                    black-hole-dup-mac
                exit
                mpls bgp 1
                    ingress-replication-bum-label
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            sap 1/1/1:30 create
                no shutdown
            exit
            spoke-sdp 56:30 leaf-ac create
                no shutdown
            exit
            no shutdown
----------------------------------------------
*A:PE-5# show service id 30 bgp-evpn
===============================================================================
BGP EVPN Table
===============================================================================
MAC Advertisement  : Enabled              Unknown MAC Route  : Disabled
CFM MAC Advertise  : Disabled
VXLAN Admin Status : Disabled             Creation Origin    : manual
MAC Dup Detn Moves : 3                    MAC Dup Detn Window: 3
MAC Dup Detn Retry : 6                    Number of Dup MACs : 1
MAC Dup Detn BH    : Enabled
IP Route Advert    : Disabled
EVI                : 30
Ing Rep Inc McastAd: Enabled
Accept IVPLS Flush : Disabled
Send EVPN Encap    : Enabled
-------------------------------------------------------------------------------
Detected Duplicate MAC Addresses             Time Detected
-------------------------------------------------------------------------------
00:11:00:00:00:01                            12/20/2016 19:46:00
-------------------------------------------------------------------------------
<snip>
...
*A:PE-5# show service id 30 fdb detail
===============================================================================
Forwarding Database, Service 30
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
                                                     Age
-------------------------------------------------------------------------------
30         00:11:00:00:00:01 black-hole              EvpnD:P  12/20/16 19:46:00
-------------------------------------------------------------------------------
No. of MAC Entries: 1
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
If the retry time expires, the MAC is flushed from the FDB and the process starts again. The clear service id 30 evpn mac-dup-detect {ieee-address | all} command clears the duplicate blackhole MAC address.
The clear service id 30 fdb command clears learned MAC addresses; blackhole MAC addresses are not cleared.
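The following Python sketch is an added example, not part of the original documentation. It cross-checks the two show outputs above so that a monitoring job can confirm every detected duplicate MAC is programmed as a blackhole (Source-Identifier black-hole, Type EvpnD:P). The function names and the learned FDB row in the sample text are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

# Sample text: the duplicate row and the blackhole row come from the example
# output above; the learned (L/0) row is constructed for contrast.
EVPN_OUT = """\
MAC Dup Detn Retry : 6 Number of Dup MACs : 1
MAC Dup Detn BH : Enabled
Detected Duplicate MAC Addresses Time Detected
00:11:00:00:00:01 12/20/2016 19:46:00
"""
FDB_OUT = """\
ServId MAC Source-Identifier Type Last Change
30 00:11:00:00:00:01 black-hole EvpnD:P 12/20/16 19:46:00
30 00:ca:fe:00:00:02 sap:1/1/1:30 L/0 12/20/16 19:40:12
"""

def dup_macs(evpn_text):
    """MACs listed under 'Detected Duplicate MAC Addresses' (MAC, date, time)."""
    rows = (line.split() for line in evpn_text.splitlines())
    return {t[0].lower() for t in rows if len(t) == 3 and MAC_RE.fullmatch(t[0])}

def fdb_entries(fdb_text):
    """Map MAC -> (Source-Identifier, Type) from 'show service id N fdb detail'."""
    rows = (line.split() for line in fdb_text.splitlines())
    return {t[1].lower(): (t[2], t[3]) for t in rows
            if len(t) >= 4 and t[0].isdigit() and MAC_RE.fullmatch(t[1])}

def audit(evpn_text, fdb_text):
    """Return (blackholed, not_blackholed) lists of duplicate MACs."""
    bh = re.search(r"MAC Dup Detn BH\s*:\s*(\S+)", evpn_text)
    if not bh or bh.group(1) != "Enabled":
        raise ValueError("black-hole-dup-mac is not enabled on this service")
    fdb = fdb_entries(fdb_text)
    dups = sorted(dup_macs(evpn_text))
    ok = [m for m in dups if fdb.get(m) == ("black-hole", "EvpnD:P")]
    return ok, [m for m in dups if m not in ok]

if __name__ == "__main__":
    blackholed, not_blackholed = audit(EVPN_OUT, FDB_OUT)
    print("blackholed:", blackholed)
    print("duplicate but not blackholed:", not_blackholed)
```

A non-empty second list means a MAC is on the duplicate list without a matching blackhole entry in the FDB output that was parsed.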
Support for the black-hole-dup-mac command and the preceding associated loop detection procedures is as follows:
- not supported on B-VPLS, I-VPLS, M-VPLS, or R-VPLS services
- fully supported on EVPN-VXLAN and EVPN-MPLS VPLS services (including EVPN E-Tree)
- fully supported with EVPN MAC mobility and EVPN-MPLS multi-homing