Auto-learn MAC protect, together with the ability to restrict where the protected source MACs are allowed to enter the service, can be enabled within EVPN-MPLS and EVPN-VXLAN VPLS and routed VPLS services, but not in PBB-EVPN services. The protection, using the auto-learn-mac-protect command (described in Auto-learn MAC protect), and the restrictions, using the restrict-protected-src [discard-frame] command, operate in the same way as in a non-EVPN VPLS service.
When auto-learn-mac-protect is enabled on an object, source MAC addresses learned on that object are marked as protected within the FDB.
When restrict-protected-src is enabled on an object and a protected source MAC is received on that object, the object is automatically shutdown (requiring the operator to shutdown then no shutdown the object to make it operational again).
When restrict-protected-src discard-frame is enabled on an object and a frame with a protected source MAC is received on that object, that frame is discarded.
In addition, the following behavioral differences are specific to EVPN services:
An implicit restrict-protected-src discard-frame command is enabled by default on SAPs, mesh SDPs and spoke SDPs. Because this is the default, the command cannot be configured explicitly in an EVPN service. This default state can be seen in the show output for these objects, for example on a SAP:
*A:PE# show service id 1 sap 1/1/9:1 detail
===============================================================================
Service Access Points(SAP)
===============================================================================
Service Id : 1
SAP : 1/1/9:1 Encap : q-tag
...
RestMacProtSrc Act : none (oper: Discard-frame)
The restrict-protected-src discard-frame command can optionally be enabled on EVPN-MPLS/VXLAN destinations within EVPN services. When enabled, frames that have a protected source MAC address are discarded if received on any EVPN-MPLS/VXLAN destination in this service, unless the MAC address is learned and protected on an EVPN-MPLS/VXLAN destination in this service. This is enabled as follows:
configure
    service
        vpls <service id>
            bgp-evpn
                mpls bgp <instance>
                    [no] restrict-protected-src discard-frame
                vxlan instance <instance> vni <vni-id>
                    [no] restrict-protected-src discard-frame
Auto-learned protected MACs are advertised to remote PEs in an EVPN MAC/IP advertisement route with the sticky bit set.
The source MAC protection action relating to the restrict-protected-src [discard-frame] commands also applies to MAC addresses learned by receiving an EVPN MAC/IP advertisement route with the sticky bit set from remote PEs. This causes remotely configured conditional static MACs and auto-learned protected MACs to be protected locally.
In all-active multihoming scenarios, if auto-learn-mac-protect is configured on all-active SAPs and restrict-protected-src discard-frame is enabled on EVPN-MPLS/VXLAN destinations, traffic from the CE that enters one multihoming PE and needs to be switched through the other multihoming PE is discarded on the second multihoming PE. Each multihoming PE protects the CE's MAC on its local all-active SAP, which results in any frames with the CE's MAC address as the source MAC being discarded as they are received on the EVPN-MPLS/VXLAN destination from the other multihoming PE.
Conditional static MACs, EVPN static MACs and locally protected MACs are marked as protected within the FDB, as shown in the following example output.
*A:PE# show service fdb-mac
===============================================================================
Service Forwarding Database
===============================================================================
ServId MAC Source-Identifier Type Last Change
Age
-------------------------------------------------------------------------------
1 00:00:00:00:00:01 sap:1/1/9:1 LP/30 01/05/16 11:58:22
1 00:00:00:00:00:02 vxlan-1: EvpnS:P 01/05/16 11:58:23
10.1.1.2:1
1 00:00:00:00:01:01 sap:1/1/9:1 CStatic: 01/04/16 20:05:02
P
1 00:00:00:00:01:02 vxlan-1: EvpnS:P 01/04/16 20:18:02
10.1.1.2:1
-------------------------------------------------------------------------------
No. of Entries: 4
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static
===============================================================================
In this output:
the first MAC is locally protected using the auto-learn-mac-protect command
the second MAC has been protected using the auto-learn-mac-protect command on a remote PE
the third MAC is a locally configured conditional static MAC
the fourth MAC is a remotely configured conditional static MAC
The command auto-learn-mac-protect can be optionally extended with an exclude-list by using the following command:
auto-learn-mac-protect [exclude-list name]
This list refers to a mac-list <name> created under the config>service context and contains a list of MACs and associated masks.
When auto-learn-mac-protect [exclude-list name] is configured on a service object, dynamically learned MACs are excluded from being learned as protected if they match a MAC entry in the MAC list. Dynamically learned MAC SAs are protected only if they are learned on an object with auto-learn-mac-protect (ALMP) configured and one of the following conditions is true:
there is no exclude list associated with the same object
there is an exclude-list but the MAC does not match any entry
The same MAC list can be used in multiple objects of the same or different services. When the list is empty, ALMP does not exclude any learned MAC from protection on the object. This extension allows the mobility of specific MACs in objects where MACs are otherwise learned as protected.
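The following model pulls together the rules above (protected learning with an exclude-list, the implicit discard-frame on SAPs, the optional discard-frame on EVPN destinations, sticky-bit MACs from remote PEs, and the all-active multihoming case). It is an added illustration written for this page, not Nokia SR OS code; the object names, the mask semantics (a set mask bit means that bit must match) and the sample MACs are assumptions.

```python
# Constructed model of auto-learn MAC protect (ALMP) in an EVPN service.
# Objects are named "sap:..." or "evpn:..."; these names are assumed.

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def in_mac_list(mac, mac_list):
    """mac_list holds (mac, mask) pairs; a MAC matches an entry when it equals
    the entry on every bit set in the mask (assumed mask semantics)."""
    m = mac_to_int(mac)
    return any((m & mac_to_int(mask)) == (mac_to_int(entry) & mac_to_int(mask))
               for entry, mask in mac_list)

class Fdb:
    def __init__(self):
        self.entries = {}        # mac -> {"obj": learning object, "protected": bool}
        self.almp = {}           # object -> exclude list (None or [] means none)
        self.discard_on_evpn = False  # restrict-protected-src discard-frame on EVPN dests

    def enable_almp(self, obj, exclude_list=None):
        self.almp[obj] = exclude_list

    def learn_local(self, mac, sap):
        """Protected only if ALMP is on the SAP and no exclude-list entry matches."""
        excl = self.almp.get(sap, None)
        protected = sap in self.almp and (not excl or not in_mac_list(mac, excl))
        self.entries[mac] = {"obj": sap, "protected": protected}
        return protected

    def learn_remote(self, mac, evpn_dest, sticky):
        """MAC/IP route from a remote PE; the sticky bit protects the MAC locally."""
        self.entries[mac] = {"obj": evpn_dest, "protected": sticky}

    def ingress(self, src_mac, obj):
        """Decide what happens to a frame with src_mac arriving on obj."""
        e = self.entries.get(src_mac)
        if e is None or not e["protected"] or e["obj"] == obj:
            return "forward"
        if obj.startswith("sap:"):
            return "discard"  # implicit discard-frame on SAPs (and SDPs)
        if not self.discard_on_evpn:
            return "forward"
        # On an EVPN destination: discard unless the MAC is protected on an
        # EVPN destination of this service (this is the multihoming pitfall).
        return "forward" if e["obj"].startswith("evpn:") else "discard"
```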