A blackhole MAC is a local FDB record. It is similar to a conditional static MAC; it is associated with a black-hole (similar to a VPRN blackhole static-route in VPRNs) instead of a SAP or SDP binding. A blackhole MAC can be added by using the following command:
config>service>vpls# static-mac mac
mac <ieee-address> [create] black-hole
The static blackhole MAC can have security applications (for example, replacement of MAC filters) for specific MACs. When used in combination with restrict-protected-src, the static blackhole MAC provides a simple and scalable way to filter MAC DA or SA in the data plane, regardless of how the frame arrived at the system (using SAP or SDP bindings or EVPN endpoints).
For example, when a specified static-mac mac 00:00:ca:fe:ca:fe create black-hole is added to a service, the following behavior occurs:
The configured MAC is created as a static MAC with a black-hole source identifier.
*A:PE1# show service id 1 fdb detail
===============================================================================
Forwarding Database, Service 1
===============================================================================
ServId MAC Source-Identifier Type Last Change
Age
-------------------------------------------------------------------------------
1 00:ca:ca:ba:ca:01 eES: Evpn 06/29/15 23:21:34
01:00:00:00:00:71:00:00:00:01
1 00:ca:ca:ba:ca:06 eES: Evpn 06/29/15 23:21:34
01:74:13:00:74:13:00:00:74:13
1 00:ca:00:00:00:00 sap:1/1/1:2 CStatic:P 06/29/15 23:20:58
1 00:ca:fe:ca:fe:00 black-hole CStatic:P 06/29/15 23:20:00
1 00:ca:fe:ca:fe:69 eMpls: EvpnS:P 06/29/15 20:40:13
192.0.2.69:262133
-------------------------------------------------------------------------------
No. of MAC Entries: 5
-------------------------------------------------------------------------------
Legend: L=Learned O=Oam P=Protected-MAC C=Conditional S=Static
===============================================================================
After it has been successfully added to the FDB, the blackhole MAC is treated like any other protected MAC, as follows:
The blackhole MAC is added as protected (CStatic:P) and advertised in EVPN as static.
SAP or SDP bindings or EVPN endpoints, where the restrict-protected-src discard-frame is enabled, discard frames where MAC SA is equal to blackhole MAC.
SAP or SDP bindings, where restrict-protected-src (no discard-frame) is enabled, go operationally down if a frame with MAC SA is equal to blackhole MAC is received.
After the blackhole MAC has been successfully added to the FDB, any frame arriving at any SAP or SDP binding or EVPN endpoint with MAC DA equal to blackhole MAC is discarded.
Blackhole MACs can also be used in services with proxy-ARP/proxy-ND enabled to filter traffic with destination to anti-spoof-macs. The anti-spoof-mac provides a way to attract traffic to a specified IP when a duplicate condition is detected for that IP address (see section ARP/ND snooping and proxy support for more information); however, the system still needs to drop the traffic addressed to the anti-spoof-mac by using either a MAC filter or a blackhole MAC.
The user does not need to configure MAC filters when configuring a static-black-hole MAC address for the anti-spoof-mac function. To use a blackhole MAC entry for the anti-spoof-mac function in a proxy-ARP/proxy-ND service, the user needs to configure:
the static-black-hole option for the anti-spoof-mac
*A:PE1# config>service>vpls>proxy-arp#
dup-detect window 3 num-moves 5 hold-down max anti-spoof-
mac 00:66:66:66:66:00 static-black-hole
a static blackhole MAC using the same MAC address used for the anti-spoof-mac
*A:PE1# config>service>vpls#
static-mac mac 00:66:66:66:66:00 create black-hole
When this configuration is complete, the behavior of the anti-spoof-mac function changes as follows:
In the EVPN, the MAC is advertised as static. Locally, the MAC is shown in the FDB as ‟CStatic” and associated with a black-hole.
The combination of the anti-spoof-mac and the static-black-hole ensures that any frame that arrives at the system with MAC DA = anti-spoof-mac is discarded, regardless of the ingress endpoint type (SAP or SDP binding or EVPN) and without the need for a filter.
If, instead of discarding traffic, the user wants to redirect it using MAC DA as the anti-spoof-mac, then redirect filters should be configured on SAPs or SDP bindings (instead of the static-black-hole option).
When the static-black-hole option is not configured with the anti-spoof-mac, the behavior of the anti-spoof-mac function, as described in ARP/ND snooping and proxy support, remains unchanged. In particular:
the anti-spoof-mac is not programmed in the FDB
any attempt to add a static MAC (or any other MAC) with the anti-spoof-mac value is rejected by the system
a MAC filter is needed to discard traffic with MAC DA = anti-spoof-mac.