Disable going multicast between subvlans in supervlan.

  • Question
  • Updated 1 year ago
  • Answered
Dear Colleagues,

If I use separate vlans on Extreme X450-24 ver. 15.3.2.11 on default settings, multicast traffic doesn't route between these vlans. But if I use 2 subvlans (or more) in a supervlan, multicast traffic begins to route between these subvlans.
I don't need this. Please, help me.
How can I disable multicast routing between subvlans in 1 supervlan without using ACL?

Thank you.
Victor Vit

Posted 1 year ago
Pala, Zdenek, Employee
what do you mean by subvlan and supervlan?

I can imagine secondary interface on the same vlan or QinQ.

What kind of multicast do you refer to? L2 multicast or L3 multicast?
You mention multicast routing, can you elaborate more? Which multicast routing protocol do you use?

Z.
Ty Kolff
Did you run 
#disable subvlan-proxy-arp vlan all
as was suggested at the bottom of that article?

Why are you using this method as opposed to just creating smaller subnets on separate vlans?
Alexandr P, Embassador
Hello, Ty Kolff!

#disable subvlan-proxy-arp vlan all
The isolation option works for normal, dynamic, ARP-based client communication.

Thank you!
Victor Vit
Hello, Ty Kolff!
But this command does not isolate multicast. It works for ARP.
In our situation we must use a supervlan.
Henrique, Employee
Hi Victor,

I don't see any other way to deny mcast communication between the subvlans. Even ACL might be tricky.

Only broadcast and unknown traffic remain local to the subvlans.

I would recommend you (if possible) to use normal vlans instead of using Vlan Aggregation feature if this issue is critical to your environment.
Alexandr P, Embassador
Hi, all!

As a continuation of this topic:
When using Supervlan, if the numbers of IPARP and FDB entries are less than 3000, all works fine.
If there are more than 3000 entries, then higher ping, higher bcmRX process (as I understand, because of a loop), and the messages below appear in the logs:
Mar 22 20:02:02 192.168.x.xx  Mar 22 20:02:03 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached
Mar 22 20:02:03 192.168.x.xx  Mar 22 20:02:04 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:03 192.168.x.xx  Mar 22 20:02:04 DOSProt: Removed ACL from port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:04 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:05 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:05 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached

Any ideas?

Thank you!
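To make this pattern easier to spot across a larger syslog archive, here is an added Python example (not from this thread, and not Extreme's code) that parses DOSProt messages in the layout quoted above and reports how often the L3 Protect notify-threshold was reached and how often the same protect ACL was installed and removed again for a given port and destination. The sample input is the six lines quoted in the post, with the poster's address masking (x / yyy) kept; the regular expressions assume only the message layout visible in those lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the log lines quoted in the post above. The poster masked
# the addresses (192.168.x.xx, 77.yyy.yyy.yyy); the masking is kept as is.
SAMPLE_LOG = """\
Mar 22 20:02:02 192.168.x.xx  Mar 22 20:02:03 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached
Mar 22 20:02:03 192.168.x.xx  Mar 22 20:02:04 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:03 192.168.x.xx  Mar 22 20:02:04 DOSProt: Removed ACL from port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:04 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:05 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp
Mar 22 20:02:12 192.168.x.xx  Mar 22 20:02:05 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached
"""

# Assumed line layout, read off the lines above: syslog receiver timestamp,
# sending host, the switch's own timestamp, then the "DOSProt:" message.
LINE_RE = re.compile(
    r"^(?P<recv_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) +"
    r"(?P<dev_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +DOSProt: (?P<msg>.*)$"
)
THRESHOLD_RE = re.compile(
    r"Notify-threshold for L3 Protect packet count of (?P<count>\d+) reached"
)
ACL_RE = re.compile(
    r"(?P<action>Added an ACL to|Removed ACL from) port (?P<port>[^,]+), "
    r"srcIP (?P<src>\S+) to destIP (?P<dst>[^,]+), protocol (?P<proto>\w+)"
)

AclKey = Tuple[str, str, str]  # (port, destination IP, protocol)


@dataclass
class DosProtEvent:
    host: str
    dev_ts: str
    kind: str  # "threshold", "acl_added" or "acl_removed"
    port: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    count: Optional[int] = None


def parse_line(line: str) -> Optional[DosProtEvent]:
    """Return a DosProtEvent for a recognised DOSProt line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"]
    t = THRESHOLD_RE.match(msg)
    if t:
        return DosProtEvent(m["host"], m["dev_ts"], "threshold", count=int(t["count"]))
    a = ACL_RE.match(msg)
    if a:
        kind = "acl_added" if a["action"].startswith("Added") else "acl_removed"
        return DosProtEvent(m["host"], m["dev_ts"], kind,
                            a["port"], a["src"], a["dst"], a["proto"])
    return None  # some other DOSProt message we do not model here


def parse_log(text: str) -> List[DosProtEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def summarize(events: List[DosProtEvent]) -> Dict:
    """Count threshold hits and per-(port, dst, proto) ACL add/remove events."""
    added: Counter = Counter()
    removed: Counter = Counter()
    threshold_hits = 0
    for ev in events:
        if ev.kind == "threshold":
            threshold_hits += 1
        else:
            key: AclKey = (ev.port, ev.dst, ev.proto)
            (added if ev.kind == "acl_added" else removed)[key] += 1
    # An ACL that DOSProt installs, removes and then installs again for the
    # same port and destination means the packet rate keeps crossing the
    # threshold rather than being a one-off burst, so the reason that
    # traffic reaches the CPU at all is worth investigating.
    churning = sorted(k for k, n in added.items() if n >= 2 and removed.get(k, 0) >= 1)
    return {
        "threshold_hits": threshold_hits,
        "acl_added": dict(added),
        "acl_removed": dict(removed),
        "churning": churning,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print(f"L3 Protect threshold reached {report['threshold_hits']} time(s)")
    for key in report["churning"]:
        port, dst, proto = key
        print(f"protect ACL churn on port {port} towards {dst}/{proto}: "
              f"added {report['acl_added'][key]}x, removed {report['acl_removed'][key]}x")
```

Run against a real syslog export, the script reads any DOSProt line in this layout; lines it does not recognise are skipped rather than raising, so it can be pointed at a mixed log file. The churn list is the useful output here: a single add/remove pair is DOSProt doing its job, while repeated re-installation for the same port and destination points at a persistent cause such as the software-forwarding case Erik describes below.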

Erik Auerswald, Embassador
Hi Alexandr,

Is the DoS Protect ACL matching traffic to the switch or traffic through the switch? From the looks of it, it should be traffic through the switch to an SMTP server. If so, that traffic should not reach the CPU during normal operation.

One reason through traffic reaches the CPU is a missing ARP entry for a local end system, resulting in software based forwarding. You might want to check the hardware capabilities and the configured maximum ARP entries in hardware:
show iproute reserved-entries statistics
show iparp
show iparp stats summary
Older EXOS had a default of 4096 ARP entries max, newer EXOS uses 8192, you might want to check that you use the newer default value, if the hardware permits this. This can be configured using
configure iparp max_entries [vr VR_NAME] MAX_ENTRIES
The maximum IP ARP entries include dynamic, static, and incomplete IP ARP entries.
Thanks,
Erik
Alexandr P, Embassador
Hi, Erik!

X450a has IP ARP limits:
8K with minimum LPM entries (100 and less)
2K with max LPM (12K)

In this switch max LPM is configured:
sh iproute reserved-entries

                        IPv4       # Reserved Routes            Minimum #
Slot  Type              Routes      IPv4   (or IPv6)            IPv4 Hosts
----  ----------------  --------   ------  ------------------   ----------
1     X450a-24x         Internal    12240  (  6120) [default]           16

So there are a few factors:

- hardware limit

- possible loop and mcast traffic because of using the Supervlan feature.

The main question in this case is still: how to block mcast between SubVlans?

Thank you!

Victor Vit
Hi, Erik
I'm sorry, but can you explain what the numbers in the output of "show iproute reserved-entries statistics" represent?
Erik Auerswald, Embassador
Hi Victor,

The numbers in the table show how many of the entries of the different types stored in hardware tables are used; the numbers after the table show the limits of different switches.

An exclamation mark (!) next to a number signals that the hardware limit is reached, see e.g. Multicast Entry not Added. Hardware Table Full and Known traffic gets forwarded in the CPU of an X670-X440 stack. Some entries need to be added up against the hardware limit, e.g. IPv6 routes use the same resources as IPv4 routes, see e.g. Space occupied by IPv6 route in hardware table. The HW Route Table stores prefixes for longest prefix match (LPM) lookup, the HW L3 Hash Table stores direct lookup entries, e.g. ARP entries or multicast groups.

For some switches, the table usage can be configured, see Can the maximum reserved route entries be increased for a specific switch model? This depends on the hardware, newer Broadcom switch chips use so called Unified Forwarding Tables (UFT) that can be used with different partitioning variants.

Additional information can be found in the GTAC Knowledge articles Check for Table full conditions and How to troubleshoot FDB entry not added on slot X. Hardware Table full.

Some effects of needing too many ARP entries are explained in Slot reboot on BD8K due to Async Queue growing with CustomType 42 messages.

Thanks,
Erik