topic Disable going multicast between subvlans in supervlan. in ExtremeSwitching (EXOS/Switch Engine)

Disable going multicast between subvlans in supervlan.

Victor_Vit — Thu, 19 Jan 2017 17:23:00 GMT

Dear Colleagues,

If I use separate vlans on Extreme X450-24 ver. 15.3.2.11 on default settings multicast trafic doesn't route between these vlans. But if I use 2 subvlans (or more) in supervlan multicast trafic begins to route between these subvlans.
I don't need this. Please, help me.
How can I disable multicast routing between subvlans in 1 supervlan without using ACL?

Thank you.

RE: Disable going multicast between subvlans in supervlan.

Zdeněk_Pala — Thu, 19 Jan 2017 17:39:00 GMT

what do you mean by subvlan and supervlan?

I can imagine secondary interface on the same vlan or QinQ.

What kind of multicast you refer to ? L2 multicast or L3 multicast?
You mention multicast routing, can you elaborate more? = multicast routing protocol do you use?

Z.

RE: Disable going multicast between subvlans in supervlan.

Victor_Vit — Thu, 19 Jan 2017 17:39:00 GMT

subvlan and supervlan - https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-subvlan-with-super-vlan

L3 multicast. Mvr, pim is disable.

RE: Disable going multicast between subvlans in supervlan.

Ty_Kolff — Thu, 19 Jan 2017 17:39:00 GMT

Did you run
#disable subvlan-proxy-arp vlan all as was suggested at the bottom of that article?

Why are you using this method as opposed to just creating smaller subnets on separate vlans?

RE: Disable going multicast between subvlans in supervlan.

Alexandr_P — Thu, 19 Jan 2017 17:39:00 GMT

Hello, Ty Kolff!

#disable subvlan-proxy-arp vlan all
The isolation option works for normal, dynamic, ARP-based client communication.

Thank you!

RE: Disable going multicast between subvlans in supervlan.

Victor_Vit — Thu, 19 Jan 2017 17:39:00 GMT

Hello, Ty Kolff!
But this command does not isolation multicast. It works for ARP.
In our situation we must use supervlan.

RE: Disable going multicast between subvlans in supervlan.

Henrique — Thu, 19 Jan 2017 17:39:00 GMT

Hi Victor,

I don't see any other way to deny mcast communication between the subvlans. Even ACL might be tricky.

Only broadcast and unknown traffic remain local to the subvlans.

I would recommend you (if possible) to use normal vlans instead of using Vlan Aggregation feature if this issue is critical to your environment.

RE: Disable going multicast between subvlans in supervlan.

Alexandr_P — Tue, 18 Apr 2017 11:41:00 GMT

Hi, all!

As a continuation of this topic:
When using Supervlan - if numbers of IPARP and FDB entries less then 3000 - all work fine.
If entries more then 3000 - then higher ping, higher bcmRX (as I understand - because loop) process and appear below messages in logs:
Mar 22 20:02:02 192.168.x.xx Mar 22 20:02:03 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached Mar 22 20:02:03 192.168.x.xx Mar 22 20:02:04 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp

Mar 22 20:02:03 192.168.x.xx Mar 22 20:02:04 DOSProt: Removed ACL from port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp

Mar 22 20:02:12 192.168.x.xx Mar 22 20:02:04 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached

Mar 22 20:02:12 192.168.x.xx Mar 22 20:02:05 DOSProt: Added an ACL to port 25, srcIP 0.0.0.0 to destIP 77.yyy.yyy.yyy, protocol tcp

Mar 22 20:02:12 192.168.x.xx Mar 22 20:02:05 DOSProt: Notify-threshold for L3 Protect packet count of 3000 reached

Any ideas?

Thank you!

RE: Disable going multicast between subvlans in supervlan.

Erik_Auerswald — Tue, 18 Apr 2017 12:48:00 GMT

Hi Alexandr,

is the DoS Protect ACL matching traffic to the switch or traffic through the switch? From the looks of it, it should be traffic through the switch to an SMTP server. If so, that traffic should not reach the CPU during normal operation.

One reason through traffic reaches the CPU is a missing ARP entry for a local end system, resulting in software based forwarding. You might want to check the hardware capabilities and the configured maximum ARP entries in hardware:
show iproute reserved-entries statistics show iparp show iparp stats summary Older EXOS had a default of 4096 ARP entries max, newer EXOS uses 8192, you might want to check that you use the newer default value, if the hardware permits this. This can be configured using
configure iparp max_entries [vr VR_NAME] MAX_ENTRIES

The maximum IP ARP entries include dynamic, static, and incomplete IP ARP entries.

Thanks,
Erik

RE: Disable going multicast between subvlans in supervlan.

Alexandr_P — Tue, 18 Apr 2017 12:48:00 GMT

Hi, Erik!

X450a have limits IP ARP:
8K with minimum LPM entries - 100 and less
2K with max LPM - 12K

In this switch configured max LPM:
sh iproute reserved-entries IPv4 # Reserved Routes Minimum #

Slot Type Routes IPv4 (or IPv6) IPv4 Hosts

---- ---------------- -------- ------ ------------------ ----------

1 X450a-24x Internal 12240 ( 6120) [default] 16

So there is few factors:

- hardware limit

- possible loop and mcast traffic because using Supervlan feature.

Main question in this case is still - how to block mcast between SubVlans?

Thank you!

RE: Disable going multicast between subvlans in supervlan.

Victor_Vit — Tue, 18 Apr 2017 12:48:00 GMT

Hi, Erik
I'm sorry, but can you explain what do the numbers in the output of "Show iproute reserved-entries statistics" represent?

RE: Disable going multicast between subvlans in supervlan.

Erik_Auerswald — Tue, 18 Apr 2017 12:48:00 GMT

Hi Victor,

the numbers in the table show how many entries of the different types that are stored in hardware tables are used, the numbers after the table show the limits of different switches.

An exclamation mark (!) next to a number signals that the hardware limit is reached, see e.g. Multicast Entry not Added. Hardware Table Full and Known traffic gets forwarded in the CPU of an X670-X440 stack. Some entries need to be added up against the hardware limit, e.g. IPv6 routes use the same resources as IPv4 routes, see e.g. Space occupied by IPv6 route in hardware table. The HW Route Table stores prefixes for longest prefix match (LPM) lookup, the HW L3 Hash Table stores direct lookup entries, e.g. ARP entries or multicast groups.

For some switches, the table usage can be configured, see Can the maximum reserved route entries be increased for a specific switch model? This depends on the hardware, newer Broadcom switch chips use so called Unified Forwarding Tables (UFT) that can be used with different partitioning variants.

Additional information can be found in the GTAC Knowledge articles Check for Table full conditions and How to troubleshoot FDB entry not added on slot X. Hardware Table full.

Some effects of needing too many ARP entries are explained in Slot reboot on BD8K due to Async Queue growing with CustomType 42 messages.

Thanks,
Erik