
prevent unknown unicast traffic in an EVPN environment

  • 1.  prevent unknown unicast traffic in an EVPN environment

    Posted 01-21-2021 07:57
    We're using subscriber management with the PPPoE protocol.
    It's possible that a customer disconnects its PPPoE client without the access concentrator dropping the pp0 interface or session on its side.
    We're looking for a solution that prevents unwanted or unknown unicast traffic to this disconnected PPPoE client's MAC address.
    This traffic should be discarded when it enters the EVPN environment; instead it is sent out to all connected PPPoE clients, because the disconnected PPPoE client's MAC address is no longer available in the EVPN instance.

    We are currently using the input and output filters below on each logical interface. Each logical interface represents a single customer.
    For example: when the PPPoE session is still active on the access concentrator and the disconnected client's IP address is targeted by ICMP traffic, this traffic is visible as encapsulated PPPoE session traffic destined for the disconnected client's MAC address.
    How can we stop this specific type of unwanted unicast layer 2 traffic from being received by all other clients within the EVPN instance?

    ge-1/1/1 {
        flexible-vlan-tagging;
        mtu 9192;
        encapsulation flexible-ethernet-services;
        unit 100 {
            encapsulation vlan-bridge;
            vlan-id 100;
            family bridge {
                filter {
                    input ACCEPT-PPPOE-ONLY-IN;
                    output ACCEPT-PPPOE-ONLY-OUT;
                }
            }
        }
    }


    family bridge {
        /* applied as output filter: only frames sourced from this MAC reach the customer unit */
        filter ACCEPT-PPPOE-ONLY-OUT {
            term specific-mac-address {
                from {
                    source-mac-address {
                        3c:8a:b0:89:32:88/48;
                    }
                }
                then accept;
            }
            term discard-rest {
                then discard;
            }
        }
        /* applied as input filter: PADI broadcasts plus frames addressed to this MAC */
        filter ACCEPT-PPPOE-ONLY-IN {
            term accept-padi {
                from {
                    ether-type pppoe-discovery;
                    destination-mac-address {
                        ff:ff:ff:ff:ff:ff/48;
                    }
                }
                then accept;
            }
            term specific-mac-address {
                from {
                    destination-mac-address {
                        3c:8a:b0:89:32:88/48;
                    }
                }
                then accept;
            }
            term discard-rest {
                then discard;
            }
        }
    }
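    As an added illustration, not code from the thread, here is a small Python model of the bridge behaviour the post describes: the two filters above applied per customer unit, MAC learning from the customer side, and the forwarding decision for a frame the access concentrator sends to a MAC that has aged out of the EVPN instance. It assumes that 3c:8a:b0:89:32:88 is the access concentrator's MAC (as the filter terms imply), uses constructed customer MACs, and uses a plain boolean to stand in for an unknown-unicast discard.

```python
from collections import namedtuple
from dataclasses import dataclass, field

AC_MAC = "3c:8a:b0:89:32:88"   # MAC from the post's filters; assumed to be the access concentrator
BCAST = "ff:ff:ff:ff:ff:ff"
PPPOE_DISCOVERY, PPPOE_SESSION = 0x8863, 0x8864   # PPPoE ethertypes

Frame = namedtuple("Frame", "src dst ethertype")   # constructed, minimal Ethernet header


def is_group(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class EvpnBridge:
    """One EVPN instance: the AC behind the root port, one leaf unit per customer."""
    leafs: list                                      # customer units, e.g. ge-1/1/1.100
    mac_table: dict = field(default_factory=dict)    # learned MAC -> leaf unit
    suppress_unknown_unicast: bool = False           # stands in for an unknown-unicast discard

    @staticmethod
    def input_filter(f: Frame) -> bool:
        # ACCEPT-PPPOE-ONLY-IN: PADI broadcast, or anything addressed to AC_MAC
        return (f.ethertype == PPPOE_DISCOVERY and f.dst == BCAST) or f.dst == AC_MAC

    @staticmethod
    def output_filter(f: Frame) -> bool:
        # ACCEPT-PPPOE-ONLY-OUT: only frames sourced by AC_MAC reach a customer
        return f.src == AC_MAC

    def from_leaf(self, unit: str, f: Frame) -> bool:
        """Customer -> EVPN: apply the input filter, then learn the source MAC."""
        if not self.input_filter(f):
            return False
        self.mac_table[f.src] = unit
        return True

    def from_root(self, f: Frame) -> list:
        """AC -> EVPN: return the leaf units that actually receive the frame."""
        if f.dst in self.mac_table:
            targets = [self.mac_table[f.dst]]                 # known unicast
        elif is_group(f.dst) or not self.suppress_unknown_unicast:
            targets = list(self.leafs)                        # BUM, or unknown unicast: flooded
        else:
            targets = []                                      # unknown unicast discarded
        # the per-unit output filter passes anything from AC_MAC, so a flood gets through it
        return [u for u in targets if self.output_filter(f)]
```

    Once a client's MAC is removed from the table, a session frame from the AC to that MAC reaches every leaf unit despite the output filter; only the unknown-unicast discard stops it.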



  • 2.  RE: prevent unknown unicast traffic in an EVPN environment

    Posted 01-21-2021 09:03
    I believe I'm looking for the Juniper version of Cisco's 'unknown-unicast-suppress'.


  • 3.  RE: prevent unknown unicast traffic in an EVPN environment

     
    Posted 01-22-2021 02:51
    Hi,

    The KB below may help to configure a firewall filter/policy to suppress the unknown unicast.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30816&cat=MX_SERIES&actp=LIST

    Hope this helps


  • 4.  RE: prevent unknown unicast traffic in an EVPN environment

    Posted 01-22-2021 03:01
    Hi raviky,

    Thanks for sharing the KB link.
    However, I have tried adding the 'from traffic-type unknown-unicast' statement to my current filters, but then I get the warnings below.
    The bridge filter and logical interface are added below the warning for reference.


    marijn@MX5-LAB-EDGE# commit check
    [edit interfaces ge-1/1/1 unit 100 family bridge]
      'filter'
        Referenced filter 'ACCEPT-PPPOE-ONLY' can not be used as "from traffic_type unknown-unicast " not supported on ingress of interface ge-1/1/1. Filter will not be applied.

    family bridge {
        filter ACCEPT-PPPOE-ONLY {
            term unknown-unicast-suppress {
                from {
                    traffic-type unknown-unicast;
                }
                then discard;
            }
        }
    }

    ge-1/1/1 {
        flexible-vlan-tagging;
        mtu 9192;
        encapsulation flexible-ethernet-services;
        unit 100 {
            encapsulation vlan-bridge;
            vlan-id 100;
            family bridge {
                filter {
                    output ACCEPT-PPPOE-ONLY;
                }
            }
        }
    }


  • 5.  RE: prevent unknown unicast traffic in an EVPN environment

     
    Posted 01-22-2021 03:33
    Check if the following works:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unknown-unicast-rate-limiting.html



  • 6.  RE: prevent unknown unicast traffic in an EVPN environment

    Posted 01-29-2021 04:03
    I have made some progress in this case.
    The configuration of the EVPN routing-instance is as specified below.
    The solution combines the family evpn filter and the addition of EVPN ETREE leaf (customer VLANs) and root (access concentrator) configuration.

    While I'm happy with the result, I still have one question about this matter that doesn't make sense.
    If I don't use the EVPN filter, then unknown unicast traffic from a local client is still received on a leaf interface on a remote PE router.
    How is this possible? The EVPN ETREE documentation specifies that any leaf-to-leaf traffic is not allowed.
    This includes both BUM and known unicast traffic.
    Yet the remote leaf interface still receives this traffic.
    Can someone explain this?

    marijn@MX5-LAB-EDGE# show routing-instances
    evpn-pppoe-ZIGGO_test {
        description "EVPN TEST";
        instance-type evpn;
        vlan-id none;
        interface ge-1/1/1.102;
        interface ge-1/1/9.0;
        route-distinguisher 202120L:503;
        vrf-target target:202120L:503;
        forwarding-options {
            family evpn {
                filter {                      <-- can also be flood for BUM traffic
                    input EVPN-FILTER-TEST;
                }
            }
        }
        protocols {
            evpn {
                evpn-etree;
            }
        }
    }