Data Center

 View Only
last person joined: 7 days ago 

Ask questions and share experiences about Data Center Architecture and approaches.
  • 1.  Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-14-2023 19:05
    This message was posted by a user wishing to remain anonymous

    Greetings,

    We are experiencing some VXLAN DDoS violations (e.g. Mar 7 15:55:15 XXXXX-QFX-L3 jddosd[12206]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception VXLAN:aggregate exceeded its allowed bandwidth at fpc 0 for 642 times, started at 2023-03-07 15:55:14 MST). 

    We are currently evaluating documentation about what could cause the VXLAN DDoS violation, however, the documentation is quite cryptic about what actually triggers the VXLAN DDoS events. The main source I'm reading is: CEC Juniper Community. It mentions the following: 

    1) Overlay ARP packets (All ARP packets hitting on local CE VXLAN enabled port and VTEPs )

    2) Any vxlan packets received over VTEP & Access ports (Local CE vxlan enabled ports) which are not classified into any protocol Queue will make it to Q 7

    I'm puzzeled on what "Overlay ARP packets" means. It is not an industry standard term and does not to appear anywhere on the Juniper documentation. Does anyone have a clue what "Overlay ARP packets" exactly means? If anyone else has a clue what could trigger the VXLAN DDoS violation that would also be of great help.

    Kind regards,

    Juniper remove preview
    CEC Juniper Community
    View this on Juniper >

     



  • 2.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-15-2023 08:19
    This message was posted by a user wishing to remain anonymous

    Hi,
    I think Overlay ARP packets means that the ARP packets is flood  to all other leaf's with a VXLAN header when the incoming ARP message to the leaf has no match in EVPN database.
    A trigger is if you have IP addresses that is reachable but no client connected.




  • 3.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-16-2023 12:37
    This message was posted by a user wishing to remain anonymous

    Hi,  

    Do you mean the switch will drop/not sent the ARP packet to another leaf (VTEP)? Because if an ARP packet is received on a VTEP interface how can a switch tell the difference between a normal VXLAN (data) transit packet and a ARP VXLAN packet. Both have as destination a VTEP IP. 

    Kind regards,




  • 4.  RE: Overlay ARP packet (DDoS Protection)

    This message was posted by a user wishing to remain anonymous
    Posted 08-17-2023 01:57
    This message was posted by a user wishing to remain anonymous

    Hi,

    With ARP suppression and the target address is present in the leaf cache, the switch responds to the broadcast or unicast ARP request. If the target IP/MAC is not present, the switch forwards ARP request over the VXLAN data plane to all VTEPs (with the VLAN configured) for neighbor resolution.

    So if you have a silent client or no client for an certain IP, the origin leaf should send the ARP request over the VXLAN fabric to.