Original Message:
Sent: 07-08-2024 11:03
From: Andrei Cebotareanu
Subject: Unknown Unicast in EVPN using DHCP-Relay Issue - Junos EVO
There is an option for EVO:
set routing-instances RI_TEST vlans VLANS forwarding-options flood input FW-FILTER
set firewall family ethernet-switching filter FW-FILTER term BUM from traffic-type broadcast
set firewall family ethernet-switching filter FW-FILTER term BUM from traffic-type multicast
set firewall family ethernet-switching filter FW-FILTER term BUM from traffic-type unknown-unicast
set firewall family ethernet-switching filter FW-FILTER term BUM then count BUM
set firewall family ethernet-switching filter FW-FILTER term BUM then policer POLICE-1M
set firewall family ethernet-switching filter FW-FILTER term REST then accept
set firewall policer POLICE-1M if-exceeding bandwidth-limit 1m
set firewall policer POLICE-1M if-exceeding burst-size-limit 1500
set firewall policer POLICE-1M then discard
I know it is not what you were looking for...
BR, Andrei
------------------------------
Andrei Cebotareanu
Original Message:
Sent: 07-08-2024 10:49
From: WalkerSteve
Subject: Unknown Unicast in EVPN using DHCP-Relay Issue - Junos EVO
Thanks @Andrei Cebotareanu for the reply. I have already come across this and unfortunately, the ACX7100s running EVO don't have these options as the MXs do. It sounds like this is a bug/non-working config option.
IMO... this is a huge miss on the EVO code and how EVPN and BUM traffic (in my case, DHCP Relay) is handled.
Original Message:
Sent: 07-05-2024 05:58
From: Andrei Cebotareanu
Subject: Unknown Unicast in EVPN using DHCP-Relay Issue - Junos EVO
There is a similar thread - maybe it can help
https://community.juniper.net/discussion/prevent-unknown-unicast-traffic-in-an-evpn-environment
------------------------------
Andrei Cebotareanu
Original Message:
Sent: 06-25-2024 10:51
From: WalkerSteve
Subject: Unknown Unicast in EVPN using DHCP-Relay Issue - Junos EVO
Looking to see if anyone has come across a similar issue I'm having with DHCP-Relay in an EVPN creating Unknown Unicast.
The scenario is the network is Cisco NCSs across numerous sites, but one site is an ACX7100. For the ACX site, DHCP-Relay works as expected, however, with the IRB interface enabled with DHCP-Relay, other sites have end users/devices that are experiencing issues getting an address. If I disable the IRB on the ACX, the same user/device gets an IP. What the DHCP server is seeing is a Discover come from the host/device MAC at a remote site (Cisco site), but it also sees the same MAC come from the ACX. The service is part of a network-wide EVPN (MAC-VRF in Junos EVO).
Here is a snippet of the DHCP Server Logs showing the issue described above...
NOTE:
10.1.42.48 = Remote Site Cisco Device
10.1.42.5 = ACX7100
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 via 10.1.42.5: unknown network segment
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPOFFER on 10.226.32.50 to b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:09 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 via 10.1.42.5: unknown network segment
Jun 18 09:10:09 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:09 ns4 dhcpd[24814]: DHCPOFFER on 10.226.32.50 to b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:12 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 via 10.1.42.5: unknown network segment
Jun 18 09:10:12 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:12 ns4 dhcpd[24814]: DHCPOFFER on 10.226.32.50 to b8:94:70:9c:cf:65 (router) via 10.1.42.48
To me, it makes no sense why the ACX7100 would be sending a Discover on behalf of a MAC address that resides at another site that has its own BVI (IRB in Junos speak).
I've tried practically everything to get this to stop behaving this way, with no success:
no-snooping
storm control profile
firewall filter
Anyone ever seen this behavior?
On a side note, the Ciscos have a command unknown-unicast-suppression turned on, and I cannot find a similar (working) command in JUNOS that I believe is what is causing the ACX to behave this way and the Ciscos are not.
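
Added example, not part of the original thread: a Python check that scans dhcpd syslog lines in the format quoted above and reports every client MAC whose DHCPDISCOVER reached the server through more than one relay address within a short window, which is the symptom described in the post. The function name `duplicate_relays`, the 2-second window and the year 2024 are assumptions; the last sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First three lines are from the post above; the last one is constructed.
SAMPLE_LOG = """\
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 via 10.1.42.5: unknown network segment
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPDISCOVER from b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:06 ns4 dhcpd[24814]: DHCPOFFER on 10.226.32.50 to b8:94:70:9c:cf:65 (router) via 10.1.42.48
Jun 18 09:10:07 ns4 dhcpd[24814]: DHCPDISCOVER from 00:11:22:33:44:55 via 10.1.42.48
"""

# Relayed DISCOVERs only: "via <IPv4>" is the relay address; lines with
# "via <interface>" (directly attached clients) deliberately do not match.
DISCOVER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+dhcpd\[\d+\]:\s+"
    r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17})(?: \([^)]*\))?"
    r" via (?P<relay>\d+(?:\.\d+){3})(?::\s*(?P<note>.*))?$"
)

def duplicate_relays(log_text, window=2, year=2024):
    """Return {mac: {relay_ip: note}} for MACs whose DISCOVER arrived via
    different relays within `window` seconds (syslog has no year, so one
    is assumed)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = DISCOVER.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[m["mac"]].append((ts, m["relay"], m["note"] or ""))
    flagged = {}
    for mac, events in seen.items():
        events.sort()
        # Compare each DISCOVER with the next one from the same MAC.
        for (t1, r1, n1), (t2, r2, n2) in zip(events, events[1:]):
            if r1 != r2 and (t2 - t1).total_seconds() <= window:
                flagged.setdefault(mac, {}).update({r1: n1, r2: n2})
    return flagged

if __name__ == "__main__":
    for mac, relays in duplicate_relays(SAMPLE_LOG).items():
        for relay, note in sorted(relays.items()):
            print(f"{mac} relayed by {relay} {note}".rstrip())
```

Run against the full dhcpd log, the relay addresses in the output show which IRB/BVI gateways are relaying the same client's broadcast.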