MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment

Starting with Junos OS Release 18.4R1, we support MAC filtering, storm control, and port mirroring and analyzing on QFX5100 and QFX5110 switches, and MAC filtering and storm control on QFX10002 and QFX10008 switches in an Ethernet VPN-Virtual Extensible LAN (EVPN-VXLAN) overlay network.

We support the configuration of each of these features using the Enterprise style of configuration.

We support these features only in an EVPN-VXLAN edge-routed bridging overlay (EVPN-VXLAN topology with a collapsed IP fabric). This overlay network includes the following components:

  • A single layer of Juniper Networks switches—for example, QFX10002 or QFX5110 switches—each of which functions as both a Layer 3 spine device and a Layer 2 leaf device.

  • Customer edge (CE) devices that are single-homed or multihomed in active/active mode to the spine-leaf devices.

Benefits of MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment

  • MAC filtering enables you to filter and accept packets from ingress CE-facing interfaces, thereby reducing the volume of associated MAC addresses in the Ethernet switching table and traffic in a VXLAN.

  • Storm control allows you to monitor traffic levels on EVPN-VXLAN interfaces, and if a specified traffic level is exceeded, drop broadcast, unknown unicast, and multicast (BUM) packets and on some Juniper Networks switches, disable the interface for a specified amount of time. This feature can prevent excessive traffic from degrading the network.

  • With port mirroring and analyzers, you can analyze traffic down to the packet level in an EVPN-VXLAN environment. You can use this feature to enforce policies related to network usage and file sharing and to identify problem sources by locating abnormal or heavy bandwidth usage by particular stations or applications.

MAC Filtering

MAC filtering enables you to filter MAC addresses and accept traffic. We support this feature only on ingress CE-facing interfaces, which are interfaces on which VXLAN encapsulation is typically not enabled. To use this feature, you must do the following:

  • Create a firewall filter in which you specify one or more of the supported match conditions in Table 1 and Table 2.

  • Apply the firewall filter to a Layer 2 interface configured in the [edit interfaces interface-name unit logical-unit-number family ethernet-switching filter] hierarchy.

Table 1: Match Conditions Supported on QFX5100 and QFX5110 Switches

Match Conditions | Interface Input Filter Support | Interface Output Filter Support
Source MAC address | X | X
Destination MAC address | X | X
User VLAN ID | X | X
Source port | X |
Destination port | X |
Ether-type | X |
IP protocol | X |
IP precedence | X |
ICMP codes | X |
TCP flags | X |
IP address | X |

Note

When configuring MAC filters on QFX5100 and QFX5110 switches, keep in mind that you can apply a filter to an interface only. You cannot apply a filter to a VXLAN-mapped VLAN.

Table 2: Match Conditions Supported on QFX10000 Switches

Match Conditions | Interface Input Filter Support | Interface Output Filter Support
Source MAC address | X |
Destination MAC address | X |
User VLAN ID | |
Source port | X | X
Destination port | X | X
Ether-type | X | X
IP protocol | X |
IP precedence | X | X
ICMP codes | X | X
TCP flags | X | X
IP address | X | X

Note

When configuring MAC filters on QFX10000 switches, keep the following in mind:

  • You can apply a filter to an interface only. You cannot apply a filter to a VXLAN-mapped VLAN.

  • We do not support a mix of Layer 2 match conditions and Layer 3/Layer 4 match conditions in the same firewall filter. For example, if you include source MAC address and source port match conditions in the same firewall filter on a QFX10002 switch, the firewall filter will not work.

  • We do not support the user VLAN ID match condition. Therefore, if you need to filter logical interfaces, each of which is mapped to a particular VLAN, you must use the service provider style of configuration when configuring the physical interface and associated logical interfaces. After creating a firewall filter, you must then apply the filter to each logical interface to achieve the effect of the user VLAN ID match condition.

Through the firewall filter, you specify MAC addresses associated with a VXLAN that are allowed on a particular interface.

Note

After you apply the firewall filter to a Layer 2 interface, the interface resides under the default-switch instance.

The following sample configuration on a QFX5110 switch creates a firewall filter named DHCP-Discover-In that accepts and counts incoming traffic that meets multiple match conditions (source MAC address, destination MAC address, destination ports, and VLAN ID) on Layer 2 logical interface xe-0/0/6.0:

set firewall family ethernet-switching filter DHCP-Discover-In term 1 from source-mac-address 00:00:5E:00:53:ab/48
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port dhcp
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port bootps
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port bootpc
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from user-vlan-id 803
set firewall family ethernet-switching filter DHCP-Discover-In term 1 then accept
set firewall family ethernet-switching filter DHCP-Discover-In term 1 then count DHCP-Discover-In
set firewall family ethernet-switching filter DHCP-Discover-In term 2 then accept
set interfaces xe-0/0/6 unit 0 family ethernet-switching filter input DHCP-Discover-In
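The following Python script is an added example, not part of the Junos documentation or Juniper software. It audits a list of Junos set lines before they are committed and reports the MAC-filtering constraints documented above: a filter applied to a VLAN rather than an interface, and, on QFX10000 switches, use of the user VLAN ID match condition or a mix of Layer 2 and Layer 3/Layer 4 match conditions in one filter. The mapping from table rows to CLI keywords (for example, IP address to ip-source-address and ip-destination-address) and the set vlans line used as a negative test are assumptions made for this example; the QFX5110 sample filter is the one shown above.

```python
"""Audit Junos 'set' lines against the MAC-filtering rules this page gives for
an EVPN-VXLAN edge-routed bridging overlay.  Added example, not Juniper code.
Assumption: the table rows map to these family ethernet-switching keywords
('IP address' -> ip-source-address / ip-destination-address, 'ICMP codes' ->
icmp-code, and so on)."""
from collections import defaultdict

# Layer 2 match conditions (rows of Table 1 and Table 2).
L2_MATCHES = {"source-mac-address", "destination-mac-address", "user-vlan-id"}
# Layer 3 / Layer 4 match conditions (the remaining rows of the tables).
L3L4_MATCHES = {"source-port", "destination-port", "ether-type", "ip-protocol",
                "ip-precedence", "icmp-code", "tcp-flags",
                "ip-source-address", "ip-destination-address"}


def platform_family(model):
    """Pick the support table that applies to a switch model."""
    model = model.lower()
    if model.startswith("qfx51"):
        return "qfx5100"      # Table 1: QFX5100 and QFX5110
    if model.startswith("qfx100"):
        return "qfx10000"     # Table 2: QFX10002 and QFX10008
    raise ValueError("platform not covered by this page: " + model)


def parse_set_lines(lines):
    """Collect each filter's 'from' keywords and the places it is applied."""
    conds = defaultdict(set)       # filter name -> set of match keywords
    applied = defaultdict(list)    # filter name -> [(scope, target), ...]
    for raw in lines:
        tok = raw.split()
        if len(tok) < 6 or tok[0] != "set":
            continue
        if tok[1:5] == ["firewall", "family", "ethernet-switching", "filter"]:
            name = tok[5]
            conds.setdefault(name, set())          # terms with no 'from' still count
            if "from" in tok:
                conds[name].add(tok[tok.index("from") + 1])
        elif tok[1] in ("interfaces", "vlans") and "filter" in tok:
            i = tok.index("filter")                # ... filter input|output NAME
            if i + 2 < len(tok):
                scope = "interface" if tok[1] == "interfaces" else "vlan"
                target = tok[2] + "." + tok[4] if scope == "interface" else tok[2]
                applied[tok[i + 2]].append((scope, target))
    return conds, applied


def audit(lines, model):
    """Return findings as strings; an empty list means the rules are obeyed."""
    fam = platform_family(model)
    conds, applied = parse_set_lines(lines)
    findings = []
    for name, places in applied.items():
        for scope, target in places:
            if scope == "vlan":       # filters go on interfaces, not VXLAN-mapped VLANs
                findings.append("%s: applied to VLAN %s; apply MAC filters to an "
                                "interface only" % (name, target))
    for name, c in sorted(conds.items()):
        if fam == "qfx10000" and "user-vlan-id" in c:
            findings.append("%s: user-vlan-id is not supported on QFX10000 "
                            "switches" % name)
        if fam == "qfx10000" and c & L2_MATCHES and c & L3L4_MATCHES:
            findings.append("%s: mixes Layer 2 and Layer 3/4 match conditions (%s); "
                            "the filter will not work on QFX10000 switches"
                            % (name, ", ".join(sorted(c))))
        unknown = c - L2_MATCHES - L3L4_MATCHES
        if unknown:
            findings.append("%s: match conditions not listed in the support "
                            "tables: %s" % (name, ", ".join(sorted(unknown))))
    return findings


# The QFX5110 sample filter from this page, used as audit input.
PAGE_SAMPLE = """
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from source-mac-address 00:00:5E:00:53:ab/48
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port dhcp
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port bootps
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from destination-port bootpc
set firewall family ethernet-switching filter DHCP-Discover-In term 1 from user-vlan-id 803
set firewall family ethernet-switching filter DHCP-Discover-In term 1 then accept
set firewall family ethernet-switching filter DHCP-Discover-In term 1 then count DHCP-Discover-In
set firewall family ethernet-switching filter DHCP-Discover-In term 2 then accept
set interfaces xe-0/0/6 unit 0 family ethernet-switching filter input DHCP-Discover-In
""".strip().splitlines()

# Constructed negative test: the same filter applied to a VXLAN-mapped VLAN.
VLAN_FILTER_LINE = "set vlans VXLAN100 forwarding-options filter input DHCP-Discover-In"

if __name__ == "__main__":
    for model in ("qfx5110", "qfx10002"):
        print(model, audit(PAGE_SAMPLE, model) or ["ok"])
    print("vlan-level filter", audit(PAGE_SAMPLE + [VLAN_FILTER_LINE], "qfx5110"))
```

Run on the sample above, the audit passes for a QFX5110 and reports two findings for a QFX10002 (the user-vlan-id condition and the mix of MAC and destination-port conditions), which is the case the note for Table 2 describes.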

Storm Control

By default, storm control is enabled on Layer 2 interfaces that are associated with VXLANs. The storm control level is set to 80 percent of the combined BUM traffic streams.

In an EVPN-VXLAN environment, storm control is implemented and configured on Layer 2 interfaces that are associated with VXLANs the same as in a non-EVPN-VXLAN environment except for the following differences:

  • In an EVPN-VXLAN environment, the traffic types that storm control monitors are as follows:

    • Layer 2 BUM traffic that originates in a VXLAN and is forwarded to interfaces within the same VXLAN.

    • Layer 3 multicast traffic that is received by an integrated routing and bridging (IRB) interface in a VXLAN and is forwarded to interfaces in another VXLAN.

  • After creating a storm control profile, you must bind it to an ingress Layer 2 interface at the [edit interfaces interface-name unit logical-unit-number family ethernet-switching filter] hierarchy.

    Note

    After you bind the profile to a Layer 2 interface, the interface resides within the default-switch instance.

  • If the traffic streams on an interface exceed the specified storm control level, the Juniper Networks switch drops the excess packets, which is known as rate limiting. In addition, QFX10000 switches in an EVPN-VXLAN environment support the disabling of the interface for a specified amount of time using the action-shutdown configuration statement at the [edit forwarding-options storm-control-profiles] hierarchy level and the recovery-timeout configuration statement at the [edit interfaces interface-name unit logical-unit-number family ethernet-switching] hierarchy level.

    Note

    QFX5100 and QFX5110 switches in an EVPN-VXLAN environment do not support the disabling of the interface for a specified amount of time.

The following configuration creates a profile named scp, which specifies that if the bandwidth used by the combined BUM traffic streams exceeds 5 percent on Layer 2 logical interface et-0/0/23.0, the interface drops the excess BUM traffic.

set forwarding-options storm-control-profiles scp all bandwidth-percentage 5
set interfaces et-0/0/23 unit 0 family ethernet-switching storm-control scp

The following configuration creates a profile named scp, which specifies that if the bandwidth used by the multicast traffic stream (broadcast and unknown unicast traffic streams are excluded) exceeds 5 percent on Layer 2 logical interface et-0/0/23.0, the interface drops the excess multicast traffic.

set forwarding-options storm-control-profiles scp all bandwidth-percentage 5 no-broadcast no-unknown-unicast
set interfaces et-0/0/23 unit 0 family ethernet-switching storm-control scp

The following configuration on a QFX10000 switch creates the same profile as in the previous configuration. However, instead of implicitly dropping multicast traffic if the traffic stream exceeds 5 percent, the following configuration explicitly disables the interface for 120 seconds and then brings the interface back up.

set forwarding-options storm-control-profiles scp all bandwidth-percentage 5 no-broadcast no-unknown-unicast
set forwarding-options storm-control-profiles scp all action-shutdown
set interfaces ge-0/0/0 unit 0 family ethernet-switching storm-control scp recovery-timeout 120
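The following Python model is an added example, not Juniper code and not a description of the switch data plane. It applies the storm control semantics described in this section (the default 80 percent level, the no-broadcast and no-unknown-unicast profile options, rate limiting of the excess, and action-shutdown with recovery-timeout on QFX10000 switches only) to a constructed series of one-second BUM traffic samples on an assumed 10-Gbps interface, so that the effect of each of the three profiles above can be traced sample by sample.

```python
"""Simplified model of a Junos storm control profile acting on per-second
traffic samples, following the semantics this page documents.  Added example,
not Juniper's implementation.  Link speed and samples are constructed."""
from dataclasses import dataclass


@dataclass
class StormControlProfile:
    bandwidth_percentage: float = 80.0   # page: default level is 80 percent of BUM
    no_broadcast: bool = False           # exclude broadcast from the monitored streams
    no_unknown_unicast: bool = False     # exclude unknown unicast from the monitored streams
    action_shutdown: bool = False        # disable the interface instead of rate limiting


def supports_shutdown(model):
    """Page: only QFX10000 switches disable the interface; QFX5100/5110 do not."""
    return model.lower().startswith("qfx100")


def monitored_rate(sample, profile):
    """Sum only the BUM streams the profile still monitors (bits per second)."""
    rate = sample["multicast"]           # multicast is always counted
    if not profile.no_broadcast:
        rate += sample["broadcast"]
    if not profile.no_unknown_unicast:
        rate += sample["unknown_unicast"]
    return rate


def simulate(profile, model, link_bps, samples, recovery_timeout=None):
    """Return one action per sample: 'forward', 'rate-limit' or 'shutdown'.

    rate-limit: the excess packets above the level are dropped.
    shutdown:   the interface is disabled for recovery_timeout seconds and then
                brought back up (QFX10000 only)."""
    if profile.action_shutdown and not supports_shutdown(model):
        raise ValueError(model + " does not support action-shutdown in EVPN-VXLAN")
    if profile.action_shutdown and recovery_timeout is None:
        raise ValueError("action-shutdown needs recovery-timeout on the interface")
    level = link_bps * profile.bandwidth_percentage / 100.0
    actions = []
    down_until = -1                      # second at which the interface recovers
    for t, sample in enumerate(samples):
        if t < down_until:
            actions.append("shutdown")   # still within the recovery timeout
        elif monitored_rate(sample, profile) <= level:
            actions.append("forward")
        elif profile.action_shutdown:
            down_until = t + recovery_timeout
            actions.append("shutdown")
        else:
            actions.append("rate-limit")
    return actions


LINK_BPS = 10e9                          # constructed: a 10-Gbps interface
# Constructed one-second samples of BUM traffic in bits per second.
SAMPLES = [
    {"broadcast": 1e8, "unknown_unicast": 1e8, "multicast": 1e8},   # 300 Mbps total
    {"broadcast": 4e8, "unknown_unicast": 2e8, "multicast": 1e8},   # 700 Mbps total
    {"broadcast": 0.0, "unknown_unicast": 0.0, "multicast": 6e8},   # 600 Mbps, multicast only
    {"broadcast": 1e8, "unknown_unicast": 1e8, "multicast": 1e8},
    {"broadcast": 1e8, "unknown_unicast": 1e8, "multicast": 1e8},
]

if __name__ == "__main__":
    print("default 80%:", simulate(StormControlProfile(), "qfx5110", LINK_BPS, SAMPLES))
    print("scp, all BUM at 5%:", simulate(StormControlProfile(5), "qfx5110", LINK_BPS, SAMPLES))
    mcast = StormControlProfile(5, no_broadcast=True, no_unknown_unicast=True)
    print("scp, multicast only:", simulate(mcast, "qfx5110", LINK_BPS, SAMPLES))
    shut = StormControlProfile(5, no_broadcast=True, no_unknown_unicast=True, action_shutdown=True)
    print("scp, shutdown 2 s:", simulate(shut, "qfx10002", LINK_BPS, SAMPLES, recovery_timeout=2))
```

With the 5 percent level the second sample is rate limited only while broadcast and unknown unicast are still counted; once they are excluded, only the third (multicast-heavy) sample exceeds the level, and with action-shutdown the interface stays down for the recovery timeout before traffic is forwarded again.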

Port Mirroring and Analyzers

To analyze traffic in an EVPN-VXLAN environment, we support the following port mirroring and analyzer functionality:

  • Local mirroring

    • On an interface

    • On a VXLAN

  • Remote mirroring

    • On an interface

    • On a VXLAN

The following sections provide more information about the supported functionality and include sample configurations.

Local Mirroring

Note

Local mirroring is also known as Switched Port Analyzer (SPAN).

Table 3 provides a summary of local mirroring support.

Table 3: Local Mirroring Support

Entity to Which Local Mirroring Is Applied | Traffic Direction | Filter-based Support | Analyzer-based Support
CE-facing interface | Ingress | Supported. See Use Case 1: Sample Configuration. | Supported. See Use Case 2: Sample Configuration.
CE-facing interface | Egress | Not supported. | Supported; however, egress mirrored traffic might carry incorrect VLAN tags that differ from the tags in the original traffic. See Use Case 3: Sample Configuration.
IP fabric-facing interface | Ingress | Not supported. | Supported. See Use Case 4: Sample Configuration.
IP fabric-facing interface | Egress | Not supported. | Supported; however, mirrored VXLAN-encapsulated packets will not include a VXLAN header. See Use Case 5: Sample Configuration.
VXLAN-mapped VLAN | Ingress | Not supported. | Supported only for traffic entering through a CE-facing interface. See Use Case 6: Sample Configuration.

Use Case 1: Sample Configuration

The following is a firewall filter-based port mirroring sample configuration. It applies a firewall filter to logical interface xe-0/0/8.0 whose term sends the Layer 2 traffic that enters VXLAN100 through that interface to port mirroring instance pm1; the instance in turn mirrors the traffic to the analyzer on logical interface xe-0/0/6.0.

set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/8 unit 0 family ethernet-switching filter input IPACL
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options port-mirroring instance pm1 family ethernet-switching output interface xe-0/0/6
set firewall family ethernet-switching filter IPACL term to-analyzer then port-mirror-instance pm1

Use Case 2: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters logical interface xe-0/0/8.0 is mirrored to an analyzer on logical interface xe-0/0/6.0.

set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options analyzer ANA1 input ingress interface xe-0/0/8.0
set forwarding-options analyzer ANA1 output interface xe-0/0/6.0

Use Case 3: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that exits logical interface xe-0/0/8.0 is mirrored to an analyzer on logical interface xe-0/0/6.0.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options analyzer test input egress interface xe-0/0/8
set forwarding-options analyzer test output interface xe-0/0/6

Use Case 4: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters logical interface xe-0/0/29.0 is mirrored to an analyzer on logical interface xe-0/0/6.0.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/29 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/29 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options analyzer test input ingress interface xe-0/0/29
set forwarding-options analyzer test output interface xe-0/0/6

Use Case 5: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that exits logical interface xe-0/0/29.0 is mirrored to an analyzer on logical interface xe-0/0/6.0.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/29 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/29 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options analyzer test input egress interface xe-0/0/29
set forwarding-options analyzer test output interface xe-0/0/6

Use Case 6: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters the VLAN named VXLAN100 is mirrored to an analyzer on logical interface xe-0/0/6.0.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set interfaces xe-0/0/6 unit 0 family ethernet-switching
set forwarding-options analyzer test input ingress vlan VXLAN100
set forwarding-options analyzer test output interface xe-0/0/6

Remote Mirroring

Note

Remote mirroring is also known as Encapsulated Remote Switched Port Analyzer (ERSPAN).

We do not support Remote Switched Port Analyzer (RSPAN) with VXLAN encapsulation.

Table 4 provides a summary of remote mirroring support.

Table 4: Remote Mirroring Support

Entity to Which Remote Mirroring Is Applied | Traffic Direction | Filter-based Support | Analyzer-based Support
CE-facing interface | Ingress | Not supported. | Supported. See Use Case 1: Sample Configuration.
CE-facing interface | Egress | Not supported. | Supported. See Use Case 2: Sample Configuration.
IP fabric-facing interface | Ingress | Not supported. | Supported. See Use Case 3: Sample Configuration.
IP fabric-facing interface | Egress | Not supported. | Supported; however, mirrored traffic might include a bogus VLAN ID tag of 4094 on the native MAC frame. See Use Case 4: Sample Configuration.
VXLAN-mapped VLAN | Ingress | Not supported. | Supported only for traffic entering a CE-facing interface. See Use Case 5: Sample Configuration.
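The following Python parser is an added example for the receiving side of a remote mirroring session; it is not Juniper code and not part of this documentation. Table 4 notes that traffic mirrored on egress from an IP fabric-facing interface might carry a bogus 802.1Q tag with VLAN ID 4094 on the native MAC frame. An analyzer or IDS that trusts that tag would attribute the frame to a VLAN that never carried it, so the parser pops the 802.1Q and 802.1ad tags from a mirrored frame, records a VLAN ID 4094 tag as a mirroring artifact instead of a real VLAN (only when the operator states the frames come from fabric-facing egress), and returns the inner EtherType and payload. The frame bytes are constructed; the source MAC reuses the documentation address from the MAC filtering sample above.

```python
"""Analyzer-side normalizer for frames received from a remote (ERSPAN) mirror.
Pops 802.1Q/802.1ad tags and separates the VLAN ID 4094 artifact that Table 4
describes from real VLAN tags.  Added example, not Juniper code.  All frames
below are constructed."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_8021AD = 0x88A8
ARTIFACT_VID = 4094                     # the VLAN ID named in the page's caveat


def parse_mirrored_frame(frame, from_fabric_egress=True):
    """Parse one Ethernet frame and return a dict with the addresses, the real
    VLAN IDs, whether the 4094 artifact tag was present, the inner EtherType and
    the payload.  VID 4094 is treated as an artifact only when the frame comes
    from egress mirroring on an IP fabric-facing interface (from_fabric_egress)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset, vlans, artifact = 12, [], False
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the EtherType field")
        (etype,) = struct.unpack("!H", frame[offset:offset + 2])
        if etype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break                       # reached the inner EtherType
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vid = tci & 0x0FFF              # low 12 bits of the TCI are the VLAN ID
        if from_fabric_egress and vid == ARTIFACT_VID:
            artifact = True             # mirror artifact: do not report it as a VLAN
        else:
            vlans.append(vid)
        offset += 4                     # skip TPID + TCI, examine the next EtherType
    return {"dst": dst, "src": src, "vlans": vlans, "artifact_tag": artifact,
            "ethertype": etype, "payload": frame[offset + 2:]}


def build_frame(dst, src, vids, ethertype, payload):
    """Build a constructed test frame: MACs, optional 802.1Q tags, EtherType, payload."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed frames: a stub IPv4 payload behind the artifact tag, a double-tagged
# frame (artifact plus a real VLAN 100), and a plain VLAN 100 ARP frame.
STUB_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16
FRAME_ARTIFACT = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:ab", [4094], 0x0800, STUB_IPV4)
FRAME_DOUBLE = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:ab", [4094, 100], 0x0800, STUB_IPV4)
FRAME_PLAIN = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:ab", [100], 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    for name, frame in (("artifact", FRAME_ARTIFACT), ("double", FRAME_DOUBLE), ("plain", FRAME_PLAIN)):
        r = parse_mirrored_frame(frame)
        print(name, "vlans=%s artifact=%s ethertype=0x%04x" % (r["vlans"], r["artifact_tag"], r["ethertype"]))
```

VLAN ID 4094 is a valid VLAN ID elsewhere, so the parser discards it only for frames the operator has identified as coming from fabric-facing egress mirroring; for any other mirror source the tag is reported as a normal VLAN.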

Use Case 1: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters logical interface xe-0/0/8.0 is mirrored to a remote logical interface with an IP address of 10.9.9.2.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set forwarding-options analyzer test input ingress interface xe-0/0/8.0
set forwarding-options analyzer test output ip-address 10.9.9.2

Use Case 2: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that exits logical interface xe-0/0/8.0 is mirrored to a remote logical interface with an IP address of 10.9.9.2.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set forwarding-options analyzer test input egress interface xe-0/0/8
set forwarding-options analyzer test output ip-address 10.9.9.2

Use Case 3: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters logical interface xe-0/0/29.0 is mirrored to a remote logical interface with an IP address of 10.9.9.2.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/29 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/29 unit 0 family ethernet-switching vlan members VXLAN100
set forwarding-options analyzer test input ingress interface xe-0/0/29
set forwarding-options analyzer test output ip-address 10.9.9.2

Use Case 4: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that exits logical interface xe-0/0/29.0 is mirrored to a remote logical interface with an IP address of 10.9.9.2.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/29 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/29 unit 0 family ethernet-switching vlan members VXLAN100
set forwarding-options analyzer test input egress interface xe-0/0/29
set forwarding-options analyzer test output ip-address 10.9.9.2

Use Case 5: Sample Configuration

The following is an analyzer-based sample configuration. Through the use of the analyzer configuration statement at the [set forwarding-options] hierarchy level, this configuration specifies that Layer 2 traffic that enters VXLAN100, which is mapped to logical interface xe-0/0/8.0, is mirrored to a remote logical interface with an IP address of 10.9.9.2.

set vlans VXLAN100 vlan-id 100
set interfaces xe-0/0/8 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/8 unit 0 family ethernet-switching vlan members VXLAN100
set forwarding-options analyzer test input ingress vlan VXLAN100
set forwarding-options analyzer test output ip-address 10.9.9.2

Release History Table

Release | Description
18.4R1 | Starting with Junos OS Release 18.4R1, we support MAC filtering, storm control, and port mirroring and analyzing on QFX5100 and QFX5110 switches, and MAC filtering and storm control on QFX10002 and QFX10008 switches in an Ethernet VPN-Virtual Extensible LAN (EVPN-VXLAN) overlay network.