
vxlan: T5668: add CLI knob to enable ARP/ND suppression #2413

Merged
merged 1 commit into vyos:current from t5668-vxlan on Oct 31, 2023

Conversation

c-po
Member

@c-po c-po commented Oct 28, 2023

Change Summary

In order to minimize the flooding of ARP and ND messages in the VXLAN network, EVPN includes provisions [1] that allow participating VTEPs to suppress such messages in case they know the MAC-IP binding and can reply on behalf of the remote host. In Linux, the above is implemented in the bridge driver using a per-port option called "neigh_suppress" that was added in kernel version 4.15.

[1] https://www.rfc-editor.org/rfc/rfc7432#section-10

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

VXLAN

Proposed changes

How to test

Smoketest result

[email protected]:~$ /usr/libexec/vyos/tests/smoke/cli/test_interfaces_vxlan.py
test_add_multiple_ip_addresses (__main__.VXLANInterfaceTest.test_add_multiple_ip_addresses) ... ok
test_add_single_ip_address (__main__.VXLANInterfaceTest.test_add_single_ip_address) ... ok
test_dhcp_client_options (__main__.VXLANInterfaceTest.test_dhcp_client_options) ... skipped 'not supported'
test_dhcp_disable_interface (__main__.VXLANInterfaceTest.test_dhcp_disable_interface) ... skipped 'not supported'
test_dhcp_vrf (__main__.VXLANInterfaceTest.test_dhcp_vrf) ... skipped 'not supported'
test_dhcpv6_client_options (__main__.VXLANInterfaceTest.test_dhcpv6_client_options) ... skipped 'not supported'
test_dhcpv6_vrf (__main__.VXLANInterfaceTest.test_dhcpv6_vrf) ... skipped 'not supported'
test_dhcpv6pd_auto_sla_id (__main__.VXLANInterfaceTest.test_dhcpv6pd_auto_sla_id) ... skipped 'not supported'
test_dhcpv6pd_manual_sla_id (__main__.VXLANInterfaceTest.test_dhcpv6pd_manual_sla_id) ... skipped 'not supported'
test_interface_description (__main__.VXLANInterfaceTest.test_interface_description) ... ok
test_interface_disable (__main__.VXLANInterfaceTest.test_interface_disable) ... ok
test_interface_ip_options (__main__.VXLANInterfaceTest.test_interface_ip_options) ... ok
test_interface_ipv6_options (__main__.VXLANInterfaceTest.test_interface_ipv6_options) ... ok
test_interface_mtu (__main__.VXLANInterfaceTest.test_interface_mtu) ... ok
test_ipv6_link_local_address (__main__.VXLANInterfaceTest.test_ipv6_link_local_address) ... ok
test_mtu_1200_no_ipv6_interface (__main__.VXLANInterfaceTest.test_mtu_1200_no_ipv6_interface) ... ok
test_span_mirror (__main__.VXLANInterfaceTest.test_span_mirror) ... skipped 'not supported'
test_vif_8021q_interfaces (__main__.VXLANInterfaceTest.test_vif_8021q_interfaces) ... skipped 'not supported'
test_vif_8021q_lower_up_down (__main__.VXLANInterfaceTest.test_vif_8021q_lower_up_down) ... skipped 'not supported'
test_vif_8021q_mtu_limits (__main__.VXLANInterfaceTest.test_vif_8021q_mtu_limits) ... skipped 'not supported'
test_vif_8021q_qos_change (__main__.VXLANInterfaceTest.test_vif_8021q_qos_change) ... skipped 'not supported'
test_vif_s_8021ad_vlan_interfaces (__main__.VXLANInterfaceTest.test_vif_s_8021ad_vlan_interfaces) ... skipped 'not supported'
test_vif_s_protocol_change (__main__.VXLANInterfaceTest.test_vif_s_protocol_change) ... skipped 'not supported'
test_vxlan_external (__main__.VXLANInterfaceTest.test_vxlan_external) ... ok
test_vxlan_neighbor_suppress (__main__.VXLANInterfaceTest.test_vxlan_neighbor_suppress) ... ok
test_vxlan_parameters (__main__.VXLANInterfaceTest.test_vxlan_parameters) ... ok
test_vxlan_vlan_vni_mapping (__main__.VXLANInterfaceTest.test_vxlan_vlan_vni_mapping) ... ok

----------------------------------------------------------------------
Ran 27 tests in 88.542s

OK (skipped=14)

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly

@c-po
Member Author

c-po commented Oct 28, 2023

@Mergifyio backport sagitta

@mergify
Contributor

mergify bot commented Oct 28, 2023

backport sagitta

✅ Backports have been created

@tjjh89017
Contributor

Hi @c-po
You only added ARP/ND suppress.
But there is another "nolearning" here.
Do you consider adding it too?
It's different from the original "nolearning" in the vxlan parameters.
It's "bridge_slave nolearning".
I think these two "nolearning" are different.
Thank you

@c-po
Member Author

c-po commented Oct 30, 2023

According to https://man7.org/linux/man-pages/man8/ip-link.8.html there is no bridge_slave nolearning option. There is only [no]learning for VXLAN which we support by set interfaces vxlan vxlan1 parameters nolearning but that is only valid when set interfaces vxlan vxlan1 external is used for external control planes.

@tjjh89017
Contributor

That is "learning on/off".
Sorry, I forgot the real option.
Please check this.
Thank you

image

@c-po
Member Author

c-po commented Oct 30, 2023

Are you sure those are two different options?

bridge: learning { on | off } - allow MAC address learning on this port <- not related to VXLAN but ALL bridge ports

vxlan: [no]learning - specifies if unknown source link layer addresses and IP addresses are entered into the VXLAN device forwarding database. <- VXLAN only option

They sound quite the same. Can you please test if learning off is really required here?

We want to learn locally connected MACs behind the physical port into our control plane, but do not want to learn everything via VXLAN floods, too; that's where we use the control plane. But how do we install MAC addresses into the control plane for local targets if learning is off?

@tjjh89017
Contributor

As far as I know:
vxlan nolearning is ip neigh, which means it is head-end replication related (this also affects the case where the VXLAN is an L3 interface, i.e. its master is not a bridge) (VTEP learning; in EVPN we don't need this).
bridge_slave learning off is MAC learning (bridge fdb); in EVPN we don't need this, and this is a per-port option, so it should only be enabled on the VXLAN interface which is the bridge slave.
Other bridge slaves should not disable MAC learning.

That is the reason I would suggest putting those parameters inside "bridge member" at the same level as "native-vlan" and "allowed-vlan", because these two (neigh_suppress, bridge_slave learning off) require bridge_slave.

In FRR's doc [1]:
[1] https://docs.frrouting.org/en/latest/evpn.html#linux-interface-configuration

In order to minimize the flooding of ARP and ND messages in the VXLAN network,
EVPN includes provisions [1] that allow participating VTEPs to suppress such
messages in case they know the MAC-IP binding and can reply on behalf of the
remote host. In Linux, the above is implemented in the bridge driver using a
per-port option called "neigh_suppress" that was added in kernel version 4.15.

[1] https://www.rfc-editor.org/rfc/rfc7432#section-10
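The thread above distinguishes two per-port bridge_slave flags the EVPN setup depends on: neigh_suppress (so the VTEP answers ARP/ND from its MAC-IP bindings instead of flooding) and learning off on the VXLAN port only, while physical ports keep learning so local MACs still reach the control plane. The following is an added example, not code from this PR or from vyos-1x, showing how a defender could audit a bridge for exactly that split. It parses output in the shape of `bridge -j -d link show` (the `ifname`, `learning` and `neigh_suppress` key names are assumed to follow iproute2's JSON output), takes the set of VXLAN port names from the caller (that listing does not carry the link type), and prints bridge(8) `bridge link set` commands for ports that deviate. The interface names and flag values in the sample are constructed for the example.

```python
import json

# Constructed sample in the shape of `bridge -j -d link show` output. Key names
# are assumed to match iproute2's JSON output; interface names and values are
# made up for this example.
SAMPLE_BRIDGE_LINK_JSON = json.dumps([
    # physical port with hosts behind it: must keep MAC learning on
    {"ifindex": 5, "ifname": "eth1", "master": "br0", "state": "forwarding",
     "learning": True, "flood": True, "neigh_suppress": False},
    # physical port where learning was switched off: local MACs never get learned
    {"ifindex": 6, "ifname": "eth2", "master": "br0", "state": "forwarding",
     "learning": False, "flood": True, "neigh_suppress": False},
    # VXLAN port left at kernel defaults: floods ARP/ND and learns from floods
    {"ifindex": 7, "ifname": "vxlan1", "master": "br0", "state": "forwarding",
     "learning": True, "flood": True, "neigh_suppress": False},
    # VXLAN port configured the way the EVPN control plane expects
    {"ifindex": 8, "ifname": "vxlan2", "master": "br0", "state": "forwarding",
     "learning": False, "flood": True, "neigh_suppress": True},
])

# Finding codes and the operational consequence of each.
FINDING_TEXT = {
    "neigh_suppress_off": "ARP/ND requests are flooded over VXLAN instead of "
                          "being answered locally from the EVPN MAC-IP bindings",
    "learning_on": "remote MACs are learned from VXLAN floods instead of being "
                   "installed by the control plane",
    "learning_off": "MAC learning is off on a non-VXLAN port, so locally "
                    "attached hosts never enter the FDB or the control plane",
}


def audit_bridge_ports(bridge_link_json, vxlan_ports):
    """Check per-port bridge_slave flags against the EVPN expectations.

    bridge_link_json: text as produced by `bridge -j -d link show`.
    vxlan_ports: set of interface names that are VXLAN devices; the caller
        supplies it (e.g. from `ip -d link show type vxlan`) because the
        bridge link listing does not carry the link type.
    Returns {ifname: [finding_code, ...]} for ports that deviate.
    """
    findings = {}
    for port in json.loads(bridge_link_json):
        name = port["ifname"]
        learning = port.get("learning", True)               # kernel default: on
        neigh_suppress = port.get("neigh_suppress", False)  # kernel default: off
        codes = []
        if name in vxlan_ports:
            if not neigh_suppress:
                codes.append("neigh_suppress_off")
            if learning:
                codes.append("learning_on")
        elif not learning:
            codes.append("learning_off")
        if codes:
            findings[name] = codes
    return findings


def remediation_commands(findings):
    """Turn findings into bridge(8) commands that set the bridge_slave flags."""
    commands = []
    for name, codes in sorted(findings.items()):
        options = []
        if "neigh_suppress_off" in codes:
            options.append("neigh_suppress on")
        if "learning_on" in codes:
            options.append("learning off")
        if "learning_off" in codes:
            options.append("learning on")
        commands.append(f"bridge link set dev {name} {' '.join(options)}")
    return commands


if __name__ == "__main__":
    found = audit_bridge_ports(SAMPLE_BRIDGE_LINK_JSON, {"vxlan1", "vxlan2"})
    for name, codes in sorted(found.items()):
        for code in codes:
            print(f"{name}: {FINDING_TEXT[code]}")
    for cmd in remediation_commands(found):
        print(cmd)
```

On a live system the JSON would come from `bridge -j -d link show` and the VXLAN set from `ip -d link show type vxlan`; the audit itself needs no privileges, only the remediation commands do. The check deliberately treats a non-VXLAN port with learning off as a finding, which is the failure mode raised in the discussion: silencing learning bridge-wide, rather than on the VXLAN slave only, cuts locally attached hosts out of the control plane.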
@c-po
Member Author

c-po commented Oct 30, 2023

Added learning off

@c-po c-po merged commit 82a0067 into vyos:current Oct 31, 2023
7 checks passed
@c-po c-po deleted the t5668-vxlan branch October 31, 2023 05:59
c-po added a commit that referenced this pull request Oct 31, 2023
vxlan: T5668: add CLI knob to enable ARP/ND suppression (backport #2413)