From 51f4dab42652446075664bf22962e125d754de31 Mon Sep 17 00:00:00 2001 From: Anuradha Karuppiah Date: Mon, 9 Jul 2018 17:44:44 -0700 Subject: [PATCH] zebra: install EVPN gateway MAC as static/sticky SVI interface ip/hw address is advertised by the GW VTEP (say TORC11) with the default-GW community. And the rxing VTEP (say TORC21) installs the GW MAC as a dynamic FDB entry. The problem with this is a rogue packet from a server with the GW MAC as source can cause a station move resulting in TORC21 hijacking the GW MAC address and blackholing all inter rack traffic. Fix is to make the GW MAC "sticky" pinning it to the GW VTEP (TORC11). This commit does it by installing the FDB entry as static if the MACIP route is received with the default-GW community (mimics handling of mac-mobility-with-sticky community) Sample output with from TORC12 with TORC11 setup as gateway - root@TORC21:~# net show evpn mac vni 1004 mac 00:00:5e:00:01:01 MAC: 00:00:5e:00:01:01 Remote VTEP: 36.0.0.11 Remote-gateway Mac Neighbors: 45.0.4.1 fe80::200:5eff:fe00:101 2001:fee1:0:4::1 root@TORC21:~# bridge fdb show |grep 00:00:5e:00:01:01|grep 1004 00:00:5e:00:01:01 dev vx-1004 vlan 1004 master bridge static 00:00:5e:00:01:01 dev vx-1004 dst 36.0.0.11 self static root@TORC21:~# Signed-off-by: Anuradha Karuppiah Ticket: CM-21508
---
 zebra/zebra_vxlan.c | 15 ++++++++++++++-
 zebra/zebra_vxlan_private.h | 2 ++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/zebra/zebra_vxlan.c b/zebra/zebra_vxlan.c
index 59f0cf52f..a3b1c7d62 100644
--- a/zebra/zebra_vxlan.c
+++ b/zebra/zebra_vxlan.c
@@ -581,6 +581,9 @@ static void zvni_print_mac(zebra_mac_t *mac, void *ctxt)
 if (CHECK_FLAG(mac->flags, ZEBRA_MAC_DEF_GW)) vty_out(vty, " Default-gateway Mac "); + if (CHECK_FLAG(mac->flags, ZEBRA_MAC_REMOTE_DEF_GW)) + vty_out(vty, " Remote-gateway Mac "); + vty_out(vty, "\n"); /* print all the associated neigh */ vty_out(vty, " Neighbors:\n"); 
@@ -2534,7 +2537,8 @@ static int zvni_mac_install(zebra_vni_t *zvni, zebra_mac_t *mac)
 return -1; vxl = &zif->l2info.vxl; - sticky = CHECK_FLAG(mac->flags, ZEBRA_MAC_STICKY) ? 1 : 0; + sticky = CHECK_FLAG(mac->flags, + (ZEBRA_MAC_STICKY | ZEBRA_MAC_REMOTE_DEF_GW)) ? 1 : 0; return kernel_add_mac(zvni->vxlan_if, vxl->access_vlan, &mac->macaddr, mac->fwd_info.r_vtep_ip, sticky);
@@ -5152,6 +5156,7 @@ void zebra_vxlan_remote_macip_add(ZAPI_HANDLER_ARGS)
 char buf[ETHER_ADDR_STRLEN];
 char buf1[INET6_ADDRSTRLEN];
 uint8_t sticky = 0;
+ u_char remote_gw = 0;
 uint8_t flags = 0;
 struct interface *ifp = NULL;
 struct zebra_if *zif = NULL;
@@ -5193,6 +5198,7 @@ void zebra_vxlan_remote_macip_add(ZAPI_HANDLER_ARGS)
 /* Get flags - sticky mac and/or gateway mac */ STREAM_GETC(s, flags); sticky = CHECK_FLAG(flags, ZEBRA_MACIP_TYPE_STICKY); + remote_gw = CHECK_FLAG(flags, ZEBRA_MACIP_TYPE_GW); l++; if (IS_ZEBRA_DEBUG_VXLAN)
@@ -5266,6 +5272,8 @@ void zebra_vxlan_remote_macip_add(ZAPI_HANDLER_ARGS)
 if (!mac || !CHECK_FLAG(mac->flags, ZEBRA_MAC_REMOTE) || (CHECK_FLAG(mac->flags, ZEBRA_MAC_STICKY) ? 1 : 0) != sticky + || (CHECK_FLAG(mac->flags, ZEBRA_MAC_REMOTE_DEF_GW) ? 1 : 0) + != remote_gw || !IPV4_ADDR_SAME(&mac->fwd_info.r_vtep_ip, &vtep_ip)) update_mac = 1;
@@ -5297,6 +5305,11 @@ void zebra_vxlan_remote_macip_add(ZAPI_HANDLER_ARGS)
 else UNSET_FLAG(mac->flags, ZEBRA_MAC_STICKY); + if (remote_gw) + SET_FLAG(mac->flags, ZEBRA_MAC_REMOTE_DEF_GW); + else + UNSET_FLAG(mac->flags, ZEBRA_MAC_REMOTE_DEF_GW); + zvni_process_neigh_on_remote_mac_add(zvni, mac); /* Install the entry. */
diff --git a/zebra/zebra_vxlan_private.h b/zebra/zebra_vxlan_private.h
index fa7075f2d..354126ca5 100644
--- a/zebra/zebra_vxlan_private.h
+++ b/zebra/zebra_vxlan_private.h
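Review bot: The `sticky` local in zvni_mac_install now encodes two distinct reasons for installing a static FDB entry, but nothing in the hunk says why a remote default-GW MAC is treated like a sticky one; a comment above the assignment would carry the security rationale from the commit message into the code, e.g. `/* A remote default-GW MAC is pinned to its VTEP like a sticky MAC so a local host sourcing the GW MAC cannot trigger a station move. */`. If any other path derives static-vs-dynamic from ZEBRA_MAC_STICKY alone (the uninstall path, or the handling of a local learn event for a MAC zebra already holds as remote), it presumably needs the same `ZEBRA_MAC_STICKY | ZEBRA_MAC_REMOTE_DEF_GW` test; that code is not in this patch. zvni_mac_install begins outside the hunk.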
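Review bot: `u_char remote_gw = 0;` introduces the BSD `u_char` typedef into a declaration list whose neighbours (`sticky`, `flags`) use `uint8_t`; the new line should read `uint8_t remote_gw = 0;` so the three flag-derived locals share one type and the file stays free of a non-standard typedef. The enclosing function zebra_vxlan_remote_macip_add continues on both sides of the hunk.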
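Review bot: `remote_gw = CHECK_FLAG(flags, ZEBRA_MACIP_TYPE_GW);` stores the masked bit rather than a 0/1 value, while the comparison added in the next hunk (@@ -5266) tests `(CHECK_FLAG(mac->flags, ZEBRA_MAC_REMOTE_DEF_GW) ? 1 : 0) != remote_gw`. The existing `sticky` comparison only works because ZEBRA_MACIP_TYPE_STICKY is presumably 0x01, and ZEBRA_MACIP_TYPE_GW must be a different bit, so whenever the GW flag is set the two sides never compare equal, `update_mac` is forced to 1 and the kernel entry is reinstalled on every refresh of a gateway MAC. Normalising at the source fixes both hunks: `remote_gw = CHECK_FLAG(flags, ZEBRA_MACIP_TYPE_GW) ? 1 : 0;`. The `sticky` assignment on the line above has the same latent dependence on its bit position and would benefit from the same form. The enclosing function continues on both sides of the hunk.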
@@ -247,6 +247,8 @@ struct zebra_mac_t_ {
 #define ZEBRA_MAC_STICKY 0x08 /* Static MAC */ #define ZEBRA_MAC_REMOTE_RMAC 0x10 /* remote router mac */ #define ZEBRA_MAC_DEF_GW 0x20 +/* remote VTEP advertised MAC as default GW */ +#define ZEBRA_MAC_REMOTE_DEF_GW 0x40 /* Local or remote info. */ union {
-- 
2.39.2
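Review bot: The comment on ZEBRA_MAC_REMOTE_DEF_GW says where the MAC came from but not what the flag changes, and the behavioural effect lives in another file (@@ -2534 of zebra_vxlan.c now installs such a MAC as static). A reader of the header would be better served by `/* remote VTEP advertised MAC as default GW; installed static like ZEBRA_MAC_STICKY so it stays pinned to that VTEP */`. The struct zebra_mac_t_ definition begins and ends outside the hunk.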