Hi Neal, Thanks, Is there a way to view and limit learned MAC addresses for an interface without adding an interface to a bridge-domain?
On Tue, Aug 3, 2021 at 12:15 PM Neale Ranns <ne...@graphiant.com> wrote: > HI Mohsen, > > > > Learning in a BD is enabled by default – your trace shows learning on. You > can turn in on or off through configuration on the BD or on the input > interface. > > DBGvpp# set bridge-domain ? > > set bridge-domain learn set bridge-domain learn > <bridge-domain-id> [disable] > > set bridge-domain learn-limit set bridge-domain learn-limit > <bridge-domain-id> <learn-limit> > > > > or > > > > DBGvpp# set interface l2 ? > > set interface l2 learn set interface l2 learn > <interface> [disable] > > > > Ping and ARP work with learning on. > > > > Note also in the commands above, there is a mechanism to limit the number > of MACs that can be learnt in each BD. > > > > /neale > > > > > > *From: *Mohsen Meamarian <meamarian.moh...@gmail.com> > *Date: *Tuesday, 3 August 2021 at 06:37 > *To: *Neale Ranns <ne...@graphiant.com> > *Cc: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *Re: [vpp-dev] MAC Learning in vpp > > Thanks neale, > > What is the easiest way to enable learning on an interface while other > functionality , including passing the ping and arp packets , work normally? > > > > I want l2_learn_process run for that interface so that I can write a > function to do something like put a limiting on maximum connected devices > with it's help. > > > > > > On Mon, Aug 2, 2021, 23:38 Neale Ranns <ne...@graphiant.com> wrote: > > > > HI Moshen, > > > > *From: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Mohsen > Meamarian via lists.fd.io <meamarian.mohsen=gmail....@lists.fd.io> > *Date: *Monday, 2 August 2021 at 18:45 > *To: *vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> > *Subject: *[vpp-dev] MAC Learning in vpp > > Hi friends, > > I want to implement port security in vpp. I assume that the > l2learn_process function in l2_learn.c runs periodically when vpp is active > and When a device is connected to my system , this function helps to learn > it's mac. Is this assumption true ? > > > > No. l2_learn runs for all packets that are received on a link on which > learning is enabled. You can see it in the trace you provided. It is > learning in this VLIB node that will populated the l2fib. > > > > because when I run the sh l2fib command , it returns nothing. but when I > set an interface as a bridge , the sh l2fib command returns something. my > commands : > > > > create bridge-domain 2 arp-term 1 > create loopback interface > set int l2 bridge loop0 2 bvi > set interface state loop0 up > set interface l2 bridge GigabitEthernet0/8/0 2 > > show bridge-domain 2 detail > show l2fib all > > > > but i have a problem here. vpp drop ping packet.Where can the problem come > from? > > > > I attached my trace command result to this mail.I get " l2-flood: BVI L3 > mac mismatch " error. > > > > That shows an ARP packet destined to a unicast MAC. That packet was > flooded, suggesting an l2fib miss and unknown-unicast flooding is enabled. > The dst MAC of the packet did not match the MAC of the BVI (the only other > interface in the BD) so it was dropped. > > > > /neale > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19910): https://lists.fd.io/g/vpp-dev/message/19910 Mute This Topic: https://lists.fd.io/mt/84615988/21656 Group Owner: vpp-dev+ow...@lists.fd.io Unsubscribe: https://lists.fd.io/g/vpp-dev/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
