I'm running NSX 6.2 on vSphere 6 U2. I've been using the CLI on the controllers, manager, routers, anything and everything, to find any indication that NSX notices a MAC flood attack is happening.
A regular physical switch may notice that a MAC Flood is happening by reviewing the output from "show mac address-table dynamic", but I haven't found a similar command in the NSX CLI environment, except for perhaps
nsx-controller # show control-cluster logical-switches vni-stats 5001
update.member 4
update.vtep 41
update.mac 3
update.mac.invalidate 0
update.arp 147
update.arp.duplicate 0
query.mac 11
query.mac.miss 0
query.arp 2
query.arp.miss 2
or
nsx-controller # show control-cluster logical-routers vdr-stats 0x1388
host.reports.received 5
host.reports.dropped 0
edge.routes.received 18
edge.routes.dropped 0
bridge.reports.received 0
bridge.reports.dropped 0
bridge.macs.received 0
bridge.macs.dropped 0
route.queries.received 0
interface.queries.received 0
mac.queries.received 0
clear.routes.received 1
clear.macs.received 0
errdecode.messages.dropped 0
memfull.messages.dropped 0
errserver.messages.dropped 0
notifications.error 0
Any ideas?
Damion Terrell (He/Him)
Core IT Service Specialist
UNM – IT Platforms – VIS
“You learn the job of the person above you, and you teach your job to the person below you.”
OK, I found something on the NSX Manager, but not a statement of the number of MAC table entries.
nsxlabmgr.vsphere.local> show logical-router host <host-ID> dlr <edge-ID> interface <intf-ID> statistics
VDR default+edge-7 LIF 138800000002 Statistics :
RX Unicast Packets on the interface: 0
RX Unicast Bytes on the interface: 0
TX Unicast Packets on the interface: 0
RX Broadcast Packets on the interface: 0
RX Broadcast Bytes on the interface: 0
TX Broadcast Packets on the interface: 0
TX Broadcast Bytes on the interface: 0
RX Multicast Packets on the interface: 0
RX Multicast Bytes on the interface: 0
RX Packets System Error on interface: 0
TX Ref Errors on the interface: 0
Packets Deferred Free on the interface: 0
RX Packets Dropped on interface: 0
LIF Net Statistics (approx.):
IP & ARP packets RX: 26
IP & ARP packets TX: 345820 <- These numbers increase during MAC flood attack.
IP packets Forwarded to Lif: 345803
IP packets Consumed: 0
IP packets Fragmented: 0
IP packets Ignored: 0
ARP Request RX: 0
ARP Request TX: 11
ARP Response RX: 25
ARP Response TX: 0
ARP Request for Proxy RX: 0
ARP Request for Proxy My IP RX: 0
GARP RX: 1
GARP TX: 1
ARP Probes TX: 15
ICMP Echo Req RX: 0
ICMP Echo Rsp TX: 0
ICMP Time Exceeded TX: 0
TTL Zero Drops: 0
Bad Checksum Drops: 0
Arp HoldPkts Drops: 0
Packet Allocation Failure: 0
Route not found to Dest: 0
Neighbor not found: 10
But then I found
show logical-switch host host-10 vni 5001 statistics
..
mac.lookup.flood: 4
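Since the thread ends on polling counters by hand, here is an added example (not from the original posts or from VMware) that turns the two counter formats shown above into a simple rate check: it parses both the controller "name value" style and the host "name: value" style, then flags a fast-climbing mac.lookup.flood between two snapshots. The snapshots and the per-second threshold are constructed/hypothetical; how you collect the CLI text (e.g. over SSH on a timer) is up to you.

```python
"""Rate-check NSX-v CLI counters for a MAC-flood signature (added example)."""
import re

# Matches both counter styles seen in the NSX CLI output quoted above:
#   "mac.lookup.flood: 4"   host 'show logical-switch ... statistics' (colon)
#   "update.mac 3"          controller 'vni-stats' (space separated)
# Names may contain spaces/& ("IP & ARP packets TX: 345820"); command echoes
# and headers without a trailing integer are ignored.
LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z][\w.& ]*?):?\s+(?P<value>\d+)\s*$")


def parse_counters(text):
    """Return {counter_name: int} for every counter line in the CLI text."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def counter_rate(prev, cur, name, interval_s):
    """Per-second increase of one counter between two snapshots.
    A decrease (counter cleared or wrapped) is treated as a restart from zero."""
    before, after = prev.get(name, 0), cur.get(name, 0)
    delta = after - before if after >= before else after
    return delta / interval_s


def mac_flood_suspected(prev, cur, interval_s, threshold_per_s=10.0):
    """True when mac.lookup.flood climbs faster than the threshold.
    mac.lookup.flood counts frames the logical switch had to flood because the
    destination MAC was not in its table; a sustained climb on an otherwise
    stable segment is the data-plane view of a MAC table under flood.
    threshold_per_s is a hypothetical tuning value, not an NSX default."""
    return counter_rate(prev, cur, "mac.lookup.flood", interval_s) >= threshold_per_s


# Constructed snapshots (not real NSX output), assumed to be 60 s apart.
SNAPSHOT_T0 = "..\nmac.lookup.flood: 4\n"
SNAPSHOT_T1 = "..\nmac.lookup.flood: 9604\n"

if __name__ == "__main__":
    before, after = parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)
    rate = counter_rate(before, after, "mac.lookup.flood", 60)
    print(f"mac.lookup.flood: {rate:.1f}/s, flood suspected: "
          f"{mac_flood_suspected(before, after, 60)}")
```

Feeding it successive copies of the DLR interface statistics works the same way, so the "IP & ARP packets TX" counter the second post points at can be rate-checked with counter_rate() without changing the parser.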