[j-nsp] EX Switches - Internet Exchange Points

Jonathan Lassoff jof at thejof.com
Thu Mar 25 16:02:51 EDT 2010


Excerpts from Paul Stewart's message of Thu Mar 25 12:13:31 -0700 2010:
> I'm looking for feedback from folks on the list who are service providers
> and connect to peering exchange points (IE. PAIX, Equinix, LINX etc).   I'm
> looking for recommended configuration for layer2 connectivity via an EX
> switch towards one of these exchange points - we have been doing in Cisco so
> long that I'm missing some obvious config in the Juniper's we just moved to
> ;)

AMS-IX has a nice guide and some useful suggestions over here:
http://www.ams-ix.net/config-guide/#10


> The problem I'm facing is we're tripping the port security on the exchange
> switch:
> 
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
> 
> It is obviously seeing several MAC addresses and doesn't like this.  So I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

Doh!

If your platform supports it, implement a packet filter that blocks all
traffic except for the single MAC that you think should be on that port.

Maybe IGMP is leaking out?

Also, depending on your platform, tcpdump (probably not much help on an
L2 switch configuration) or a passive tap could provide some indication
as to what traffic is causing port security to trip on the far side.

Is 00:0b:45:b6:f5:00 the Ethernet MAC you expect to be seeing?

Cheers,
jof
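The single-MAC packet filter suggested above, as an added Junos example that is not part of the original thread: an EX family ethernet-switching firewall filter applied outbound on the exchange-facing port, so only frames sourced from the peering router's MAC reach the IXP switch and anything else (leaked IGMP, STP, a second router, etc.) is discarded and counted. The interface name, filter name and MAC address are placeholders; the MAC reuses the one from the quoted log only for illustration and must be the address you actually expect on that port.

```junos
/* Added example, not from the original post. Assumes ge-0/0/0 is the
   IXP-facing port and 00:0b:45:b6:f5:00 is the one MAC that should be
   the only source on it; replace both. Requires an EX model/Junos release
   that supports egress port filters for family ethernet-switching. */
firewall {
    family ethernet-switching {
        filter IXP-SINGLE-MAC {
            term peer-router {
                from {
                    /* only frames sourced by the peering router pass */
                    source-mac-address {
                        00:0b:45:b6:f5:00/48;
                    }
                }
                then accept;
            }
            term leaked {
                /* everything else is dropped; the counter shows what
                   would otherwise have tripped port security */
                then {
                    count leaked-frames;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                filter {
                    output IXP-SINGLE-MAC;
                }
            }
        }
    }
}
```

After committing, `show firewall filter IXP-SINGLE-MAC` shows the leaked-frames counter, so a rising count tells you something other than the expected router is still sourcing frames toward the exchange even though it can no longer trigger the violation.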

