[j-nsp] EX Switches - Internet Exchange Points
Paul Stewart
paul at paulstewart.org
Thu Mar 25 16:09:51 EDT 2010
Thanks very much for the reply...
The AMS-IX guide I've been through but their Juniper section isn't nearly as
detailed as the Cisco side... good guide for sure. ;)
The MAC shown in my example below is actually the correct MAC for the layer3
facing interface ... so you're suggesting to create a filter to only allow
that MAC to be 'sent out' to the peering switch? We never had to do this in
the Cisco world using the configurations I sent in my original post hence
some of my confusion...
Appreciate it,
Paul
-----Original Message-----
From: Jonathan Lassoff [mailto:jof at thejof.com]
Sent: Thursday, March 25, 2010 4:03 PM
To: Paul Stewart
Cc: jnsp
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 12:13:31 -0700 2010:
> I'm looking for feedback from folks on the list who are service providers
> and connect to peering exchange points (IE. PAIX, Equinix, LINX etc).
I'm
> looking for recommended configuration for layer2 connectivity via an EX
> switch towards one of these exchange points - we have been doing in Cisco
so
> long that I'm missing some obvious config in the Juniper's we just moved
to
> ;)
AMS-IX has a nice guide and some useful suggestions over here:
http://www.ams-ix.net/config-guide/#10
> The problem I'm facing we're tripping the port security on the exchange
> switch:
>
>
>
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. so
I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)
Doh!
If your platform supports it, implement a packet filter that blocks all
traffic except for the single MAC that you think should be on that port.
Maybe IGMP is leaking out?
Also, depending on your platform, tcpdump (probably not much help on an
L2 switch configuration) or a passive tap could provide some indication
as to what traffic is causing port security to trip on the far side.
Is 00:0b:45:b6:f5:00 the Ethernet MAC you expect to be seeing?
Cheers,
jof
More information about the juniper-nsp
mailing list