[j-nsp] EX Switches - Internet Exchange Points

Paul Stewart paul at paulstewart.org
Thu Mar 25 20:01:36 EDT 2010


Thanks Richard...

The MAC filtering idea proposed earlier by another friendly person was quite
helpful and solved the issue.  That Cisco MAC is actually what we wanted to
see; however, other MACs were showing up from the intermediary switches along
the path (Cisco 7600 - EX4200 - EX4200 - EX4200 in this particular case)....

Solved now thankfully - we like to be friendly to our peers at exchange
points and I was getting worried ;)

Take care,

Paul


-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net] 
Sent: March-25-10 7:52 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
> The problem I'm facing we're tripping the port security on the exchange
> switch:
> 
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
> 
> It is obviously seeing several MAC addresses and doesn't like this.  so I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

The MAC address vendor database says 000b45 is Cisco, so either you have
a misconfiguration or your Juniper is leaking something it shouldn't be,
but at least it isn't generating something on its own. I'd recommend you
track down that MAC address on your network and figure out how it is
getting to the exchange, since if the Juniper is leaking things outside
of its configured vlan it is a Big Problem (tm) which needs to be fixed.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
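
The triage described in the thread (take the MAC from the violation message, look up its OUI, find what is leaking it), as an added example that is not part of the original messages: it parses the PSECURE_VIOLATION message quoted above and lists, per port, every source MAC other than the one the exchange expects. The expected router MAC, the second offending MAC and the last two log lines are constructed; the only OUI mapping is the one stated in the thread.

```python
import re
from collections import defaultdict

# Matches the IOS message quoted in the thread; \s+ tolerates e-mail line wrapping.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:\s+Security\s+violation\s+occurred,"
    r"\s+caused\s+by\s+MAC\s+address\s+(?P<mac>[0-9A-Fa-f.:-]{12,17})"
    r"\s+on\s+port\s+(?P<port>[A-Za-z-]+\d+(?:/\d+)*)"
)

# Only the OUI the thread itself identifies; extend from the IEEE registry.
OUI_VENDOR = {"000b45": "Cisco"}

def normalize_mac(mac):
    """Reduce dotted, colon or dash notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def unexpected_sources(log_text, expected_macs):
    """Map port -> sorted [(mac, vendor)] for violating MACs not in expected_macs."""
    expected = {normalize_mac(m) for m in expected_macs}
    seen = defaultdict(set)
    for hit in VIOLATION_RE.finditer(log_text):
        mac = normalize_mac(hit.group("mac"))
        if mac not in expected:
            seen[hit.group("port")].add((mac, OUI_VENDOR.get(mac[:6], "unknown")))
    return {port: sorted(macs) for port, macs in seen.items()}

# First entry is the message from the thread (wrapped as mailed);
# the other two entries are constructed sample data.
SAMPLE_LOG = """\
Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
violation occurred, caused by MAC address 000b.45b6.f500 on port
FastEthernet0/1.
Mar 24 15:37:10.101 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.5e10.0002 on port FastEthernet0/1.
Mar 24 15:37:41.520 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
"""

# Constructed: the single MAC the exchange port is meant to learn.
EXPECTED = ["02:00:5e:10:00:01"]

if __name__ == "__main__":
    for port, macs in unexpected_sources(SAMPLE_LOG, EXPECTED).items():
        for mac, vendor in macs:
            print(f"{port}: unexpected source {mac} (OUI {mac[:6]}, {vendor})")
```

Each MAC it reports is one to trace hop by hop through the switches between the router and the exchange port.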



