[j-nsp] Tricks for killing L2 loops in VPLS and STP "BPDU-less" situations?

Wayne Tucker wayne at tuckerlabs.com
Fri Aug 17 12:06:49 EDT 2012


On Fri, Aug 17, 2012 at 8:08 AM, Clarke Morledge <chmorl at wm.edu> wrote:
> We have had the unfortunate experience of having users plug in small
> mini-switches into our network that have the capability of filtering out
> (by-default) BPDUs while allowing other traffic through.  The nightmare
> situation is when a user plugs in such a switch accidentally into two of our
> EX switches.  Traffic will loop through the miscreant switch between the two
> EXs and without BPDUs it just looks like MAC addresses keep moving between
> the real source and the two EXs.

This is probably not the answer you're looking for, but the best
solution is to not bridge to your access switches.  Everything in the
EX series is capable of routing, so why not take advantage of that
functionality?

Barring that, your options are: storm control, MAC limiting, and MAC
move limiting.

I've never found storm control to be that useful.  It reduces the
volume of frames but usually not enough to cancel out all of the
negative effects.

MAC limiting with a reasonable MAC limit on a port can cause the port
to be disabled if too many addresses are seen coming from said port.

MAC move limiting is configured per VLAN.  It can detect a layer 2
loop with a smaller number of MAC addresses than MAC limiting would,
but my concern has always been that (as far as I can tell) there's no
way to determine which interface would end up being disabled - it
would be bad to have it pick a trunk between your core switches
instead of the trunk to the IDF.

None of these will ever be as effective as routing.


> In an MX environment running VPLS, this problem can happen easily as there
> are no BPDUs even to protect against loops in VPLS, particularly when your
> VPLS domain ties into a Spanning Tree domain downstream where your potential
> miscreant switch may appear.

I believe there was a thread on here within the last month about an
event script for the MX platform that would do just that.  Going back
to the first section, though, you should think thrice before doing
VPLS - Ivan Pepelnjak has some good articles about the hazards of L2
across your WAN on his blog.

HTH

:w
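A configuration sketch of the MAC limiting and MAC move limiting options the reply describes, added here as an illustration and not taken from the thread or from either poster; it uses the legacy (pre-ELS) EX `ethernet-switching-options` hierarchy, and the interface `ge-0/0/10`, the VLAN name `users` and the thresholds are placeholders to be checked against your release's documentation.

```junos
ethernet-switching-options {
    secure-access-port {
        /* Per-port learning cap: an access port that suddenly sources many
           MACs (a looping mini-switch forwarding the whole VLAN back at you)
           is error-disabled rather than left to flood the core. */
        interface ge-0/0/10.0 {
            mac-limit 10 action shutdown;
        }
        /* Per-VLAN move rate: catches a loop even when only a handful of
           MACs are involved, but Junos picks the port to disable, so be sure
           core uplinks are not the interfaces where the moves are seen. */
        vlan users {
            mac-move-limit 5 action shutdown;
        }
    }
    /* Re-enable error-disabled ports after 300 seconds so that a transient
       loop on an IDF port does not turn into a permanent outage. */
    port-error-disable {
        disable-timeout 300;
    }
}
```

After a trip, `show ethernet-switching interfaces` and the log message that names the disabled port tell you which interface was hit; if it turns out to be a core trunk, the mac-move-limit action should be reduced to `drop` or `log` on that VLAN.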
