[j-nsp] Tricks for killing L2 loops in VPLS and STP "BPDU-less" situations?

Ge Moua moua0100 at umn.edu
Fri Aug 17 17:04:51 EDT 2012


What about TRILL? Not sure if Juniper has jumped on the TRILL bandwagon yet.


--
Regards,
Ge Moua
Univ of Minn Alumnus
--


On 08/17/2012 11:06 AM, Wayne Tucker wrote:
> On Fri, Aug 17, 2012 at 8:08 AM, Clarke Morledge <chmorl at wm.edu> wrote:
>> We have had the unfortunate experience of having users plug in small
>> mini-switches into our network that have the capability of filtering out
>> (by-default) BPDUs while allowing other traffic through.  The nightmare
>> situation is when a user plugs in such a switch accidentally into two of our
>> EX switches.  Traffic will loop through the miscreant switch between the two
>> EXs and without BPDUs it just looks like MAC addresses keep moving between
>> the real source and the two EXs.
> This is probably not the answer you're looking for, but the best
> solution is to not bridge to your access switches.  Everything in the
> EX series is capable of routing, so why not take advantage of that
> functionality?
>
> Barring that, your options are: storm control, MAC limiting, and MAC
> move limiting.
>
> I've never found storm control to be that useful.  It reduces the
> volume of frames but usually not enough to cancel out all of the
> negative effects.
>
> MAC limiting with a reasonable MAC limit on a port can cause the port
> to be disabled if too many addresses are seen coming from said port.
>
> MAC move limiting is configured per VLAN.  It can detect a layer 2
> loop with a smaller number of MAC addresses than MAC limiting would,
> but my concern has always been that (as far as I can tell) there's no
> way to determine which interface would end up being disabled - it
> would be bad to have it pick a trunk between your core switches
> instead of the trunk to the IDF.
>
> None of these will ever be as effective as routing.
>
>
>> In an MX environment running VPLS, this problem can happen easily as there
>> are no BPDUs even to protect against loops in VPLS, particularly when your
>> VPLS domain ties into a Spanning Tree domain downstream where your potential
>> miscreant switch may appear.
> I believe there was a thread on here within the last month about an
> event script for the MX platform that would do just that.  Going back
> to the first section, though, you should think thrice before doing
> VPLS - Ivan Pepelnjak has some good articles about the hazards of L2
> across your wan on his blog.
>
> HTH
>
> :w
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
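The three knobs Wayne lists (storm control, per-port MAC limiting, per-VLAN MAC move limiting) as one configuration stanza. This is an added example, not configuration posted by anyone in this thread: it uses the legacy (non-ELS) EX-series Junos syntax, and the interface ge-0/0/10, the VLAN name users, the thresholds and the 300-second recovery timer are all assumed placeholders to be verified against the Junos release in use.

```junos
/* Added example, not from the thread. Legacy (non-ELS) EX-series syntax.
   ge-0/0/10, VLAN "users" and every threshold are assumed placeholders. */
ethernet-switching-options {
    /* Re-enable a port that was shut down by a limit after 300 seconds,
       so an already-unplugged loop does not need a manual clear. */
    port-error-disable {
        disable-timeout 300;
    }
    secure-access-port {
        /* MAC limiting is per port: an access port sourcing more than
           5 MAC addresses is shut down (actions: none|drop|log|shutdown). */
        interface ge-0/0/10 {
            mac-limit 5 action shutdown;
        }
        /* MAC move limiting is per VLAN: a MAC moving between ports more
           than 5 times per second triggers the action. As the thread notes,
           the operator does not choose which port ends up disabled. */
        vlan users {
            mac-move-limit 5 action shutdown;
        }
    }
    /* Storm control caps broadcast/unknown-unicast on the access port
       (here 1000 kbps); the thread notes this alone rarely stops a loop. */
    storm-control {
        interface ge-0/0/10 {
            bandwidth 1000;
        }
    }
}
```

Apply mac-limit only to access ports facing users, never to uplinks or inter-switch trunks, and keep port-error-disable short enough that a looped port is not left down after the offending switch has been removed.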

