[j-nsp] Tricks for killing L2 loops in VPLS and STP "BPDU-less" situations?
Christopher E. Brown
chris.brown at acsalaska.net
Sun Aug 19 08:39:43 EDT 2012
One thing I noticed when working with the BUM filter under a VPLS instance
is that there is no way to declare a per-instance policer that I could find.
You can call the same filter/policer in multiple VPLS instances, but
the named policer is a single global instance. So, if you call the same
filter w/ a 5 Mbit policer in 20 instances it is not 20 separate 5 Mbit
policers, it is one policer shared across all.
I very much want to add a BUM policer by default to all VPLS instances,
but I really want to avoid creating a separate filter and policer config
for each instance, when 95% of them would be running one of three
standard configs.
And yes, this was tested: on 10.4R10, Trio-based (MX960s w/ MPC2 and MX80),
the policer was always shared.
On 8/17/12 3:20 PM, Chris Kawchuk wrote:
> Hi Clarke,
>
> We pass BPDUs through VPLS on the MXes, but yes, miscreant users / switches will always be a problem.
>
> We do the following to every customer-facing VPLS instance, but only #3 would help you here:
>
> 1. Mac Limiting per VPLS Interface (100) (i.e per 'site')
> 2. Mac Limiting per VPLS (500)
> 3. Limit Broadcast/Unknown Unicast/Multicast Traffic (5 Mbit) into the VPLS
>
> You can put on an input firewall filter which calls a 5 Mbit policer at [routing instances <vpls-name> forwarding-options family vpls <>] to start limiting this type of traffic into the 'bridge domain' at any time.
>
> - CK.
>
>
> On 18/08/2012, at 1:08 AM, Clarke Morledge <chmorl at wm.edu> wrote:
>
>> We have had the unfortunate experience of having users plug in small mini-switches into our network that have the capability of filtering out (by-default) BPDUs while allowing other traffic through. The nightmare situation is when a user plugs in such a switch accidentally into two of our EX switches. Traffic will loop through the miscreant switch between the two EXs and without BPDUs it just looks like MAC addresses keep moving between the real source and the two EXs.
>>
>> In an MX environment running VPLS, this problem can happen easily as there are no BPDUs even to protect against loops in VPLS, particularly when your VPLS domain ties into a Spanning Tree domain downstream where your potential miscreant switch may appear.
>>
>> I am curious to know if anyone has come up with strategies to kill these loops for EXs running Spanning Tree and/or MXs running VPLS. Rate-limiting may help, but it doesn't kill loops completely. I am looking for ways to detect lots of MAC address moves (without polling for them) and blocking those interfaces involved when those MAC moves exceed a certain threshold via some trigger mechanism.
>>
>> Assume Junos 10.4R10 or more recent.
>>
>> Clarke Morledge
>> College of William and Mary
>> Information Technology - Network Engineering
>> Jones Hall (Room 18)
>> Williamsburg VA 23187
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
--
------------------------------------------------------------------------
Christopher E. Brown <chris.brown at acsalaska.net> desk (907) 550-8393
cell (907) 632-8492
IP Engineer - ACS
------------------------------------------------------------------------
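A set-style Junos sketch of the BUM filter this thread discusses, added here as an illustration; it is not taken from either poster's configuration, and the policer, filter, term, counter and instance names (BUM-5M, BUM-LIMIT, CUST-A) are made-up placeholders. The # lines are explanatory and would be dropped before pasting into the CLI.

```junos
# Hypothetical names throughout. A named policer is one global token bucket:
# every term, VPLS instance and interface that references BUM-5M shares this
# single 5 Mbit allowance, as observed above on 10.4R10; a separate budget per
# instance needs a separately named policer per instance.
set firewall policer BUM-5M if-exceeding bandwidth-limit 5m
set firewall policer BUM-5M if-exceeding burst-size-limit 100k
set firewall policer BUM-5M then discard

# Police only flooded traffic (broadcast, multicast, unknown unicast);
# known-unicast falls through to the final accept term untouched.
set firewall family vpls filter BUM-LIMIT term broadcast from traffic-type broadcast
set firewall family vpls filter BUM-LIMIT term broadcast then policer BUM-5M
set firewall family vpls filter BUM-LIMIT term broadcast then count bum-broadcast
set firewall family vpls filter BUM-LIMIT term broadcast then accept
set firewall family vpls filter BUM-LIMIT term multicast from traffic-type multicast
set firewall family vpls filter BUM-LIMIT term multicast then policer BUM-5M
set firewall family vpls filter BUM-LIMIT term multicast then count bum-multicast
set firewall family vpls filter BUM-LIMIT term multicast then accept
set firewall family vpls filter BUM-LIMIT term unknown-unicast from traffic-type unknown-unicast
set firewall family vpls filter BUM-LIMIT term unknown-unicast then policer BUM-5M
set firewall family vpls filter BUM-LIMIT term unknown-unicast then count bum-unknown-unicast
set firewall family vpls filter BUM-LIMIT term unknown-unicast then accept
set firewall family vpls filter BUM-LIMIT term everything-else then accept

# Applied at the path Chris Kawchuk names, so it acts on traffic entering the
# VPLS bridge domain; CUST-A is a placeholder instance name.
set routing-instances CUST-A instance-type vpls
set routing-instances CUST-A forwarding-options family vpls filter input BUM-LIMIT
```

The count actions are there so that `show firewall filter BUM-LIMIT` shows whether flooded traffic is actually being policed during a suspected loop.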