[j-nsp] Network, trouble after customer created a loop *inside* a VM host

Jeff Meyers Jeff.Meyers at gmx.net
Sun Nov 9 07:28:58 EST 2014


Hi Alex,

> I think we are missing some important details here.
> AFAIK, in order to detect MAC moves, the port must be in a
> bridge-domain/VPLS instance.
> So Your MX480 ae0 must be a L2/"bridged" port, not a L3/routed one.

Yes, that is the case - historically actually. In the past we migrated
from L3 only to L2 interfaces with IRB and RSTP active with the MX480 as
the root bridge and one MX80 as the backup root. But we quickly saw that
RSTP was poorly implemented on the MX routers because a topology change
leads to a complete flush of the ARP table on the router, causing
packet loss in the network because our ~35.000 entries couldn't be
learned that quickly again.

> So the question would be - are there any other ports on this MX480 in
> same bridge-domain(BD)/VPLS instance?

Not anymore, there were in the past when we had all VLANs bridged over to
the MX80 as well. We don't do that anymore. But that's actually
important information that this can't/shouldn't happen on L3 interfaces.
Since we don't need the L2 functionality anymore anyways, I guess we
will migrate back to L3-only then.

> If not, but You have an IRB interface in this BD, does it have "IS-IS
> passive" enabled by any chance? "IS-IS passive" does not actually stop
> ES-IS PDUs being sent out, so these pesky ES-IS mcast frames could be
> the ones which looped.

No, we do OSPF internally but not on the L2 interface - only on "real" 
router ports.

> Additionally, MAC move limiting is not supported on EX4550 VC and in
> mixed EX4200-4500/4550 VC so if Your EX4200 VC is actually a mixed
> EX4200-4500/4550 VC there is no chance getting it stopped on EX.
> https://www.juniper.net/techpubs/en_US/release-independent/junos/topics/concept/ex-series-software-features-overview-vc.html#port-security-features-by-platform-table

It's two separate VCs because of the drawbacks a mixed VC causes but the
L2 core is an EX4550 VC.


Thanks,
Jeff

