On Fri, Aug 17, 2012 at 8:08 AM, Clarke Morledge <chm...@wm.edu> wrote:

> We have had the unfortunate experience of having users plug in small
> mini-switches into our network that have the capability of filtering out
> (by-default) BPDUs while allowing other traffic through. The nightmare
> situation is when a user plugs in such a switch accidentally into two of our
> EX switches. Traffic will loop through the miscreant switch between the two
> EXs and without BPDUs it just looks like MAC addresses keep moving between
> the real source and the two EXs.
This is probably not the answer you're looking for, but the best solution is to not bridge to your access switches. Everything in the EX series is capable of routing, so why not take advantage of that functionality?

Barring that, your options are: storm control, MAC limiting, and MAC move limiting.

I've never found storm control to be that useful. It reduces the volume of frames but usually not enough to cancel out all of the negative effects.

MAC limiting with a reasonable MAC limit on a port can cause the port to be disabled if too many addresses are seen coming from said port.

MAC move limiting is configured per VLAN. It can detect a layer 2 loop with a smaller number of MAC addresses than MAC limiting would, but my concern has always been that (as far as I can tell) there's no way to determine which interface would end up being disabled - it would be bad to have it pick a trunk between your core switches instead of the trunk to the IDF.

None of these will ever be as effective as routing.

> In an MX environment running VPLS, this problem can happen easily as there
> are no BPDUs even to protect against loops in VPLS, particularly when your
> VPLS domain ties into a Spanning Tree domain downstream where your potential
> miscreant switch may appear.

I believe there was a thread on here within the last month about an event script for the MX platform that would do just that.

Going back to the first section, though, you should think thrice before doing VPLS - Ivan Pepelnjak has some good articles about the hazards of L2 across your WAN on his blog.

HTH
:w

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
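The MAC limiting and MAC move limiting options the reply describes, written out as an added Junos (non-ELS EX) configuration example that is not from the thread or from either poster; the access port ge-0/0/10, the VLAN name users, the thresholds and the recovery timer are assumptions.

```junos
/* Added example, not from the thread: ge-0/0/10 and VLAN "users" are assumed names */
ethernet-switching-options {
    secure-access-port {
        /* MAC limiting is per interface: scope it to access ports only, so a
           core-to-core trunk can never be the port that gets shut down */
        interface ge-0/0/10.0 {
            /* more than 5 learned MACs on this port -> port is error-disabled */
            mac-limit 5 action shutdown;
        }
        /* MAC move limiting is per VLAN: trips when one MAC moves between
           interfaces more than 5 times in one second (a loop fingerprint);
           as the reply notes, the switch, not you, chooses the interface
           it disables, so a core trunk in this VLAN is a candidate */
        vlan users {
            mac-move-limit 5 action shutdown;
        }
    }
    /* bring error-disabled ports back after 300 seconds instead of leaving
       them down until someone clears them by hand */
    port-error-disable {
        disable-timeout 300;
    }
}
```

Ports disabled by either action show as disabled in `show ethernet-switching interfaces` and can be re-enabled early with `clear ethernet-switching port-error`.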