Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Fri Mar 26 06:10:47 -0700 2010:
> Hi there..
>
> I just wanted to follow up on this - I'd open a case at JTAC but honestly
> have no idea where to get started with them yet...;)
>
> So, the MAC filtering worked for one of the exchange points yesterday ...
> then late last night one of our upstream providers dropped off. With the
> upstream provider I've asked them for port security logs so I can start
> hunting for MAC's they are seeing; this will hopefully provide a clue.

Oh no! Hopefully you're multihomed :)

It's strange that a transit provider would drop a connection because of
layer 2 traffic it doesn't like. Perhaps the outage was unrelated?

Every transit I've dealt with delivers service over a point-to-point link
(an Ethernet segment with just two routers on it), with no port security
or spanning tree.

IXes on the other hand seem to regularly implement port security as a way
of preventing loops in a switched environment without spanning tree
running. It's a hassle to deal with spanning tree across administrative
boundaries.

If you're still trying to track down traffic that's appearing without
explanation, and have a free PC with a GigE NIC, attach it to an analyzer
port and just start capturing.

> Is there a way in a filter to log denied MAC addresses? Snippet looks like
> this:
>
> family ethernet-switching {
>     filter core2_peering_filter {
>         term expected_mac_address {
>             from {
>                 source-mac-address {
>                     00:0b:45:b6:f5:00;
>                 }
>             }
>             then accept;
>         }
>         term block {
>             then discard;
>         }
>     }
> }
>
> I tried to add "then discard log" to the term block but I get:
>
> 'filter'
>     Referenced filter 'core1_peering_filter' can not be used as log not
> supported on egress
> error: configuration check-out failed

Looks like it's not supported on egress then. This has the potential to
log a LOT.

--j
___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
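The advice above (attach a PC to an analyzer port and capture) and jof's earlier guesses about what might be leaking (IGMP, or some other protocol from the Juniper or the Cisco) both come down to the same question: which source MACs other than the router's are leaving the IX-facing port, and what are they sending? The following is an added example, not code from the thread or from Juniper, that classifies raw Ethernet frames the way you would after pulling a capture off that analyzer port. It recognises the control-plane protocols most likely to trip an IX's port security from a switched path (STP BPDUs and CDP in 802.3/LLC/SNAP framing, LLDP, IGMP, ARP, ICMPv6) and reports every source MAC that is not the expected router MAC. The router MAC 00:0b:45:b6:f5:00 is the one from the thread; the switch MACs, the VLAN ID and the frames themselves are constructed for the example, not captured from anyone's network.

```python
from __future__ import annotations

import struct
from collections import defaultdict

# The Cisco 7600 SVI MAC quoted in the thread; the only source MAC that should leave the IX port.
EXPECTED_ROUTER_MAC = "00:0b:45:b6:f5:00"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def classify(frame: bytes) -> tuple[str, str, str]:
    """Return (src_mac, dst_mac, protocol_label) for one raw Ethernet frame.

    Handles one optional 802.1Q tag, Ethernet II ethertypes, and 802.3/LLC/SNAP
    framing, which is how STP BPDUs and CDP are carried."""
    if len(frame) < 14:
        return ("?", "?", "runt")
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    off = 12
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    if etype == 0x8100 and len(frame) >= off + 6:   # 802.1Q: skip the TCI, re-read the type
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    payload = frame[off:]

    if etype >= 0x0600:                              # Ethernet II
        if etype == 0x88CC:
            return (src, dst, "LLDP")
        if etype == 0x0806:
            return (src, dst, "ARP")
        if etype == 0x0800 and len(payload) >= 10:   # IPv4: protocol field at byte 9
            proto = payload[9]
            return (src, dst, "IGMP" if proto == 2 else f"IPv4/proto{proto}")
        if etype == 0x86DD and len(payload) >= 7:    # IPv6: next header at byte 6
            nh = payload[6]
            return (src, dst, "ICMPv6" if nh == 58 else f"IPv6/nh{nh}")
        return (src, dst, f"ethertype 0x{etype:04x}")

    # 802.3 length field: payload begins with an LLC header (DSAP, SSAP, control)
    if len(payload) >= 3:
        dsap, ssap = payload[0], payload[1]
        if dsap == 0x42 and ssap == 0x42:
            return (src, dst, "STP BPDU")
        if dsap == 0xAA and ssap == 0xAA and len(payload) >= 8:   # SNAP: OUI + PID follow
            oui, pid = payload[3:6], struct.unpack("!H", payload[6:8])[0]
            if oui == b"\x00\x00\x0c" and pid == 0x2000:
                return (src, dst, "CDP")
            return (src, dst, f"SNAP oui={mac_str(oui)} pid=0x{pid:04x}")
    return (src, dst, "802.3/LLC")


def leaked_sources(frames: list[bytes], expected_src: str) -> dict[str, set[str]]:
    """Every source MAC other than the expected router MAC, with the protocols it was seen sending."""
    seen: dict[str, set[str]] = defaultdict(set)
    for f in frames:
        src, _dst, proto = classify(f)
        if src != expected_src:
            seen[src].add(proto)
    return dict(seen)


def _frame(dst: str, src: str, etype: int, payload: bytes, vlan: int | None = None) -> bytes:
    """Build a frame; `etype` is an ethertype, or the payload length for 802.3 framing."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return mac_bytes(dst) + mac_bytes(src) + tag + struct.pack("!H", etype) + payload


# Constructed frames standing in for a capture off the analyzer port. The source MACs other
# than EXPECTED_ROUTER_MAC are made up; no frame here was captured from the thread's network.
_ipv4_igmp = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 1, 2]) + b"\x00" * 10 + b"\x00" * 8
_stp_bpdu = bytes([0x42, 0x42, 0x03]) + b"\x00" * 35
_cdp = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C, 0x20, 0x00]) + b"\x02\xb4" + b"\x00" * 30
_lldp = b"\x02\x07\x04" + mac_bytes("2c:6b:f5:44:55:66") + b"\x00\x00"
SAMPLE_FRAMES = [
    _frame("01:00:5e:00:00:01", EXPECTED_ROUTER_MAC, 0x0800, _ipv4_igmp),          # router IGMP query
    _frame("ff:ff:ff:ff:ff:ff", EXPECTED_ROUTER_MAC, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    _frame("01:80:c2:00:00:00", "2c:6b:f5:11:22:33", len(_stp_bpdu), _stp_bpdu),   # BPDU from a switch
    _frame("01:00:0c:cc:cc:cc", "00:1b:d4:aa:bb:cc", len(_cdp), _cdp),             # CDP from a switch
    _frame("01:80:c2:00:00:0e", "2c:6b:f5:44:55:66", 0x88CC, _lldp, vlan=61),     # tagged LLDP from a switch
]

if __name__ == "__main__":
    for mac, protos in leaked_sources(SAMPLE_FRAMES, EXPECTED_ROUTER_MAC).items():
        print(f"{mac} is leaking: {', '.join(sorted(protos))}")
```

With a real capture you would read frames with the `pcap` module of your choice and feed them to `leaked_sources()` unchanged; the point of the classifier is that the IX's port-security log only tells you a MAC, while the protocol label tells you which knob on which box (BPDU filtering, CDP/LLDP on the trunk side, IGMP snooping querier) is responsible.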
Re: [j-nsp] EX Switches - Internet Exchange Points
Hi there..

I just wanted to follow up on this - I'd open a case at JTAC but honestly
have no idea where to get started with them yet...;)

So, the MAC filtering worked for one of the exchange points yesterday ...
then late last night one of our upstream providers dropped off. With the
upstream provider I've asked them for port security logs so I can start
hunting for MAC's they are seeing; this will hopefully provide a clue.

Is there a way in a filter to log denied MAC addresses? Snippet looks like
this:

family ethernet-switching {
    filter core2_peering_filter {
        term expected_mac_address {
            from {
                source-mac-address {
                    00:0b:45:b6:f5:00;
                }
            }
            then accept;
        }
        term block {
            then discard;
        }
    }
}

I tried to add "then discard log" to the term block but I get:

'filter'
    Referenced filter 'core1_peering_filter' can not be used as log not
supported on egress
error: configuration check-out failed

Thanks,

Paul

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: Thursday, March 25, 2010 8:41 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

On Thu, Mar 25, 2010 at 08:01:36PM -0400, Paul Stewart wrote:
> Thanks Richard...
>
> The MAC filtering idea proposed earlier by another friendly person was
> quite helpful and solved the issue. That Cisco MAC is actually what
> we wanted to see however other MAC's were showing up from the
> intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 -
> EX4200 in this particular case)
>
> Solved now thankfully - we like to be friendly to our peers at
> exchange points and I was getting worried ;)

What were the other MACs that you didn't want leaked? The MAC filter is a
fine workaround, but if your EX's are leaking things they shouldn't be I'd
like to see that get addressed too. :)

-- 
Richard A Steenbergen                    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
Richard,

You have a very valid point and to be honest we never found out - ironically
this morning we lost a transit connection which is on a different EX4200
switch and I'm investigating a potentially similar MAC issue. I'm not sure
yet but I've asked the upstream for detailed MAC information to see if it
could be related.

If I find something concrete I'll be happy to share this back with the list -
was hoping to find someone who had already deployed EX4200's towards exchange
points possibly ... so I could see if they ran into any of this (which we're
presuming most of it is just us learning more about Juniper) :)

Paul

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: March-25-10 8:41 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

On Thu, Mar 25, 2010 at 08:01:36PM -0400, Paul Stewart wrote:
> Thanks Richard...
>
> The MAC filtering idea proposed earlier by another friendly person was
> quite helpful and solved the issue. That Cisco MAC is actually what
> we wanted to see however other MAC's were showing up from the
> intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 -
> EX4200 in this particular case)
>
> Solved now thankfully - we like to be friendly to our peers at
> exchange points and I was getting worried ;)

What were the other MACs that you didn't want leaked? The MAC filter is a
fine workaround, but if your EX's are leaking things they shouldn't be I'd
like to see that get addressed too. :)

-- 
Richard A Steenbergen                    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
On Thu, Mar 25, 2010 at 08:01:36PM -0400, Paul Stewart wrote:
> Thanks Richard...
>
> The MAC filtering idea proposed earlier by another friendly person was
> quite helpful and solved the issue. That Cisco MAC is actually what
> we wanted to see however other MAC's were showing up from the
> intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 -
> EX4200 in this particular case)
>
> Solved now thankfully - we like to be friendly to our peers at
> exchange points and I was getting worried ;)

What were the other MACs that you didn't want leaked? The MAC filter is a
fine workaround, but if your EX's are leaking things they shouldn't be I'd
like to see that get addressed too. :)

-- 
Richard A Steenbergen                    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
Thanks Richard...

The MAC filtering idea proposed earlier by another friendly person was
quite helpful and solved the issue. That Cisco MAC is actually what
we wanted to see however other MAC's were showing up from the
intermediary switches along the path (Cisco 7600 - EX4200 - EX4200 -
EX4200 in this particular case)

Solved now thankfully - we like to be friendly to our peers at
exchange points and I was getting worried ;)

Take care,

Paul

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: March-25-10 7:52 PM
To: Paul Stewart
Cc: 'jnsp'
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
> The problem I'm facing we're tripping the port security on the exchange
> switch:
>
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. so I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

The MAC address vendor database says 000b45 is Cisco, so either you have
a misconfiguration or your Juniper is leaking something it shouldn't be,
but at least it isn't generating something on its own. I'd recommend you
track down that MAC address on your network and figure out how it is
getting to the exchange, since if the Juniper is leaking things outside
of its configured vlan it is a Big Problem (tm) which needs to be fixed.

-- 
Richard A Steenbergen                    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Richard A Steenbergen's message of Thu Mar 25 16:52:15 -0700 2010:
> On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
> > The problem I'm facing we're tripping the port security on the exchange
> > switch:
> >
> > Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> > violation occurred, caused by MAC address 000b.45b6.f500 on port
> > FastEthernet0/1.
> >
> > It is obviously seeing several MAC addresses and doesn't like this. so I'm
> > trying to adapt a "best practice" here based on what other folks have
> > encountered along the way as we're trying our best to learn Juniper better
> > ;)
>
> The MAC address vendor database says 000b45 is Cisco, so either you have
> a misconfiguration or your Juniper is leaking something it shouldn't be,
> but at least it isn't generating something on its own. I'd recommend you
> track down that MAC address on your network and figure out how it is
> getting to the exchange, since if the Juniper is leaking things outside
> of its configured vlan it is a Big Problem (tm) which needs to be fixed.

From the original post, it sounds like Paul was using a Cisco as the
router and just using his EX switch as an L2 device to connect the two,
in which case, the Cisco OUI seems expected.

--j
Re: [j-nsp] EX Switches - Internet Exchange Points
On Thu, Mar 25, 2010 at 03:13:31PM -0400, Paul Stewart wrote:
> The problem I'm facing we're tripping the port security on the exchange
> switch:
>
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. so I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

The MAC address vendor database says 000b45 is Cisco, so either you have
a misconfiguration or your Juniper is leaking something it shouldn't be,
but at least it isn't generating something on its own. I'd recommend you
track down that MAC address on your network and figure out how it is
getting to the exchange, since if the Juniper is leaking things outside
of its configured vlan it is a Big Problem (tm) which needs to be fixed.

-- 
Richard A Steenbergen                    http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] EX Switches - Internet Exchange Points
Thanks again - we have some EX4200's in our lab currently so will test this
out... again, appreciate the fast response times..;)

Paul

-----Original Message-----
From: Jonathan Lassoff [mailto:j...@thejof.com]
Sent: Thursday, March 25, 2010 4:39 PM
To: Paul Stewart
Cc: jnsp
Subject: RE: [j-nsp] EX Switches - Internet Exchange Points

Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
> Thanks very much for the reply...
>
> The AMS-IX guide I've been through but their Juniper section isn't nearly as
> detailed as the Cisco side... good guide for sure. ;)
>
> The MAC shown in my example below is actually the correct MAC for the layer3
> facing interface ... so you're suggesting to create a filter to only allow
> that MAC to be 'sent out' to the peering switch? We never had to do this in
> the Cisco world using the configurations I sent in my original post hence
> some of my confusion...

Ok, I checked this out on a spare EX-3200. Maybe some configuration like:

firewall {
    family ethernet-switching {
        filter XXX-IX_Peering_Filter {
            term expected_mac_address {
                from {
                    source-mac-address {
                        00:0b:45:b6:f5:00;
                    }
                }
                then accept;
            }
            term block {
                then discard;
            }
        }
    }
}

interfaces {
    ge-x/x/x {
        unit 0 {
            family ethernet-switching {
                filter {
                    output XXX-IX_Peering_Filter;
                }
            }
        }
    }
}

Would accomplish what you want.

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
> Thanks very much for the reply...
>
> The AMS-IX guide I've been through but their Juniper section isn't nearly as
> detailed as the Cisco side... good guide for sure. ;)
>
> The MAC shown in my example below is actually the correct MAC for the layer3
> facing interface ... so you're suggesting to create a filter to only allow
> that MAC to be 'sent out' to the peering switch? We never had to do this in
> the Cisco world using the configurations I sent in my original post hence
> some of my confusion...

Ok, I checked this out on a spare EX-3200. Maybe some configuration like:

firewall {
    family ethernet-switching {
        filter XXX-IX_Peering_Filter {
            term expected_mac_address {
                from {
                    source-mac-address {
                        00:0b:45:b6:f5:00;
                    }
                }
                then accept;
            }
            term block {
                then discard;
            }
        }
    }
}

interfaces {
    ge-x/x/x {
        unit 0 {
            family ethernet-switching {
                filter {
                    output XXX-IX_Peering_Filter;
                }
            }
        }
    }
}

Would accomplish what you want.

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 13:09:51 -0700 2010:
> Thanks very much for the reply...
>
> The AMS-IX guide I've been through but their Juniper section isn't nearly as
> detailed as the Cisco side... good guide for sure. ;)
>
> The MAC shown in my example below is actually the correct MAC for the layer3
> facing interface ... so you're suggesting to create a filter to only allow
> that MAC to be 'sent out' to the peering switch? We never had to do this in
> the Cisco world using the configurations I sent in my original post hence
> some of my confusion...

Indeed, Cisco is a big global player in the switching market, so many guides
and experience are with Cisco gear.

There's probably some other protocol running that's causing frames from other
source MACs to be sent out of your port facing the peering switch, either
from your Juniper or your Cisco interface. Maybe implement port security on
your downstream interfaces that are on your peering VLAN/bridge.. If you can
track down that protocol and disable it out of the interface in question,
all the better.

I was suggesting an L2 filter since if it's supported, it should give you the
effect you want for the least amount of effort (no packet tracing, taps,
etc.), but it comes at the cost of having to go back and change the filter if
you want to change routers.

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Thanks very much for the reply...

The AMS-IX guide I've been through but their Juniper section isn't nearly as
detailed as the Cisco side... good guide for sure. ;)

The MAC shown in my example below is actually the correct MAC for the layer3
facing interface ... so you're suggesting to create a filter to only allow
that MAC to be 'sent out' to the peering switch? We never had to do this in
the Cisco world using the configurations I sent in my original post hence
some of my confusion...

Appreciate it,

Paul

-----Original Message-----
From: Jonathan Lassoff [mailto:j...@thejof.com]
Sent: Thursday, March 25, 2010 4:03 PM
To: Paul Stewart
Cc: jnsp
Subject: Re: [j-nsp] EX Switches - Internet Exchange Points

Excerpts from Paul Stewart's message of Thu Mar 25 12:13:31 -0700 2010:
> I'm looking for feedback from folks on the list who are service providers
> and connect to peering exchange points (IE. PAIX, Equinix, LINX etc). I'm
> looking for recommended configuration for layer2 connectivity via an EX
> switch towards one of these exchange points - we have been doing in Cisco so
> long that I'm missing some obvious config in the Juniper's we just moved to
> ;)

AMS-IX has a nice guide and some useful suggestions over here:
http://www.ams-ix.net/config-guide/#10

> The problem I'm facing we're tripping the port security on the exchange
> switch:
>
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. so I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

Doh!

If your platform supports it, implement a packet filter that blocks all
traffic except for the single MAC that you think should be on that port.
Maybe IGMP is leaking out?

Also, depending on your platform, tcpdump (probably not much help on an L2
switch configuration) or a passive tap could provide some indication as to
what traffic is causing port security to trip on the far side.

Is 00:0b:45:b6:f5:00 the Ethernet MAC you expect to be seeing?

Cheers,
jof
Re: [j-nsp] EX Switches - Internet Exchange Points
Excerpts from Paul Stewart's message of Thu Mar 25 12:13:31 -0700 2010:
> I'm looking for feedback from folks on the list who are service providers
> and connect to peering exchange points (IE. PAIX, Equinix, LINX etc). I'm
> looking for recommended configuration for layer2 connectivity via an EX
> switch towards one of these exchange points - we have been doing in Cisco so
> long that I'm missing some obvious config in the Juniper's we just moved to
> ;)

AMS-IX has a nice guide and some useful suggestions over here:
http://www.ams-ix.net/config-guide/#10

> The problem I'm facing we're tripping the port security on the exchange
> switch:
>
> Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
> violation occurred, caused by MAC address 000b.45b6.f500 on port
> FastEthernet0/1.
>
> It is obviously seeing several MAC addresses and doesn't like this. so I'm
> trying to adapt a "best practice" here based on what other folks have
> encountered along the way as we're trying our best to learn Juniper better
> ;)

Doh!

If your platform supports it, implement a packet filter that blocks all
traffic except for the single MAC that you think should be on that port.
Maybe IGMP is leaking out?

Also, depending on your platform, tcpdump (probably not much help on an L2
switch configuration) or a passive tap could provide some indication as to
what traffic is causing port security to trip on the far side.

Is 00:0b:45:b6:f5:00 the Ethernet MAC you expect to be seeing?

Cheers,
jof
[j-nsp] EX Switches - Internet Exchange Points
Hi there.

We're originally a Cisco shop slowly converting to Juniper. I'm looking for
feedback from folks on the list who are service providers and connect to
peering exchange points (IE. PAIX, Equinix, LINX etc). I'm looking for
recommended configuration for layer2 connectivity via an EX switch towards
one of these exchange points - we have been doing in Cisco so long that I'm
missing some obvious config in the Juniper's we just moved to ;)

Perhaps I should explain a bit better. In the Cisco world, we configure the
physical port like this:

interface GigabitEthernet3/3
 description x
 switchport
 switchport access vlan 61
 switchport mode access
 no ip address
 speed 100
 duplex full
 no cdp enable
 no mop enabled
 spanning-tree bpdufilter enable

Juniper port we migrated to:

ether-options {
    no-auto-negotiation;
    link-mode full-duplex;
    speed {
        100m;
    }
}
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members Peering-x;
        }
    }
}

protocols {
    rstp {
        interface ge-0/0/3.0 {
            disable;
        }
    }
}

Then from the Juniper switch (or the Cisco that we had in place) the traffic
is trunked via a couple of other switches back to a Cisco 7600 for layer3
traffic (which hasn't changed at all):

interface Vlan61
 description Peering:xx
 ip address xx.xx.xxx.34 255.255.255.0
 ip access-group 199 out
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ipv6 address xx:xx:xx::34/64
 ipv6 nd ra suppress
 no ipv6 mld router
 no ipv6 redirects
 no ipv6 pim
 no mop enabled
end

The problem I'm facing we're tripping the port security on the exchange
switch:

Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
violation occurred, caused by MAC address 000b.45b6.f500 on port
FastEthernet0/1.

It is obviously seeing several MAC addresses and doesn't like this. So I'm
trying to adapt a "best practice" here based on what other folks have
encountered along the way as we're trying our best to learn Juniper better ;)

Thanks,

Paul
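The port-security violation quoted above names only the MAC that happened to trip the counter, and later in the thread it turns out that MAC is the router's own (the one you want), while the real problem is the other MACs the IX switch learned on the same port. When the exchange (or, as later in the thread, a transit provider) hands over a batch of these log lines, the useful step is to normalise the MACs and split them into "expected router MAC" and "everything else". The following is an added example, not code from the thread or from Cisco, that does that over a constructed syslog sample: the first line is the one quoted in the post, the others (and their MAC addresses) are made up, and the small OUI table is illustrative only, with just 00:0b:45 = Cisco taken from the thread.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed syslog sample. The first line is the one quoted in the original post;
# the remaining lines (and their MAC addresses) are made up for this example.
SAMPLE_LOG = """\
Mar 24 15:36:52.773 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000b.45b6.f500 on port FastEthernet0/1.
Mar 24 15:37:10.101 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.e2aa.bb01 on port FastEthernet0/1.
Mar 24 15:37:11.204 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 2c6b.f5ab.cd02 on port FastEthernet0/1.
Mar 24 15:38:00.000 EDT: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
"""

# Minimal OUI table for the example. 00:0b:45 -> Cisco is stated in the thread; the
# other two prefixes are assumed here and a real run should consult the IEEE registry.
OUI = {
    "00:0b:45": "Cisco",
    "00:19:e2": "Juniper (assumed)",
    "2c:6b:f5": "Juniper (assumed)",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?caused by MAC address "
    r"(?P<mac>[0-9A-Fa-f.:\-]+) on port (?P<port>\S+?)\.?$"
)


def normalize_mac(mac: str) -> str:
    """Canonicalise Cisco dotted (000b.45b6.f500), colon and hyphen forms to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Violation:
    port: str
    mac: str      # normalised colon form
    vendor: str   # OUI table hit, or "unknown"


def parse_violations(log_text: str) -> list[Violation]:
    """Extract every PSECURE_VIOLATION line; other syslog lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m is None:
            continue
        mac = normalize_mac(m.group("mac"))
        found.append(Violation(m.group("port"), mac, OUI.get(mac[:8], "unknown")))
    return found


def audit(log_text: str, expected: dict[str, set[str]]) -> tuple[list[Violation], int]:
    """Split violations into leaks and noise.

    `expected` maps IX-facing port -> MACs (any notation) that belong on it. A violation
    naming one of those MACs is just the port-security counter tripping (noise, counted);
    anything else is a MAC your side leaked onto the exchange and is returned for follow-up."""
    allow = {port: {normalize_mac(m) for m in macs} for port, macs in expected.items()}
    leaked, expected_hits = [], 0
    for v in parse_violations(log_text):
        if v.mac in allow.get(v.port, set()):
            expected_hits += 1
        else:
            leaked.append(v)
    return leaked, expected_hits


if __name__ == "__main__":
    leaks, hits = audit(SAMPLE_LOG, {"FastEthernet0/1": {"000b.45b6.f500"}})
    print(f"{hits} violation(s) name the expected router MAC")
    for v in leaks:
        print(f"LEAK on {v.port}: {v.mac} ({v.vendor})")
```

The allowlist is keyed by the far side's port name because that is what appears in their log; on your side the same MAC set is what the egress `family ethernet-switching` filter later in the thread permits, so the two lists should be kept identical and changed together when the router is swapped.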