Hi folks, thanks for the lively discussion so far. A few notes and comments about the more recent technical part of the discussion.

In our shared switch scenario, we intend to limit MAC addresses per our downstream customers on the MICE VLAN itself, not per physical interface. This seems fairly standard; we would hope that as many as possible are already doing this. We would advocate this as a requirement for all customer-facing ports on all switches, remote or otherwise, dedicated or not dedicated.

We would also welcome a MAC limit on the Arista Core set to something reasonable facing us and other remote switches as well. The current non-remote switch limit of 5 would work perfectly fine in our scenario. Perhaps a limit per remote switch based on N+something should also be enforced as long as it's not a large burden on the MICE operators.

We also use BGP session culling; it's deactivated by default. We'd activate on the MICE VLAN during maintenance.

#### Junos config example for mac limits ####

interfaces {
    ae0 {
        description "WiscNet Router";
        unit 100 {
            description "MICE :RP:";
            vlan-id 100;
        }
    }
    et-0/0/25 {
        description "MICE Arista Core";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members 100;
                }
            }
        }
    }
}
vlans {
    vlan-100 {
        description "MICE Peering";
        vlan-id 100;
        interface ae0.100;
        inactive: forwarding-options {
            /* based on https://tinyurl.com/junos-bgp-culling */
            filter {
                input CullBGP-MICE;
                output CullBGP-MICE;
            }
        }
        switch-options {
            interface ae0.100 {
                interface-mac-limit {
                    1;
                    packet-action drop-and-log;
                }
            }
        }
    }
}

As far as graphing per-VLAN, this works well on Q5 based systems such as our Juniper QFX10k. This + buffers is part of the reason we chose this platform instead of a cheap Broadcom device. This is also a part of the reason we would prefer to *not* shove a cheap Broadcom/chinaswitch device in the middle.

We also support SNMP polling per interface. In our case we'd expose just the MICE interfaces using views. 630 below is a subinterface's SNMP ifIndex. 1.10, 1.11, etc. are ifOctets, ifUcastPkts, and so on for that interface. This is manual, but with only a handful of interfaces, totally doable:

snmp {
    view view-mice {
        oid .1 exclude;
        oid .1.3.6.1.2.1.2.2.1.10.630 include;
        oid .1.3.6.1.2.1.2.2.1.11.630 include;
        oid .1.3.6.1.2.1.2.2.1.13.630 include;
        oid .1.3.6.1.2.1.2.2.1.14.630 include;
        oid .1.3.6.1.2.1.2.2.1.16.630 include;
        oid .1.3.6.1.2.1.2.2.1.17.630 include;
        oid .1.3.6.1.2.1.2.2.1.18.630 include;
        oid .1.3.6.1.2.1.2.2.1.19.630 include;
        oid .1.3.6.1.2.1.2.2.1.20.630 include;
    }
    community wiscnet-mice {
        view view-mice;
        authorization read-only;
    }
}

Cheers,

--
Chris Wopat
Network Engineer, WiscNet
wopat@wiscnet.net
608-210-3965
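
An added example, not part of the original message: a small Python check that parses the view stanza posted above and confirms the community can read only the listed ifEntry columns for ifIndex 630. It assumes the view is evaluated with the longest-matching-subtree rule of SNMP VACM (RFC 3415); the function names `parse_view`, `visible` and `audit` are hypothetical.

```python
import re

# The view stanza from the message above, copied as posted.
VIEW_MICE = """
view view-mice {
    oid .1 exclude;
    oid .1.3.6.1.2.1.2.2.1.10.630 include;
    oid .1.3.6.1.2.1.2.2.1.11.630 include;
    oid .1.3.6.1.2.1.2.2.1.13.630 include;
    oid .1.3.6.1.2.1.2.2.1.14.630 include;
    oid .1.3.6.1.2.1.2.2.1.16.630 include;
    oid .1.3.6.1.2.1.2.2.1.17.630 include;
    oid .1.3.6.1.2.1.2.2.1.18.630 include;
    oid .1.3.6.1.2.1.2.2.1.19.630 include;
    oid .1.3.6.1.2.1.2.2.1.20.630 include;
}
"""
IF_ENTRY = (1, 3, 6, 1, 2, 1, 2, 2, 1)  # IF-MIB ifEntry; next two arcs are column, ifIndex

def parse_view(text):
    """Return [(subtree_tuple, included_bool), ...] from a Junos 'view' stanza."""
    found = re.findall(r"oid\s+\.?([\d.]+)\s+(include|exclude)\s*;", text)
    return [(tuple(int(p) for p in oid.split(".")), act == "include") for oid, act in found]

def visible(rules, oid):
    """Assumed RFC 3415 semantics: the longest matching subtree decides; no match hides."""
    target = tuple(int(p) for p in oid.strip(".").split("."))
    best = None
    for subtree, included in rules:
        if target[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return bool(best and best[1])

def audit(rules, allowed_ifindexes):
    """List include rules that are not exactly ifEntry.<column>.<allowed ifIndex>."""
    findings = []
    for subtree, included in rules:
        exact = len(subtree) == 11 and subtree[:9] == IF_ENTRY
        if included and not (exact and subtree[10] in allowed_ifindexes):
            findings.append("." + ".".join(map(str, subtree)))
    return findings

if __name__ == "__main__":
    rules = parse_view(VIEW_MICE)
    print("over-broad includes:", audit(rules, {630}))
    for oid in (".1.3.6.1.2.1.2.2.1.10.630", ".1.3.6.1.2.1.2.2.1.10.631", ".1.3.6.1.2.1.1.1.0"):
        print(oid, "visible" if visible(rules, oid) else "hidden")
```

Running `audit` again whenever an ifIndex is added to the view catches an include that was typed one arc too short and would expose a whole column for every interface.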