I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch. As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch. The uplink to the main switch will remain the same. Pending feedback, I'm planning to perform the move sometime in early January. Thanks, Jay ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process. Owen Sent from my iPad On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
I don't see how anyone needs to update anything. Once the dynamically learned old mac address ages out the new one could be learned or perhaps as soon as the interface goes down the dynamically learned mac address is flushed depending on how it works on Junos. -----Original Message----- From: Owen DeLong <owend@HE.NET> Sender: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Date: Fri, 23 Dec 2011 09:24:03 To: <MICE-DISCUSS@LISTS.IPHOUSE.NET> Reply-To: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] New Switch Proposal What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process. Owen Sent from my iPad On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Depending on the transport, the interface at the IX switch may not go down when the MICE participant swaps out their equipment. Frank -----Original Message----- From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Justin Krejci Sent: Thursday, December 22, 2011 8:36 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: Re: [MICE-DISCUSS] New Switch Proposal I don't see how anyone needs to update anything. Once the dynamically learned old mac address ages out the new one could be learned or perhaps as soon as the interface goes down the dynamically learned mac address is flushed depending on how it works on Junos. -----Original Message----- From: Owen DeLong <owend@HE.NET> Sender: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Date: Fri, 23 Dec 2011 09:24:03 To: <MICE-DISCUSS@LISTS.IPHOUSE.NET> Reply-To: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] New Switch Proposal What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process. Owen Sent from my iPad On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
True but dynamic mac addresses will still age out either way, it would just be a matter of how quickly if you can't bounce the IX port or get some administrative assistance to manually the flush the MAC entries on your IX port. On Mon, 2011-12-26 at 20:12 -0600, Frank Bulk wrote:
Depending on the transport, the interface at the IX switch may not go down when the MICE participant swaps out their equipment.
Frank
-----Original Message----- From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Justin Krejci Sent: Thursday, December 22, 2011 8:36 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: Re: [MICE-DISCUSS] New Switch Proposal
I don't see how anyone needs to update anything. Once the dynamically learned old mac address ages out the new one could be learned or perhaps as soon as the interface goes down the dynamically learned mac address is flushed depending on how it works on Junos.
-----Original Message----- From: Owen DeLong <owend@HE.NET> Sender: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Date: Fri, 23 Dec 2011 09:24:03 To: <MICE-DISCUSS@LISTS.IPHOUSE.NET> Reply-To: MICE Discuss <MICE-DISCUSS@LISTS.IPHOUSE.NET> Subject: Re: [MICE-DISCUSS] New Switch Proposal
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
The benefit is it will block traffic from other mac addresses in the event of a loop or other misconfiguration. The learned mac address will clear automatically when the port goes down so it should not require admin assistance. On Dec 22, 2011 8:28 PM, "Owen DeLong" <owend@he.net> wrote:
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
mac address limiting to tiny numbers, especially qty 1 won't work. There are a lot of administrative packets that go across a link coming from specific well-known MAC addresses, if that administrative packet gets in before any real traffic, that administrative MAC address will be learned and real traffic locked out. (this is mentioned in the JunOS documentation). mac-address limiting is mainly used for untrusted environments such that you are protecting the switch from having its CAM table blasted out turning the switch into broadcast all packets down all ports mode since its CAM table is full. Then the attacker can sniff for traffic they are looking for, hopefully grabbing the traffic they are trying to intercept before the hardware CPU pegged at 100% signals the NOC that something is amiss and they start looking for what is going on. In practice, in such an untrusted environment( untrusted site, untrusted ports, with max of one device per user. ), I found that at a minimum 3 MAC address limit was the practical smallest size I could go, with typically a range of 5 to 10. Otherwise, administrative and other weird packets would shut down the ports due to flase security alerts all the time, and it wasn't practical to have such low limits. On Thu, Dec 22, 2011 at 08:41:47PM -0600, Jay Hanke wrote:
The benefit is it will block traffic from other mac addresses in the event of a loop or other misconfiguration. The learned mac address will clear automatically when the port goes down so it should not require admin assistance. On Dec 22, 2011 8:28 PM, "Owen DeLong" <owend@he.net> wrote:
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
-- Doug McIntyre <merlyn@iphouse.net> -- ipHouse/Goldengate/Bitstream/ProNS -- Network Engineer/Provisioning/Jack of all Trades ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On Dec 22, 2011, at 9:01 PM, Doug McIntyre wrote:
mac address limiting to tiny numbers, especially qty 1 won't work. There are a lot of administrative packets that go across a link coming from specific well-known MAC addresses, if that administrative packet gets in before any real traffic, that administrative MAC address will be learned and real traffic locked out.
(this is mentioned in the JunOS documentation).
That's why you get those 'administrative packets' to not happen in the first place. No offense, but I don't want to see your cdp/lldp, ospf, stp, keepalives, etc. coming across the IX. On an IX, realistically, we should only be seeing one router/mac address per port, and only IP traffic from said router. AMSIX has a good guide on how to make your devices be quiet for most platforms, here: http://www.ams-ix.net/config-guide/ Now, I could see making exceptions for devices which don't seem to have a way to be quiet, but in 99% of the cases here, a few lines of config can avoid this problem. -- Andrew Hoyos hoyosa@gmail.com ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On Thu, Dec 22, 2011 at 09:17:08PM -0600, Andrew Hoyos wrote:
On Dec 22, 2011, at 9:01 PM, Doug McIntyre wrote:
mac address limiting to tiny numbers, especially qty 1 won't work. There are a lot of administrative packets that go across a link coming from specific well-known MAC addresses, if that administrative packet gets in before any real traffic, that administrative MAC address will be learned and real traffic locked out.
(this is mentioned in the JunOS documentation).
That's why you get those 'administrative packets' to not happen in the first place. No offense, but I don't want to see your cdp/lldp, ospf, stp, keepalives, etc. coming across the IX.
There are other protocols that do take more than one MAC address that some people might find required. For example, a JunOS RVI has two MAC adddresses, the port address, and the RVI MAC address. I assume a Cisco SVI would be the same, although I haven't dug into it. Cisco UDLD also does broadcasts using a well-known MAC address. I don't think it would be allowed anyway at the IX, but LACP and PAgP are also ones to talk on different MAC addresses to setup the LAG before talking real traffic. -- Doug McIntyre <merlyn@iphouse.net> -- ipHouse/Goldengate/Bitstream/ProNS -- Network Engineer/Provisioning/Jack of all Trades ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On Dec 22, 2011, at 10:26 PM, Doug McIntyre wrote:
On Thu, Dec 22, 2011 at 09:17:08PM -0600, Andrew Hoyos wrote:
On Dec 22, 2011, at 9:01 PM, Doug McIntyre wrote:
mac address limiting to tiny numbers, especially qty 1 won't work. There are a lot of administrative packets that go across a link coming from specific well-known MAC addresses, if that administrative packet gets in before any real traffic, that administrative MAC address will be learned and real traffic locked out.
(this is mentioned in the JunOS documentation).
That's why you get those 'administrative packets' to not happen in the first place. No offense, but I don't want to see your cdp/lldp, ospf, stp, keepalives, etc. coming across the IX.
There are other protocols that do take more than one MAC address that some people might find required. For example, a JunOS RVI has two MAC adddresses, the port address, and the RVI MAC address. I assume a Cisco SVI would be the same, although I haven't dug into it.
Yes, but if the switchport is properly configured, no frames should be emitted with the switchport mac address. We should only see the RVI/SVI mac addr.
Cisco UDLD also does broadcasts using a well-known MAC address.
UDLD is proprietary, and most (if not all now?) of the exchange appears to be running on Juniper equipment, so it's not of much use to run anyway. 'udld disable' fixes that up.
I don't think it would be allowed anyway at the IX, but LACP and PAgP are also ones to talk on different MAC addresses to setup the LAG before talking real traffic.
I'm sure there is some working config we could come up with in that case, if a participant did want LACP. I'd be curious if vendor implementations actually factor in the LACP packets to mac addr limits, since it's port to port, and they really don't transit outside of that. The only reason I'm pushing this too, is as the exchange grows, and more unfiltered layer2 traffic (and broken downstream L2 devices) enter the exchange, it *can* and *will* have a negative effect, as we've already seen once before. The model works well for IX's like Equinix, TIE, SIX, AMSIX, etc. I don't see a reason why it can't work here too, and prevent future issues. -- Andrew Hoyos hoyosa@gmail.com ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
If this is done can we get DNS turned on again? Traceroute by name >> by IP for humans and their word memories, and each DNS server can issue different results, ya know? And I like a good argument... -- Mike Horwath via iPad 2, electric boogaloo! ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On Fri, Dec 23, 2011 at 10:11 AM, Mike Horwath <drechsau@iphouse.net> wrote:
If this is done can we get DNS turned on again?
U talking about reverse? It's working but some of the newer participants need to be added. Jay ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
On Dec 22, 2011, at 9:17 PM, Andrew Hoyos wrote:
That's why you get those 'administrative packets' to not happen in the first place. No offense, but I don't want to see your cdp/lldp, ospf, stp, keepalives, etc. coming across the IX.
While, at the time I found it annoying, I am glad that another IX put my router into a quarantine vlan before allowing access for the first time. I discovered that on a new router with new IOS that I was running (Advanced Enterprise), DEC MOP was enabled by default on the port. Just like the protocols listed above, it was not something that should be seen on an IX. MOP is something I thought died many years ago, but obviously not. I am glad that the protections that IX enforced helped me to eliminate my unwanted frames. This was from a professionally run IX. I don't expect for our community run IX to have the resources to troubleshoot and quarantine new participants. I wanted to express the point that we may not all realize the extraneous stuff our routers may be doing. New participants may, however, find it useful to grab a capture of the traffic they are emitting and evaluate if it is proper or necessary before connecting to the IX port.
On an IX, realistically, we should only be seeing one router/mac address per port, and only IP traffic from said router.
AMSIX has a good guide on how to make your devices be quiet for most platforms, here:
http://www.ams-ix.net/config-guide/
Now, I could see making exceptions for devices which don't seem to have a way to be quiet, but in 99% of the cases here, a few lines of config can avoid this problem.
I second the recommendation to use this config guide and for each port to have a single router/MAC attached. There should be no reason for a second MAC to be seen on any port except those that are connecting sanctioned remote switches. Whatever the consensus is on allowed traffic, MAC usage, etc. - the policy should be available to participants and posted to the webpage. Andy Koch TDS Telecom - IP Network Operations andrew.koch@tdstelecom.com Desk: 608-664-4694 ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Owen - were you thinking 'sticky-mac' style config, where you must have someone manually config a mac address allowed list for the port? That's not what Jay is suggesting here. On Dec 22, 2011, at 8:41 PM, Jay Hanke wrote:
The benefit is it will block traffic from other mac addresses in the event of a loop or other misconfiguration. The learned mac address will clear automatically when the port goes down so it should not require admin assistance.
On Dec 22, 2011 8:28 PM, "Owen DeLong" <owend@he.net> wrote: What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
-- Andrew Hoyos hoyosa@gmail.com ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Yes. On Dec 22, 2011, at 7:12 PM, Andrew Hoyos wrote:
Owen - were you thinking 'sticky-mac' style config, where you must have someone manually config a mac address allowed list for the port? That's not what Jay is suggesting here.
On Dec 22, 2011, at 8:41 PM, Jay Hanke wrote:
The benefit is it will block traffic from other mac addresses in the event of a loop or other misconfiguration. The learned mac address will clear automatically when the port goes down so it should not require admin assistance.
On Dec 22, 2011 8:28 PM, "Owen DeLong" <owend@he.net> wrote: What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
-- Andrew Hoyos hoyosa@gmail.com
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Couldn't that port be configured to allow all MACs in advance of the cut, and then tightened down again afterwards? Frank -----Original Message----- From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Owen DeLong Sent: Thursday, December 22, 2011 8:24 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: Re: [MICE-DISCUSS] New Switch Proposal What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process. Owen Sent from my iPad On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1 ######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
Yes, but, if that's necessary, it's the administrative intervention required that I was saying wasn't necessarily a good thing. However, it sounds like what Jay is talking about is different from what I was thinking and his choice may be feasible. I'm still not necessarily convinced it gains us much vs. running a fast STP on the IX, but, since there's apparently desire not to run any fast STP on the IX, this seems like a reasonable alternative. Owen On Dec 26, 2011, at 6:13 PM, Frank Bulk wrote:
Couldn't that port be configured to allow all MACs in advance of the cut, and then tightened down again afterwards?
Frank
-----Original Message----- From: MICE Discuss [mailto:MICE-DISCUSS@LISTS.IPHOUSE.NET] On Behalf Of Owen DeLong Sent: Thursday, December 22, 2011 8:24 PM To: MICE-DISCUSS@LISTS.IPHOUSE.NET Subject: Re: [MICE-DISCUSS] New Switch Proposal
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
######################################################################## To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
participants (8)
-
Andrew Hoyos -
Doug McIntyre -
Frank Bulk -
Jay Hanke -
Justin Krejci -
Koch, Andrew -
Mike Horwath -
Owen DeLong