This first phase is complete, if anyone has trouble peering with the beta testers let us know.

Anthony Anderberg
Sr. Systems Analyst
320-234-5239
anthonyanderberg@nu-telecom.net
www.nutelecom.net

From: Anthony Anderberg
Sent: Thursday, October 09, 2014 9:08 AM
To: MICE Discuss (MICE-DISCUSS@LISTS.IPHOUSE.NET)
Subject: FW: MICE L2 Security Project

As a reminder, at 10am this morning we're planning on making the first set of changes below for our beta testers: US Internet, Paul Bunyan Communications, CNS, IP House, and Wikstrom Telephone. I can be reached at 320-234-5539 if anyone has issues.

Cheers,
anthony

Anthony Anderberg
Sr. Systems Analyst
320-234-5239
anthonyanderberg@nu-telecom.net
www.nutelecom.net

From: Anthony Anderberg
Sent: Wednesday, October 01, 2014 11:58 PM
To: MICE Discuss (MICE-DISCUSS@LISTS.IPHOUSE.NET); 'MICE-ANNOUNCE@LISTS.IPHOUSE.NET'
Subject: MICE L2 Security Project

We're at a point where the L2 security team feels ready to make the config changes we've talked about in the past. Although these changes can't protect us from every scenario, they should protect the exchange from the many common issues. As discussed at the last meeting, member ports will be limited to 5 MAC addresses, storm control will be enabled at 20%, and spanning tree BPDU packets will be filtered. Additionally the exchange will support jumbo frames should members want to exchange them with each other. Obviously if any member needs alternate configuration we'll strive to be as accommodating as possible within the larger project goals. We do not anticipate any downtime, but will send out a group reminder before starting the configuration work.

Our schedule:
Thursday 10/9/2014 at 10AM = Make global config changes and port changes for beta testers
Thursday 10/16/2014 at 10AM = Make port config changes for all other members

The beta testers are: US Internet, Paul Bunyan Communications, CNS, IP House, and Wikstrom Telephone.

Below is the configuration we'll be using and will publish on our web site for members to review and enjoy. As always questions and comments are welcome,

anthony

-----------------------------
** Cisco Switch Config **

Global Config:
system mtu 1998                              # Already set
system mtu jumbo 9198                        # Already set
mac address-table aging-time 14400
errdisable detect cause link-flap
errdisable recovery cause link-flap
errdisable recovery cause storm-control
vtp mode transparent

Cisco Port Config:
switchport block multicast
switchport block unicast                     # Unknown unicasts that is.
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
storm-control broadcast level 20.00
spanning-tree bpdufilter enable
no cdp enable
-----------------------------
** Juniper Switch Config **

Juniper Core Switch Global:
set protocols rstp bridge-priority 1         # On the main switch stack
set ethernet-switching-options storm-control interface all

Juniper Port Config:
set interface XXX mtu 9216
set protocols rstp interface XXX edge
set ethernet-switching-options bpdu-block interface XXX
set ethernet-switching-options bpdu-block disable-timeout 60
set ethernet-switching-options secure-access-port interface XXX mac-limit 5
set storm-control interface XXX level 20
-----------------------------
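As an added example (not part of the thread or MICE's own tooling), a small audit script that checks a Cisco IOS-style running config against the member-port template above: it parses each interface stanza, lists the template commands a member port is missing, and flags a port-security MAC limit above 5. The interface names and the sample config text are constructed.

```python
import re
REQUIRED = {  # member-port template from the announcement; descriptions are ours
    "switchport block multicast": "multicast blocking",
    "switchport block unicast": "unknown-unicast blocking",
    "switchport port-security": "port-security enabled",
    "switchport port-security violation restrict": "violation action 'restrict'",
    "storm-control broadcast level 20.00": "broadcast storm control at 20%",
    "spanning-tree bpdufilter enable": "BPDU filtering",
    "no cdp enable": "CDP disabled",
}
MAC_LIMIT = 5  # at most this many MACs learned per member port

def parse_interfaces(config):  # -> {interface name: set of its sub-commands}
    ifaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line ('interface', '!') ends a stanza
            m = re.match(r"interface\s+(\S+)", line)
            current = ifaces.setdefault(m.group(1), set()) if m else None
        elif current is not None:
            current.add(line.strip())
    return ifaces

def audit(config, member_ports):
    """Return {port: [findings]}; an empty list means the port matches the template."""
    ifaces, report = parse_interfaces(config), {}
    for port in member_ports:
        cmds = ifaces.get(port, set())  # an absent interface fails every check
        findings = [desc for cmd, desc in REQUIRED.items() if cmd not in cmds]
        limit = next((int(c.split()[-1]) for c in cmds
                      if c.startswith("switchport port-security maximum ")), None)
        if limit is None or limit > MAC_LIMIT:
            findings.append(f"MAC limit {limit!r}, template allows at most {MAC_LIMIT}")
        report[port] = findings
    return report

# Constructed sample config: port 1 follows the template, port 2 does not.
SAMPLE = """\
interface GigabitEthernet1/0/1
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 spanning-tree bpdufilter enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport port-security maximum 50
 switchport port-security
"""
```

Run `audit(SAMPLE, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"])` to see port 1 come back clean and port 2 listed with six missing template commands plus the over-sized MAC limit.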