Hi folks, thanks for the lively discussion so far. A few notes and
comments about the more recent technical part of the discussion.
In our shared switch scenario, we intend to limit MAC addresses per our
downstream customers on the MICE VLAN itself, not per physical interface.
This seems fairly standard, we would hope that as many as possible are
already doing this. We would advocate this as a requirement for all
customer-facing ports on all switches, remote or otherwise, dedicated or
not dedicated.
We would also welcome a MAC limit on the Arista Core set to something
reasonable facing us and other remote switches as well. The current
non-remote switch limit of 5 would work perfectly fine in our scenario.
Perhaps a limit per remote switch based on N+something should also be
enforced as long as it's not a large burden on the MICE operators.
We also use BGP session culling; it's deactivated by default. We'd
activate it on the MICE VLAN during maintenance.
#### Junos config example for MAC limits ####
interfaces {
    ae0 {
        description "WiscNet Router";
        unit 100 {
            description "MICE :RP:";
            vlan-id 100;
        }
    }
    et-0/0/25 {
        description "MICE Arista Core";
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members 100;
                }
            }
        }
    }
}
vlans {
    vlan-100 {
        description "MICE Peering";
        vlan-id 100;
        interface ae0.100;
        inactive: forwarding-options {
            /* based on https://tinyurl.com/junos-bgp-culling */
            filter {
                input CullBGP-MICE;
                output CullBGP-MICE;
            }
        }
        switch-options {
            interface ae0.100 {
                interface-mac-limit {
                    1;
                    packet-action drop-and-log;
                }
            }
        }
    }
}
As far as graphing per-vlan, this works well on Q5 based systems such as
our Juniper QFX10k. This + buffers is part of the reason we chose this
platform instead of a cheap Broadcom device. This is also a part of the
reason we would prefer to *not* shove a cheap Broadcom/chinaswitch
device in the middle.
We also support SNMP polling per interface. In our case we'd expose just
the MICE interfaces using views.
630 below is a subinterface's SNMP ifIndex. 1.10, 1.11, etc. are
ifOctets, ifUcastPkts, and so on for that interface. This is manual,
but with only a handful of interfaces, totally doable:
snmp {
    view view-mice {
        oid .1 exclude;
        oid .1.3.6.1.2.1.2.2.1.10.630 include;
        oid .1.3.6.1.2.1.2.2.1.11.630 include;
        oid .1.3.6.1.2.1.2.2.1.13.630 include;
        oid .1.3.6.1.2.1.2.2.1.14.630 include;
        oid .1.3.6.1.2.1.2.2.1.16.630 include;
        oid .1.3.6.1.2.1.2.2.1.17.630 include;
        oid .1.3.6.1.2.1.2.2.1.18.630 include;
        oid .1.3.6.1.2.1.2.2.1.19.630 include;
        oid .1.3.6.1.2.1.2.2.1.20.630 include;
    }
    community wiscnet-mice {
        view view-mice;
        authorization read-only;
    }
}
Cheers,
--
Chris Wopat
Network Engineer, WiscNet
[log in to unmask] 608-210-3965
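The SNMP view in the message above hand-lists one OID per counter column per ifIndex. The script below is an added example (not part of Chris's post or of WiscNet's configuration) that generates that same "exclude everything, then include exactly the counters for the exposed ifIndexes" view from a list of ifIndex values, and audits what a poller using that community could actually read. It assumes the IF-MIB ifEntry column numbers from RFC 2863 and the usual SNMP view semantics, where the most specific matching view entry wins and anything unmatched stays hidden; `view-mice`, `wiscnet-mice` and ifIndex 630 are taken from the post, while the probe OIDs are constructed for the audit.

```python
"""Generate and audit a least-privilege Junos-style SNMP view.

Added example, not code from the original post. Assumes RFC 2863 IF-MIB
ifEntry column numbers and longest-prefix-wins view matching.
"""
from __future__ import annotations

from typing import Iterable

IF_ENTRY = ".1.3.6.1.2.1.2.2.1"  # IF-MIB::ifEntry (RFC 2863)

# ifEntry columns the post exposes: traffic and error counters only,
# deliberately no ifDescr (col 2) or other descriptive fields.
IF_MIB_COUNTERS = {
    "ifInOctets": 10,
    "ifInUcastPkts": 11,
    "ifInDiscards": 13,
    "ifInErrors": 14,
    "ifOutOctets": 16,
    "ifOutUcastPkts": 17,
    "ifOutNUcastPkts": 18,
    "ifOutDiscards": 19,
    "ifOutErrors": 20,
}


def parse_oid(oid: str) -> tuple[int, ...]:
    """'.1.3.6' -> (1, 3, 6); tolerates a missing leading dot."""
    return tuple(int(part) for part in oid.strip(".").split(".") if part)


def build_view_entries(ifindexes: Iterable[int],
                       counters: Iterable[str] = tuple(IF_MIB_COUNTERS)
                       ) -> list[tuple[str, str]]:
    """Return (oid, action) pairs: hide the whole tree, then include one
    counter column per exposed ifIndex. Nothing else becomes readable."""
    entries = [(".1", "exclude")]
    for ifindex in ifindexes:
        for name in counters:
            column = IF_MIB_COUNTERS[name]
            entries.append((f"{IF_ENTRY}.{column}.{ifindex}", "include"))
    return entries


def render_junos_view(view: str, community: str,
                      entries: list[tuple[str, str]]) -> str:
    """Render the entries as a Junos 'snmp' stanza with a read-only community."""
    lines = ["snmp {", f"    view {view} {{"]
    lines += [f"        oid {oid} {action};" for oid, action in entries]
    lines += ["    }",
              f"    community {community} {{",
              f"        view {view};",
              "        authorization read-only;",
              "    }",
              "}"]
    return "\n".join(lines)


def oid_visible(entries: list[tuple[str, str]], oid: str) -> bool:
    """Decide visibility of one OID: the longest matching entry wins,
    and an OID matched by no entry is hidden."""
    target = parse_oid(oid)
    best_len, best_action = -1, "exclude"
    for entry_oid, action in entries:
        prefix = parse_oid(entry_oid)
        if target[:len(prefix)] == prefix and len(prefix) > best_len:
            best_len, best_action = len(prefix), action
    return best_action == "include"


def audit_view(entries: list[tuple[str, str]],
               probes: Iterable[str]) -> dict[str, bool]:
    """Map each probe OID to whether a poller bound to this view can read it."""
    return {oid: oid_visible(entries, oid) for oid in probes}


if __name__ == "__main__":
    view = build_view_entries([630])
    print(render_junos_view("view-mice", "wiscnet-mice", view))
    # Constructed probes: an exposed counter, a neighbouring ifIndex,
    # the interface's ifDescr, and sysName from the system group.
    probes = [f"{IF_ENTRY}.10.630", f"{IF_ENTRY}.10.631",
              f"{IF_ENTRY}.2.630", ".1.3.6.1.2.1.1.5.0"]
    for oid, ok in audit_view(view, probes).items():
        print(f"{oid:32} {'readable' if ok else 'hidden'}")
```

Running it prints the same stanza as in the post and shows that only the nine counters for ifIndex 630 are readable; the adjacent ifIndex, the interface description and sysName all stay hidden, which is the property worth re-checking whenever an ifIndex changes after a reboot or a sub-interface is re-created.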