As a reminder, at 10am this morning we're planning on making the first set of changes below for our beta testers: US Internet, Paul Bunyan Communications, CNS, IP House, and Wikstrom Telephone.   I can be reached at 320-234-5539 if anyone has issues.

Cheers,
anthony

Anthony Anderberg
Sr. Systems Analyst
320-234-5239
[log in to unmask]
www.nutelecom.net

From: Anthony Anderberg
Sent: Wednesday, October 01, 2014 11:58 PM
To: MICE Discuss ([log in to unmask]); [log in to unmask]
Subject: MICE L2 Security Project

We're at a point where the L2 security team feels ready to make the config changes we've talked about in the past.  Although these changes can't protect us from every scenario, they should protect the exchange from many common issues.

As discussed at the last meeting, member ports will be limited to 5 MAC addresses, storm control will be enabled at 20%, and spanning tree BPDU packets will be filtered.   Additionally, the exchange will support jumbo frames should members want to exchange them with each other.  Obviously, if any member needs an alternate configuration we'll strive to be as accommodating as possible within the larger project goals.  We do not anticipate any downtime, but will send out a group reminder before starting the configuration work.

Our schedule:
Thursday 10/9/2014 at 10AM = Make global config changes and port changes for beta testers
Thursday 10/16/2014 at 10AM = Make port config changes for all other members

The beta testers are: US Internet, Paul Bunyan Communications, CNS, IP House, and Wikstrom Telephone.

Below is the configuration we'll be using and will publish on our web site for members to review and enjoy.

As always, questions and comments are welcome,
anthony

-----------------------------
** Cisco Switch Config **

Global Config:

system mtu 1998      # Already set
system mtu jumbo 9198     # Already set
mac address-table aging-time 14400     # 4 hours, so quiet member MACs don't age out and trigger unknown-unicast flooding
errdisable detect cause link-flap
errdisable recovery cause link-flap
errdisable recovery cause storm-control     # Auto-recover a port that storm control shut down
vtp mode transparent     # Never learn or propagate VLANs from a member port

Cisco Port Config:

switchport block multicast     # Don't flood unknown multicast out this port
switchport block unicast     # Unknown unicasts that is.
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict     # Drop frames from the 6th+ MAC and log, but keep the port up
storm-control broadcast level 20.00     # Percent of port bandwidth
spanning-tree bpdufilter enable     # Member STP domains must never merge with the exchange
no cdp enable
-----------------------------

** Juniper Switch Config **

Juniper Core Switch Global:

set protocols rstp bridge-priority 4096  # On the main switch stack. Junos only accepts multiples of 4096 (0 is the lowest); a value of 1 is rejected at commit
set ethernet-switching-options storm-control interface all

Juniper Port Config:

set interfaces XXX mtu 9216  # 'interfaces', not 'interface', at the top level of the Junos hierarchy
set protocols rstp interface XXX edge
set ethernet-switching-options bpdu-block interface XXX
set ethernet-switching-options bpdu-block disable-timeout 60  # Re-enable a BPDU-blocked port after 60 seconds
set ethernet-switching-options secure-access-port interface XXX mac-limit 5 action drop  # 'drop' made explicit; matches the Cisco 'restrict' behaviour
set ethernet-switching-options storm-control interface XXX level 20  # Per-port storm control lives under ethernet-switching-options on EX
-----------------------------
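Once the template above is published, the useful follow-up is checking that member ports actually stay on it. The script below is an added example, not part of the thread or of MICE's own tooling: it parses a Cisco IOS running-config into interface stanzas, checks each listed member port for the required lines from the Cisco port template, and flags a port-security maximum above 5 or a storm-control level above 20%. The sample running-config, interface names and descriptions are constructed for illustration.

```python
"""Audit Cisco IOS member-port stanzas against the MICE L2 hardening template.

Added example (not from the original post); the sample running-config and
interface names below are constructed for illustration.
"""
import re
from typing import Dict, List

# Lines the Cisco port template requires verbatim on every member port.
REQUIRED_LINES = [
    "switchport block multicast",
    "switchport block unicast",
    "switchport port-security",
    "switchport port-security violation restrict",
    "spanning-tree bpdufilter enable",
    "no cdp enable",
]
MAX_MACS = 5            # switchport port-security maximum 5
MAX_STORM_LEVEL = 20.0  # storm-control broadcast level 20.00


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stanza lines]}.

    IOS indents stanza lines with one space and closes each stanza with '!'.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the stanza
    return stanzas


def audit_port(lines: List[str]) -> List[str]:
    """Return the findings for one member-port stanza (empty list = compliant)."""
    findings: List[str] = []
    present = set(lines)
    for required in REQUIRED_LINES:
        if required not in present:
            findings.append(f"missing: {required}")

    mac_max = storm_level = None
    for line in lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m:
            mac_max = int(m.group(1))
        m = re.fullmatch(r"storm-control broadcast level (\d+(?:\.\d+)?)", line)
        if m:
            storm_level = float(m.group(1))

    if mac_max is None:
        findings.append("missing: switchport port-security maximum")
    elif mac_max > MAX_MACS:
        findings.append(f"port-security maximum {mac_max} exceeds {MAX_MACS}")
    if storm_level is None:
        findings.append("missing: storm-control broadcast level")
    elif storm_level > MAX_STORM_LEVEL:
        findings.append(f"storm-control level {storm_level} exceeds {MAX_STORM_LEVEL}")
    return findings


def audit_config(config: str, member_ports: List[str]) -> Dict[str, List[str]]:
    """Audit every listed member port; a port absent from the config is flagged."""
    stanzas = parse_interfaces(config)
    report: Dict[str, List[str]] = {}
    for port in member_ports:
        if port not in stanzas:
            report[port] = ["interface not found in config"]
        else:
            report[port] = audit_port(stanzas[port])
    return report


# Constructed sample: one compliant member port, one port that has drifted
# (no BPDU filter, CDP still on, 50 MACs allowed), and a non-member uplink.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description member-a (hypothetical)
 switchport mode access
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 spanning-tree bpdufilter enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 description member-b (hypothetical)
 switchport mode access
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 50
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20.00
!
interface GigabitEthernet1/0/3
 description uplink-to-core (hypothetical, not a member port)
 switchport mode trunk
!
"""

MEMBER_PORTS = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]

if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG, MEMBER_PORTS).items():
        print(f"{port}: {'OK' if not findings else 'NONCOMPLIANT'}")
        for finding in findings:
            print(f"  - {finding}")
```

The check is intentionally exact-match on the template lines rather than a fuzzy parse, so a port that was given an "accommodating" alternate configuration shows up as a finding and has to be consciously whitelisted. Run it against the output of `show running-config` with the list of member-facing interfaces; the uplink in the sample is left out of MEMBER_PORTS precisely because the template must not be applied to core or trunk ports.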