
We’re at a point where the L2 security team feels ready to make the config changes we’ve talked about in the past. Although these changes can’t protect us from every scenario, they should protect the exchange from the many common issues.

As discussed at the last meeting, member ports will be limited to 5 MAC addresses, storm control will be enabled at 20%, and spanning tree BPDU packets will be filtered. Additionally, the exchange will support jumbo frames should members want to exchange them with each other. Obviously, if any member needs an alternate configuration we’ll strive to be as accommodating as possible within the larger project goals. We do not anticipate any downtime, but will send out a group reminder before starting the configuration work.

Our schedule:

Thursday 10/9/2014 at 10AM = Make global config changes and port changes for beta testers

Thursday 10/16/2014 at 10AM = Make port config changes for all other members

The beta testers are: US Internet, Paul Bunyan Communications, CNS, IP House, and Wikstrom Telephone.

Below is the configuration we’ll be using and will publish on our web site for members to review and enjoy.

As always, questions and comments are welcome,

anthony

-----------------------------

**Cisco Switch Config**

Global Config:

```
! the two system mtu values are already set
system mtu 1998
system mtu jumbo 9198
mac address-table aging-time 14400
errdisable detect cause link-flap
errdisable recovery cause link-flap
errdisable recovery cause storm-control
vtp mode transparent
```

Cisco Port Config:

```
switchport block multicast
! unknown unicast floods, that is; known unicast is unaffected
switchport block unicast
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
storm-control broadcast level 20.00
spanning-tree bpdufilter enable
no cdp enable
```

-----------------------------

**Juniper Switch Config**

Juniper Core Switch Global:

```
# on the main switch stack; Junos only accepts multiples of 4096, so 4096 is the lowest non-zero priority
set protocols rstp bridge-priority 4096
set ethernet-switching-options storm-control interface all
```

Juniper Port Config:

```
set interfaces XXX mtu 9216
set protocols rstp interface XXX edge
set ethernet-switching-options bpdu-block interface XXX
set ethernet-switching-options bpdu-block disable-timeout 60
set ethernet-switching-options secure-access-port interface XXX mac-limit 5
set ethernet-switching-options storm-control interface XXX level 20
```

-----------------------------
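As an added example (not part of the original post and not a MICE tool), the following Python script checks a Cisco `show running-config` dump against the per-port lines published above and reports which member ports are still missing any of them, so the 10/16 rollout can be verified port by port. The interface names and the sample config it parses are constructed.

```python
# Per-port lines required by the published Cisco port config.
REQUIRED = [
    "switchport block multicast",
    "switchport block unicast",
    "switchport port-security maximum 5",
    "switchport port-security",
    "switchport port-security violation restrict",
    "storm-control broadcast level 20.00",
    "spanning-tree bpdufilter enable",
    "no cdp enable",
]

def parse_interfaces(config_text):
    """Map each 'interface X' stanza of an IOS running-config to its indented lines."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas

def audit_member_ports(config_text, member_ports):
    """Return {port: [missing required lines]}; an empty list means compliant."""
    stanzas = parse_interfaces(config_text)
    return {port: [cmd for cmd in REQUIRED if cmd not in set(stanzas.get(port, []))]
            for port in member_ports}

# Constructed sample: Gi1/0/1 is fully hardened, Gi1/0/2 still lacks
# storm control, the BPDU filter and the unknown-unicast/multicast blocks.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport block multicast
 switchport block unicast
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 storm-control broadcast level 20.00
 spanning-tree bpdufilter enable
 no cdp enable
!
interface GigabitEthernet1/0/2
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 no cdp enable
!
"""

if __name__ == "__main__":
    for port, missing in audit_member_ports(SAMPLE_CONFIG, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]).items():
        print(port, "OK" if not missing else "missing: " + ", ".join(missing))
```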
