RE: Peering VLANs and MAC addresses
Hi,

This should sort you out.

no keepalive
spanning-tree bpdufilter enable

Kind Regards

Ben

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Simon Brilus
Sent: 09 November 2005 10:40
To: nanog@merit.edu
Subject: Peering VLANs and MAC addresses

Hi,

We are unable to resolve a problem with our peering exchange connection and would like any assistance.

Our peering setup is as follows:

- Our peering exchange connection goes into switch A
- Switch A has a dark fibre connection to switch B, which is in a different PoP
- Our peering router is connected to switch B

We use spanning tree across our network to allow the VLANs connectivity across our network.

The peering exchange has an MoU that only 1 MAC address should be visible on their switch. However they see 2 MAC addresses on our port.

- MAC address of Peering router
- MAC address of the port they are connected to on switch A

Is there any way to prevent switch A from presenting the interface MAC address? Or is this a symptom of spanning tree that cannot be stopped?

Your input will be most welcome.

The config on switch A is as follows:

interface GigabitEthernet0/5
 description Peering Link
 switchport access vlan 148
 switchport mode access
 speed nonegotiate
 storm-control broadcast level 5.00
 no cdp enable
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree guard root

Regards

Simon Brilus

On 09.11.2005 11:50 Ben Butler wrote
> Hi,
>
> This should sort you out.
>
> no keepalive
> spanning-tree bpdufilter enable

add

no mop enabled

if your IOS also supports DECnet. Having

no ip gratuitous-arps (general command)

and

no ip proxy-arp (interface subcommand)

makes your IXP-Operator even happier.

Arnold

--
Arnold Nipper, AN45

On Wed, 2005-11-09 at 12:29 +0100, Arnold Nipper wrote:
> no ip gratuitous-arps (general command)
> and
> no ip proxy-arp (interface subcommand)
> makes your IXP-Operator even happier.

Depends on the IXP operator and the equipment being configured. Speaking for my particular neck of the woods, I can say that whatever you can do to shut up your L2 devices (including ripping them out and powering them down) is a bonus. Yes, we also have the 1 MAC rule and this means that badly configured (or manufactured) L2 devices will typically trigger port security.

Proxy ARP should be off on all IXP facing devices, period.

Gratuitous ARP is something that we (AMS-IX) certainly don't object to. We have an automated ARP sponge that will start faking ARP replies if it sees too many queries for a particular IP address. It kicks in automatically, and turns itself off automatically. Gratuitous ARPs help it to shut up as soon as a downed device returns to life.

Some equipment is better behaved than others. L2/L3 hybrids are notoriously difficult to shut up (hello, Cisco).

--
Steven
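
A way to check your own exchange-facing port against the 1 MAC rule discussed in this thread, as an added example that is not part of any poster's message: it classifies untagged Ethernet frames by source MAC and frame type and lists which of the IOS commands quoted above silences each extra talker. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

# Frame type -> IOS command from the thread that silences it.
FIX = {"LOOP keepalive": "no keepalive",
       "STP BPDU": "spanning-tree bpdufilter enable",
       "CDP": "no cdp enable",
       "DEC MOP": "no mop enabled"}
ETYPES = {0x9000: "LOOP keepalive", 0x6001: "DEC MOP", 0x6002: "DEC MOP",
          0x0806: "ARP", 0x0800: "IPv4"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame):
    """Return (source MAC, frame type) for one untagged Ethernet frame."""
    if len(frame) < 14:
        return None, "runt"
    src = mac(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype >= 0x0600:                   # Ethernet II: field is an EtherType
        return src, ETYPES.get(etype, f"ethertype 0x{etype:04x}")
    llc = frame[14:22]                    # 802.3: field is a length, LLC follows
    if llc[:2] == b"\x42\x42":            # DSAP/SSAP of IEEE spanning tree
        return src, "STP BPDU"
    if llc[:3] == b"\xaa\xaa\x03" and llc[3:8] == b"\x00\x00\x0c\x20\x00":
        return src, "CDP"                 # SNAP, Cisco OUI, protocol 0x2000
    return src, "other LLC"

def audit(frames, router_mac):
    """Return ({extra source MAC: [frame types]}, [IOS commands to apply])."""
    seen = defaultdict(set)
    for f in frames:
        src, kind = classify(f)
        if src and src != router_mac:
            seen[src].add(kind)
    extra = {m: sorted(k) for m, k in seen.items()}
    fixes = sorted({FIX[k] for ks in extra.values() for k in ks if k in FIX})
    return extra, fixes

# Constructed sample capture: router ARP plus chatter from the switch port.
ROUTER, SWITCH = bytes.fromhex("02000000aa01"), bytes.fromhex("02000000bb05")
def eth(dst, src, etype, payload=b""):
    return bytes.fromhex(dst) + src + struct.pack("!H", etype) + payload
SAMPLE = [
    eth("ffffffffffff", ROUTER, 0x0806, bytes(28)),
    eth("02000000bb05", SWITCH, 0x9000, bytes(46)),
    eth("0180c2000000", SWITCH, 38, b"\x42\x42\x03" + bytes(35)),
    eth("01000ccccccc", SWITCH, 30, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00" + bytes(22)),
]
```

Calling `audit(SAMPLE, mac(ROUTER))` reports the switch port's MAC as the only extra source, together with the three commands that would quiet it.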