Messages - RoDDy

#1
Hey, how about trying bridge domains (not sure)? If you have them connected to different physical interfaces and have EFPs/Service instances defined then I believe that would work (example below).

Interface Gi0/0/1
service instance 1 ethernet
  description **Provider 1**
  encapsulation dot1q 100-200
  rewrite ingress tag pop 1 symmetric
  bridge-domain 1

Interface Gi0/0/2
service instance 2 ethernet
  description **Provider 2**
  encapsulation dot1q 201-300
  rewrite ingress tag pop 1 symmetric
  bridge-domain 2

Interface Gi0/0/3
service instance 3 ethernet
  description **Provider 3**
  encapsulation dot1q 201-300
  rewrite ingress tag pop 1 symmetric
  bridge-domain 3

So basically anything arriving on those interfaces with dot1q tags as defined will be placed in the bridge domain listed under the interface. From there you can do L2 / L3 to wherever.
#2
Routing and Switching / Re: Ether channel.
May 17, 2017, 08:56:46 AM
Quote from: weasleman on May 17, 2017, 08:52:53 AM
Anyone? Just want to know where I would restrict the VLANs using the following command.

Switchport trunk allowed Vlan X

Is this placed in the port-channel 1 section or the physical interface Fa0/23?

Should be an easy one to answer


cheers

Technically it goes on both but u can add it on the port-channel and the switch should automatically copy the config to the physical interfaces.
#3
Certifications and Careers / Re: Passed TSHOOT
February 08, 2017, 10:18:38 AM
Congrats!

Quote from: SimonV on January 30, 2017, 03:28:14 AM
Congratulations! Was this your last one for the CCNP?

Yes. He did a post here back in December when he passed ROUTE.
#4
Quote
We have made every effort to remain neutral, despite both being Juniper Networks employees when we were writing this. If you spot any kind of favoritism, we can assure you that it was not intentional.


Thanks a lot for this.

Seems like a good book from the sample I saw so I will be getting myself a copy. Should be helpful for me at this stage and should hopefully allow me to learn and apply some new knowledge in my ISP capacity.
#5
Homework Help / Re: Subnetting help
September 22, 2016, 08:00:40 AM
The first subnet you worked out is all you have available. That's what the ISP gave you.

Net ID: 208.200.200.200
Broadcast Address: 208.200.200.207
Host address range: 208.200.200.201 - 208.200.200.206

I would start by drawing out a diagram with all of the components you need for your network (Firewall, switches, routers servers etc.) for each department and assign private and public addresses to those that need them as mentioned in your question.
#6
Routing and Switching / Re: Flex Links Query
September 15, 2016, 08:54:22 AM
Quote from: Dieselboy on September 14, 2016, 11:21:07 PM

So by implementing loop-guard, you're basically saying that this port should ALWAYS receive BPDUs and if the BPDUs stop then something is very wrong, block the link.

Yes, correct (it's a loop prevention mechanism to stop the port from going into forwarding state when it really shouldn't be, causing loops until the STP reconverges). When the blocked port is in loop inconsistent state it will stay that way until it starts receiving BPDUs again, and go back to a "normal blocked state". I wanted it to work exactly like that so that I wouldn't have to intervene with the link too much. I'll go with this over UDLD because of that fact as I believe that after it err-disables then you either have to manually bring it back up or wait for the set timer to expire.


Quote from: wintermute000 on September 15, 2016, 06:22:46 AM
dingdingding

It's similar to UDLD in that it's basically for catching unidirectional fibre links - have never seen loop guard triggered by faulty copper or RJ45 ports


Neither have I but my situation was kind of perfect for it. This was actually the first time I had to use it. It's only by chance that the secondary link is basically a wireless bridge. Usually we don't get any issues with the microwave but there is probably some interference that is causing the wireless to be disrupted even though nothing is wrong with the equipment at the 2 ends.

Quote from: wintermute000 on September 15, 2016, 06:22:46 AM

I can't believe flex links are still a thing. I only remember reading about it prepping for the CCIE v4 written.


I had to cover flex links for my CCNA service provider exam.

Quote
3.5 Describe Ethernet link bundling, LACP, and PAgP and Flex Links
#7
Routing and Switching / Re: Flex Links Query
September 14, 2016, 03:28:36 PM
Well it certainly came in handy for me here lol. Glad my post could enlighten someone.

I find that a lot of people tend to cringe at the sound of STP and the various aspects of it partially due to the fact that STP was revamped and had so many changes/additions made, that it takes some reading and going over to actually know the topic inside and out.
#8
Security / Re: Outbound Spam/Mail Filtering
September 14, 2016, 10:29:06 AM
Quote from: wintermute000 on August 13, 2016, 11:53:29 PM
The problem with all this is that at the end of the day, as an ISP, you do not want anything to do with your customers' actual mail setup. You can't very well control their domain, MX records, etc. UNLESS it's part of some kind of managed services agreement. The impression I'm getting is that the OP is purely providing carriage.

In which case I believe the only thing you can really do is block port 25 and offer opt-out if they host their own mail.

Sorry I missed these posts. Thanks for all the replies.

You are correct... only carriage. However, we do modify the MX records etc. at the request of our business customers. I am looking at a solution from Sandvine... not sure if you guys are familiar with it but we have a number of these boxes already deployed in other parts of the network, so if deployed we will send all traffic through there for inspection.
#9
Routing and Switching / Re: Flex Links Query
September 14, 2016, 08:43:24 AM
Quote from: Dieselboy on September 14, 2016, 02:35:38 AM
Hi Roddy,

Sorry this post has been missed. I've never used flex links but from memory I think you're correct.
I found a quick link and had a skim through there as a refresh: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/flexlink.html

Can you give some examples where your "service could be down, but the line protocol could be up"?

I think something like a fibre link which has one direction broken, e.g. the Tx is broken, could cause this?

But if this is true, then you could use UDLD on the links. I use UDLD a lot, basically UDLD forms a relationship across links and sends keepalives from A to B and expects B to return the keepalive. At the same time, keepalives are sent from B to A and expects A to return them to B. If the keepalives stop being returned, the link is put into error disabled state.

The good thing about UDLD is that you can enable it during normal business. If you have a link and need to enable UDLD, you must enable UDLD on both sides for the relationship to be formed. If you only enable UDLD on one side, nothing happens until the relationship is formed the first time.


To summarise; I think with UDLD it can detect and shut bad links in a situation which causes line protocol to be up but the link is bad. Along with flexlink, backup link(s) could be made active in the event UDLD has torn broken link(s) down.

Hi Dieselboy, firstly thanks for the response and assistance on this. I should have updated/added more info to this post TBH.

Basically we have a primary fiber link into our office and added a secondary link for redundancy which is via microwave (wireless transmission). Following this (a long while after), we noticed a number of MAC flaps in our network so it seems we were getting forwarding loops but weren't sure of the source as it is a fairly massive network. I traced the problem down to the office link and determined that something weird was happening with the spanning tree (RPVSTP) that was implemented.

This post was somewhat laziness on my part but after further investigation I found that the microwave/wireless link was flapping, so the transmission medium between the switches at opposite ends was going down but the link to the transmission equipment/line protocol was still showing as up as the interface/equipment didn't actually go down... just the wireless link between the 2 antennas, which could possibly be due to interference on that frequency even though this shouldn't be the case as it's regulated (this should answer your question).

So what was happening was the BPDUs weren't being received from the root bridge on the port that was being blocked when the microwave link went down, which changed the blocked port to a forwarding state, and when the microwave connection came back up... forwarding loop. I was looking for an alternative but I simply added the command "spanning-tree guard loop" so that when the port stops receiving BPDUs it goes to a loop inconsistent state and continues to block the port without ever transitioning it to forwarding state. In the meantime I have the TX/microwave guys working on getting the flapping resolved on their equipment.

The logs will now show the below:
Sep 13 19:05:58.786 BGI: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0431.
Sep 13 19:16:55.072 BGI: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/23 on VLAN0431.

Instead of:
Sep 10 07:25:13.573 BGI: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0d64.fe93 in vlan 431 is flapping between port Gi0/23 and port Po1

NO MORE LOOPS!!!

Hope I explained everything in enough detail now.
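An added example (not part of the post above, and not from any of the forum members) that turns the two syslog messages quoted there into a small detection check: it parses constructed log lines modelled on them, counts loop guard block/unblock cycles per port and VLAN, and reports any MAC-flap notification, so a monitoring job can tell a flapping link that loop guard is containing from a loop that actually got through. The sample log, the regexes and the threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the messages quoted in the post above.
SAMPLE_LOG = """\
Sep 10 07:25:13.573 BGI: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0d64.fe93 in vlan 431 is flapping between port Gi0/23 and port Po1
Sep 13 19:05:58.786 BGI: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0431.
Sep 13 19:16:55.072 BGI: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/23 on VLAN0431.
Sep 13 21:40:02.118 BGI: %SPANTREE-2-LOOPGUARD_BLOCK: Loop guard blocking port GigabitEthernet0/23 on VLAN0431.
Sep 13 21:41:10.555 BGI: %SPANTREE-2-LOOPGUARD_UNBLOCK: Loop guard unblocking port GigabitEthernet0/23 on VLAN0431.
"""

# Regexes written against the two message formats shown in the post (assumed stable).
LOOPGUARD_RE = re.compile(
    r"%SPANTREE-2-LOOPGUARD_(?P<action>BLOCK|UNBLOCK): Loop guard \w+ port "
    r"(?P<port>\S+) on (?P<vlan>VLAN\d+)")
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)")

def parse_events(log_text):
    """Yield (kind, fields) for the two message types the post discusses."""
    for line in log_text.splitlines():
        m = LOOPGUARD_RE.search(line)
        if m:
            yield "loopguard", m.groupdict()
            continue
        m = MACFLAP_RE.search(line)
        if m:
            yield "macflap", m.groupdict()

def summarize(log_text, flap_threshold=2):
    """Count loop guard BLOCK events per (port, VLAN) and collect MAC flaps.
    A port blocked at least `flap_threshold` times is reported as a flapping
    link that loop guard is containing; any MAC flap means a loop got through."""
    blocks = defaultdict(int)
    macflaps = []
    for kind, f in parse_events(log_text):
        if kind == "loopguard" and f["action"] == "BLOCK":
            blocks[(f["port"], f["vlan"])] += 1
        elif kind == "macflap":
            macflaps.append((f["mac"], f["vlan"], f["p1"], f["p2"]))
    flapping = {k: n for k, n in blocks.items() if n >= flap_threshold}
    return {"loopguard_blocks": dict(blocks), "flapping_links": flapping,
            "mac_flaps": macflaps}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```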
#10
Routing and Switching / Re: Advice for CCNA
September 07, 2016, 03:40:10 PM
Quote from: AspiringNetworker on September 02, 2016, 02:31:15 PM
Quote from: RoDDy on September 01, 2016, 04:36:48 PM
Quote from: Rllavona13 on August 26, 2016, 10:05:41 PM
I am a Cisco guy but the way Juniper works with the control plane/forwarding plane is really cool and the commit feature is really a life/job saver if you don't know what the hell you are doing lol

Quote from: deanwebb on August 26, 2016, 09:40:31 PM
+1 on getting Juniper exposure. They have LOTS of free training material, and it is very high quality. It will help you learn more about networking from a non-Cisco perspective and you learn what works best when you have a multi-vendor environment.

Cisco has commit as well.... #XR

It doesn't work the same way. Arista has it as well but doesn't work the same way either. I don't believe either do a check before attempting to commit config... like on Juniper you can do a "commit check" to verify integrity.

Just realized what you said here after I saw the joke below lol. Cisco IOS XR does a check as well (unless you mean the Juniper check is different in some way).
#11
Routing and Switching / Re: Advice for CCNA
September 06, 2016, 08:41:56 AM
Quote from: AspiringNetworker on September 02, 2016, 02:31:15 PM
Quote from: RoDDy on September 01, 2016, 04:36:48 PM
Quote from: Rllavona13 on August 26, 2016, 10:05:41 PM
I am a Cisco guy but the way Juniper works with the control plane/forwarding plane is really cool and the commit feature is really a life/job saver if you don't know what the hell you are doing lol

Quote from: deanwebb on August 26, 2016, 09:40:31 PM
+1 on getting Juniper exposure. They have LOTS of free training material, and it is very high quality. It will help you learn more about networking from a non-Cisco perspective and you learn what works best when you have a multi-vendor environment.

Cisco has commit as well.... #XR

It doesn't work the same way. Arista has it as well but doesn't work the same way either. I don't believe either do a check before attempting to commit config... like on Juniper you can do a "commit check" to verify integrity.

Sounds nice. I will look it up as I'm not very knowledgeable on the Juniper world.
#12
Routing and Switching / Re: Advice for CCNA
September 01, 2016, 04:36:48 PM
Quote from: Rllavona13 on August 26, 2016, 10:05:41 PM
I am a Cisco guy but the way Juniper works with the control plane/forwarding plane is really cool and the commit feature is really a life/job saver if you don't know what the hell you are doing lol

Quote from: deanwebb on August 26, 2016, 09:40:31 PM
+1 on getting Juniper exposure. They have LOTS of free training material, and it is very high quality. It will help you learn more about networking from a non-Cisco perspective and you learn what works best when you have a multi-vendor environment.

Cisco has commit as well.... #XR
#13
Routing and Switching / Flex Links Query
August 22, 2016, 10:52:28 AM
Hi Guys,

Quick question. I was looking at flex links as an alternative to STP, but remind me again... this only monitors line protocol right? So my service could be down but as long as the line protocol is saying UP then it won't fail over to the standby, right?

-Roddy
#14
Security / Re: Outbound Spam/Mail Filtering
July 21, 2016, 05:27:21 PM
Quote from: deanwebb on July 12, 2016, 10:16:50 AM
In fact, if there is no legal agreement in which you stipulate that you will terminate services due to abuse, intentional or due to a third party, then you CANNOT undertake such measures without permission. And then the legal/financial issues rear their heads... do they have to pay for the time you have their internet blocked? If you block port 25 only, will their service be prorated? Do you filter all traffic in this way? Does this mean that you are legally responsible if some malicious thing gets past your filtering? If someone sends an email with illegal content and it gets through your filter, and you are filtering the traffic, you can be held responsible for not blocking it if the prosecution/litigant is able to demonstrate that you are not taking due care and showing due diligence in keeping the filters up-to-date and properly functioning.


It may be time better spent to cultivate relationships with guys that run blacklists and let them know how your address space is broken down, and hope for the best on that front.

In the meantime, have your legal guys draw up new contracts that stipulate if outbound spam is detected from any IP, then email will be blocked from that IP until such time as the issue is resolved, not responsible for false positives, lost revenue, normal wear and tear, yadda yadda yadda, more legal stuff, etc... then get that contract language to your clients and have them sign off. If any refuse, work to terminate or not extend their current contract, as they represent a huge risk.

***

Another thought: just hit port 25 on all your IPs and try to use them as an open relay. If any work as open relays, contact the customer immediately to remediate. If the customer refuses or treats it lightly, inform the customer that should his negligence result in business losses to other clients of yours, you will provide those clients with his contact info so they can work out compensation for their losses... if they don't accept that risk, then let them know that you'll proactively contact your other clients with this information so that they can draw up the invoices and court petitions in advance... :evil:

My point exactly with the legal aspect/implications Dean. I do appreciate your suggestions as I like the way you are thinking. Customers should hold some of the responsibility if they are not securing themselves well enough.

I do not want a case where customers can then have a legal case against us to say that we have not done due diligence regarding securing our network.

Perhaps you are right in that we should look more at dealing with the blacklist companies. Otanx, as it stands right now we do not publish reassignments with ARIN but will look at the feasibility of doing that. In the meantime we have gotten most of our clients to get the PTR records pointing to their mail server, which should help a bit.

#15
Security / Re: Outbound Spam/Mail Filtering
July 11, 2016, 03:47:28 PM
Quote from: ristau5741 on July 11, 2016, 12:30:03 PM
I'd be more concerned with inbound rather than outbound filtering, let stuff go out. Who really cares? Just don't let the bad stuff in.

Agreed... but at present the outbound is presenting more of a problem. Inbound going to the client is at them really. They should do the right thing and invest in a decent firewall; however, outbound affects me greatly. I am the ISP and I have a /24 block which I divide into /29s and /30s and give to customers for their use. When they allow their systems to be infected and it begins to send spam out, then the blacklist sites usually blacklist the entire /24 and not just the /29 they use. So one bad customer spoils the entire bunch??? lol

I am looking for an all-around complete solution and as an ISP we need to tighten up in all areas. We have some Check Point devices deployed in most of our network. I will probably contact them for this additional segment.