Layer-2 security (IP-address conflict etc).

Gilu_Debee — Tue, 06 Jun 2017 20:43:00 GMT

Hello,

The company i work for recently has a new network to maintain, this network consists of multiple Extreme Network switches which haven’t been configured right security wise (IMO).
Me or my colleagues don’t have much experiance with Extreme switches so i hope any of you can help me/us.

The case:
- The switch (X670-G1) has three ports (20,21 and 22) which are connected to “carriers”.
- The “carriers” provide VLAN(s) which are all combined into one VLAN (Port-specific Tag).
- The VLANS(s) are customer locations beyond our control.
- Layer-2 only, routing is done with a (Juniper) router connected to port 24.

My problem with this setup:
- The customers can configure any IP-address they want (possibly causing an IP conflict).
- The customers can possibly exhaust the mac table.
- ????
The config:

create vlan "WAN-devices"
configure vlan WAN-devices tag 2
disable igmp snooping vlan "WAN-devices"
configure vlan WAN-devices add ports 24 tagged
configure vlan WAN-devices add ports 21 tagged 251
configure vlan WAN-devices add ports 21 tagged 252
configure vlan WAN-devices add ports 21 tagged 253
configure vlan WAN-devices add ports 21 tagged 254
configure vlan WAN-devices add ports 21 tagged 255
configure vlan WAN-devices add ports 22 tagged 1372
configure vlan WAN-devices add ports 22 tagged 1373
configure vlan WAN-devices add ports 22 tagged 1374
configure vlan WAN-devices add ports 22 tagged 1375
configure vlan WAN-devices add ports 22 tagged 1376
configure vlan WAN-devices add ports 22 tagged 1377
configure vlan WAN-devices add ports 22 tagged 1378
configure vlan WAN-devices add ports 22 tagged 1379
configure vlan WAN-devices add ports 22 tagged 1380
configure vlan WAN-devices add ports 20 tagged 2001

VLANS 25X, 13XX and 2001 are outside of my controll, all devices use the same (/25) subnet, the (Juniper) router
acts as a gateway for the /25 subnet.
My question:
Can i do anywhing in the X670 switch to prevent the customers from using more than (1) IP-address and mac-address?
The network consists of both static and DHCP IP-addresses. Any other advice is offcourse welcome!

I really appreciate any help you can provide.

RE: Layer-2 security (IP-address conflict etc).

Nick_Yakimenko — Tue, 06 Jun 2017 23:18:00 GMT

You add vlan "Wan-devices" to different STP-domains or you are misconfigured and you try to add private-vlans into one vlan?

RE: Layer-2 security (IP-address conflict etc).

Gilu_Debee — Tue, 06 Jun 2017 23:18:00 GMT

I think the second one is the case here since the router for all VLANS are routed by the router on port 24.

RE: Layer-2 security (IP-address conflict etc).

Mrxlazuardin — Thu, 08 Jun 2017 00:14:00 GMT

Hi Gilu,

I don't understand, since your X670 is working on L2 only, why are you asking about IP address conflict? It should be Juniper router problem not Extreme switch problem. Regarding MAC capacity, do you think 128K MAC capacity will give you problem?

Anyway, why don't you put separate VLAN for each subnet and send them all to Juniper router so each VLAN will have their own gateway? It seem that you only do VLAN translation from many tags to single VLAN tag.

Best regards,

topic RE: Layer-2 security (IP-address conflict etc). in ExtremeSwitching (EXOS/Switch Engine)

Layer-2 security (IP-address conflict etc).

RE: Layer-2 security (IP-address conflict etc).

RE: Layer-2 security (IP-address conflict etc).

RE: Layer-2 security (IP-address conflict etc).