Hello,
The company I work for recently got a new network to maintain. This network consists of multiple Extreme Networks switches which haven’t been configured right security-wise (IMO).
Neither my colleagues nor I have much experience with Extreme switches, so I hope any of you can help me/us.
The case:
- The switch (X670-G1) has three ports (20, 21 and 22) which are connected to “carriers”.
- The “carriers” provide VLAN(s) which are all combined into one VLAN (Port-specific Tag).
- The VLAN(s) are customer locations beyond our control.
- Layer-2 only, routing is done with a (Juniper) router connected to port 24.
My problem with this setup:
- The customers can configure any IP-address they want (possibly causing an IP conflict).
- The customers can possibly exhaust the MAC table.
- ????
The config:
create vlan "WAN-devices"
configure vlan WAN-devices tag 2
disable igmp snooping vlan "WAN-devices"
configure vlan WAN-devices add ports 24 tagged
configure vlan WAN-devices add ports 21 tagged 251
configure vlan WAN-devices add ports 21 tagged 252
configure vlan WAN-devices add ports 21 tagged 253
configure vlan WAN-devices add ports 21 tagged 254
configure vlan WAN-devices add ports 21 tagged 255
configure vlan WAN-devices add ports 22 tagged 1372
configure vlan WAN-devices add ports 22 tagged 1373
configure vlan WAN-devices add ports 22 tagged 1374
configure vlan WAN-devices add ports 22 tagged 1375
configure vlan WAN-devices add ports 22 tagged 1376
configure vlan WAN-devices add ports 22 tagged 1377
configure vlan WAN-devices add ports 22 tagged 1378
configure vlan WAN-devices add ports 22 tagged 1379
configure vlan WAN-devices add ports 22 tagged 1380
configure vlan WAN-devices add ports 20 tagged 2001
VLANs 25X, 13XX and 2001 are outside of my control. All devices use the same (/25) subnet, and the (Juniper) router acts as a gateway for the /25 subnet.
My question:
Can I do anything in the X670 switch to prevent the customers from using more than (1) IP address and MAC address?
The network consists of both static and DHCP IP addresses. Any other advice is of course welcome!
I really appreciate any help you can provide.