Juniper port security put network down

I have a core and several access switches. I have RVI configured for my VLAN at the core. I have 1 RVI configured for each access switch for the gateway. When I configured arp-inspection and dhcp-examine for all of my VLANs, the whole network went down. The access switches do not like those port security commands for all VLANs.
I am trying to understand why my network went down when I configured those port security commands. Thx
leblancAccountingAsked:

pergrCommented:
https://www.juniper.net/documentation/en_US/junos11.4/topics/example/port-security-server-on-second-switch-same-vlan.html

You need to configure the ports between the access switches and core switch as TRUNK ports, which by default are "trusted" interfaces. If you do not have these as trunks (with vlan tags) then you need to manually configure the uplink ports as trusted interfaces.
leblancAccountingAuthor Commented:
The ports between the access switches and the core are trunks.
harbor235Commented:
Since arp-inspection relies on the dhcp snooping database and is enforced per VLAN, make sure to enable dhcp snooping first, verify that the dhcp snooping database is populated with all active MACs for that VLAN, then turn on arp-inspection. arp-inspection works by relying on the dhcp snooping database, so if it is not populated when you turn on arp-inspection it will drop all MACs not in the table.

Good reference:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/port-security-protect-from-arp-spoofing.html


harbor235 ;}
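
The pre-check described in the answer above, as an added example that is not part of the original thread: it models ARP inspection in simplified form (an ARP sender on an untrusted port passes only if its MAC, IP and VLAN match a DHCP snooping binding) and lists the active hosts that would be cut off. The interface names, addresses and the `Entry`, `dai_verdict` and `precheck` names are constructed for illustration.

```python
"""Pre-check before enabling ARP inspection: which active hosts lack a usable
DHCP snooping binding? Simplified model; all sample data below is constructed."""
from collections import namedtuple

Entry = namedtuple("Entry", "mac ip vlan interface")

def index_bindings(bindings):
    """Key the snooping table by (MAC, VLAN) for lookup."""
    return {(b.mac.lower(), b.vlan): b for b in bindings}

def dai_verdict(host, table, trusted):
    """Return 'pass' or the reason this host's ARP packets would be dropped."""
    if host.interface in trusted:
        return "pass"                    # trusted ports are not inspected
    binding = table.get((host.mac.lower(), host.vlan))
    if binding is None:
        return "drop: no binding"        # e.g. static IP, or lease predates snooping
    if binding.ip != host.ip:
        return "drop: ip mismatch"
    return "pass"

def precheck(hosts, bindings, trusted):
    """List (host, reason) for every active host ARP inspection would cut off."""
    table = index_bindings(bindings)
    verdicts = ((h, dai_verdict(h, table, trusted)) for h in hosts)
    return [(h, v) for h, v in verdicts if v != "pass"]

# Constructed sample: one access switch, VLAN 10, uplink trunk ge-0/0/23.
TRUSTED = {"ge-0/0/23"}
BINDINGS = [
    Entry("00:00:5e:00:53:01", "192.0.2.11", 10, "ge-0/0/1"),
    Entry("00:00:5e:00:53:02", "192.0.2.12", 10, "ge-0/0/2"),
]
HOSTS = [
    Entry("00:00:5E:00:53:01", "192.0.2.11", 10, "ge-0/0/1"),   # DHCP client, bound
    Entry("00:00:5e:00:53:02", "192.0.2.99", 10, "ge-0/0/2"),   # IP differs from lease
    Entry("00:00:5e:00:53:03", "192.0.2.20", 10, "ge-0/0/3"),   # static server, no lease
    Entry("00:00:5e:00:53:fe", "192.0.2.1", 10, "ge-0/0/23"),   # gateway via trunk
]

if __name__ == "__main__":
    for host, reason in precheck(HOSTS, BINDINGS, TRUSTED):
        print(f"{host.ip:<12} {host.mac} {host.interface:<10} {reason}")
```

An empty result means every active host on an untrusted port already has a matching binding; any host listed needs a lease renewal, a static binding or a trusted port before inspection is turned on.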

leblancAccountingAuthor Commented:
That is what I did.
harbor235Commented:
Did you verify the dhcp-snooping database before enabling DAI?

harbor235 ;}

harbor235Commented:
Also, did you set mac-limit per? and did you set trunk ports to be untrusted or trusted? Can you post your config?


harbor235 ;}
leblancAccountingAuthor Commented:
I'd like to make a correction to my problem. Those port security commands did not put my network down. I could not access the Internet when I input those commands. I did the configuration remotely and after entering those commands, it kicked me out of the telnet session. I had to be onsite to access the switches and remove those commands.

I did not set mac-limit per port because we do not want to limit the MAC address. By default the trunks are trusted, so I did not configure anything. I verified the db and there are IP addresses.
I removed those commands from my switch because it crashed my network.
leblancAccountingAuthor Commented:
Any thoughts?