Juniper port security put network down

I have a core and several access switches. I have RVI configured for my VLAN at the core. I have 1 RVI configured for each access switch for the gateway. When I configured arp-inspection and dhcp-examine for all of my VLANs, the whole network went down. The access switches do not like those port security commands for all VLANs.
I am trying to understand why my network went down when I configured those port security commands. Thx
leblancAccountingAsked:

pergrCommented:
https://www.juniper.net/documentation/en_US/junos11.4/topics/example/port-security-server-on-second-switch-same-vlan.html

You need to configure the ports between the access switches and core switch as TRUNK ports, which by default are "trusted" interfaces. If you do not have these as trunks (with vlan tags) then you need to manually configure the uplink ports as trusted interfaces.
0
leblancAccountingAuthor Commented:
The ports between the access switches and the core are trunks.
0
harbor235Commented:
Since arp-inspection relies on the dhcp snooping database and is enforced per vlan, make sure to enable dhcp snooping first, verify the dhcp snooping database is populated with all active macs for that vlan, then turn on arp-inspection. arp-inspection works by relying on the dhcp snooping database, so if it is not populated when you turn on arp-inspection it will drop all macs not in the table.

Good reference:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/example/port-security-protect-from-arp-spoofing.html


harbor235 ;}
0
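The pre-check described in the answer above, as an added example that is not part of the original thread: before enabling arp-inspection on a VLAN, compare the DHCP snooping bindings with the hosts actually active on untrusted ports and list those with no matching binding. The row layout, the sample rows, the trusted port and all function names are constructed for illustration and are not literal switch output.

```python
from collections import namedtuple

Host = namedtuple("Host", "mac ip vlan interface")

def norm_mac(mac):
    """Normalize case and separators so 00-11-.. and 00:11:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_rows(text):
    """Parse 'mac ip vlan interface' rows; '#' comments and blank lines are skipped."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [Host(norm_mac(m), ip, vlan, ifc) for m, ip, vlan, ifc in filter(None, rows)]

def would_be_dropped(bindings, active, trusted):
    """Return (host, reason) for each active host whose ARP would fail inspection."""
    bound = {(b.mac, b.vlan): b.ip for b in bindings}
    problems = []
    for h in active:
        if h.interface in trusted:
            continue  # ARP received on a trusted port bypasses inspection
        ip = bound.get((h.mac, h.vlan))
        if ip is None:
            problems.append((h, "no binding"))
        elif ip != h.ip:
            problems.append((h, f"binding is for {ip}"))
    return problems

# Constructed sample data in a simplified column layout (not literal switch output).
SNOOPING = """
00:11:22:aa:bb:01 10.10.20.11 v20 ge-0/0/1
00:11:22:aa:bb:02 10.10.20.12 v20 ge-0/0/2
"""
ACTIVE = """
00:11:22:AA:BB:01 10.10.20.11 v20 ge-0/0/1   # DHCP client, matches its lease
00-11-22-aa-bb-02 10.10.20.50 v20 ge-0/0/2   # has a lease but uses another IP
00:11:22:aa:bb:03 10.10.20.5  v20 ge-0/0/3   # statically addressed, never leased
00:11:22:aa:bb:ff 10.10.20.1  v20 ge-0/0/47  # gateway behind the trusted uplink
"""
TRUSTED = {"ge-0/0/47"}  # assumed uplink/trunk port

def report():
    hits = would_be_dropped(parse_rows(SNOOPING), parse_rows(ACTIVE), TRUSTED)
    return [(h.ip, reason) for h, reason in hits]

if __name__ == "__main__":
    for ip, reason in report():
        print(f"{ip}: would be dropped ({reason})")
```

Any host this reports needs a lease, a static binding or a trusted port before inspection is turned on for its VLAN.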

leblancAccountingAuthor Commented:
That is what I did.
0
harbor235Commented:
Did you verify the dhcp-snooping database before enabling DAI?

harbor235 ;}
0

harbor235Commented:
Also, did you set mac-limit per? and did you set trunk ports to be untrusted or trusted? Can you post your config?


harbor235 ;}
0
leblancAccountingAuthor Commented:
I'd like to make a correction to my problem. Those port security commands did not put my network down. I could not access the Internet when I input those commands. I did the configuration remotely and after entering those commands, it kicked me out of the telnet session. I had to be onsite to access the switches and remove those commands.

I did not set mac-limit per port because we do not want to limit the MAC address. By default the trunks are trusted so I did not configure anything. I verified the db and there are IP addresses.
I removed those commands from my switch because it crashed my network.
0
leblancAccountingAuthor Commented:
Any thoughts?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.