IXP
Jack Bates
jbates at brightok.net
Sat Apr 18 17:44:37 UTC 2009
Paul Vixie wrote:
> in terms of solid and predictable i would take per-peering VLANs with IP
> addresses assigned by the peers themselves, over switches that do unicast
> flood control or which are configured to ignore bpdu's in imaginative ways.
>
Simplicity only applies when it doesn't hinder security (the baseline
complexity). PE/BRAS systems suffer from a subset of IXP issues with a
few of their own. It amazes me how much "security" has been pushed from
the PE out into switches and DSLAMs. Enough so that I've found many
vendors that break IPv6 because of their "security" features. 1Q tagging
is about the simplest model I have seen for providing the necessary
isolation, mimicking PNI. For PE, it has allowed complete L3 ignorance
in the L2 devices while enforcing security policies at the aggregation
points. For an IXP it provides the necessary isolation and security
without having an expectation of the type of L3 traffic crossing through
the IXP.
It's true that 1Q tagging requires a configuration component, but I'd
hesitate to call it complex. 10,000-line router configs may be long, but
the length is often repetition due to configuration limitations rather
than complexity. HE's IPv6 tunnel servers are moderately more complex and
have handled provisioning well in my experience.
Multicast was brought up as an issue, but it's not less efficient than
if PNI had been used, and a structure could be designed to meet the
needs of multicast when needed.
Jack
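To make the per-peering VLAN model discussed above concrete, here is an illustrative IOS-style configuration. It is an added example, not part of the post and not any real exchange's configuration; the AS numbers (64496-64498, from the documentation range), VLAN IDs, interface names and addresses (192.0.2.0/24 and 2001:db8::/32) are all assumed. Each peering gets its own VLAN, the fabric switch carries no SVIs (the "L3 ignorance" of the L2 device), each participant port is a trunk limited to that participant's own peerings, and the interconnect addresses are chosen by the two peers, as they would be on a PNI.

```cisco
! --- IXP fabric switch (hypothetical) ---
! One VLAN per peering. No "interface Vlan" SVIs are defined, so the switch
! forwards frames by tag and MAC only and never sees the peers' L3 addressing.
vlan 1001
 name PEERING-AS64496-AS64497
vlan 1002
 name PEERING-AS64496-AS64498
vlan 1003
 name PEERING-AS64497-AS64498
!
! Participant ports: a trunk that carries only that participant's peerings,
! so a frame from AS64496 can only ever reach the peer it is tagged for.
interface GigabitEthernet1/1
 description participant AS64496
 switchport mode trunk
 switchport trunk allowed vlan 1001,1002
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/2
 description participant AS64497
 switchport mode trunk
 switchport trunk allowed vlan 1001,1003
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/3
 description participant AS64498
 switchport mode trunk
 switchport trunk allowed vlan 1002,1003
 switchport nonegotiate
 spanning-tree bpduguard enable

! --- Participant router for AS64496 (hypothetical) ---
! The exchange hands out only the VLAN ID; the /30 and /64 on each
! subinterface are agreed between the two peers, exactly as on a PNI.
interface GigabitEthernet0/0.1001
 description peering with AS64497 via IXP VLAN 1001
 encapsulation dot1Q 1001
 ip address 192.0.2.1 255.255.255.252
 ipv6 address 2001:db8:1001::1/64
!
interface GigabitEthernet0/0.1002
 description peering with AS64498 via IXP VLAN 1002
 encapsulation dot1Q 1002
 ip address 192.0.2.5 255.255.255.252
 ipv6 address 2001:db8:1002::1/64
!
router bgp 64496
 neighbor 192.0.2.2 remote-as 64497
 neighbor 192.0.2.6 remote-as 64498
 neighbor 2001:db8:1001::2 remote-as 64497
 neighbor 2001:db8:1002::2 remote-as 64498
 address-family ipv4
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.6 activate
 address-family ipv6
  neighbor 2001:db8:1001::2 activate
  neighbor 2001:db8:1002::2 activate
```

Because AS64497 and AS64498 are never in a common VLAN with AS64496's frames, ARP, ND and any unicast flooding from one peering cannot reach a third participant, which is the isolation the post attributes to this model; the trunk allowed-VLAN list is the only per-port policy the switch needs, and the BGP sessions and any filtering live on the participants' routers.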