IXP
Mikael Abrahamsson
swmike at swm.pp.se
Sun Apr 19 07:31:19 UTC 2009
On Sat, 18 Apr 2009, Nick Hilliard wrote:
> - ruthless and utterly fascist enforcement of one mac address per port,
> using either L2 ACLs or else mac address counting, with no exceptions
> for any reason, ever. This is probably the single most important
> stability / security enforcement mechanism for any IXP.
Well, as long as it simply drops packets and doesn't shut the port or
some other "fascist" enforcement. We've had AMSIX complain that our Cisco
12k with E5 linecard was spitting out a few tens of packets per day during
two months with random source mac addresses. Started suddenly, stopped
suddenly. It's ok for them to drop the packets, but not shut the port in a
case like that.
--
Mikael Abrahamsson email: swmike at swm.pp.se
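
The difference between dropping offending frames and shutting the port, as an added configuration example that is not part of the original message. It assumes a Cisco IOS Catalyst access port using port security; the interface names and MAC address are constructed placeholders, and the thread does not say which switch platform any IXP uses.

```cisco
! Constructed example: one MAC address per member port, two violation modes.
!
! Variant A: violation mode "shutdown" (the port-security default).
! The first frame from any other source MAC puts the port into
! err-disabled state, so a handful of stray frames per day takes
! the member's peering port down until it is recovered.
interface GigabitEthernet1/0/1
 description member-port-example-A
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Variant B: violation mode "restrict".
! Frames from any other source MAC are dropped, the violation counter
! is incremented and a log message / SNMP trap is generated, but the
! port stays up and the registered MAC keeps forwarding.
interface GigabitEthernet1/0/2
 description member-port-example-B
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
```

With variant B the violation counter reported by `show port-security interface GigabitEthernet1/0/2` still records the stray frames, so the exchange can raise the issue with the member without having taken the port out of service.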