Peering VLANs and MAC addresses
Randy Bush
randy at psg.com
Thu Nov 10 02:35:27 UTC 2005
[ the voice of experience speaks ]
> We used to police this policy semi-manually, but now the switch vendors do
> decent hardware-based port-security/mac-locking functionality, so that
> does it for us, and actually does it pretty well.
>
> - The switch learns the first address received on the interface, which
> should be the first ingress frame (usually an ARP generated by the router
> sending a BGP Open), and remembers it (with a 3 minute ageing time).
>
> - This has the affect of applying an acl to the port (in hardware), which
> permits traffic from the "good" address, and drops frames from other
> addresses.
>
> - Should more than 100 different source MACs be learned (99 of which will
> be filtered and dropped) on the interface, the port will then log a
> critical violation and shut the port down.
>
> It works pretty well, it prevents all the usual badness we'd normally
> associate with switches on the IXP.
>
> So at the end of the day, it looks like we've been able to find a happy
> medium, maintaining decent "hygiene", while being able to let people
> indulge in deploying switches if they so choose.
thanks! this approaches reassuring. why does it tolerate 100
macs? at first blush, i would think three or four would be a
bad enough sign.
randy
More information about the NANOG
mailing list