Chris Caputo ccaputo at alt.net
Sun Apr 19 12:43:18 CDT 2009

On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
> On Sat, 18 Apr 2009, Nick Hilliard wrote:
> > - ruthless and utterly fascist enforcement of one mac address per 
> > port, using either L2 ACLs or else mac address counting, with no 
> > exceptions for any reason, ever.  This is probably the single more 
> > important stability / security enforcement mechanism for any IXP.
> Well, as long as it simply drops packets and doesn't shut the port or 
> some other "fascist" enforcement. We've had AMSIX complain that our 
> Cisco 12k with E5 linecard was spitting out a few tens of packets per 
> day during two months with random source mac addresses. Started 
> suddenly, stopped suddenly. It's ok for them to drop the packets, but 
> not shut the port in a case like that.

From the IX operator perspective it is important to immediately shut down 
a port showing a packet from an extra MAC address, rather than just 
silently dropping them.  The "fascist" reason being that it is a quick and 
effective way of informing the participant that their recent maintenance 
has gone afoul.  At the SIX we have err-disable recovery set to 5 minutes 
so that the port will come back up automatically.  (sometimes only to be 
shut down again two packets later, and usually before any BGP sessions have 

If the port is left up with the rogue packets simply being dropped, and 
the exchange sends the participant a followup email informing them of the 
problem, the participant's maintenance window may already have passed 
and so problem resolution tends to get extended.

In cases that are temporarily unfixable, such as a router bug, we have been 
known to change the port config such that the rogue packets are just 
dropped/logged rather than answered with a shutdown, but that is rare.

SIX Janitor
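The trade-off in this thread (err-disable the port on a second source MAC versus just dropping and logging the stray frames) is easy to reason about with a small simulator. The code below is an added example written for this page, not anything from the SIX, AMS-IX or any switch vendor; the port model, the `handle_frame` function, the 5-minute recovery timer and the frame trace are all constructed, with the trace mimicking the "few stray packets per day with random source MACs" case described above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of one-MAC-per-port enforcement on an IXP access port.
# mode "shutdown": err-disable the port on a violation and bring it back after
#                  a recovery timer (the SIX value quoted in the post is 5 min).
# mode "drop":     discard and log the offending frame; the port stays up.
# Everything here is hypothetical and written for illustration only.

ERRDISABLE_RECOVERY_SECONDS = 300.0   # 5 minutes, as stated in the post


@dataclass
class PortState:
    mode: str                                   # "shutdown" or "drop"
    allowed_mac: Optional[str] = None           # the single permitted source MAC
    errdisabled_until: Optional[float] = None   # when the port returns to service
    violations: List[Tuple[float, str]] = field(default_factory=list)  # (time, mac)
    shutdown_count: int = 0


def handle_frame(port: PortState, now: float, src_mac: str) -> str:
    """Apply the one-MAC-per-port policy to a single frame.

    Returns the action taken: 'forward', 'drop', 'shutdown', or 'port-down'
    (the frame arrived while the port was still err-disabled).
    """
    src_mac = src_mac.lower()

    # Err-disable recovery: once the timer expires, put the port back in service.
    if port.errdisabled_until is not None:
        if now < port.errdisabled_until:
            return "port-down"
        port.errdisabled_until = None

    # Sticky learning: the first MAC seen on the port is the only one allowed.
    if port.allowed_mac is None:
        port.allowed_mac = src_mac
        return "forward"
    if src_mac == port.allowed_mac:
        return "forward"

    # A second source MAC on the port: this is the violation both policies log.
    port.violations.append((now, src_mac))
    if port.mode == "shutdown":
        port.errdisabled_until = now + ERRDISABLE_RECOVERY_SECONDS
        port.shutdown_count += 1
        return "shutdown"
    return "drop"


def run(mode: str, frames: List[Tuple[float, str]]) -> Tuple[PortState, List[str]]:
    """Replay a (timestamp, source MAC) trace through a fresh port in the given mode."""
    port = PortState(mode=mode)
    actions = [handle_frame(port, t, mac) for t, mac in frames]
    return port, actions


# Constructed trace: the participant's router MAC, two stray frames with random
# source MACs (the symptom described in the thread), then normal traffic again
# after the recovery timer would have expired.
FRAMES = [
    (0.0,   "00:11:22:33:44:55"),
    (1.0,   "00:11:22:33:44:55"),
    (2.0,   "de:ad:be:ef:00:01"),   # stray source MAC
    (3.0,   "00:11:22:33:44:55"),   # legitimate, but lost if the port is down
    (4.0,   "de:ad:be:ef:00:02"),   # stray source MAC
    (400.0, "00:11:22:33:44:55"),   # after the 5-minute recovery window
]


if __name__ == "__main__":
    for mode in ("shutdown", "drop"):
        port, actions = run(mode, FRAMES)
        print(f"{mode:8s} actions={actions} violations={len(port.violations)} "
              f"shutdowns={port.shutdown_count}")
```

Replaying the same trace in both modes shows the point made in the thread: in `shutdown` mode the participant's legitimate frame at t=3 is lost (the port is err-disabled, so the operator notices immediately), while in `drop` mode only the stray frames are discarded and everything else keeps flowing, but the violation log is the only signal anyone gets.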
