IXP
Arnold Nipper
arnold at nipper.de
Sun Apr 19 18:53:31 UTC 2009
On 19.04.2009 19:43 Chris Caputo wrote
> On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
>> On Sat, 18 Apr 2009, Nick Hilliard wrote:
>> > - ruthless and utterly fascist enforcement of one mac address per
>> > port, using either L2 ACLs or else mac address counting, with no
>> > exceptions for any reason, ever. This is probably the single most
>> > important stability / security enforcement mechanism for any IXP.
>>
>> Well, as long as it simply drops packets and doesn't shut the port or
>> some other "fascist" enforcement. We've had AMSIX complain that our
>> Cisco 12k with E5 linecard was spitting out a few tens of packets per
>> day during two months with random source mac addresses. Started
>> suddenly, stopped suddenly. It's ok for them to drop the packets, but
>> not shut the port in a case like that.
>
> From the IX operator perspective it is important to immediately shut down
> a port showing a packet from an extra MAC address, rather than just
> silently dropping them.
We (DE-CIX) simply nail each MAC statically to the customer port and
allow traffic from these statically configured MAC addresses to enter
the switch fabric.
Initially this was done as a workaround as the F10 boxes didn't support
port-security. Meanwhile we think this is the best way to handle MAC
management. As a benefit there is no need to shut down customer ports
when frames from additional MACs arrive. These are simply ignored.
Works really great for us. YMMV.
Arnold
--
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold at nipper.de phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333
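The two enforcement styles discussed in this thread, port-security that shuts the port on the first foreign source MAC versus a static per-port MAC binding that silently discards and counts stray frames, as an added simulation that is not code from the thread or from any IXP. Port names, MAC addresses and the sampled frames are constructed; port eth1/1 reproduces the symptom Mikael describes, a handful of frames with random source MACs mixed into otherwise legitimate traffic.

```python
"""Simulate per-port source-MAC enforcement at an IXP fabric edge."""
from collections import Counter, defaultdict

# Constructed allow-list: exactly one statically configured MAC per customer port.
ALLOWED = {
    "eth1/1": "00:11:22:aa:bb:01",
    "eth1/2": "00:11:22:aa:bb:02",
}

# Constructed ingress sample as (port, source MAC). eth1/1 emits two frames
# with random source MACs in between its legitimate ones.
FRAMES = [
    ("eth1/1", "00:11:22:aa:bb:01"),
    ("eth1/1", "3e:9f:01:77:c2:10"),
    ("eth1/1", "00:11:22:aa:bb:01"),
    ("eth1/1", "b2:04:5d:e1:09:aa"),
    ("eth1/2", "00:11:22:aa:bb:02"),
    ("eth1/2", "00:11:22:aa:bb:02"),
]


def enforce(frames, allowed, mode="drop"):
    """Return (forwarded, dropped, shut_ports, offenders).

    mode="drop": static-MAC style; a frame from an unknown MAC is discarded
    and counted, the port stays up and legitimate traffic keeps flowing.
    mode="shutdown": port-security style; the first foreign MAC disables the
    port, so every later frame on it, legitimate or not, is lost as well.
    """
    forwarded = dropped = 0
    shut = set()
    offenders = defaultdict(Counter)  # port -> Counter of foreign source MACs
    for port, mac in frames:
        if port in shut:
            dropped += 1
            continue
        if mac == allowed.get(port):
            forwarded += 1
            continue
        offenders[port][mac] += 1
        dropped += 1
        if mode == "shutdown":
            shut.add(port)
    return forwarded, dropped, shut, offenders


def report(offenders):
    """Per-port (stray frame count, distinct foreign MACs), the data an operator
    would send the customer instead of shutting the port."""
    return {port: (sum(c.values()), len(c)) for port, c in offenders.items()}
```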