IXP
On 19.04.2009 19:43 Chris Caputo wrote
> On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
>> On Sat, 18 Apr 2009, Nick Hilliard wrote:
>> > - ruthless and utterly fascist enforcement of one mac address per
>> > port, using either L2 ACLs or else mac address counting, with no
>> > exceptions for any reason, ever. This is probably the single most
>> > important stability / security enforcement mechanism for any IXP.
>>
>> Well, as long as it simply drops packets and doesn't shut the port or
>> some other "fascist" enforcement. We've had AMSIX complain that our
>> Cisco 12k with E5 linecard was spitting out a few tens of packets per
>> day during two months with random source mac addresses. Started
>> suddenly, stopped suddenly. It's ok for them to drop the packets, but
>> not shut the port in a case like that.
>
> From the IX operator perspective it is important to immediately shut down
> a port showing a packet from an extra MAC address, rather than just
> silently dropping them.
We (DE-CIX) simply nail each MAC statically to the customer port and
allow traffic from these statically configured MAC addresses to enter
the switch fabric.
Initially this was done as a workaround as the F10 boxes didn't support
port-security. Meanwhile we think this is the best way to handle MAC
management. As a benefit there is no need to shut down customer ports
when frames from additional MACs arrive. These are simply ignored.
Works really great for us. YMMV.
Arnold
--
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold at nipper.de phone: +49 6224 9259 299
mobile: +49 172 2650958 fax: +49 6224 9259 333
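As an added illustration (not code from the thread, and not any IXP's actual switch configuration), this Python model contrasts the two policies discussed above: a static per-port MAC allow-list that drops and counts stray frames while leaving the port up, versus port-security style enforcement that shuts the port on the first violation. The port names, MAC addresses and sample frames are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Static per-port MAC allow-list in the style the post describes. Port names
# and MACs are constructed sample values, not real IXP data.
ALLOWED = {
    "port1": {"00:11:22:33:44:55"},
    "port2": {"00:11:22:33:44:66", "00:11:22:33:44:67"},
}

@dataclass
class PortState:
    shut: bool = False
    forwarded: int = 0
    dropped: int = 0
    stray_macs: set = field(default_factory=set)

def process(frames, mode, alert_threshold=10):
    """Apply an ingress MAC policy to (port, src_mac) frames.
    mode="static": unknown-MAC frames are dropped and counted, the port stays
    up, one alert fires when a port's stray count reaches alert_threshold.
    mode="shutdown": port-security style, first stray frame shuts the port.
    Returns (dict port -> PortState, list of alert strings)."""
    ports, alerts = defaultdict(PortState), []
    for port, mac in frames:
        st, mac = ports[port], mac.lower()
        if st.shut:
            st.dropped += 1
            continue
        if mac in ALLOWED.get(port, set()):
            st.forwarded += 1
            continue
        st.dropped += 1
        st.stray_macs.add(mac)
        if mode == "shutdown":
            st.shut = True
            alerts.append(f"{port}: shut after stray MAC {mac}")
        elif st.dropped == alert_threshold:
            alerts.append(f"{port}: {st.dropped} stray frames from "
                          f"{len(st.stray_macs)} MACs, port left up")
    return ports, alerts

# Constructed sample traffic: port2 leaks a few frames with random source
# MACs in between legitimate ones, the failure mode reported in the thread.
SAMPLE = [("port1", "00:11:22:33:44:55")] * 5 + [
    ("port2", "00:11:22:33:44:66"), ("port2", "de:ad:be:ef:00:01"),
    ("port2", "00:11:22:33:44:67"), ("port2", "de:ad:be:ef:00:02"),
    ("port2", "00:11:22:33:44:66"),
]
```

Running `process(SAMPLE, "static")` keeps port2 forwarding its legitimate frames and merely counts the two strays, whereas `process(SAMPLE, "shutdown")` err-disables port2 after the first stray and drops everything that follows, including legitimate traffic.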