nanog mailing list archives

Re: IXP


From: Arnold Nipper <arnold () nipper de>
Date: Sun, 19 Apr 2009 20:53:31 +0200

On 19.04.2009 19:43 Chris Caputo wrote

On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
On Sat, 18 Apr 2009, Nick Hilliard wrote:
- ruthless and utterly fascist enforcement of one mac address per 
port, using either L2 ACLs or else mac address counting, with no 
exceptions for any reason, ever.  This is probably the single most 
important stability / security enforcement mechanism for any IXP.

Well, as long as it simply drops packets and doesn't shut the port or 
some other "fascist" enforcement. We've had AMSIX complain that our 
Cisco 12k with E5 linecard was spitting out a few tens of packets per 
day during two months with random source mac addresses. Started 
suddenly, stopped suddenly. It's ok for them to drop the packets, but 
not shut the port in a case like that.

From the IX operator perspective it is important to immediately shut down 
a port showing a packet from an extra MAC address, rather than just 
silently dropping them.

We (DE-CIX) simply nail each MAC statically to the customer port and
allow traffic from these statically configured MAC addresses to enter
the switch fabric.

Initially this was done as a workaround as the F10 boxes didn't support
port-security. Meanwhile we think this is the best way to handle MAC
management. As a benefit there is no need to shut down customer ports
when frames from additional MACs arrive. These are simply ignored.

Works really great for us. YMMV.



Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold () nipper de       phone: +49 6224 9259 299
mobile: +49 172 2650958         fax: +49 6224 9259 333
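The two enforcement styles discussed in this thread, side by side, as an added illustration that is not part of the original mail or of DE-CIX's or AMS-IX's configuration; it uses Cisco IOS port-security and MAC ACL syntax (the Force10 static-MAC method Arnold describes is not reproduced), and the interface name and MAC address are placeholders.

```cisco
! Variant 1 (the behaviour Mikael objects to): the first frame with a
! stray source MAC err-disables the customer port.
interface GigabitEthernet1/1
 description IXP customer port (placeholder)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0c12.3456
 switchport port-security violation shutdown
!
! Variant 2: the customer MAC is nailed to the port; frames from any
! other source MAC are dropped and counted, and the port stays up so
! a handful of random-MAC packets per day is logged, not an outage.
interface GigabitEthernet1/1
 description IXP customer port (placeholder)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0c12.3456
 switchport port-security violation restrict
!
! Variant 3: the same allow-list expressed as an L2 ACL, for
! platforms where port-security is unavailable (the situation Arnold
! mentions with the F10 boxes).
mac access-list extended IXP-CUST-PORT-1
 permit host 0000.0c12.3456 any
 deny any any
!
interface GigabitEthernet1/1
 mac access-group IXP-CUST-PORT-1 in
```

With variant 2, `show port-security interface GigabitEthernet1/1` reports the violation count, which is what the IX operator would watch to notice the kind of intermittent stray-MAC behaviour described for the 12k/E5 port without taking the peer offline.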

Attachment: signature.asc
Description: OpenPGP digital signature