nanog mailing list archives

Re: Ethernet EP - MAC Address Filtering


From: "David McGaugh" <david_mcgaugh () eli net>
Date: Fri, 08 Feb 2002 12:59:23 -0800




Actually, I was more speaking in terms of applying the filters to your
router port as an Exchange Point Member to prevent another unscrupulous
exchange point member from default routing you or other things nasty.

-Dave

Deepak Jain wrote:

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
David McGaugh
Sent: Friday, February 08, 2002 3:18 PM
To: nanog () merit edu
Subject: Ethernet EP - MAC Address Filtering

Just curious if anyone is performing MAC Address Filtering at any of
the Ethernet Exchange Points. If so has it been found to be easy to
administer or difficult whereby peers may be changing Layer 3 devices
or Interfaces without notice? Alternately is MAC Address Filtering
considered an unneeded security measure?

Thanks,
Dave

----

Speaking of this, is MAC Address filtering [at an IX] really designed to
eliminate the possibility of new hardware showing up on the port or is it
more the idea of keeping lots of boxes from showing up directly [like
hanging another switch off the port]. If it's the latter, a seemingly
sensible approach would be to limit the number of unique MAC addresses to
like 2-4 per port.

This way you can change your equipment without prior notice, but you can't
(as easily) violate the integrity of the switching fabric.

I know for our network ports we limit to no more than 2 unique MACs in a
certain time period [~5 minutes or so] which again, allows swapping of
equipment without compromising anything that MAC layer filtering is supposed
to protect.

Deepak Jain
AiNET
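
The per-port limit described in the reply above (no more than 2 unique MACs within roughly 5 minutes), sketched as an added example that is not part of the original thread or any switch vendor's implementation. The port names, MAC addresses and the choice to reject and log the extra MAC are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_S = 300  # "~5 minutes or so", from the message
MAX_MACS = 2    # "no more than 2 unique MACs", from the message


def check_events(events, max_macs=MAX_MACS, window_s=WINDOW_S):
    """Apply a per-port unique-MAC limit to (ts_seconds, port, src_mac) events.

    Returns a list of (ts, port, rejected_mac, macs_currently_allowed).
    Assumption: a MAC over the limit is rejected and logged, not learned.
    """
    last_seen = defaultdict(dict)  # port -> {mac: timestamp last seen}
    violations = []
    for ts, port, mac in sorted(events):
        mac = mac.lower()
        seen = last_seen[port]
        # Age out MACs that have been silent for a full window.
        for stale in [m for m, t in seen.items() if ts - t >= window_s]:
            del seen[stale]
        if mac in seen or len(seen) < max_macs:
            seen[mac] = ts  # learn or refresh
        else:
            violations.append((ts, port, mac, sorted(seen)))
    return violations


# Constructed sample events (hypothetical ports, locally administered MACs).
SAMPLE = [
    # port1: a router is swapped for new hardware inside the window -> allowed
    (0,   "port1", "02:00:00:00:01:01"),
    (60,  "port1", "02:00:00:00:01:01"),
    (120, "port1", "02:00:00:00:01:02"),
    # port2: a switch hung off the port exposes a third MAC -> rejected
    (0,   "port2", "02:00:00:00:02:01"),
    (10,  "port2", "02:00:00:00:02:02"),
    (20,  "port2", "02:00:00:00:02:03"),
    # port2: the earlier MACs have aged out, so the same MAC is now learned
    (400, "port2", "02:00:00:00:02:03"),
]

if __name__ == "__main__":
    for ts, port, mac, allowed in check_events(SAMPLE):
        print(f"t={ts}s {port}: rejected {mac}, already allowed: {allowed}")
```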