Re: Peering VLANs and MAC addresses

[Randy Bush <randy () psg com>]

[ the voice of experience speaks ]
> We used to police this policy semi-manually, but now the switch vendors do 
> decent hardware-based port-security/mac-locking functionality, so that 
> does it for us, and actually does it pretty well.
>
> - The switch learns the first address received on the interface, which 
> should be the first ingress frame (usually an ARP generated by the router 
> sending a BGP Open), and remembers it (with a 3 minute ageing time).
>
> - This has the affect of applying an acl to the port (in hardware), which 
> permits traffic from the "good" address, and drops frames from other 
> addresses. 
>
> - Should more than 100 different source MACs be learned (99 of which will 
> be filtered and dropped) on the interface, the port will then log a 
> critical violation and shut the port down.
>
> It works pretty well, it prevents all the usual badness we'd normally 
> associate with switches on the IXP.
>
> So at the end of the day, it looks like we've been able to find a happy
> medium, maintaining decent "hygiene", while being able to let people
> indulge in deploying switches if they so choose.

thanks!  this approaches reassuring.  why does it tolerate 100
macs?  at first blush, i would think three or four would be a
bad enough sign.

randy