nanog mailing list archives
Re: Peering VLANs and MAC addresses
From: Randy Bush <randy () psg com>
Date: Wed, 9 Nov 2005 16:35:27 -1000
[ the voice of experience speaks ]
We used to police this policy semi-manually, but now the switch vendors do decent hardware-based port-security/mac-locking functionality, so that does it for us, and actually does it pretty well.

- The switch learns the first address received on the interface, which should be the first ingress frame (usually an ARP generated by the router sending a BGP Open), and remembers it (with a 3 minute ageing time).
- This has the effect of applying an acl to the port (in hardware), which permits traffic from the "good" address, and drops frames from other addresses.
- Should more than 100 different source MACs be learned (99 of which will be filtered and dropped) on the interface, the port will then log a critical violation and shut the port down.

It works pretty well, it prevents all the usual badness we'd normally associate with switches on the IXP. So at the end of the day, it looks like we've been able to find a happy medium, maintaining decent "hygiene", while being able to let people indulge in deploying switches if they so choose.
thanks! this approaches reassuring. why does it tolerate 100 macs? at first blush, i would think three or four would be a bad enough sign. randy
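The port-locking behaviour described in the quoted message, as an added Python model that is not part of the thread or any vendor's implementation: learn the first source MAC, forward only that MAC, drop the rest, and shut the port down once more than a threshold of distinct MACs has been seen. The 3-minute ageing and the 100-MAC threshold come from the message; the threshold is a parameter so the lower values asked about can be tried, and the port name, MAC addresses and traffic are constructed.

```python
# Model of the hardware port-security behaviour described in the thread. The
# 3-minute ageing and 100-MAC violation threshold come from the message; the
# class, names and traffic below are assumptions, not any vendor's code.
AGEING_SECONDS = 3 * 60
SHUTDOWN_THRESHOLD = 100


class SecurePort:
    def __init__(self, name, max_macs=SHUTDOWN_THRESHOLD, ageing=AGEING_SECONDS):
        self.name, self.max_macs, self.ageing = name, max_macs, ageing
        self.learned = None      # the locked "good" MAC
        self.last_seen = 0.0
        self.seen = set()        # distinct source MACs observed while locked
        self.shutdown = False
        self.log = []

    def ingress(self, src_mac, now):
        """Return 'forward', 'drop' or 'shutdown' for one ingress frame at time now."""
        if self.shutdown:
            return "shutdown"
        src_mac = src_mac.lower()
        if self.learned and now - self.last_seen > self.ageing:
            self.learned, self.seen = None, set()         # age out the lock
        if self.learned is None:
            self.learned, self.last_seen = src_mac, now   # first frame wins
            self.seen = {src_mac}
            return "forward"
        if src_mac == self.learned:
            self.last_seen = now
            return "forward"
        self.seen.add(src_mac)              # filtered in hardware, but counted
        if len(self.seen) > self.max_macs:  # too many distinct MACs: violation
            self.shutdown = True
            self.log.append(f"{self.name}: critical violation, {len(self.seen)} MACs, port shut down")
            return "shutdown"
        return "drop"


def demo(threshold=SHUTDOWN_THRESHOLD):
    """Replay constructed traffic: one peer router plus a leaked switch domain."""
    port = SecurePort("port-1", max_macs=threshold)
    router = "00:00:5e:00:53:01"            # constructed address
    forwarded = dropped = 0
    for i in range(120):
        forwarded += port.ingress(router, now=float(i)) == "forward"
        leaked = f"02:00:00:00:{i // 256:02x}:{i % 256:02x}"   # one new host per step
        dropped += port.ingress(leaked, now=float(i)) == "drop"
    return forwarded, dropped, port.shutdown
```

With the default threshold the router's frames keep flowing until the 100th foreign MAC trips the violation; with `demo(3)` the same traffic shuts the port after the second foreign MAC.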