I would be planning to deploy it on the Juniper platforms, and it appears that at least the 4-port FE PICs support it as well. I would imagine (without actually investigating it) you could do some sort of port security on the 65xx/76xx platform, though.

Primarily I am questioning whether it would be scalable in the long term or whether it would become more trouble than what it would be worth.

Also, while Deepak pointed out that you could perform line-rate packet filtering only allowing packets to valid destinations on your network, this would only stop someone defaulting you but would not stop someone repointing next hop to valid destinations on your network.

-Dave

Lane Patterson wrote:
I'm aware that Juniper GigE interfaces support a mac-filter-list. I'm not well versed on which versions of Cisco router products support this well (and line rate), but I didn't think GSRs and 7xxx had any support for this. Are the L2/L3 family (65xx, 76xx) able to handle mac-filters at line rate w/o a slow path?
I too would be interested in knowing if folks perform mac-filtering.
Certainly there are other measures you can take as well, such as scripting some default-pointing traceroute checks, to check both peers and non-peers on an IXP fabric. These have been documented at various times, and Avi at one point posted some form of this to Nanog (moons ago...search archives).
My impression of "best practices" would be to:
1. implement mac-filter or mac-counters to prevent any illegally statically routed non-peer traffic.
2. implement traceroute scripts to check that peers are not defaulting any partial transit thru you.
Feedback welcome :-)
Cheers, -Lane
On Fri, Feb 08, 2002 at 10:29:07AM -0800, David McGaugh <david_mcgaugh@eli.net> wrote:
Hello NANOG,
Just curious if anyone is performing MAC address filtering at any of the Ethernet exchange points. If so, has it been found to be easy to administer, or difficult, whereby peers may be changing Layer 3 devices or interfaces without notice? Alternately, is MAC address filtering considered an unneeded security measure?
Thanks, Dave
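The two controls Lane lists (a per-port MAC allow-list with counters, and a check that a peer is not using you for destinations you never announced to them) can be prototyped offline before anyone touches a router. The script below is an added example written for this thread, not code from any of the posters or from Juniper or Cisco; it stands in for what a line-rate MAC filter and per-MAC counters would do, using constructed peer MACs, documentation-range prefixes and a constructed set of IP frames.

```python
"""
Offline model of the two IXP-port controls discussed in the thread:
  1. a per-port MAC allow-list (mac-filter) with per-MAC counters
  2. detection of a peer "pointing default" at us: frames arriving from a
     known peer MAC whose destination IP lies outside the prefixes we announce
Every peer, MAC, prefix and frame here is constructed sample data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed: the source MACs we expect to see on our exchange port.
PEER_MACS = {
    "00:11:22:aa:bb:01": "peer-A",
    "00:11:22:aa:bb:02": "peer-B",
}

# Constructed: prefixes we announce to peers at this exchange (RFC 5737 ranges).
ANNOUNCED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


@dataclass(frozen=True)
class Frame:
    """Minimal view of an IP frame as seen on the exchange port."""
    src_mac: str
    dst_ip: str


def is_announced(dst_ip: str) -> bool:
    """True if dst_ip falls inside a prefix we actually announce."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ANNOUNCED)


def classify(frame: Frame) -> str:
    """Return 'permit', 'unknown-mac' (mac-filter would drop it) or
    'transit-abuse' (known peer sending us traffic for destinations we never announced)."""
    peer = PEER_MACS.get(frame.src_mac.lower())
    if peer is None:
        return "unknown-mac"
    if not is_announced(frame.dst_ip):
        return "transit-abuse"
    return "permit"


def audit(frames) -> Counter:
    """Tally verdicts per peer (or per unknown MAC), like per-MAC counters on the port."""
    counts = Counter()
    for f in frames:
        who = PEER_MACS.get(f.src_mac.lower(), f.src_mac.lower())
        counts[(who, classify(f))] += 1
    return counts


def suspects(counts: Counter, threshold: int = 1):
    """Peers whose transit-abuse count has reached the threshold, sorted by name."""
    return sorted(who for (who, verdict), n in counts.items()
                  if verdict == "transit-abuse" and n >= threshold)


# Constructed sample traffic: peer-B is sending us packets for 203.0.113.0/24,
# a prefix we do not announce, and one frame comes from a MAC we never configured.
SAMPLE_FRAMES = [
    Frame("00:11:22:aa:bb:01", "192.0.2.10"),
    Frame("00:11:22:aa:bb:01", "198.51.100.5"),
    Frame("00:11:22:aa:bb:02", "192.0.2.20"),
    Frame("00:11:22:aa:bb:02", "203.0.113.7"),
    Frame("00:11:22:AA:BB:02", "203.0.113.9"),
    Frame("00:de:ad:be:ef:00", "192.0.2.1"),
]

if __name__ == "__main__":
    counts = audit(SAMPLE_FRAMES)
    for (who, verdict), n in sorted(counts.items()):
        print(f"{who:20} {verdict:14} {n}")
    print("peers pointing default at us:", suspects(counts))
```

The unknown-MAC case is what the mac-filter itself would catch; the transit-abuse counter is the part a MAC filter alone cannot give you, which is Dave's point about repointed next hops. In practice the prefix list should be the set you announce to that specific peer rather than one global list, since announcements differ per session, and a threshold above one avoids paging on a single stray packet.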