[ the voice of experience speaks ]
We used to police this policy semi-manually, but now the switch vendors do decent hardware-based port-security/mac-locking functionality, so that does it for us, and actually does it pretty well.
- The switch learns the first address received on the interface, which should be the first ingress frame (usually an ARP generated by the router sending a BGP Open), and remembers it (with a 3-minute ageing time).
- This has the effect of applying an ACL to the port (in hardware), which permits traffic from the "good" address, and drops frames from other addresses.
- Should more than 100 different source MACs be learned (99 of which will be filtered and dropped) on the interface, the port will then log a critical violation and shut the port down.
It works pretty well, it prevents all the usual badness we'd normally associate with switches on the IXP.
So at the end of the day, it looks like we've been able to find a happy medium, maintaining decent "hygiene", while being able to let people indulge in deploying switches if they so choose.
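A small model of the learn-first-address / drop-the-rest / shut-at-100 behaviour described in the post, added here as an illustration and not the poster's vendor configuration. It assumes the 3-minute ageing is inactivity-based and that the violation fires when the distinct-source-MAC count exceeds 100; the MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

AGING_SECONDS = 180   # 3-minute ageing time from the post
MAC_LIMIT = 100       # more than this many distinct source MACs -> critical violation


@dataclass
class PortSecurity:
    """One switch interface running the mac-locking policy from the post."""
    locked_mac: Optional[str] = None   # the "good" address learned on first ingress
    last_seen: float = 0.0             # last time the locked address sent a frame
    seen_macs: set = field(default_factory=set)
    shut_down: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str, now: float) -> bool:
        """Process one ingress frame; return True if forwarded, False if dropped."""
        if self.shut_down:
            return False
        # Assumption: the binding ages out after AGING_SECONDS without traffic
        # from the locked address, after which the next frame seen is learned.
        if self.locked_mac is not None and now - self.last_seen > AGING_SECONDS:
            self.log.append(f"{now:.0f}: aged out {self.locked_mac}")
            self.locked_mac = None
        if self.locked_mac is None:
            self.locked_mac = src_mac
            self.log.append(f"{now:.0f}: learned {src_mac}")
        self.seen_macs.add(src_mac)
        if len(self.seen_macs) > MAC_LIMIT:
            self.shut_down = True
            self.log.append(f"{now:.0f}: CRITICAL violation, "
                            f"{len(self.seen_macs)} MACs seen, port shut down")
            return False
        if src_mac == self.locked_mac:
            self.last_seen = now
            return True
        return False  # hardware ACL drops frames from any other address


def simulate_member_switch(n_hosts: int):
    """Constructed scenario: the router's MAC arrives first (ARP for the BGP
    Open), then n_hosts other MACs appear behind a member's switch.
    Returns (port, number of non-router frames that were forwarded)."""
    port = PortSecurity()
    port.ingress("02:00:00:00:00:01", now=0.0)  # router -> learned as the good MAC
    forwarded = 0
    for i in range(n_hosts):
        mac = f"02:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}:ff"
        if port.ingress(mac, now=1.0 + i):
            forwarded += 1
    return port, forwarded
```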
thanks! this approaches reassuring. why does it tolerate 100 macs? at first blush, i would think three or four would be a bad enough sign. randy