On 19.04.2009 19:43 Chris Caputo wrote:
> On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
>> On Sat, 18 Apr 2009, Nick Hilliard wrote:
>>> - ruthless and utterly fascist enforcement of one mac address per port, using either L2 ACLs or else mac address counting, with no exceptions for any reason, ever. This is probably the single most important stability / security enforcement mechanism for any IXP.
>>
>> Well, as long as it simply drops packets and doesn't shut the port or some other "fascist" enforcement. We've had AMSIX complain that our Cisco 12k with E5 linecard was spitting out a few tens of packets per day during two months with random source mac addresses. Started suddenly, stopped suddenly. It's ok for them to drop the packets, but not shut the port in a case like that.
>
> From the IX operator perspective it is important to immediately shut down a port showing a packet from an extra MAC address, rather than just silently dropping them.
We (DE-CIX) simply nail each MAC statically to the customer port and allow traffic from these statically configured MAC addresses to enter the switch fabric. Initially this was done as a workaround as the F10 boxes didn't support port-security. Meanwhile we think this is the best way to handle MAC management. As a benefit there is no need to shut down customer ports when frames from additional MACs arrive. These are simply ignored. Works really great for us. YMMV.

Arnold

-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958   fax: +49 6224 9259 333
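As an added illustration (not code from this thread, from DE-CIX, AMS-IX or any switch vendor), the following Python simulates the three enforcement styles the posters compare: a MAC statically nailed to the port with offending frames silently dropped, the same with the port shut down on the first offending frame, and "mac address counting" where the port learns its single MAC from the first frame. It runs over a constructed frame trace that mimics the case Mikael describes, a port that emits a few frames with random source MACs in the middle of normal traffic. The port name, MAC addresses and trace are made up; a real deployment would feed the policy from sFlow samples or the switch's own port-security counters.

```python
"""Simulate per-port MAC enforcement policies on an exchange switch.

Constructed example: port names, MACs and the frame trace below are
assumptions, not data from any IXP.  Frames are (port, source MAC) tuples.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class PortPolicy:
    """One customer port.

    static_mac: MAC nailed to the port (the DE-CIX approach).  None means the
                port learns its single MAC from the first frame (MAC counting).
    violation:  "drop" silently discards offending frames; "shutdown"
                err-disables the port on the first offending frame.
    """
    name: str
    static_mac: Optional[str] = None
    violation: str = "drop"
    learned_mac: Optional[str] = None
    up: bool = True
    dropped: int = 0
    offenders: Set[str] = field(default_factory=set)

    def allowed_mac(self) -> Optional[str]:
        mac = self.static_mac if self.static_mac is not None else self.learned_mac
        return mac.lower() if mac else None

    def ingress(self, src_mac: str) -> bool:
        """Return True if the frame is admitted to the switch fabric."""
        src_mac = src_mac.lower()
        if not self.up:                      # err-disabled: everything is lost
            self.dropped += 1
            return False
        allowed = self.allowed_mac()
        if allowed is None:                  # learning mode: first MAC sticks
            self.learned_mac = src_mac
            return True
        if src_mac == allowed:
            return True
        self.offenders.add(src_mac)
        self.dropped += 1
        if self.violation == "shutdown":
            self.up = False
        return False


def run(frames: Iterable[Tuple[str, str]], policies: Dict[str, PortPolicy]) -> Dict[str, dict]:
    """Feed frames through the port policies and summarise the outcome per port."""
    admitted: Dict[str, int] = defaultdict(int)
    for port, mac in frames:
        if policies[port].ingress(mac):
            admitted[port] += 1
    return {
        p.name: {"up": p.up, "admitted": admitted[p.name],
                 "dropped": p.dropped, "offenders": sorted(p.offenders)}
        for p in policies.values()
    }


CUSTOMER_MAC = "00:11:22:33:44:55"   # assumed MAC of the customer router
PORT = "Gi1/1"                        # assumed customer-facing port

# Constructed trace: ordinary traffic with two stray random-source frames in
# the middle, the pattern described for the Cisco 12k/E5 linecard in the thread.
TRACE: List[Tuple[str, str]] = (
    [(PORT, CUSTOMER_MAC)] * 5
    + [(PORT, "02:de:ad:be:ef:01"), (PORT, "02:de:ad:be:ef:02")]
    + [(PORT, CUSTOMER_MAC)] * 5
)


def simulate(static_mac: Optional[str], violation: str) -> dict:
    """Run the constructed trace under one policy and return that port's summary."""
    policies = {PORT: PortPolicy(PORT, static_mac=static_mac, violation=violation)}
    return run(TRACE, policies)[PORT]


if __name__ == "__main__":
    for label, args in (("static, drop", (CUSTOMER_MAC, "drop")),
                        ("static, shutdown", (CUSTOMER_MAC, "shutdown")),
                        ("learned, drop", (None, "drop"))):
        print(f"{label:18s} {simulate(*args)}")
```

With silent dropping the customer loses only the two stray frames and the port stays up; with shutdown on first violation the port is err-disabled at frame six and every later frame, including legitimate ones, is lost until an operator clears it. The learning variant behaves like the static one here because the first frame carried the real MAC; if a stray frame had arrived first, the port would have "locked in" the wrong address, which is one reason to prefer nailing the MAC statically.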