David McGaugh wrote:
Just curious if anyone is performing MAC Address Filtering at any of the Ethernet Exchange Points. If so, has it been found to be easy to administer, or difficult whereby peers may be changing Layer 3 devices or interfaces without notice? Alternately, is MAC Address Filtering considered an unneeded security measure?
If you're peering with a switch fabric, it could be a pain to do full filtering: if non-peer X and peer Y are both on the fabric, and peer Y sends out ICMP redirects to non-peer X who is trying to communicate with you, then you would drop the traffic from non-peer X (due to a config error at peer Y, who shouldn't have sent the redirects).

Static ARP entries and "no arp arpa" may be a better solution, and you'll give your NOC something to do (i.e. ring up and chat with your peer's NOC) when they get a "BGP peer down" notice from the monitoring system due to an upgrade. As well as an opportunity to check out the MAC address of the new peer and look at what vendor they've switched from/to :-)

However, you'd still have an issue if you accepted an ICMP redirect and then couldn't find the IP mentioned in that redirect, as it wasn't in your (static) ARP table.

David.

--
David Luyer                                   Phone:  +61 3 9674 7525
Network Development Manager   P A C I F I C   Fax:    +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T Mobile: +61 4 1111 BYTE
http://www.pacific.net.au/                    NASDAQ: PCNTF
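One way to operationalise the "check out the MAC address of the new peer" step from the reply: audit the exchange-facing ARP table against the MAC each peer is expected to answer from (the same list you would keep next to the static ARP entries). This is an added example, not code from either poster; the ARP output, expected-peer map and OUI table are constructed for illustration.

```python
"""Audit an exchange-facing ARP table against the MACs expected per BGP peer.
Flags peers whose hardware changed (hinting at a vendor swap or upgrade),
peers that fell silent, and neighbours that are not configured peers at all."""
import re

# Constructed: the MAC each peer's Layer 3 interface is expected to use.
EXPECTED_PEERS = {
    "198.51.100.10": "0000.0c11.2233",   # peer A
    "198.51.100.20": "00d0.b7aa.bbcc",   # peer B
}

# Constructed OUI-to-vendor table; a real audit would load the IEEE registry.
OUI = {"0000.0c": "Cisco", "00d0.b7": "Intel", "0004.96": "Extreme"}

# Constructed sample in the style of 'show ip arp' on the exchange port.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.10           4   0000.0c11.2233  ARPA   FastEthernet0/0
Internet  198.51.100.20           0   0004.96de.ad01  ARPA   FastEthernet0/0
Internet  198.51.100.30          12   00d0.b712.3456  ARPA   FastEthernet0/0
"""

# IP, any age token (may be '-'), then a dotted-hex MAC as IOS prints it.
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def parse_arp(text):
    """Return {ip: mac} from ARP table output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def vendor(mac):
    """Look up the vendor for a dotted-hex MAC's 24-bit OUI prefix."""
    return OUI.get(mac[:7], "unknown")

def audit(arp, expected):
    """Return a list of (ip, finding) tuples for anything that deviates."""
    findings = []
    for ip, want in expected.items():
        got = arp.get(ip)
        if got is None:
            findings.append((ip, "no ARP entry; peer silent or link down"))
        elif got != want:
            findings.append((ip, f"MAC changed {want} ({vendor(want)}) -> {got} ({vendor(got)})"))
    for ip, mac in arp.items():
        if ip not in expected:
            findings.append((ip, f"unexpected neighbour {mac} ({vendor(mac)}); not a configured peer"))
    return findings

if __name__ == "__main__":
    for ip, finding in audit(parse_arp(SAMPLE_ARP), EXPECTED_PEERS):
        print(ip, finding)
```

Feed it the real table with a scheduled `show ip arp` capture and the "BGP peer down" alert gets a MAC-change line next to it instead of a bare outage.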