Re: Ethernet EP - MAC Address Filtering
I'm aware that Juniper GigE interfaces support a mac-filter-list. I'm not well versed on which versions of Cisco router products support this well (and line rate), but I didn't think GSRs and 7xxx had any support for this. Are the L2/L3 family (65xx, 76xx) able to handle mac-filters at line rate w/o a slow path? I too would be interested in knowing if folks perform mac-filtering. Certainly there are other measures you can take as well, such as scripting some default-pointing traceroute checks, to check both peers and non-peers on an IXP fabric. These have been documented at various times, and Avi at one point posted some form of this to Nanog (moons ago...search archives). My impression of "best practices" would be to: 1. implement mac-filter or mac-counters to prevent any illegally statically routed non-peer traffic. 2. implement traceroute scripts to check that peers are not defaulting any partial transit thru you. Feedback welcome :-) Cheers, -Lane On Fri, Feb 08, 2002 at 10:29:07AM -0800, David McGaugh <david_mcgaugh@eli.net> wrote:
Hello NANOG,
Just curious if anyone is performing MAC Address Filtering at any of the Ethernet Exchange Points. If so has it been found to be easy to administer or difficult where by peers may be changing Layer 3 devices or Interfaces without notice? Alternately is MAC Address Filtering considered an unneeded security measure?
Thanks, Dave Content-Description: Card for Dave McGaugh
My impression of "best practices" would be to:
1. implement mac-filter or mac-counters to prevent any illegally statically routed non-peer traffic.
See my response to David McGaugh's e-mail - ICMP redirects could present some serious pain here. I've seen them present pain at peering points where for some reason during a routing glitch an incorrect ICMP redirect is sent and cached by a router or host (in Australia we have news servers at some peering exchanges, run by the peering exchange), and the router or host caching the redirect then continues to route traffic via a router with an access list dropping said traffic. You could see the same if you were doing MAC-layer filtering and seeing traffic pointed directly at you due to a non-peer accepting an ICMP redirect from a peer.
2. implement traceroute scripts to check that peers are not defaulting any partial transit thru you.
Sounds like an application for a MPLS virtual network without any default or upstream routes for peer traffic, or separate routers at peering exchanges which don't have default routes or routes from peers at other peering exchanges. Rather than checking peers aren't abusing you, make sure they can't. David. -- David Luyer Phone: +61 3 9674 7525 Network Development Manager P A C I F I C Fax: +61 3 9699 8693 Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 BYTE http://www.pacific.net.au/ NASDAQ: PCNTF
participants (2)
-
David Luyer
-
Lane Patterson