Ethernet EP - MAC Address Filtering
Hello NANOG,

Just curious if anyone is performing MAC Address Filtering at any of the Ethernet Exchange Points. If so, has it been found to be easy to administer, or difficult whereby peers may be changing Layer 3 devices or interfaces without notice? Alternatively, is MAC Address Filtering considered an unneeded security measure?

Thanks,
Dave

--
David McGaugh, Internetwork Engineer
Electric Lightwave, Inc., Network Planning and Engineering
4400 NE 77th Ave., Vancouver, WA 98662, USA
tel: 360.816.3718  fax: 360.816.3297
dmcgaugh@eli.net  http://www.eli.net
David McGaugh wrote:
Just curious if anyone is performing MAC Address Filtering at any of the Ethernet Exchange Points. If so, has it been found to be easy to administer, or difficult whereby peers may be changing Layer 3 devices or interfaces without notice? Alternatively, is MAC Address Filtering considered an unneeded security measure?
If you're peering with a switch fabric, it could be a pain to do full filtering: if non-peer X and peer Y are both on the fabric, and peer Y sends out ICMP redirects to non-peer X, who is trying to communicate with you, then you would drop the traffic from non-peer X (due to a config error at peer Y, who shouldn't have sent the redirects).

Static ARP entries and "no arp arpa" may be a better solution, and you'll give your NOC something to do (i.e. ring up and chat with your peer's NOC) when they get a "BGP peer down" notice from the monitoring system due to an upgrade. As well as an opportunity to check out the MAC address of the new peer and look at what vendor they've switched from/to :-)

However, you'd still have an issue if you accepted an ICMP redirect and then couldn't find the IP mentioned in that redirect, as it wasn't in your (static) ARP table.

David.

--
David Luyer, Network Development Manager
Pacific Internet (Australia)  http://www.pacific.net.au/  NASDAQ: PCNTF
Phone: +61 3 9674 7525  Fax: +61 3 9699 8693  Mobile: +61 4 1111 BYTE
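The static-ARP approach in the reply above turns a peer's unannounced hardware swap into a "BGP peer down" alarm; the following is an added example (editor's code, not from either poster) of the bookkeeping that makes that alarm actionable: keep a per-peer registry of IP-to-MAC on the exchange VLAN, emit the IOS-style static entries from it, and diff an observed ARP table against it so the NOC sees "peer .20 changed MAC" or "unregistered host .77 on the fabric" instead of only a silent session drop. The peer addresses, MACs and the sample `show ip arp` output are all constructed; the `no arp arpa` / `arp <ip> <mac> arpa` command forms are the IOS syntax as the editor recalls it and are an assumption, not something the thread states.

```python
"""
Added example (not from the NANOG thread): static-ARP registry for an
exchange-point VLAN, config emitter, and an audit of observed ARP entries
against the registry.  Every address, MAC and the sample output is constructed.
"""
import re

# Constructed registry: the IP -> MAC each peer agreed to present on the fabric.
PEER_REGISTRY = {
    "198.51.100.10": "0000.0c12.3456",   # peer Y
    "198.51.100.20": "00d0.b7ab.cdef",   # peer Z
}

# Constructed: our own address on the fabric, which the audit ignores.
LOCAL_ADDRESSES = frozenset({"198.51.100.1"})

# Constructed sample of 'show ip arp' output after peer Z swapped hardware
# and an unregistered host (.77) appeared on the exchange VLAN.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.1            -   0010.7b11.2233  ARPA   FastEthernet0/0
Internet  198.51.100.10           3   0000.0c12.3456  ARPA   FastEthernet0/0
Internet  198.51.100.20           7   00e0.1e99.8877  ARPA   FastEthernet0/0
Internet  198.51.100.77          12   0800.2033.4455  ARPA   FastEthernet0/0
"""

_HEX12 = re.compile(r"^[0-9a-fA-F]{12}$")
_ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F.]+)\s+ARPA\s+(?P<intf>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56; return colon form."""
    digits = re.sub(r"[.:-]", "", mac)
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def static_arp_config(registry: dict, interface: str) -> list:
    """Emit IOS-style lines: disable dynamic ARP on the fabric interface, then pin
    each peer.  The command syntax is an assumption of this example."""
    lines = [f"interface {interface}", " no arp arpa", "!"]
    by_octets = sorted(registry.items(), key=lambda kv: tuple(int(o) for o in kv[0].split(".")))
    for ip, mac in by_octets:
        flat = normalize_mac(mac).replace(":", "")
        dotted = ".".join(flat[i:i + 4] for i in range(0, 12, 4))
        lines.append(f"arp {ip} {dotted} arpa")
    return lines


def parse_show_ip_arp(text: str) -> dict:
    """Return {ip: normalized_mac} for every ARPA entry in 'show ip arp' output."""
    entries = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if m:
            entries[m["ip"]] = normalize_mac(m["mac"])
    return entries


def audit(observed: dict, registry: dict, local_addresses=frozenset()) -> list:
    """Compare observed ARP entries with the registry.  Findings are tuples:
    ("mac-changed", ip, expected, seen)  - a peer re-homed onto new hardware
    ("not-registered", ip, mac)          - a non-peer host is on the fabric
    ("missing", ip, expected)            - a registered peer is not visible
    """
    expected = {ip: normalize_mac(mac) for ip, mac in registry.items()}
    findings = []
    for ip, mac in sorted(observed.items()):
        if ip in local_addresses:
            continue
        if ip not in expected:
            findings.append(("not-registered", ip, mac))
        elif expected[ip] != mac:
            findings.append(("mac-changed", ip, expected[ip], mac))
    for ip in sorted(set(expected) - set(observed)):
        findings.append(("missing", ip, expected[ip]))
    return findings


def main() -> None:
    for line in static_arp_config(PEER_REGISTRY, "FastEthernet0/0"):
        print(line)
    observed = parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)
    for finding in audit(observed, PEER_REGISTRY, LOCAL_ADDRESSES):
        print("ALERT", *finding)


if __name__ == "__main__":
    main()
```

Run as a script it prints the static-entry config followed by two alerts: the changed MAC for 198.51.100.20 (the upgrade the reply talks about, with the new OUI visible for the "what vendor did they switch to" check) and the unregistered host at 198.51.100.77. The reply's remaining caveat is visible in the same data: a redirect pointing at .77 would not resolve against a static-only table, because the registry has no entry for it.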