On 19.04.2009 19:43 Chris Caputo wrote:
> On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
>> On Sat, 18 Apr 2009, Nick Hilliard wrote:
>>> - ruthless and utterly fascist enforcement of one mac address per
>>> port, using either L2 ACLs or else mac address counting, with no
>>> exceptions for any reason, ever. This is probably the single most
>>> important stability / security enforcement mechanism for any IXP.
>>
>> Well, as long as it simply drops packets and doesn't shut the port or
>> some other "fascist" enforcement. We've had AMSIX complain that our
>> Cisco 12k with E5 linecard was spitting out a few tens of packets per
>> day during two months with random source mac addresses. Started
>> suddenly, stopped suddenly. It's ok for them to drop the packets, but
>> not shut the port in a case like that.
>
> From the IX operator perspective it is important to immediately shut down
> a port showing a packet from an extra MAC address, rather than just
> silently dropping them.
We (DE-CIX) simply nail each MAC statically to the customer port and allow traffic from these statically configured MAC addresses to enter the switch fabric. Initially this was done as a workaround as the F10 boxes didn't support port-security. Meanwhile we think this is the best way to handle MAC management.

As a benefit there is no need to shut down customer ports when frames from additional MACs arrive. These are simply ignored.

Works really great for us. YMMV.

Arnold

-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arn...@nipper.de   phone: +49 6224 9259 299
mobile: +49 172 2650958   fax: +49 6224 9259 333
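The two enforcement styles argued over in this thread (static per-port MAC allow-list that silently drops and counts strays, versus port-security that err-disables the port on the first stray) can be modelled in a few lines. The block below is an added example, not DE-CIX's or anyone else's switch configuration; the fabric class, port names, MAC addresses and the "a few stray frames per day" traffic pattern are all constructed here to mirror the 12k/E5 case Mikael describes.

```python
"""
Model of the two IXP MAC-enforcement policies from the thread.

  "static"   : a fixed allow-list of source MACs per customer port; any
               other source MAC is dropped and counted, the port stays up
               (the DE-CIX approach: MAC nailed to the port, strays ignored).
  "shutdown" : port-security style; the first unexpected source MAC
               err-disables the port (the behaviour Mikael objects to).

All names, ports, MACs and traffic below are constructed for illustration.
"""
import random
from dataclasses import dataclass, field


@dataclass
class PortState:
    allowed: frozenset          # statically configured source MACs for this port
    mode: str                   # "static" or "shutdown"
    up: bool = True             # False once err-disabled
    forwarded: int = 0
    dropped: int = 0
    offenders: set = field(default_factory=set)   # stray source MACs seen


class IxpFabric:
    """Minimal ingress filter for a hypothetical IXP switch fabric."""

    def __init__(self):
        self.ports = {}

    def configure_port(self, port, macs, mode="static"):
        self.ports[port] = PortState(frozenset(m.lower() for m in macs), mode)

    def ingress(self, port, src_mac):
        """Return 'forward', 'drop' or 'shutdown' for one frame on `port`."""
        st = self.ports[port]
        if not st.up:
            st.dropped += 1          # an err-disabled port forwards nothing
            return "drop"
        src = src_mac.lower()
        if src in st.allowed:
            st.forwarded += 1
            return "forward"
        # Source MAC not nailed to this port: never let it into the fabric.
        st.dropped += 1
        st.offenders.add(src)
        if st.mode == "shutdown":
            st.up = False            # port-security violation -> err-disable
            return "shutdown"
        return "drop"                # static allow-list: ignore and carry on


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(mode, seed=1):
    """One customer port with a single nailed MAC. 1000 frames of normal
    traffic, with a stray random-source frame every 100 frames (10 in total),
    roughly the 'few tens of packets per day' pattern from the thread."""
    rng = random.Random(seed)
    fab = IxpFabric()
    fab.configure_port("Gi1/1", ["00:11:22:33:44:55"], mode)
    verdicts = []
    for i in range(1000):
        src = random_mac(rng) if i % 100 == 50 else "00:11:22:33:44:55"
        verdicts.append(fab.ingress("Gi1/1", src))
    st = fab.ports["Gi1/1"]
    return {
        "up": st.up,
        "forwarded": st.forwarded,
        "dropped": st.dropped,
        "bogus_macs_seen": len(st.offenders),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for mode in ("static", "shutdown"):
        r = run_scenario(mode)
        print(f"{mode:9s} up={r['up']} forwarded={r['forwarded']} "
              f"dropped={r['dropped']} strays={r['bogus_macs_seen']}")
```

Under "static" the port stays up, 990 legitimate frames are forwarded and the 10 strays are dropped and counted, which is exactly what an operator wants when a customer's linecard leaks a handful of garbage source MACs. Under "shutdown" the first stray at frame 50 takes the port down and every legitimate frame after it is lost as collateral. On a Cisco Catalyst the same choice is the `switchport port-security violation {protect | restrict | shutdown}` knob: `protect` drops silently, `restrict` drops and counts, `shutdown` err-disables; the static allow-list approach corresponds to `protect` or `restrict` combined with the configured secure MAC, or equivalently a per-port L2 ACL on the source MAC.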