Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Peering VLANs and MAC addresses

  • From: Randy Bush
  • Date: Wed Nov 09 21:36:34 2005

[ the voice of experience speaks ]
> We used to police this policy semi-manually, but now the switch vendors do 
> decent hardware-based port-security/mac-locking functionality, so that 
> does it for us, and actually does it pretty well.
> 
> - The switch learns the first address received on the interface, which 
> should be the first ingress frame (usually an ARP generated by the router 
> sending a BGP Open), and remembers it (with a 3 minute ageing time).
> 
> - This has the effect of applying an acl to the port (in hardware), which 
> permits traffic from the "good" address, and drops frames from other 
> addresses. 
> 
> - Should more than 100 different source MACs be learned (99 of which will 
> be filtered and dropped) on the interface, the port will then log a 
> critical violation and shut the port down.
> 
> It works pretty well, it prevents all the usual badness we'd normally 
> associate with switches on the IXP.
> 
> So at the end of the day, it looks like we've been able to find a happy
> medium, maintaining decent "hygiene", while being able to let people
> indulge in deploying switches if they so choose.

thanks!  this approaches reassuring.  why does it tolerate 100
macs?  at first blush, i would think three or four would be a
bad enough sign.

randy
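As an added illustration (not part of the thread), the block below is a small Python model of the port-security behaviour the quoted message describes, with a run that compares the 100-MAC threshold against a threshold of four like the one Randy asks about. The ageing semantics, the traffic and every MAC address in it are assumptions, not anything from the list.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed reading of "3 minute ageing time": forget the learned MAC after
# 180 s without a frame from it.
AGEING_SECONDS = 180


@dataclass
class SecuredPort:
    threshold: int = 100                 # 100 in the quoted message
    learned_mac: Optional[str] = None
    last_seen: float = 0.0
    seen_macs: set = field(default_factory=set)
    shut: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str, now: float) -> str:
        """Handle one ingress frame; returns 'permit', 'drop' or 'shutdown'."""
        if self.shut:
            return "shutdown"
        if self.learned_mac and now - self.last_seen > AGEING_SECONDS:
            self.learned_mac = None      # learned address aged out
        if self.learned_mac is None:
            self.learned_mac = src_mac   # first ingress frame wins (router ARP)
        self.seen_macs.add(src_mac)
        if len(self.seen_macs) > self.threshold:
            self.shut = True             # "critical violation", port disabled
            self.log.append(f"CRITICAL: {len(self.seen_macs)} source MACs, shutting port")
            return "shutdown"
        if src_mac == self.learned_mac:
            self.last_seen = now         # good traffic refreshes the ageing timer
            return "permit"
        return "drop"                    # hardware ACL: other sources dropped


def run(threshold: int, frames: list) -> dict:
    """Replay (time, src_mac) frames through one port and count the outcomes."""
    port = SecuredPort(threshold=threshold)
    counts = {"permit": 0, "drop": 0, "shutdown": 0}
    for t, mac in frames:
        counts[port.ingress(mac, t)] += 1
    return counts


# Constructed traffic: the peer's router interleaved with frames from ten
# other MACs, as if an unmanaged switch were hung behind the peering port.
ROUTER = "00:00:5e:00:53:01"
ROGUES = [f"00:00:5e:00:53:{i:02x}" for i in range(0x10, 0x1a)]
FRAMES = []
for i in range(20):
    FRAMES.append((i * 1.0, ROUTER))
    if i < len(ROGUES):
        FRAMES.append((i * 1.0 + 0.5, ROGUES[i]))

if __name__ == "__main__":
    print("threshold 100:", run(100, FRAMES))  # rogues dropped, router keeps talking
    print("threshold 4:  ", run(4, FRAMES))    # port shut at the 5th distinct MAC
```

With the high threshold the rogue frames are silently dropped and the router's session survives; with the low one the port is shut down after a handful of stray MACs, which is a clearer alarm but also cuts off the legitimate peer.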