North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Peering VLANs and MAC addresses
- From: Randy Bush
- Date: Wed Nov 09 21:36:34 2005
[ the voice of experience speaks ]
> We used to police this policy semi-manually, but now the switch vendors do
> decent hardware-based port-security/mac-locking functionality, so that
> does it for us, and actually does it pretty well.
> - The switch learns the first address received on the interface, which
> should be the first ingress frame (usually an ARP generated by the router
> sending a BGP Open), and remembers it (with a 3 minute ageing time).
> - This has the affect of applying an acl to the port (in hardware), which
> permits traffic from the "good" address, and drops frames from other
> - Should more than 100 different source MACs be learned (99 of which will
> be filtered and dropped) on the interface, the port will then log a
> critical violation and shut the port down.
> It works pretty well, it prevents all the usual badness we'd normally
> associate with switches on the IXP.
> So at the end of the day, it looks like we've been able to find a happy
> medium, maintaining decent "hygiene", while being able to let people
> indulge in deploying switches if they so choose.
thanks! this approaches reassuring. why does it tolerate 100
macs? at first blush, i would think three or four would be a
bad enough sign.