[102638] in North American Network Operators' Group


IX port security

daemon@ATHENA.MIT.EDU (Greg VILLAIN)
Sat Feb 23 06:27:19 2008

From: Greg VILLAIN <nanog@grrrrreg.net>
To: nanog@nanog.org
Date: Sat, 23 Feb 2008 12:19:14 +0100
Errors-To: owner-nanog@merit.edu


Hi all,

Thinking back about this thread we've had lately around IXes, I have  
some extra questions.
It is, I assume, the IX's responsibility to protect members from harming  
each other through the peering LAN.
For that purpose, the IX has to do some minimum sanity checks before  
letting a member into the production VLAN, for instance by using a  
quarantine VLAN to probe its traffic first.
Then, once those checks are done, the IX shall apply a minimum  
security configuration to each member port:
1/ limiting broadcast/unknown unicast on each member port
2/ filtering bpdu
3/ locking mac addresses

Here are my questions:
- re 1/, any clue about the PPS or %bandwidth values to be configured  
to limit broadcast/unknown unicast?
- re 3/ should a certain number of allowed mac-addresses be configured  
on the port (1 or 2)? Or should the customer's port mac be explicitly  
configured on the port?
- more importantly, is there any other standard precaution that I'm  
missing and that should be considered ?

cheers,

Greg VILLAIN
Independent Network/Telco Architecture Consultant
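As an added illustration (not part of Greg's post), the three port-level controls he lists written out as a Cisco IOS-style access-port configuration for one member port. The interface name, VLAN numbers, AS number, MAC address and storm-control thresholds are constructed placeholders, not recommended values, and the exact command syntax differs between platforms.

```cisco
! Added example: IX member access port with the three controls from the post.
! Cisco IOS-style syntax assumed; interface, VLANs, ASN, MAC address and
! thresholds are constructed placeholders, not recommendations.
interface GigabitEthernet1/0/1
 description IX member port - AS64500 (placeholder ASN)
 switchport mode access
 ! 100 = production peering VLAN (placeholder). During onboarding the port
 ! sits in a quarantine VLAN (e.g. 999) until the traffic checks pass.
 switchport access vlan 100
 !
 ! 1/ broadcast / unknown-unicast limiting (rising / falling pps thresholds
 ! are placeholders; size them against the member's real ARP/ND rates).
 ! Caveat: on some platforms "unicast" storm control counts ALL unicast,
 ! which would rate-limit legitimate peering traffic. Check the platform
 ! documentation before enabling the unicast line on a production port.
 storm-control broadcast level pps 1k 500
 storm-control unicast level pps 1k 500
 ! Excess traffic is dropped by default; "trap" additionally raises an SNMP
 ! trap so the NOC sees which member port is storming.
 storm-control action trap
 !
 ! 2/ BPDU filtering: the port neither sends nor accepts BPDUs, so a member
 ! switch can never become part of the IX spanning tree. The alternative,
 ! "spanning-tree bpduguard enable", err-disables the port on a received
 ! BPDU instead of silently dropping it; with bpdufilter set on the
 ! interface, bpduguard never sees the BPDU, so pick one behaviour.
 spanning-tree bpdufilter enable
 !
 ! 3/ MAC locking: exactly one explicitly configured source MAC (placeholder
 ! value). Frames from any other MAC are dropped and logged ("restrict")
 ! rather than err-disabling the port ("shutdown"), so a member's mistake
 ! does not take their own port down.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 !
 ! Do not speak link-layer discovery protocols towards members.
 no cdp enable
 no lldp transmit
 no lldp receive
```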



