[124280] in North American Network Operators' Group


Re: Auto MDI/MDI-X + conference rooms + bored == loop

daemon@ATHENA.MIT.EDU (John Kristoff)
Mon Mar 29 18:08:37 2010

Date: Mon, 29 Mar 2010 17:07:44 -0500
From: John Kristoff <jtk@cymru.com>
To: Chuck Anderson <cra@WPI.EDU>
In-Reply-To: <20100326220922.GH12189@angus.ind.WPI.EDU>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, 26 Mar 2010 18:09:22 -0400
Chuck Anderson <cra@WPI.EDU> wrote:

> Anyone have suggestions on Ethernet LAN loop-prevention?  With the 
> advent of Auto MDI/MDI-X ports on switches, it seems way too easy to 
> accidentally or maliciously create loops between network jacks.  We 

Some time ago I did some work on implementing what cisco called 'port
security'.  The idea was to add some layer 2 protection from a security
perspective.  It turns out in practice, at least in the environment I
was in, they never happen.  However, it did offer protection for loops
since if a secured port saw a source address show up on another
port, it would block it and generate logs, which we monitored and could
then go deal with while the network remained up.

There are some potential gotchas depending on how you implement port
security so you need to consider carefully how you implement it if you do
it.  It's been a while since I've done anything in this space, but this
better captures my experience since my memory of it is beginning to
fade:

  <http://www.ops.ietf.org/lists/opsec/opsec.2005/msg00033.html>

John
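
To make the mechanism John describes concrete, here is an added example
(a simplified model of my own, not Cisco's port-security implementation
and not code from anyone on the list): a switch keeps a MAC table, and
when a source address that was secured on one port shows up on another
secured port, the port where it reappeared takes the violation, is
blocked and a log line is generated, while the rest of the switch keeps
forwarding. The port names, MAC addresses and the looped-frame sequence
are constructed for the demonstration; in the constructed scenario the
two conference-room jacks are looped together, so frames from the desk
host leak back in on both of them.

```python
"""Simplified port-security / MAC-move model (added example, not a vendor
implementation).  A real switch does the learning and blocking in hardware
and exposes many more knobs; this only shows the detection logic."""
from dataclasses import dataclass, field


@dataclass
class PortState:
    secured: bool            # port-security enabled on this port
    max_macs: int = 1        # allowed source addresses on a secured port
    learned: set = field(default_factory=set)
    blocked: bool = False    # set after a violation (like err-disable)


class PortSecuritySwitch:
    def __init__(self):
        self.ports = {}
        self.mac_table = {}  # src MAC -> port it was first learned on
        self.log = []        # log lines an operator would be paged on

    def add_port(self, name, secured, max_macs=1):
        self.ports[name] = PortState(secured=secured, max_macs=max_macs)

    def _violate(self, port, mac, why):
        # Model choice: block the port where the address reappeared.
        self.ports[port].blocked = True
        self.log.append(f"PORT-SECURITY violation on {port}: {mac} {why}; port blocked")

    def observe(self, port, src_mac):
        """Process one ingress frame; return what the switch did with it."""
        p = self.ports[port]
        if p.blocked:
            return "dropped"
        owner = self.mac_table.get(src_mac)
        if owner is None:
            if p.secured and len(p.learned) >= p.max_macs:
                self._violate(port, src_mac, f"exceeds {p.max_macs} allowed address(es)")
                return "violation"
            self.mac_table[src_mac] = port
            p.learned.add(src_mac)
            return "learned"
        if owner == port:
            return "forwarded"
        # Address known on a different port: a MAC move.  With a secured
        # port on either side this is a violation; otherwise re-learn.
        if p.secured or self.ports[owner].secured:
            self._violate(port, src_mac, f"already secured on {owner}")
            return "violation"
        self.ports[owner].learned.discard(src_mac)
        self.mac_table[src_mac] = port
        p.learned.add(src_mac)
        return "moved"


def simulate_loop():
    """Constructed scenario: desk host on Gi1/1, uplink on Gi1/2, and a
    patch cable looping conference-room jacks Gi1/5 and Gi1/6 together."""
    sw = PortSecuritySwitch()
    sw.add_port("Gi1/1", secured=True)    # desk jack, one host allowed
    sw.add_port("Gi1/2", secured=False)   # uplink: many MACs, not secured
    sw.add_port("Gi1/5", secured=True)    # conference-room jack
    sw.add_port("Gi1/6", secured=True)    # conference-room jack
    host, rtr, srv = "00:11:22:33:44:01", "00:11:22:33:44:aa", "00:11:22:33:44:bb"
    frames = [
        ("Gi1/1", host),   # host learned on its desk port
        ("Gi1/2", rtr),    # router seen via uplink
        ("Gi1/2", srv),    # second address on unsecured uplink is fine
        ("Gi1/1", host),   # normal traffic
        ("Gi1/5", host),   # host's flooded frame comes back via the loop
        ("Gi1/6", host),   # ...and via the other side of the loop
        ("Gi1/5", host),   # port already blocked
        ("Gi1/1", host),   # desk host still works; network stayed up
    ]
    results = [sw.observe(port, mac) for port, mac in frames]
    return {"results": results, "log": sw.log, "ports": sw.ports}


if __name__ == "__main__":
    out = simulate_loop()
    for line in out["log"]:
        print(line)
```

Running the scenario blocks only the two looped jacks and leaves the desk
host forwarding, which is the property John is after: the loop is
contained and logged rather than taking the whole segment down. The
part that needs thought in a real deployment is the "MAC move" branch,
since legitimate moves (a laptop carried between rooms, a VM migration
behind an unsecured uplink) hit the same code path as a loop.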

