[45603] in North American Network Operators' Group


Re: Ethernet EP - MAC Address Filtering

daemon@ATHENA.MIT.EDU (Lane Patterson)
Mon Feb 11 14:59:03 2002

Date: Mon, 11 Feb 2002 11:58:27 -0800
From: Lane Patterson <lane@laneandmimi.com>
To: David McGaugh <david_mcgaugh@eli.net>
Cc: nanog@merit.edu
Message-ID: <20020211115827.A31923@laneandmimi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <3C6418F3.9FADBD25@eli.net>
Errors-To: owner-nanog-outgoing@merit.edu


I'm aware that Juniper GigE interfaces support a mac-filter-list.  I'm
not well versed on which versions of Cisco router products support this
well (and line rate), but I didn't think GSRs and 7xxx had any support for 
this.  Are the L2/L3 family (65xx, 76xx) able to handle mac-filters at
line rate w/o a slow path?

I too would be interested in knowing if folks perform mac-filtering.

Certainly there are other measures you can take as well, such as scripting
some default-pointing traceroute checks, to check both peers and non-peers
on an IXP fabric.  These have been documented at various times, and Avi
at one point posted some form of this to Nanog (moons ago...search archives).

My impression of "best practices" would be to:

	1.  implement mac-filter or mac-counters to prevent
		any illegally statically routed non-peer traffic.
	2.  implement traceroute scripts to check that peers are
		not defaulting any partial transit thru you.

Feedback welcome :-)

Cheers,
-Lane

On Fri, Feb 08, 2002 at 10:29:07AM -0800, David McGaugh <david_mcgaugh@eli.net> wrote:

> Hello NANOG,
> 
> 	Just curious if anyone is performing MAC Address Filtering at any of
> the Ethernet Exchange Points. If so has it been found to be easy to
> administer or difficult whereby peers may be changing Layer 3 devices
> or Interfaces without notice? Alternately is MAC Address Filtering
> considered an unneeded security measure?
> 
> Thanks,
> Dave
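
The mac-counters check from point 1 of the list above, as an added example that is not part of the original post: it compares per-source-MAC input counters on an exchange-facing port against the MACs of known BGP peers and reports sustained traffic from anyone else. The input formats, the sample addresses and the `min_packets` threshold are assumptions constructed for illustration, not output of any particular router.

```python
import re

# Constructed sample: exchange-LAN IP and ARP-learned MAC of each BGP peer.
PEER_ARP = """\
198.51.100.10  0000.5e00.5310
198.51.100.11  00:00:5E:00:53:11
"""

# Constructed sample: per-source-MAC input counters on the exchange port.
MAC_COUNTERS = """\
00:00:5e:00:53:10  input_packets=918273
0000.5e00.5311     input_packets=445566
00-00-5E-00-53-99  input_packets=12044
0000.5e00.53aa     input_packets=3
"""

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits; raise ValueError if malformed."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def peer_macs(arp_text):
    """Build the set of MACs that belong to routers we peer with."""
    return {normalize_mac(line.split()[1])
            for line in arp_text.splitlines() if len(line.split()) >= 2}

def non_peer_senders(counter_text, allowed, min_packets=100):
    """Return (mac, packets) for sources outside `allowed`, busiest first.

    min_packets is an assumed noise floor: on a shared LAN a few stray
    frames from non-peers are expected, sustained traffic is not.
    """
    hits = []
    for line in counter_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mac = normalize_mac(fields[0])
        packets = int(fields[1].split("=", 1)[1])
        if mac not in allowed and packets >= min_packets:
            hits.append((mac, packets))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)

if __name__ == "__main__":
    for mac, packets in non_peer_senders(MAC_COUNTERS, peer_macs(PEER_ARP)):
        print(f"non-peer source {mac}: {packets} packets received")
```

Normalizing before comparison matters because the same address is commonly written in dotted, colon and hyphen notation by different devices; the peer list must also be refreshed when a peer swaps hardware, or its new MAC will be reported as a non-peer.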

