[c-nsp] MAC limiting/ ACL on an IX environment

Rubens Kuhl Jr. rubensk at gmail.com
Wed Feb 28 21:04:08 EST 2007


I'm considering doing some protective measures on an IX layer-2
connection, and would like to hear some thoughts or experiences on
that. Directly connected hardware is a Cat6500 derivative with PFC3C and
IOS, but I think this would extend to any PFC3x-based configuration.
BGP-speaking routers are 1 hop to many hops away, some with 1 Gbps
capacity and others with just a couple of Mbps.

I'm trying to prevent the following scenarios:
- Flooding of traffic to slower links
- Excessive broadcasts

Some ideas:
- Filter traffic based on MAC addresses.
- Use MAC ACL to forward traffic only from known MAC addresses, IP
traffic unicast only, ARP traffic to broadcast allowed but QoS'ed
- Disabling MAC learning on that VLAN.
- Use ARP ACLs

Some gotchas:
- IP traffic used to bypass MAC filters. (maybe filtering by IP CIDR
blocks on VACLs?)
- ARP ACLs that aren't done in hardware and fall back to the RP (aka MSFC)?

Any thoughts?

Thanks,
Rubens
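As an added illustration (not the poster's configuration), here is one way to express the "known MACs, IP unicast only, ARP allowed, broadcasts limited" idea as a Cat6500 VACL plus per-port storm control; the VLAN number, MAC addresses and peer prefix are constructed placeholders, and the syntax follows 12.2SX-style IOS, so check it against the running release. It also shows the first gotcha above: on the PFC a MAC ACL inside a VACL matches non-IP frames only, so IP traffic has to be filtered in the IP sequence, here by peer source prefix.

```cisco
! Constructed example: IX peering VLAN 100 on a Cat6500/PFC3 (IOS).
! MAC addresses and prefixes below are placeholders, not real peers.

! 1. Non-IP traffic: only ARP (ethertype 0x0806) from known peer MACs.
!    The PFC applies this MAC ACL to non-IP frames only, so it cannot
!    be used to stop IP traffic; that is handled by the IP sequence.
!    Masks are inverse masks: 0000.0000.0000 / 0x0 = exact match.
mac access-list extended IX-ARP-KNOWN
 permit 0000.0c11.1111 0000.0000.0000 any 0x0806 0x0
 permit 0000.0c22.2222 0000.0000.0000 any 0x0806 0x0

! 2. IP traffic: only from the peers' known address block, and only to
!    unicast destinations (no multicast, no limited broadcast).
!    In a VACL a "deny" entry means "no match in this sequence", so the
!    frame falls through to the next sequence and, matching nothing
!    there, is dropped by the access map's implicit drop.
ip access-list extended IX-IP-KNOWN
 deny   ip any 224.0.0.0 15.255.255.255
 deny   ip any host 255.255.255.255
 permit ip 192.0.2.0 0.0.0.255 any

! 3. Tie both into one VACL; anything not forwarded is dropped.
vlan access-map IX-PROTECT 10
 match ip address IX-IP-KNOWN
 action forward
vlan access-map IX-PROTECT 20
 match mac address IX-ARP-KNOWN
 action forward
vlan filter IX-PROTECT vlan-list 100

! 4. Rate-limit broadcasts (the permitted ARP) on each IX-facing port so
!    one peer cannot flood the slower links behind the switch.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 100
 storm-control broadcast level 1.00
```

Adding a new peer means adding one line to each ACL (its MAC and, if it is outside the block, its address); leaving the VACL and port configuration unchanged.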

