[c-nsp] MAC limiting/ ACL on an IX environment

Arnold Nipper arnold at nipper.de
Thu Mar 1 06:44:42 EST 2007


On 01.03.2007 03:04 Rubens Kuhl Jr. wrote

> I'm considering doing some protective measures on an IX layer-2
> connection, and would like to hear some thoughts or experiences on
> that. Directly connected hardware is a Cat6500-derivate with PFC3C and
> IOS, but I think this would extend to any PFC3x-based configuration.
> BGP-speaking routers are 1 hop to many hops away, some with 1 Gbps
> capacity and others with just a couple of Mbps.
> 
> I'm trying to prevent the following scenarios:
> - Flooding of traffic to slower links

In general you should see no flooding. To prevent a device from sending
traffic to unknown destinations apply

 switchport block unicast


> - Excessive broadcasts
> 

E.g.

 storm-control broadcast level 0.10

> Some ideas:
> - Filter traffic based on MAC addresses.

I wouldn't do that unless you really have the situation that
everyone is able to plug in any device. Otherwise limiting the number of
MAC addresses should do. This does allow customers to change their device
w/o notifying you. E.g.

 switchport port-security maximum 1
 switchport port-security
 switchport port-security aging time 7
 switchport port-security violation restrict
 switchport port-security aging type inactivity



> - Use MAC ACL to forward traffic only from known MAC addresses, IP
> traffic unicast only, ARP traffic to broadcast allowed but QoS'ed

afaik that's not possible

> - Disabling MAC learning on that VLAN.

Why do you want to do that?

> - Use ARP ACLs
> 

What exactly do you mean by that? Use arpwatch to monitor ARP traffic.

> Some gotchas:
> - IP traffic used to bypass MAC filters. (may be filtering by IP CIDR
> blocks on VACLs ?)
> - ARP ACLs that aren't done in hardware and fallback to RP (aka MSFC) ?
> 


Arnold
-- 
Arnold Nipper / nIPper consulting, Sandhausen, Germany
email: arnold at nipper.de       phone: +49 6224 9259 299
mobile: +49 172 2650958         fax: +49 6224 9259 333
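An added audit script (not part of the thread, and not Cisco tooling) that checks every layer-2 switchport stanza of an IOS running-config for the measures Arnold lists above: unknown-unicast blocking, broadcast storm-control, and port-security with maximum 1 and violation restrict. The sample config, the check names and the stanza parser are constructed for this example; aging settings are deliberately not checked because their values are site policy.

```python
import re

# Constructed sample running-config (not from the post): Gi1/1 carries the measures
# listed in the reply, Gi1/2 only enables port-security, Vlan100 is a routed SVI.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport
 switchport block unicast
 storm-control broadcast level 0.10
 switchport port-security maximum 1
 switchport port-security
 switchport port-security aging time 7
 switchport port-security violation restrict
 switchport port-security aging type inactivity
!
interface GigabitEthernet1/2
 switchport
 switchport port-security
!
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
"""

# (check name, regex that must match one line of the interface stanza)
CHECKS = [
    ("block-unknown-unicast", re.compile(r"^ switchport block unicast$", re.M)),
    ("storm-control-broadcast", re.compile(r"^ storm-control broadcast level \S+", re.M)),
    ("port-security-enabled", re.compile(r"^ switchport port-security$", re.M)),
    ("port-security-maximum-1", re.compile(r"^ switchport port-security maximum 1$", re.M)),
    ("port-security-violation-restrict", re.compile(r"^ switchport port-security violation restrict$", re.M)),
]

def interface_stanzas(config):
    """Split an IOS config into {interface name: its indented lines joined by newlines}."""
    stanzas, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(" ", 1)[1]
            stanzas[name] = []
        elif line.startswith(" ") and name is not None:
            stanzas[name].append(line)
        else:
            name = None  # '!' or any other non-indented line closes the stanza
    return {n: "\n".join(body) for n, body in stanzas.items()}

def audit(config):
    """Return {L2 switchport: [names of missing checks]}; routed interfaces are skipped."""
    return {name: [check for check, rx in CHECKS if not rx.search(stanza)]
            for name, stanza in interface_stanzas(config).items()
            if re.search(r"^ switchport$", stanza, re.M)}
```

Run `audit()` over `show running-config` output saved to a file; an empty list for a port means every listed measure is present, and routed interfaces never appear in the report.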

