[ednog] wireless bridging problem

John Kristoff jtk at northwestern.edu
Thu May 19 07:18:04 EDT 2005


On Wed, 18 May 2005 14:11:08 -0400
Jeff Murphy <jcmurphy at oss.buffalo.edu> wrote:

> the following is a forwarded message of a problem we're having here at
> UB. the last paragraph has some possible solutions. i'm wondering if
> anyone has any other solutions? 

Kevin's suggestion of port security is a good one.  I've used that
before and it has caught exactly this type of scenario and other weird
configurations.  Interestingly, it was set up with the intention of
being a mitigation against certain layer 2 threats, but I never saw any.
Instead, it ended up being helpful in mitigating misconfiguration
problems that were more common than I realized.

There may be some operational concerns with port security however.
For example, if you have to legitimately move a station from one port
to another, perhaps for wiring testing or troubleshooting, you may
run into problems.  Here is a more detailed description of my past
experience and comments from others:

  <http://ops.ietf.org/lists/opsec/opsec.2005/msg00033.html>

One thing I've been thinking about is to build a layer 2 spanning tree
monitor.  This involves putting a host on every segment, but in our case
we could possibly do that by spanning all the aggregated VLANs that come
back to an area router node on a monitor port.  It may not be an entirely
proactive solution, but perhaps a good trending tool and insightful for
finding layer 2 issues you never knew you had.  The idea is based on a
similar concept of monitoring OSPF messages from this paper:

  <http://www.research.att.com/~ashaikh/papers/ospf-mon-nsdi04.ps>

John
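The layer 2 spanning tree monitor sketched above, as an added example that is not part of the original thread: it parses 802.1D BPDUs as they would arrive on a span port and reports, per VLAN, any bridge not heard before, a change of root bridge, and topology-change flags. The frames are constructed test data, and it is assumed the VLAN tag has already been stripped so the frame starts at the LLC header.

```python
import struct
from collections import namedtuple
# 802.1D BPDU body after the 3-byte LLC header (DSAP/SSAP 0x42, ctrl 0x03)
LLC = b"\x42\x42\x03"
CFG_FMT = "!HBBB8sI8sHHHHH"          # 35-byte configuration BPDU
CFG_TYPE, TCN_TYPE = 0x00, 0x80
Bpdu = namedtuple("Bpdu", "kind root cost bridge tc")

def _bridge_id(raw: bytes) -> str:
    """Render an 8-byte bridge id as 'priority/mac'."""
    return f"{struct.unpack('!H', raw[:2])[0]}/{raw[2:].hex(':')}"

def parse_bpdu(frame: bytes) -> Bpdu:
    """Parse an STP frame payload; raises ValueError on anything else."""
    if frame[:3] != LLC:
        raise ValueError("not an STP LLC frame")
    body = frame[3:]
    if len(body) >= 4 and body[3] == TCN_TYPE:
        return Bpdu("tcn", None, 0, None, False)
    if len(body) < 35 or body[3] != CFG_TYPE:
        raise ValueError("unknown or truncated BPDU")
    _, _, _, flags, root, cost, bridge, *_ = struct.unpack(CFG_FMT, body[:35])
    return Bpdu("config", _bridge_id(root), cost, _bridge_id(bridge), bool(flags & 1))

class StpMonitor:
    """Per-VLAN view of the STP root and the bridges heard on the span port."""
    def __init__(self):
        self.root, self.bridges = {}, {}

    def observe(self, vlan: int, frame: bytes) -> list:
        """Return alert strings for anything that changed on this VLAN."""
        b, alerts = parse_bpdu(frame), []
        if b.kind == "tcn":
            return [f"vlan {vlan}: topology change notification"]
        if b.bridge not in self.bridges.setdefault(vlan, set()):
            self.bridges[vlan].add(b.bridge)
            alerts.append(f"vlan {vlan}: new bridge {b.bridge}")
        old = self.root.get(vlan)
        if old is not None and old != b.root:
            alerts.append(f"vlan {vlan}: root changed {old} -> {b.root}")
        self.root[vlan] = b.root
        if b.tc:
            alerts.append(f"vlan {vlan}: TC flag set by {b.bridge}")
        return alerts

def build_cfg_bpdu(root: bytes, bridge: bytes, cost=0, flags=0) -> bytes:
    """Constructed sample config BPDU (8-byte ids); test data, not a capture."""
    return LLC + struct.pack(CFG_FMT, 0, 0, CFG_TYPE, flags, root, cost,
                             bridge, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
```

In practice the frames would come from a packet capture on the monitor port, with the 802.1Q tag supplying the VLAN number passed to observe().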

