nanog mailing list archives
IX port security
From: Greg VILLAIN <nanog () grrrrreg net>
Date: Sat, 23 Feb 2008 12:19:14 +0100
Hi all,

Thinking back about this thread we've had lately around IXes, I have some extra questions. It is, I assume, the IX's responsibility to protect members from harming each other through the peering LAN. For that purpose, the IX has to do some minimum sanity checks before letting a member into the production VLAN, for instance by using a quarantine VLAN to probe its traffic first. Then, once those checks are done, the IX shall apply a minimum security configuration to each member port:

1/ limiting broadcast/unknown unicast on each member port
2/ filtering BPDUs
3/ locking MAC addresses

Here are my questions:
- re 1/, any clue about the PPS or %bandwidth values to be configured to limit broadcast/unknown unicast?
- re 3/, should a certain number of allowed MAC addresses be configured on the port (1 or 2)? Or should the customer's port MAC be explicitly configured on the port?
- more importantly, is there any other standard precaution that I'm missing and that should be considered?

cheers,
Greg VILLAIN
Independent Network/Telco Architecture Consultant
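An added example, not part of the post or of the thread: a small Python audit that reads an IOS-style switch configuration (the command syntax is an assumption, since the post does not name the IX's platform) and reports, per member port, which of the three listed controls are absent, distinguishing a bare MAC count limit from an explicitly configured member MAC, which is the distinction behind question 3/.

```python
import re

# Constructed IOS-style config (assumed syntax, not from the original post).
# Port 1 has every control the post lists; port 2 lacks BPDU filtering,
# unknown-unicast limiting and an explicit member MAC (count limit only).
SAMPLE_CONFIG = """interface GigabitEthernet1/0/1
 storm-control broadcast level pps 1k
 storm-control unicast level 1.00
 spanning-tree bpdufilter enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
!
interface GigabitEthernet1/0/2
 storm-control broadcast level 0.50
 switchport port-security
 switchport port-security maximum 2
!
"""

# The post's three controls; MAC locking is split into "a limit exists" and
# "the member's own address is configured explicitly" to match question 3/.
CHECKS = {
    "broadcast-limit": re.compile(r"^storm-control broadcast level"),
    "unknown-unicast-limit": re.compile(r"^storm-control unicast level"),
    "bpdu-filter": re.compile(r"^spanning-tree bpdufilter enable"),
    "mac-locking": re.compile(r"^switchport port-security$"),
    "explicit-mac": re.compile(r"^switchport port-security mac-address "),
}

def parse_interfaces(config):
    """Group the indented lines of each 'interface' stanza under its name."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return interfaces

def missing_controls(config):
    """Per interface, list the member-port controls that are absent."""
    return {name: [c for c, pat in CHECKS.items()
                   if not any(pat.match(line) for line in lines)]
            for name, lines in parse_interfaces(config).items()}

if __name__ == "__main__":
    for port, gaps in missing_controls(SAMPLE_CONFIG).items():
        print(port, "OK" if not gaps else "missing: " + ", ".join(gaps))
```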