North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Ethernet EP - MAC Address Filtering

  • From: David Luyer
  • Date: Tue Feb 12 05:50:07 2002

David McGaugh wrote:

> Just curious if anyone is performing MAC Address Filtering at any of
> the Ethernet Exchange Points. If so has it been found to be easy to
> administer or difficult where by peers may be changing Layer 3 devices
> or Interfaces without notice? Alternately is MAC Address Filtering
> considered an unneeded security measure?

If you're peering with a switch fabric, it could be a pain to do full
filtering as if non-peer X and peer Y are both on the fabric, and peer
Y sends out ICMP redirects to non-peer X who is trying to communicate
with you, then you would drop the traffic from non-peer X (due to a
config error at peer Y, who shouldn't have sent the redirects).

Static ARP entries and "no arp arpa" may be a better solution, and
you'll give your NOC something to do (ie. ring up and chat with
your peer's NOC) when they get a "BGP peer down" notice from the
monitoring system due to an upgrade.  As well as an opportunity
to check out the MAC address of the new peer and look at what
vendor they've switched from/to :-)  However you'd still have an
issue if you accepted an ICMP redirect and then couldn't find the
IP mentioned in that redirect, as it wasn't in your (static) ARP table.

David Luyer                                     Phone:   +61 3 9674 7525
Network Development Manager    P A C I F I C    Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T   Mobile:  +61 4 1111 BYTE                      NASDAQ:  PCNTF