Ethernet EP - MAC Address Filtering

Hello NANOG,

  Just curious if anyone is performing MAC Address Filtering at any of
the Ethernet Exchange Points. If so, has it been found to be easy to
administer, or difficult whereby peers may be changing Layer 3 devices
or Interfaces without notice? Alternately, is MAC Address Filtering
considered an unneeded security measure?

Thanks,
Dave

David McGaugh wrote:

> Just curious if anyone is performing MAC Address Filtering at any of
> the Ethernet Exchange Points. If so, has it been found to be easy to
> administer, or difficult whereby peers may be changing Layer 3 devices
> or Interfaces without notice? Alternately, is MAC Address Filtering
> considered an unneeded security measure?

If you're peering with a switch fabric, it could be a pain to do full
filtering as if non-peer X and peer Y are both on the fabric, and peer
Y sends out ICMP redirects to non-peer X who is trying to communicate
with you, then you would drop the traffic from non-peer X (due to a
config error at peer Y, who shouldn't have sent the redirects).

Static ARP entries and "no arp arpa" may be a better solution, and
you'll give your NOC something to do (i.e. ring up and chat with
your peer's NOC) when they get a "BGP peer down" notice from the
monitoring system due to an upgrade. As well as an opportunity
to check out the MAC address of the new peer and look at what
vendor they've switched from/to :) However, you'd still have an
issue if you accepted an ICMP redirect and then couldn't find the
IP mentioned in that redirect, as it wasn't in your (static) ARP table.

David.
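The two failure modes David describes (an inbound MAC filter dropping a non-peer that peer Y redirected to you, and a static ARP table that cannot resolve an unlisted IP or goes stale when a peer swaps hardware), as an added example that is not from this thread: a small Python model of one router port on a shared exchange fabric. The `Port`/`Frame` classes, the outcome labels and the peer/non-peer addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    """Constructed model of an arriving IP packet: sender MAC and sender IP."""
    src_mac: str
    src_ip: str

@dataclass
class Port:
    """Our router's interface on a shared exchange-point fabric (constructed model)."""
    allowed_macs: set = field(default_factory=set)   # MAC filter; empty = filter off
    static_arp: dict = field(default_factory=dict)   # ip -> mac, entered by hand
    dynamic_arp: bool = True                         # False emulates "no arp arpa"

    def handle(self, f: Frame) -> str:
        """What happens to the packet from f, and to our reply back to f.src_ip."""
        if self.allowed_macs and f.src_mac not in self.allowed_macs:
            return "dropped-by-mac-filter"           # inbound filter, no Layer 3 seen
        mac = self.static_arp.get(f.src_ip)
        if mac is None:
            if not self.dynamic_arp:
                return "reply-unresolvable"          # cannot ARP for an unlisted IP
            mac = f.src_mac                          # dynamic ARP learns the sender
        if mac != f.src_mac:
            return "reply-to-stale-mac"              # peer changed hardware: session drops
        return "ok"

# Constructed addresses: 198.51.100.0/24 and 00:00:5e:00:53:xx are documentation ranges.
PEER_Y_IP, PEER_Y_MAC = "198.51.100.2", "00:00:5e:00:53:02"
NONPEER_X_IP, NONPEER_X_MAC = "198.51.100.3", "00:00:5e:00:53:03"

def mac_filter_scenario() -> str:
    # Non-peer X, sent our way by a misconfigured peer Y's ICMP redirect, hits the filter.
    port = Port(allowed_macs={PEER_Y_MAC})
    return port.handle(Frame(NONPEER_X_MAC, NONPEER_X_IP))

def static_arp_scenario() -> tuple:
    # Static ARP only: X's packets get in, but we cannot resolve X to answer;
    # and after peer Y swaps its router, replies still go to the old static MAC.
    port = Port(static_arp={PEER_Y_IP: PEER_Y_MAC}, dynamic_arp=False)
    x_result = port.handle(Frame(NONPEER_X_MAC, NONPEER_X_IP))
    y_new_hw = port.handle(Frame("00:00:5e:00:53:42", PEER_Y_IP))
    return x_result, y_new_hw

if __name__ == "__main__":
    print(mac_filter_scenario(), static_arp_scenario())
```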