[ the voice of experience speaks ]

> We used to police this policy semi-manually, but now the switch vendors do
> decent hardware-based port-security/mac-locking functionality, so that
> does it for us, and actually does it pretty well.
>
> - The switch learns the first address received on the interface, which
>   should be the first ingress frame (usually an ARP generated by the router
>   sending a BGP Open), and remembers it (with a 3 minute ageing time).
>
> - This has the effect of applying an acl to the port (in hardware), which
>   permits traffic from the "good" address, and drops frames from other
>   addresses.
>
> - Should more than 100 different source MACs be learned (99 of which will
>   be filtered and dropped) on the interface, the port will then log a
>   critical violation and shut the port down.
>
> It works pretty well, it prevents all the usual badness we'd normally
> associate with switches on the IXP.
>
> So at the end of the day, it looks like we've been able to find a happy
> medium, maintaining decent "hygiene", while being able to let people
> indulge in deploying switches if they so choose.
thanks! this approaches reassuring. why does it tolerate 100 macs? at first blush, i would think three or four would be a bad enough sign.

randy
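The port-security behaviour described in the quoted message, written out as an added Python simulation so the learn/age/drop/shutdown sequence can be traced frame by frame. This is not the original poster's code and not any switch vendor's implementation; it assumes that ageing is measured from the last frame seen from the locked address, that the distinct-MAC count is reset when the lock ages out, and that the violation fires on the first distinct source address beyond the threshold (the message's "more than 100"). The threshold is a parameter so the effect of a smaller value, as asked about in the reply, can be tried directly.

```python
"""Simulation of IXP-port MAC locking: learn first source MAC, age it out after
3 minutes of silence, drop other sources, shut the port after >N distinct MACs.
Added example; constructed inputs, not captured traffic."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

AGEING_SECONDS = 180  # "3 minute ageing time" from the quoted message


@dataclass
class PortSecurity:
    threshold: int = 100            # "more than 100 different source MACs"
    locked_mac: Optional[str] = None
    last_seen: float = 0.0          # last time the locked MAC sent a frame
    seen_macs: Set[str] = field(default_factory=set)
    shutdown: bool = False
    log: List[str] = field(default_factory=list)

    def ingress(self, ts: float, src_mac: str) -> str:
        """Process one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        if self.shutdown:
            return "shutdown"
        # Assumption: age the lock out if the locked address has been silent
        # for longer than the ageing time, and restart the distinct-MAC count.
        if self.locked_mac is not None and ts - self.last_seen > AGEING_SECONDS:
            self.log.append(f"{ts:.0f}s lock on {self.locked_mac} aged out")
            self.locked_mac = None
            self.seen_macs.clear()
        if self.locked_mac is None:
            # First frame after (re)start: learn it and apply the hardware ACL.
            self.locked_mac = src_mac
            self.last_seen = ts
            self.seen_macs = {src_mac}
            self.log.append(f"{ts:.0f}s learned {src_mac}")
            return "forward"
        if src_mac == self.locked_mac:
            self.last_seen = ts
            return "forward"
        # Any other source address is filtered, but still counted.
        self.seen_macs.add(src_mac)
        if len(self.seen_macs) > self.threshold:
            self.shutdown = True
            self.log.append(
                f"{ts:.0f}s CRITICAL violation: {len(self.seen_macs)} source "
                f"MACs seen on port, shutting down")
            return "shutdown"
        return "drop"


def simulate(frames: List[Tuple[float, str]], threshold: int = 100) -> List[str]:
    """Run a list of (timestamp, src_mac) frames through one port."""
    port = PortSecurity(threshold=threshold)
    return [port.ingress(ts, mac) for ts, mac in frames]


def flood_scenario(n_foreign: int) -> List[Tuple[float, str]]:
    """Constructed input: the peer's router, then n_foreign distinct MACs
    (locally administered 02: addresses) arriving one per second."""
    good = "00:00:5e:00:53:01"  # documentation-range MAC, constructed
    frames = [(0.0, good)]
    for i in range(n_foreign):
        frames.append((float(i + 1), f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"))
    return frames


if __name__ == "__main__":
    verdicts = simulate(flood_scenario(100))
    print(verdicts.count("forward"), "forwarded,",
          verdicts.count("drop"), "dropped, last verdict:", verdicts[-1])
```

The flood scenario reproduces the message's arithmetic: one good address plus 99 dropped foreign addresses is tolerated, and the 100th foreign address (the 101st distinct source) trips the critical violation. Passing `threshold=3` to `simulate` shows the same logic firing on the fourth distinct address instead.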