MAC address limiting to tiny numbers, especially qty 1, won't work. There are a lot of administrative packets that go across a link coming from specific well-known MAC addresses; if that administrative packet gets in before any real traffic, that administrative MAC address will be learned and real traffic locked out. (This is mentioned in the JunOS documentation.)

MAC address limiting is mainly used for untrusted environments such that you are protecting the switch from having its CAM table blasted out, turning the switch into broadcast-all-packets-down-all-ports mode since its CAM table is full. Then the attacker can sniff for traffic they are looking for, hopefully grabbing the traffic they are trying to intercept before the hardware CPU pegged at 100% signals the NOC that something is amiss and they start looking for what is going on.

In practice, in such an untrusted environment (untrusted site, untrusted ports, with a max of one device per user), I found that at a minimum a 3 MAC address limit was the practical smallest size I could go, with typically a range of 5 to 10. Otherwise, administrative and other weird packets would shut down the ports due to false security alerts all the time, and it wasn't practical to have such low limits.

On Thu, Dec 22, 2011 at 08:41:47PM -0600, Jay Hanke wrote:
The benefit is it will block traffic from other mac addresses in the event of a loop or other misconfiguration. The learned mac address will clear automatically when the port goes down so it should not require admin assistance. On Dec 22, 2011 8:28 PM, "Owen DeLong" <owend@he.net> wrote:
What is the perceived benefit of doing this? The down-side is that whenever anyone has to replace a line card or do an equipment swap, they need to coordinate with someone who can update the port security on the switch. Worse, they need to remember that's an issue at the time or figure it out through a (not terribly convenient) troubleshooting process.
Owen
Sent from my iPad
On Dec 23, 2011, at 4:23 AM, Jay Hanke <jayhanke@MANKATONETWORKS.NET> wrote:
I have purchased a new EX 2200 switch for the Mankato Networks rack. The new switch will be dedicated and will enable traffic stats for those connected to my switch.
As a trial, I plan to enable port security on the downstream access ports limiting the port to one learned mac-address. The port security mechanism is the same on the EX 2200 as the EX 4200 so if successful, a similar strategy could be applied to the main switch.
The uplink to the main switch will remain the same.
Pending feedback, I'm planning to perform the move sometime in early January.
Thanks,
Jay
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link: http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
-- Doug McIntyre <merlyn@iphouse.net> -- ipHouse/Goldengate/Bitstream/ProNS -- Network Engineer/Provisioning/Jack of all Trades
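As an added illustration of the two behaviours discussed in the thread (not code from the list or from Juniper), the following Python model of a learning switch shows why a per-port MAC limit defends against CAM-table exhaustion, and why a limit of 1 locks out the real host when an administrative frame from a well-known source MAC is learned first. The CAM size, MAC addresses and "action shutdown" semantics are all constructed assumptions for the model.

```python
from collections import OrderedDict

def make_switch(cam_capacity=8, mac_limit=None):
    """Learning switch model: CAM is a bounded LRU dict (src MAC -> port);
    mac_limit is an optional per-port cap on learned source MACs."""
    return {"cam": OrderedDict(), "cap": cam_capacity, "limit": mac_limit,
            "learned": {}, "shutdown": set()}

def ingress(sw, port, src, dst):
    """Process one frame; return 'dropped', 'forwarded' or 'flooded'."""
    if port in sw["shutdown"]:
        return "dropped"
    learned = sw["learned"].setdefault(port, set())
    if src not in learned:
        if sw["limit"] is not None and len(learned) >= sw["limit"]:
            sw["shutdown"].add(port)        # port security: action shutdown
            return "dropped"
        learned.add(src)
    if src in sw["cam"]:
        sw["cam"].move_to_end(src)          # refresh entry
    else:
        if len(sw["cam"]) >= sw["cap"]:
            sw["cam"].popitem(last=False)   # CAM full: least recently used entry is lost
        sw["cam"][src] = port
    # Known destination is switched to its port; unknown destination is flooded
    return "forwarded" if dst in sw["cam"] else "flooded"

def cam_flood_attack(mac_limit):
    """Victim host on port 1; a host on port 2 blasts bogus source MACs.
    Returns how a later frame addressed to the victim is handled."""
    sw = make_switch(cam_capacity=8, mac_limit=mac_limit)
    ingress(sw, 1, "aa:aa:aa:aa:aa:01", "ff:ff:ff:ff:ff:ff")   # victim learned
    for i in range(20):                                        # constructed bogus sources
        ingress(sw, 2, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    return ingress(sw, 3, "cc:cc:cc:cc:cc:03", "aa:aa:aa:aa:aa:01")

def lockout(mac_limit):
    """Port 1 sees a gateway advertisement from a well-known virtual MAC
    (constructed) before the user's first frame; returns the verdict on the
    user's frame, which is addressed to that gateway."""
    sw = make_switch(mac_limit=mac_limit)
    ingress(sw, 1, "00:00:5e:00:01:01", "ff:ff:ff:ff:ff:ff")
    return ingress(sw, 1, "aa:aa:aa:aa:aa:01", "00:00:5e:00:01:01")
```

With no limit the bogus sources evict the victim and traffic to it is flooded out every port; with a limit of 5 the offending port is shut and the victim's entry survives. With a limit of 1 the user's own frame triggers the shutdown, which matches the false alerts described above.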