mac address limiting to tiny numbers, especially qty 1 won't work.
There are a lot of administrative packets that go across a link coming
from specific well-known MAC addresses, if that administrative packet
gets in before any real traffic, that administrative MAC address will
be learned and real traffic locked out.
(this is mentioned in the JunOS documentation).
mac-address limiting is mainly used for untrusted environments such
that you are protecting the switch from having its CAM table blasted
out turning the switch into broadcast all packets down all ports mode
since its CAM table is full. Then the attacker can sniff for traffic
they are looking for, hopefully grabbing the traffic they are trying
to intercept before the hardware CPU pegged at 100% signals the NOC
that something is amiss and they start looking for what is going on.
In practice, in such an untrusted environment( untrusted site,
untrusted ports, with max of one device per user. ), I found that at a
minimum 3 MAC address limit was the practical smallest size I could
go, with typically a range of 5 to 10.
Otherwise, administrative and other weird packets would shut down the
ports due to flase security alerts all the time, and it wasn't practical
to have such low limits.
On Thu, Dec 22, 2011 at 08:41:47PM -0600, Jay Hanke wrote:
> The benefit is it will block traffic from other mac addresses in the event
> of a loop or other misconfiguration. The learned mac address will clear
> automatically when the port goes down so it should not require admin
> assistance.
> On Dec 22, 2011 8:28 PM, "Owen DeLong" <[log in to unmask]> wrote:
>
> > What is the perceived benefit of doing this? The down-side is that
> > whenever anyone has to replace a line card or do an equipment swap, they
> > need to coordinate with someone who can update the port security on the
> > switch. Worse, they need to remember that's an issue at the time or figure
> > it out through a (not terribly convenient) troubleshooting process.
> >
> > Owen
> >
> >
> > Sent from my iPad
> >
> > On Dec 23, 2011, at 4:23 AM, Jay Hanke <[log in to unmask]>
> > wrote:
> >
> > > I have purchased a new EX 2200 switch for the Mankato Networks rack.
> > > The new switch will be dedicated and will enable traffic stats for
> > > those connected to my switch.
> > >
> > > As a trial, I plan to enable port security on the downstream access
> > > ports limiting the port to one learned mac-address. The port security
> > > mechanism is the same on the EX 2200 as the EX 4200 so if successful,
> > > a similar strategy could be applied to the main switch.
> > >
> > > The uplink to the main switch will remain the same.
> > >
> > > Pending feedback, I'm planning to perform the move sometime in early
> > January.
> > >
> > > Thanks,
> > >
> > > Jay
> > >
> > > ########################################################################
> > >
> > > To unsubscribe from the MICE-DISCUSS list, click the following link:
> > > http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
> >
> > ########################################################################
> >
> > To unsubscribe from the MICE-DISCUSS list, click the following link:
> > http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
> >
>
> ########################################################################
>
> To unsubscribe from the MICE-DISCUSS list, click the following link:
> http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
--
Doug McIntyre <[log in to unmask]>
-- ipHouse/Goldengate/Bitstream/ProNS --
Network Engineer/Provisioning/Jack of all Trades
########################################################################
To unsubscribe from the MICE-DISCUSS list, click the following link:
http://lists.iphouse.net/cgi-bin/wa?SUBED1=MICE-DISCUSS&A=1
|