[ixpmanager] Additional Virtual Interfaces Not Included In Auto-generated RS Configs
Andreas Polyrakis
apolyr at noc.grnet.gr
Tue Sep 12 17:14:03 IST 2017
Hello Nick,
We also do the same here. Some customers with a single port have two
IPs; our L2 filters allow only the two MACs of their routers.
Can you (or someone else) please elaborate on why this is a bad
practice? Obviously in that case the physical connection will terminate
in a switch of theirs; and their two routers will be connected on this
switch; and the IX peering LAN will traverse this switch. However, this
can happen with a single router anyway (esp. on an L3 switch). And it
often happens with remote members.
In order to protect from this, we have strict rules about STP BPDUs,
broadcasts, L2 filters etc. So why are 2 IPs so bad?
I had asked the same question a couple of months ago in one of our lists
(I cannot recall if it was this one or euro-ix) and the answer that I
got was "It is ok". Isn't it? Is there an evil scenario that we are missing?
Thank you in advance.
Regards,
On 12/09/17 18:32, Nick Hilliard wrote:
> Kyle Spencer wrote:
>> I have a peer using two IP addresses on a single physical interface.
> This is deliberately not supported. Give them two interfaces and lock
> down the number of MAC addresses to one per interface, preferably with a
> static layer 2 ACL. If there are issues relating to getting a
> cross-connect to this organization, this may require you to host one of
> their switches in your rack with local cross-connect into the IXP fabric
> - if they do this, make sure that they've split out the VLANs properly
> and that you can only see one MAC address on each port.
>
> Essentially what you're doing here is extending your IXP into someone
> else's network, which is a strategically bad move for a variety of
> different reasons, mostly because it will shoot your network's
> security/stability in the foot.
>
> This may not be the answer that's most convenient for you guys right
> now, but it's something that we would take really seriously and have
> burn wounds to show for it :-|
>
> Nick
--
-----------------------------------------------------------------------
Andreas Polyrakis - apolyr at noc.grnet.gr
GRNET NOC Technical Manager
Greek Research & Technology Network - http://www.grnet.gr
7, Kifisias Av., 11523 Athens, Greece
Mobile: +30 6972832445 Office: +30 2107474249 Fax: +30 2107474490
-----------------------------------------------------------------------
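
The per-port MAC lock-down discussed in this thread can be checked against what the switch actually learns on the peering LAN. The following is an added example, not part of either message and not IXP Manager code: it audits constructed (port, VLAN, MAC) observations against a constructed allow-list standing in for the static layer 2 ACL. The input line format, port names and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "port,vlan,mac" observations (format is an assumption,
# not any vendor's output). MACs appear in three common notations.
SAMPLE_OBSERVATIONS = """\
swp1,10,00:11:22:33:44:55
swp2,10,0011.2233.4466
swp2,10,00-11-22-33-44-77
swp3,10,00:11:22:33:44:88
swp3,10,00:11:22:33:44:99
"""

# Constructed allow-list standing in for the static layer 2 ACL on each port.
ALLOWED = {
    "swp1": {"00:11:22:33:44:55"},
    "swp2": {"00:11:22:33:44:66", "00:11:22:33:44:77"},  # two routers, one port
    "swp3": {"00:11:22:33:44:88"},
}

def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, whatever the notation."""
    digits = re.sub(r"[.:\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit_ports(observations, allowed, max_macs_per_port=1):
    """Return {port: [findings]} for ports that break the MAC policy."""
    seen = defaultdict(set)
    for line in filter(str.strip, observations.splitlines()):
        port, _vlan, mac = (field.strip() for field in line.split(","))
        seen[port].add(normalize_mac(mac))

    findings = defaultdict(list)
    for port, macs in sorted(seen.items()):
        permitted = {normalize_mac(m) for m in allowed.get(port, ())}
        for mac in sorted(macs - permitted):
            findings[port].append(f"unlisted MAC {mac}")
        if len(macs) > max_macs_per_port:
            findings[port].append(f"{len(macs)} MACs seen, limit {max_macs_per_port}")
    return dict(findings)

if __name__ == "__main__":
    for port, issues in audit_ports(SAMPLE_OBSERVATIONS, ALLOWED).items():
        print(port, "; ".join(issues))
```

With the default limit of one MAC per port, the two-router port is flagged even though both MACs are on its allow-list; passing `max_macs_per_port=2` models the two-MAC filter described in the first message and leaves only the unlisted MAC reported.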