[rbridge] Rbridge port security
Radia Perlman
Radia.Perlman at sun.com
Tue May 15 16:58:18 PDT 2007
Hmm. I must have not noticed Caitlin's suggestion. I think it's a good
idea to discard TRILL-encapsulated frames on links for which you do not
have any IS-IS adjacency.

I assume this is specific to a VLAN: In other words, if R1 and R2 have a
VLAN-A tagged adjacency on R1's port p, but R1 has no VLAN-B IS-IS
adjacency on port p, and R1 receives a VLAN-B tagged encapsulated packet
on port p, R1 should drop it, even though R1 *does* have a VLAN-A tagged
IS-IS adjacency on that port.

Radia
Eastlake III Donald-LDE008 wrote:
> In connection with the topics in this thread:
>
> I've looked at IS-IS security some more and the more recent versions of
> it seem to provide strong protection against forged IS-IS hellos or
> other control traffic. This generally seems to be an existing and better
> way of handling this problem than my original suggestion of "turning
> off" IS-IS on a port.
>
> Caitlin's suggestion that TRILL encapsulated frames be ignored when
> received on ports on which there is not an Rbridge adjacency is a good
> one and it could be expanded a little to also drop such frames if their
> source MAC address isn't that of a known Rbridge.
>
> Thanks,
> Donald
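
Added example, not part of the thread and not taken from any TRILL implementation: a sketch of the per-port, per-VLAN ingress check discussed above, including the source-MAC test from the quoted message. It assumes the TRILL Ethertype 0x22F3 that was assigned later (RFC 6325), treats "known Rbridge" as a neighbor adjacent on that port and VLAN, and uses hypothetical names and constructed frames throughout.

```python
import struct

ETH_P_8021Q = 0x8100
ETH_P_TRILL = 0x22F3  # assumption: TRILL Ethertype as later assigned in RFC 6325

def outer_header(frame):
    """Return (source MAC, VLAN ID or None, Ethertype) of the outer header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12]
    (etype,) = struct.unpack_from("!H", frame, 12)
    vlan = None
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF
    return src, vlan, etype

def trill_ingress_verdict(frame, port, adjacencies, native_vlan=1):
    """adjacencies maps (port, vlan) -> set of neighbor RBridge MACs that
    currently have an IS-IS adjacency on that port in that VLAN."""
    try:
        src, vlan, etype = outer_header(frame)
    except ValueError:
        return "drop: malformed"
    if etype != ETH_P_TRILL:
        return "not TRILL"  # ordinary frame, outside the scope of this check
    if vlan is None or vlan == 0:
        vlan = native_vlan  # assumption: untagged frames belong to the port's native VLAN
    neighbors = adjacencies.get((port, vlan))
    if not neighbors:
        return "drop: no adjacency on this port and VLAN"
    if src not in neighbors:
        return "drop: source MAC is not a known RBridge"
    return "accept"

# Constructed sample data: R1's port "p" has one VLAN-A (VLAN 10) adjacency, to R2.
R1, R2, ROGUE = (bytes.fromhex(m) for m in ("020000000001", "020000000002", "0200000000ee"))
ADJ = {("p", 10): {R2}}

def tagged_trill(src, vlan):
    return R1 + src + struct.pack("!HHH", ETH_P_8021Q, vlan, ETH_P_TRILL) + b"\x00" * 6

if __name__ == "__main__":
    for name, frame in [("VLAN-A from R2", tagged_trill(R2, 10)),
                        ("VLAN-B from R2", tagged_trill(R2, 20)),
                        ("VLAN-A from unknown MAC", tagged_trill(ROGUE, 10))]:
        print(name, "->", trill_ingress_verdict(frame, "p", ADJ))
```

The VLAN-B frame is dropped even though port p has a VLAN-A adjacency, because the adjacency table is keyed on the (port, VLAN) pair rather than on the port alone.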