small port density

Javier_Solis
New Contributor
How many out there are looking for a small port density of 1G (24 copper or sfp) and at least 4/6 10G + 2 40G in a 1U factor, dual power, and OSPF/BGP at a competitive price point? This would suit well for an edge WAN router or for an MDF closet in a building with no edge ports that feeds multiple IDF's in the same building.
13 REPLIES

JAMES_WIEDEL
New Contributor II
Oh, not to let our Apple friends off the hook, there is Bonjour and AppleTV that you get to worry about. Both protocols multicast all over the place and need to be contained. We by default drop them on the floor but allow those with an SLA with us to be on a highly contained VLAN so it doesn't affect all the users.

JAMES_WIEDEL
New Contributor II
Glad you asked. One building that was trying to do some fairly simple things like download machines was failing miserably. The protocols they were using were not very robust and dropped packets killed them in a short while. Investigating, we noticed some 71% of the traffic was multicast. Mind you these are one and ten gig links so that is a major number of bits flowing. Further tracking of the multicast sources revealed UPNP and its underlying protocol SSDP to be the culprit. We built a policy to drop it on the floor and the multicast rate went from 71% to under 1%. Magically the downloads started working and all was wonderful in the world. Microsoft is doing something similar in the IPV6 domain with 2 types of packets, one using FEC0::/10 as an address which is "Site Local" and the second being RA packets (Router Announce) coming from newer Windows platforms. Google "IPV6 FEC0" for information about that address range. On the network protection (spoofed IP/MAC) question we shut the MAC address down. Depending on the issue, it will auto-enable in 15 minutes or be permanent requiring the end user to make contact so we can have a chat. Our database has owner & technical contact names/email addresses who get notified automatically. We have difficulty with our own field services staff deploying IP Phones when they fat finger the IP address and Gateway addresses (typically setting the IP address to the Gateway address.) There are some scenarios where we administratively shut the port down.

Javier_Solis
New Contributor
Interesting, thanks for the input James. We block the normal stuff you listed such as DHCP, DNS, etc. I haven't looked into the UPNP stuff. Just curious, what kind of issues did you see with UPNP before you started blocking it? For your default gateway protection, are you just dropping spoofed IP/MAC on the edge ports? Thanks again, this is great feedback!!!

JAMES_WIEDEL
New Contributor II
Javier, We use quite a few policies actually. We protect our default gateways (both MAC and IP addresses) plus other VLANs' gateways. We protect against network loops and cross network connections. We dump various protocols on the floor. We black hole MAC addresses and sometimes ports, depending upon the reason for the black hole. This is where things fall apart on the stackables and as we have recently discovered the N series. Stackables are just not capable of doing some of the black hole stuff at all. Consider your friends at Microsoft. They developed UPNP (Universal Plug'N'Play). Works great at home but destroys enterprise networks because it uses multicast. We found out it has an IPV6 equivalent. That particular one is really ugly since it sends out packets claiming to be the gateway. It takes deep packet inspection to catch those which the stackables and N series can't do. Along with that we do the easy stuff: Disallow hosts from being DHCP servers, DNS and the like. (BTW, we came up with a work-around for the IPV6 multicast problem with N-Series.) Ever wanted to connect two layer 2 networks together on one VLAN? Watch out for that spanning tree! You don't want those packets crossing multiple networks!
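The two posts from James above describe three checks: measuring how much of a link's traffic is multicast, finding the SSDP/UPnP sources behind it, and catching hosts that claim to be the gateway (IPv6 Router Advertisements from non-routers, or frames sending from the gateway IP with the wrong MAC). The script below is an added example written for this thread, not code from any poster or vendor; it runs that detection logic over a handful of constructed flow records. The MAC addresses, IPs, byte counts and the "known router" list are all made up for the example; the SSDP groups (239.255.255.250 and ff02::c on UDP 1900), the FEC0::/10 site-local range and ICMPv6 type 134 for RAs are the real protocol values.

```python
# Added example, not from the thread: defender-side checks for the
# multicast / rogue-gateway problems described in the posts above.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Real protocol constants
SSDP_GROUPS = {ip_address("239.255.255.250"), ip_address("ff02::c")}  # UPnP/SSDP
SSDP_PORT = 1900
SITE_LOCAL_V6 = ip_network("fec0::/10")  # deprecated site-local range named in the post
ICMPV6_ROUTER_ADVERT = 134               # ICMPv6 type of a Router Advertisement


@dataclass
class Flow:
    """One summarized flow record (constructed format for this example)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "udp", "tcp" or "icmpv6"
    dst_port: int = 0
    icmp_type: int = 0
    octets: int = 0


# Constructed sample: two IPv4 SSDP chatterboxes, one normal TCP session, a legitimate
# RA from the router, a rogue RA from a Windows-style host, an IPv6 SSDP sender using a
# site-local source, and two frames sending from the gateway IP (one real, one spoofed).
SAMPLE_FLOWS = [
    Flow("aa:11:11:11:11:11", "10.1.1.10", "239.255.255.250", "udp", 1900, 0, 7000),
    Flow("aa:22:22:22:22:22", "10.1.1.11", "239.255.255.250", "udp", 1900, 0, 1000),
    Flow("aa:33:33:33:33:33", "10.1.1.12", "10.1.1.50", "tcp", 443, 0, 2000),
    Flow("00:00:5e:00:01:01", "fe80::1", "ff02::1", "icmpv6", 0, 134, 100),
    Flow("aa:bb:cc:dd:ee:ff", "fe80::bad", "ff02::1", "icmpv6", 0, 134, 100),
    Flow("aa:44:44:44:44:44", "fec0::1234", "ff02::c", "udp", 1900, 0, 200),
    Flow("de:ad:be:ef:00:01", "10.1.1.1", "10.1.1.12", "tcp", 0, 0, 300),
    Flow("00:00:5e:00:01:01", "10.1.1.1", "10.1.1.12", "tcp", 0, 0, 400),
]
KNOWN_ROUTER_MACS = {"00:00:5e:00:01:01"}   # constructed: the real gateway's MAC
GATEWAY_IP = "10.1.1.1"                      # constructed: the VLAN's default gateway


def multicast_share(flows):
    """Percentage of bytes going to multicast destinations (the 71% figure in the post)."""
    total = sum(f.octets for f in flows)
    mcast = sum(f.octets for f in flows if ip_address(f.dst_ip).is_multicast)
    return 0.0 if total == 0 else round(100.0 * mcast / total, 1)


def is_ssdp(flow):
    return (flow.proto == "udp" and flow.dst_port == SSDP_PORT
            and ip_address(flow.dst_ip) in SSDP_GROUPS)


def ssdp_talkers(flows):
    """Hosts sourcing SSDP discovery traffic: the candidates for a drop policy."""
    return sorted({f.src_ip for f in flows if is_ssdp(f)})


def apply_ssdp_drop(flows):
    """Simulate the poster's 'drop it on the floor' policy and return what remains."""
    return [f for f in flows if not is_ssdp(f)]


def rogue_ras(flows, router_macs):
    """IPv6 Router Advertisements from MACs that are not the known routers."""
    return sorted({(f.src_mac, f.src_ip) for f in flows
                   if f.proto == "icmpv6" and f.icmp_type == ICMPV6_ROUTER_ADVERT
                   and f.src_mac.lower() not in router_macs})


def site_local_sources(flows):
    """Hosts using the deprecated FEC0::/10 site-local range as a source address."""
    return sorted({f.src_ip for f in flows
                   if ip_address(f.src_ip).version == 6
                   and ip_address(f.src_ip) in SITE_LOCAL_V6})


def gateway_spoofers(flows, gateway_ip, router_macs):
    """MACs sending from the gateway IP that are not the gateway: shut these down."""
    return sorted({f.src_mac for f in flows
                   if f.src_ip == gateway_ip and f.src_mac.lower() not in router_macs})


if __name__ == "__main__":
    print("multicast share before drop:", multicast_share(SAMPLE_FLOWS), "%")
    print("SSDP talkers:", ssdp_talkers(SAMPLE_FLOWS))
    print("multicast share after SSDP drop:", multicast_share(apply_ssdp_drop(SAMPLE_FLOWS)), "%")
    print("rogue RAs:", rogue_ras(SAMPLE_FLOWS, KNOWN_ROUTER_MACS))
    print("site-local sources:", site_local_sources(SAMPLE_FLOWS))
    print("gateway spoofers:", gateway_spoofers(SAMPLE_FLOWS, GATEWAY_IP, KNOWN_ROUTER_MACS))
```

On the constructed sample the SSDP drop takes the multicast share from 75.7% down to 6.9%, with the residue being the two RAs; the rogue RA and the spoofed-gateway MAC are reported separately because, as the post notes, they are the ones that need a per-MAC black hole rather than a protocol filter.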