joel jaeggli wrote:
> sure l3 acls can be applied to l2 ports.
>
> most ixps are going to have a set of filters that prevent certain kinds
> of activity, e.g. spanning tree PDUs, router-advertisement, proxy-arp
> and so on. these are all within the technical capabilities of most
> high-end-ethernet switch platforms.

this is a vast overstatement of ingress port filtering capabilities. STP
BPDUs are ignored because disabling STP on a port will cause the packet
to be silently dropped. Most hardware which uses tcam for acls will choke
on even ostensibly simple configs, e.g. uniquely keyed L2 + ipv4/ipv6 +
L4 port filters applied on all ports. Inspecting deep into packets is
rarely easy. Overall the entire area is fraught with limitations and
corner cases.

Nick
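The two filters the thread names that can be matched on a single frame (STP BPDUs and IPv6 router advertisements), written out as an added example in Python; this is not code from the thread or from any switch vendor. It also shows the "inspecting deep into packets" problem Nick raises: an RA hidden behind a hop-by-hop header is only caught if the parser walks extension headers, and an RA behind a fragment header cannot be decided from the frame at all. Proxy-ARP is left out on purpose, since deciding it needs per-port knowledge of which addresses belong where. The sample frames, MAC addresses and the bounded extension-header walk (MAX_EXT_HEADERS) are constructed for the example.

```python
"""Per-frame ingress classifier for the IXP filters discussed in the thread.

Added example, not from the original mailing-list post. Frames below are
constructed by hand; MAC and IPv6 addresses are arbitrary test values.
"""
import struct

STP_MCAST = bytes.fromhex("0180c2000000")     # IEEE 802.1D bridge group address
LLC_SAP_STP = 0x42                             # DSAP/SSAP used by STP BPDUs
ETH_VLAN, ETH_ARP, ETH_IPV4, ETH_IPV6 = 0x8100, 0x0806, 0x0800, 0x86DD
NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPT, NH_ICMPV6 = 0, 43, 44, 60, 58
ICMPV6_ROUTER_ADVERT = 134
WALKABLE_EXT = {NH_HOPOPT, NH_ROUTING, NH_DSTOPT}
MAX_EXT_HEADERS = 4   # assumption: a bounded walk, as hardware parsers are


def ipv6_upper_layer(payload: bytes):
    """Walk IPv6 extension headers. Returns (next_header, offset) when the
    upper-layer header is reachable, or (None, reason) when it is not."""
    if len(payload) < 40:
        return None, "runt"
    nh, off = payload[6], 40
    for _ in range(MAX_EXT_HEADERS):
        if nh == NH_FRAGMENT:
            return None, "fragment"      # upper layer may sit in another packet
        if nh not in WALKABLE_EXT:
            return nh, off
        if len(payload) < off + 2:
            return None, "runt"
        ext_len = (payload[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units, excluding first 8
        nh = payload[off]
        off += ext_len
    return None, "too-deep"


def classify(frame: bytes) -> str:
    """Return 'drop:<reason>', 'permit', 'runt' or 'undecidable:<reason>'."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETH_VLAN:                  # one 802.1Q tag
        if len(frame) < 18:
            return "runt"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype <= 1500:                      # 802.3 length field, LLC follows
        if dst == STP_MCAST and frame[off:off + 2] == bytes([LLC_SAP_STP, LLC_SAP_STP]):
            return "drop:stp-bpdu"
        return "permit"
    if ethertype == ETH_IPV6:
        nh, where = ipv6_upper_layer(frame[off:])
        if nh is None:
            return f"undecidable:{where}"
        if nh == NH_ICMPV6 and len(frame) > off + where and frame[off + where] == ICMPV6_ROUTER_ADVERT:
            return "drop:ipv6-ra"
        return "permit"
    return "permit"                            # ARP, IPv4, etc. are not decided here


# ---- constructed sample frames (not captured traffic) ----
SRC_MAC = bytes.fromhex("021122334455")
ALLNODES_MAC = bytes.fromhex("333300000001")
SRC6 = bytes.fromhex("fe800000000000000000000000000001")   # fe80::1
DST6 = bytes.fromhex("ff020000000000000000000000000001")   # ff02::1


def eth(dst: bytes, src: bytes, ethertype: int) -> bytes:
    return dst + src + struct.pack("!H", ethertype)


def ipv6_hdr(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + SRC6 + DST6 + payload


RA = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)  # 16-byte RA, no options
HBH = bytes([NH_ICMPV6, 0, 1, 4, 0, 0, 0, 0])          # hop-by-hop header carrying one PadN
FRAG = struct.pack("!BBHI", NH_ICMPV6, 0, 0, 0x12345678)  # fragment header, offset 0

BPDU_FRAME = eth(STP_MCAST, SRC_MAC, 38) + bytes([LLC_SAP_STP, LLC_SAP_STP, 0x03]) + bytes(35)
RA_FRAME = eth(ALLNODES_MAC, SRC_MAC, ETH_IPV6) + ipv6_hdr(NH_ICMPV6, RA)
RA_BEHIND_HBH = eth(ALLNODES_MAC, SRC_MAC, ETH_IPV6) + ipv6_hdr(NH_HOPOPT, HBH + RA)
RA_BEHIND_FRAG = eth(ALLNODES_MAC, SRC_MAC, ETH_IPV6) + ipv6_hdr(NH_FRAGMENT, FRAG + RA)
VLAN_RA_FRAME = eth(ALLNODES_MAC, SRC_MAC, ETH_VLAN) + struct.pack("!H", 100) + struct.pack("!H", ETH_IPV6) + ipv6_hdr(NH_ICMPV6, RA)
IPV4_FRAME = eth(SRC_MAC, SRC_MAC, ETH_IPV4) + bytes(20)

if __name__ == "__main__":
    for name, f in [("bpdu", BPDU_FRAME), ("ra", RA_FRAME), ("ra+hbh", RA_BEHIND_HBH),
                    ("ra+frag", RA_BEHIND_FRAG), ("vlan ra", VLAN_RA_FRAME), ("ipv4", IPV4_FRAME)]:
        print(f"{name:8s} {classify(f)}")
```

The "undecidable" result is the practical point: a hardware ACL either parses past the fragment header (it usually cannot) or applies a blanket rule to all fragmented IPv6, and either choice is a corner case an IXP has to live with rather than a filter it simply "has".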