Networking

  • Filtering MAC addresses on a VLAN with a Catalyst 3550


    Mathew S. Capron
    Principal Network Engineer
    AimNet Solutions, Inc.
    Define, Design, Deliver, Secure & Manage
    Phone: 508-893-8136
    Fax: 508-429-0500
    Email: mcapron (AT) aimnetsolutions (DOT) com
    URL: http://www.aimnetsolutions.com
    I have a situation in which I need to have two routers that need to talk
    on a VLAN and I need to ensure that only those two routers' MAC
    addresses can talk to each other. If any other MACs somehow get
    plugged into that VLAN I need to deny and log it.
    I am using the latest code (Release 12.2(25)SEE) and have tried to use
    the VLAN filter/map functionality. This allows for me to filter on MAC
    addresses with a MAC ACL and an "action forward" statement on the first
    entry. The second entry I can add a MAC access list to and have an
    "action drop" statement. But since MAC ACLs don't have a log function
    and there is no "action log" as on the 6500 series, how can I get the
    3550 to log violations of this policy?
    Is there another way of doing this and still ONLY allow these
    two devices at the MAC address level to talk to each other on this VLAN?
    PS: EIGRP, Multicast, and HSRP (Don't ask - it's a customer thing) also
    traverse this link, so these need to be able to talk also, and I
    understand that at least multicast and HSRP also have a MAC address at
    Layer 2.
    - Mathew
    cisco-nsp mailing list cisco-nsp (AT) puck (DOT) nether.net
    archive at
  •

    Port-security might help as well. It has violation mode "restrict", which
    may be what you are looking for:
    restrict - When the number of secure MAC addresses reaches the limit allowed
    on the port, packets with unknown source addresses are dropped until you
    remove a sufficient number of secure MAC addresses or increase the number of
    maximum allowable addresses. An SNMP trap is sent, a syslog message is
    logged, and the violation counter increments.
    This has to be configured on EVERY OTHER port (besides the ports which have
    routers plugged into them), but it should be trivial using "interface-range"
    or macros.
    Cheers
    Alex

    Message
    From: "Capron, Mathew" <mcapron (AT) aimnetsolutions (DOT) com>
    To: <cisco-nsp (AT) puck (DOT) nether.net>
    Sent: Friday, May 12, 2006 3:41 PM
    Subject: [c-nsp] Filtering MAC addresses on a VLAN with a Catlyst 3550

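An added example, not code from the thread, that models the two pieces discussed above: the access-map decision (entry 10 forwards what the MAC ACL matches, entry 20 drops the rest, so the ACL must also permit the broadcast, EIGRP and HSRP destination MACs the questioner mentions) and a parser for the syslog lines that restrict mode produces. The router MACs, interface names and log lines are constructed; the port-security message text follows the IOS format as I know it.

```python
import re
# Constructed router MACs, not from the thread
ROUTERS = {"0000.0c11.1111", "0000.0c22.2222"}
# Destinations the MAC ACL must also permit, otherwise the trailing
# "action drop" entry silently breaks ARP, EIGRP and HSRP on the link
ALLOWED_DST = ROUTERS | {
    "ffff.ffff.ffff",  # broadcast, ARP requests
    "0100.5e00.000a",  # 224.0.0.10 as a MAC: EIGRP
    "0100.5e00.0002",  # 224.0.0.2 as a MAC: HSRP v1 hellos
}
HSRP_VMAC = re.compile(r"^0000\.0c07\.ac[0-9a-f]{2}$")  # HSRP v1 virtual MAC

def norm(mac):
    """Accept colon or dotted notation; return Cisco dotted-hex, lower case."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return f"{h[:4]}.{h[4:8]}.{h[8:]}"

def access_map_action(src, dst):
    """Entry 10 'action forward' when the ACL matches, else entry 20 'action drop'."""
    src, dst = norm(src), norm(dst)
    # the active HSRP router sources its hellos from the virtual MAC
    src_ok = src in ROUTERS or HSRP_VMAC.match(src)
    dst_ok = dst in ALLOWED_DST or HSRP_VMAC.match(dst)
    return "forward" if src_ok and dst_ok else "drop"

# Restrict-mode violation message in the IOS format; the sample lines are constructed
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[A-Za-z]+[\d/]+)"
)
SAMPLE_SYSLOG = [
    "May 12 15:41:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 00aa.bbcc.dd01 on port FastEthernet0/7.",
    "May 12 15:41:09: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up",
    "May 12 15:42:30: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0000.0c22.2222 on port FastEthernet0/12.",
]

def violations(lines):
    """(port, mac, is_router_mac) per violation; a router MAC on a non-router port means miscabling or spoofing."""
    out = []
    for line in lines:
        m = VIOLATION.search(line)
        if m:
            mac = norm(m["mac"])
            out.append((m["port"], mac, mac in ROUTERS))
    return out
```

Restrict mode only drops and logs once the port's secure-address limit has been reached, so on the non-router ports pin the limit (maximum 1 with a static or sticky secure address) or the first unknown device is simply learned rather than logged.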
