[c-nsp] Filtering MAC addresses on a VLAN with a Catalyst 3550

Capron, Mathew mcapron at aimnetsolutions.com
Fri May 12 10:41:18 EDT 2006



Mathew S. Capron
Principal Network Engineer
AimNet Solutions, Inc.
Define, Design, Deliver, Secure & Manage
Phone:     508-893-8136
Fax:         508-429-0500
Email:      mcapron at aimnetsolutions.com
URL:        http://www.aimnetsolutions.com


I have a situation in which two routers need to talk on a VLAN, and I
need to ensure that only those two routers' MAC addresses can talk to
each other.  If any other MACs somehow get plugged into that VLAN, I
need to deny and log it.

I am using the latest code (Release 12.2(25)SEE) and have tried to use
the VLAN filter/map functionality.  This allows me to filter on MAC
addresses with a MAC ACL and an "action forward" statement on the first
entry.  To the second entry I can add a MAC access list and an
"action drop" statement.  But since MAC ACLs don't have a log function
and there is no "action log" as on the 6500 series, how can I get the
3550 to log violations to this policy?

Or is there another way of doing this that still allows ONLY these
two devices, at the MAC address level, to talk to each other on this VLAN?

PS: EIGRP, Multicast, and HSRP (Don't ask - it's a customer thing) also
traverse this link, so these need to be able to talk also, and I
understand that at least multicast and HSRP also have a MAC address at
Layer 2.

- Mathew
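The forward/drop VLAN access-map described in the post, written out as a complete configuration. This is an added illustration, not configuration from the original post or from Cisco; the router MAC addresses, the HSRP group/virtual MAC, the VLAN number and the ACL/map names are all assumed for the example. It goes one step beyond the post by listing the Layer 2 destinations the PS mentions: HSRP hellos go to 0100.5e00.0002 (224.0.0.2) and, on the active router, are sourced from the group's virtual MAC rather than the burned-in address, and EIGRP uses 0100.5e00.000a (224.0.0.10), so those sources and destinations must be permitted explicitly or the first entry will never match them.

```cisco
! Assumed values for this example only:
!   RTR-A burned-in MAC      0000.0c11.1111
!   RTR-B burned-in MAC      0000.0c22.2222
!   HSRP v1 group 1 virtual  0000.0c07.ac01
!   Shared VLAN              100
! MAC ACL masks are wildcard masks: a 1 bit means "don't care".
!
mac access-list extended RTR-PAIR-ONLY
 ! Unicast between the two routers, both directions
 permit host 0000.0c11.1111 host 0000.0c22.2222
 permit host 0000.0c22.2222 host 0000.0c11.1111
 ! HSRP hellos: destination 224.0.0.2 -> 0100.5e00.0002.
 ! The active router sources them from the virtual MAC, the standby
 ! from its own address, so all three sources are needed.
 permit host 0000.0c11.1111 host 0100.5e00.0002
 permit host 0000.0c22.2222 host 0100.5e00.0002
 permit host 0000.0c07.ac01 host 0100.5e00.0002
 ! EIGRP hellos/updates: destination 224.0.0.10 -> 0100.5e00.000a
 permit host 0000.0c11.1111 host 0100.5e00.000a
 permit host 0000.0c22.2222 host 0100.5e00.000a
 ! Other IPv4 multicast (0100.5e00.0000 - 0100.5e7f.ffff) from either router
 permit host 0000.0c11.1111 0100.5e00.0000 0000.007f.ffff
 permit host 0000.0c22.2222 0100.5e00.0000 0000.007f.ffff
 ! Broadcast (ARP) from either router or the HSRP virtual MAC
 permit host 0000.0c11.1111 host ffff.ffff.ffff
 permit host 0000.0c22.2222 host ffff.ffff.ffff
 permit host 0000.0c07.ac01 host ffff.ffff.ffff
!
! Catch-all used by the drop entry
mac access-list extended ANY-MAC
 permit any any
!
! Entry 10 forwards the permitted pairs, entry 20 drops everything else
vlan access-map RTR-PAIR-FILTER 10
 match mac address RTR-PAIR-ONLY
 action forward
vlan access-map RTR-PAIR-FILTER 20
 match mac address ANY-MAC
 action drop
!
vlan filter RTR-PAIR-FILTER vlan-list 100
```

Two caveats before relying on this. First, Catalyst documentation of this era describes MAC ACLs as filtering non-IP traffic; whether a `match mac address` clause in a VLAN map is consulted for IP frames on the 3550 should be checked against the 12.2(25)SEE configuration guide, since EIGRP and HSRP are both IP and an unknown host's IP traffic is exactly what this policy is meant to stop. Second, the map as written still gives no log of violations, which matches the post's complaint. A per-port alternative that does generate notifications on the 3550 is port security on the two router-facing ports (`switchport port-security`, a static `switchport port-security mac-address` for the router, and `switchport port-security violation restrict`), which drops non-matching source MACs and raises an SNMP trap and syslog message; it guards individual ports rather than the VLAN as a whole, so any other port carrying VLAN 100 would need the same treatment.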