[c-nsp] Filtering MAC addresses on a VLAN with a Catalyst 3550

Alex alex.arseniev at gmail.com
Fri May 12 11:01:46 EDT 2006


port-security might help as well... It has violation mode "restrict", which 
may be what you are looking for...
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.htm#wp1184844
restrict - When the number of secure MAC addresses reaches the limit allowed 
on the port, packets with unknown source addresses are dropped until you 
remove a sufficient number of secure MAC addresses or increase the number of 
maximum allowable addresses. An SNMP trap is sent, a syslog message is 
logged, and the violation counter increments.
This has to be configured on EVERY OTHER port (besides the ports which have 
routers plugged into them), but it should be trivial using "interface range" 
or macros...
Cheers
Alex


----- Original Message ----- 
From: "Capron, Mathew" <mcapron at aimnetsolutions.com>
To: <cisco-nsp at puck.nether.net>
Sent: Friday, May 12, 2006 3:41 PM
Subject: [c-nsp] Filtering MAC addresses on a VLAN with a Catalyst 3550


>
>
> Mathew S. Capron
> Principal Network Engineer
> AimNet Solutions, Inc.
> Define, Design, Deliver, Secure & Manage
> Phone:     508-893-8136
> Fax:         508-429-0500
> Email:      mcapron at aimnetsolutions.com
> URL:        http://www.aimnetsolutions.com
>
>
> I have a situation in which I need to have two routers that need to talk
> on a VLAN, and I need to ensure that only those two routers' MAC
> addresses can talk to each other.  If any other MACs somehow get
> plugged into that VLAN I need to deny and log it.
>
> I am using the latest code (Release 12.2(25)SEE) and have tried to use
> the VLAN filter/map functionality.  This allows me to filter on MAC
> addresses with a MAC ACL and an "action forward" statement on the first
> entry.  The second entry I can add a MAC access list to and have an
> "action drop" statement.  But since MAC ACLs don't have a log function
> and there is no "action log" as on the 6500 series, how can I get the
> 3550 to log violations to this policy?
>
> Or is there another way of doing this and still allow ONLY these
> two devices at the MAC address level to talk to each other on this VLAN?
>
> PS: EIGRP, Multicast, and HSRP (Don't ask - it's a customer thing) also
> traverse this link, so these need to be able to talk also, and I
> understand that at least multicast and HSRP also have a MAC address at
> Layer 2.
>
> - Mathew
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
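As an added example (this is not configuration from the thread or from Cisco's documentation; the VLAN number, interface numbers, MAC addresses, HSRP group and collector address are all assumptions), this is what the port-security approach suggested above looks like on a 3550 running 12.2(25)SEE. The two router-facing ports get the routers' real MAC addresses as static secure addresses; every other access port in the VLAN gets a placeholder secure address that no real host will ever use, so with "maximum 1" and "violation restrict" any frame from a foreign MAC is dropped, logged to syslog, trapped to SNMP and counted, which is the logging the VLAN access map could not provide:

```cisco
! Constructed example, not from the original post.
! Assumed: VLAN 100, routers on Fa0/1 (0011.2233.4455) and Fa0/2
! (0066.7788.99aa), HSRP group 1 (virtual MAC 0000.0c07.ac01),
! remaining access ports Fa0/3-24, syslog/SNMP collector 192.0.2.10.
!
! 1. Make sure the violation messages and traps actually leave the box.
logging host 192.0.2.10
logging trap informational
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c public port-security
!
! 2. Router-facing ports: only the router's own MAC may be a source.
!    Caveat: the active HSRP router can source frames from the HSRP
!    virtual MAC as well, so that address is secured too and the
!    maximum is raised to 2 on both router ports.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0000.0c07.ac01
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0066.7788.99aa
 switchport port-security mac-address 0000.0c07.ac01
 switchport port-security violation restrict
!
! 3. Every other port in the VLAN: pin the single allowed address to a
!    locally administered placeholder (assumed value) that nothing uses.
!    Any real host that gets plugged in is then an "unknown source
!    address" beyond the limit: dropped, syslogged, trapped, counted.
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0200.0000.0001
 switchport port-security violation restrict
!
! 4. Verify the state and the violation counters.
do show port-security
do show port-security interface FastEthernet0/3
do show port-security address
```

Two things to keep in mind when reading the output: port security only examines source MAC addresses, so multicast and HSRP destination addresses (0100.5exx.xxxx, 0000.0c07.acxx) are never a problem on their own, and the VLAN access map with the MAC ACL can stay in place as the filter while port security supplies the logging. If logging is not needed on the spare ports, shutting them down is the simpler and stricter option.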


