From: PhiL (theccie@gmail.com)
Date: Sun Feb 20 2005 - 15:27:27 GMT-3
If you want to block ARP requests from MAC 1111.1111.1111 and the PC
with MAC 1111.1111.1111 is connected on port f0/1, the following should
work:
mac access-list extended arp
deny host 1111.1111.1111 any 0x806 0x0
permit any any
!
interface FastEthernet0/1
mac access-group arp in
On Sat, 19 Feb 2005 01:50:09 -0500, nhqky888@ybb.ne.jp
<nhqky888@ybb.ne.jp> wrote:
> Hi,
>
> I tried mac access-list with ARP eth type code as follows,
>
> mac access-list extend arp
> permit any host ffff.ffff.ffff 0x806 0x0
> deny any any
>
> int fa 0/1
> switch access vlan 2
> switch mode access
> mac access-group arp in
>
> int fa 0/2
> switch access vlan 2
> switch mode access
>
> monitor session 1 source interface fa 0/2 rx
> monitor session 1 destina interface fa 0/10
>
> When source port is fa 0/1, all traffic is spanned to destin port,
> when source port is 0/2, only ARP is spanned to destin port,
> ( assume that ingress traffic enters into only fa 0/1)
>
> But other real traffic is filtered on source port because mac ACL has
> ONLY IN DIRECTION.
>
> If it had OUT direction, I may try to apply it to SPAN destin port.
>
> Any idea?
>
> Thanks,
>
> Katsu
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
-- PhiL
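
Added example (not part of the original thread and not switch code): a small Python model of first-match MAC ACL evaluation, run over the two access lists from the messages above. It assumes the EtherType mask marks "don't care" bits and that an unmatched frame hits an implicit deny; the helper names and sample frames are constructed for illustration.

```python
# Added illustration: simplified first-match model of a MAC extended ACL.
import struct

def mac_bytes(dotted):
    """'1111.1111.1111' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))

def parse_acl(text):
    """Parse '{permit|deny} {any|host MAC} {any|host MAC} [ethertype mask]'."""
    rules = []
    for line in text.strip().splitlines():
        action, *tok = line.split()
        addrs = []
        for _ in range(2):                      # source, then destination
            if tok[0] == "any":
                addrs.append(None)
                tok = tok[1:]
            else:                               # "host <mac>"
                addrs.append(mac_bytes(tok[1]))
                tok = tok[2:]
        etype = (int(tok[0], 16), int(tok[1], 16)) if tok else None
        rules.append((action, addrs[0], addrs[1], etype))
    return rules

def matches(rule, src, dst, etype):
    _, r_src, r_dst, r_type = rule
    if r_src not in (None, src) or r_dst not in (None, dst):
        return False
    if r_type is None:
        return True
    value, dont_care = r_type                   # mask bits set = ignored bits
    return (etype | dont_care) == (value | dont_care)

def evaluate(rules, frame):
    """First matching entry wins; no match hits the implicit deny."""
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    for rule in rules:
        if matches(rule, src, dst, etype):
            return rule[0]
    return "deny"

def arp_frame(src, dst, opcode):
    """Constructed sample frame: Ethernet header + start of ARP (1=request, 2=reply)."""
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, opcode))

REPLY_ACL = parse_acl("deny host 1111.1111.1111 any 0x806 0x0\npermit any any")
QUOTED_ACL = parse_acl("permit any host ffff.ffff.ffff 0x806 0x0\ndeny any any")
```

In this model both entries match on EtherType 0x806 alone, so the deny entry drops ARP replies from 1111.1111.1111 as well as requests, and the broadcast-only permit drops unicast ARP replies.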