Switch port IP and MAC ACLs

From: Filyurin, Yan (yan.filyurin@eds.com)
Date: Wed Mar 14 2007 - 23:55:48 ART


I was recently doing one of the Internetwork Expert labs (v4 lab 14,
task 2.5 to be exact) and I was presented with a scenario to configure
traffic filtering to accept traffic from a certain MAC address on a
regular L2 access switch port. The answer was to do a variation of port
security: allow one MAC address and make it a sticky port, if I
understood it correctly, and configure the MAC address on a device to match
the MAC address specified in the requirement, but I was wondering if
alternative solutions could be used. So I was thinking of using a
regular MAC-address-based named access list. I created one allowing
that particular MAC host and denying everything else, put it on the
switchport interface, and created a special SVI to be used for testing.
I tried pinging that SVI from the router device and it worked.

Then I went back to the router and changed the interface MAC address to
the burned-in address and tried pinging again, and it failed. I still,
however, had CDP neighbors established on both sides of the connection,
so somehow the CDP multicast traffic made it. Is that normal?

So my first question is: would that constitute an alternative solution
to a task like that? If you were a proctor, would you accept it?

My second question is, when it comes to port access lists, if I were to
define a MAC access list, would IP traffic be handled by that list, or
would I still have to do an IP access list to take care of IP traffic?
If I do both a MAC access list and an IP access list, does it mean that
the MAC access list would handle all non-IP traffic and the IP access list
would handle IP traffic?

This is what it seems like from documentation, but I wanted to be sure.

Thank you for assistance!

Yan
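For readers comparing the two approaches the post describes, the following Catalyst IOS configuration is an added illustration and is not part of the original message or of the Internetwork Expert lab answer. Interface names, VLAN 10, the MAC address 0000.0000.0001, the addresses 10.0.10.x and the ACL names are made up for the example. Option A is port security with a statically configured MAC (a sticky port would instead learn whichever MAC shows up first and write it into the running configuration); option B is the named MAC access list applied as a port ACL, shown alongside an IP port ACL because Cisco's Catalyst 3560-class documentation describes the IP port ACL as filtering IP packets and the MAC port ACL as filtering non-IP packets, which is the split the second question asks about. Behaviour of control-plane protocols such as CDP under a port ACL is platform-specific and is not asserted here.

```cisco
! SVI used only as a ping target for testing, as in the post (hypothetical address)
interface Vlan10
 ip address 10.0.10.254 255.255.255.0
!
! --- Option A: port security, the approach the lab answer used ---
! Binding the required MAC statically is deterministic; "sticky" would
! learn the first MAC seen and store it, so it only matches the task
! if the router's MAC is already set before the port comes up.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation restrict
!
! --- Option B: named MAC ACL applied as a port ACL, the alternative tried in the post ---
mac access-list extended ONLY_R1_MAC
 permit host 0000.0000.0001 any
 deny   any any
!
! IP port ACL on the same interface; on 3560-class switches it is the IP ACL,
! not the MAC ACL, that decides the fate of IP packets (hypothetical router IP)
ip access-list extended ONLY_R1_IP
 permit ip host 10.0.10.1 any
 deny   ip any any
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 mac access-group ONLY_R1_MAC in
 ip access-group ONLY_R1_IP in
!
! --- Verification after changing the router's MAC / pinging the SVI ---
! show port-security interface FastEthernet0/1
! show mac access-group interface FastEthernet0/2
! show access-lists
```

Port ACLs on these platforms are applied inbound only, so both `access-group` statements use `in`. The `show` commands at the end are the checks a practitioner would run before and after repeating the post's experiment (changing the router's interface MAC back to its burned-in address) to see which list is actually matching the traffic.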



This archive was generated by hypermail 2.1.4 : Sun Apr 01 2007 - 06:35:51 ART