how to filter based on ethertype ?

Discussion in 'Cisco' started by RJ45, Jul 27, 2004.

  1. RJ45

    RJ45 Guest

    Hello,
    I need to implement a MAC filter which allows certain
    mac addresses to pass and forbids all the other
    mac addresses but for these it should allow ethertype
    0x806 which is ARP requests.

    I did something like this.
    for example lets suppose

    0800.ac5a.12e3

    is allowed mac addres and all the others are not allowed.

    so I did:

    mac access-list extended mac1
    permit any any 0x806 0x0
    permit host 0800.ac5a.12e3 any
    deny any any

    but the first rule always takes precedence over the others.
    so any host is always permitted to do anything while
    I Wanted to permit only ARP requests for unregistered
    MAC Addresses on my LAN.

    is there a way to solve this problem with MAC acl ?

    thanks

    Rick
     
    RJ45, Jul 27, 2004
    #1
    1. Advertisements

  2. RJ45

    Solomon Guest

    What is the problem you are trying to solve?
     
    Solomon, Jul 28, 2004
    #2
    1. Advertisements

  3. RJ45

    RJ45 Guest

    Hi,
    the problem I am trying to solve is this.
    I have a LAN with public IPs and private IPs.
    The Public IPs are associated to mac addresses
    and I put these MAC Addresses in a mac extended ACL
    as permitted MAC Addresses to be routed out to
    the internet, the default rule is deny all all,
    in this way I prevent an unknown MAC Address to join the network
    stole an IP and do nasty things.
    THe problem is that the private IP on my network
    are natted by another machine and here is fine because
    this NAT machine MAC address is in the permit access list
    on the catalyst. THe problem rises when these privete IP
    on my network try to contact public IP on my same network,
    with internal routing,
    what happens is that the catalyst ACL blocks them.
    THe reason is the ARP reply.
    For this reason I WAnted to allow ARP requestes and replies
    to pass and deny all the rest.

    thanks

    Rick
     
    RJ45, Jul 29, 2004
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.