This sounds as if it should be simple, but it is giving me problems.
I have a 4506 switch with a number of VLANs. I have used access lists to implement a sort of reverse-path check on some VLANs, so that if the switch sees a packet sourced from an IP address that I do not expect to find on the VLAN, then it is denied.
So, now that I have packets hitting the "deny", and being logged, how can I find their source MAC address so I can trace them through the switches? They are not in the ARP cache because the "router" is not expecting to find them on that VLAN, and so never ARPs for them there. I tried setting a host route for that address to that VLAN, but that did not work; they are not answering even an ARP request to the rogue IP address.
It should be simple to find the MAC address, but I don't know how.
BTW, it is not practicable to snoop the whole VLAN because the volume of traffic through this switch is enormous, and the rogue packets are quite infrequent.
Can anyone tell me if there is any way to log the MAC address of a packet that hits a "deny" on an IP access list?
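As an added illustration (not part of the original post): IOS extended ACL entries accept a `log-input` keyword in place of `log`, and messages generated that way carry the ingress interface and source MAC in an "(interface mac)" field after the source address. The snippet below parses constructed sample syslog lines in that shape and groups the logged MACs per denied source IP; whether the 4506 supports `log-input` on hardware ACLs, and the exact message text, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, shaped like the IOS %SEC-6-IPACCESSLOG* messages.
# Lines 1-4 come from ACEs using `log-input` (note the "(Vlan10 <mac>)" field);
# the last line shows an ACE that used plain `log`, so no interface/MAC is present.
SAMPLE_LOG = """\
Mar  1 10:02:11.301: %SEC-6-IPACCESSLOGP: list RPF-VLAN10 denied tcp 10.20.5.7(40112) (Vlan10 0011.2233.4455) -> 10.10.0.1(443), 1 packet
Mar  1 10:02:15.118: %SEC-6-IPACCESSLOGDP: list RPF-VLAN10 denied icmp 10.20.5.7 (Vlan10 0011.2233.4455) -> 10.10.0.1 (8/0), 1 packet
Mar  1 10:03:40.902: %SEC-6-IPACCESSLOGP: list RPF-VLAN10 denied udp 192.168.77.3(5353) (Vlan10 00aa.bbcc.ddee) -> 224.0.0.251(5353), 3 packets
Mar  1 10:04:02.010: %SEC-6-IPACCESSLOGP: list RPF-VLAN10 denied tcp 10.20.5.7(40113) (Vlan10 0011.2233.4455) -> 10.10.0.1(443), 1 packet
Mar  1 10:04:30.555: %SEC-6-IPACCESSLOGP: list RPF-VLAN10 denied tcp 10.20.9.9(1024) -> 10.10.0.1(80), 1 packet
"""

# Source port "(nnn)" and the log-input "(iface mac)" field are both optional so that
# TCP/UDP, ICMP and plain-`log` variants all parse.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\(\d+\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_acl_log(text):
    """Yield one dict per ACL deny line; iface/mac are None when the ACE used plain `log`."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def rogue_sources(text):
    """Map each denied source IP to the sorted list of (ingress interface, MAC) pairs seen."""
    seen = defaultdict(set)
    for rec in parse_acl_log(text):
        pairs = seen[rec["src"]]          # keep the IP visible even if no MAC was logged
        if rec["mac"]:
            pairs.add((rec["iface"], rec["mac"]))
    return {ip: sorted(pairs) for ip, pairs in seen.items()}


if __name__ == "__main__":
    for ip, pairs in rogue_sources(SAMPLE_LOG).items():
        print(ip, pairs or "no MAC logged (ACE uses `log`, not `log-input`)")
```

With the MAC in hand, `show mac address-table address <mac>` on each switch gives the port to follow toward the source.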