We have a mac filter on a port of a Cisco 3560. That port connects to the uplink port of a 4-port unmanaged switch. It works great.
Today, a different 4-port switch was connected. I would expect that no traffic would pass since the mac address is wrong. Sure enough, the clients of the little 4-port switch could not communicate. So far, so good.
But I monitor the incoming communication on the filtered port on our 3560. And while the clients could not connect, I was still seeing a small amount of switch-to-switch communication occurring.
Shouldn't ALL communication be dropped when the mac filter is engaged? Why wasn't my graph a flat line? True, there wasn't much, but it wasn't zero. Why not?
Then this is a fault in Cisco's mac filter. What's the point of the filter if it still accepts packets from the far side? No banned device should get ANY information (even a single packet) from our network.
Or are the incoming packet counts (the basis of the graphs) incremented even if the packets are then dropped? That would explain the small traffic: they are ATTEMPTS to connect, but are dropped. No large traffic since the connections never complete so no application data roared across.
Of course, if that is indeed true, this would make my monitoring much more useful since I could see successful traffic (large spikes) as well as attempted but unsuccessful traffic (small spikes). As long as no info leaks to the outside to unknown devices, I guess it's good to see when attempts are made (so I can call the police).
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...