the IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.
Can I use any other method to control IP packets based on MAC address (permit IP packets from authorized MAC addresses, deny others)? Is there any sizing limit? (My customer has more than 3000 PCs.)
Port security is a good solution, but we must implement it at each edge switch. My customer really needs a solution that can centrally restrict unauthorized MAC addresses from accessing the network, so that only known and authorized MAC addresses can access the network.
It is centralized. You could set it up to where if the MAC detected on the port is not in the VLAN-MAC database, it will either shut the port down or just deny the frames from that MAC:
"The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting)."
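The VMPS lookup described in the quoted passage of the answer above, modelled as an added example (not code from the thread or from Cisco). The class name, the action strings, the sample MAC addresses and the VLAN numbers are constructed for illustration; the only behaviour modelled is what the quote states: a match returns the VLAN, and a miss is denied or shuts the port down depending on the secure mode setting.

```python
import re


def normalize_mac(mac):
    """Reduce colon, hyphen or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class VmpsModel:
    """Toy model of the central MAC-to-VLAN lookup (hypothetical helper)."""

    def __init__(self, mac_to_vlan, secure_mode):
        # Normalize once at load time so lookups do not depend on notation.
        self.db = {normalize_mac(m): v for m, v in mac_to_vlan.items()}
        self.secure_mode = secure_mode

    def query(self, source_mac):
        """Return (action, vlan) for the first packet of a new host."""
        vlan = self.db.get(normalize_mac(source_mac))
        if vlan is not None:
            return ("assign", vlan)       # match: VLAN number for the port
        if self.secure_mode:
            return ("shutdown-port", None)  # no match, secure mode on
        return ("deny", None)               # no match, secure mode off


# Constructed sample database: authorized MAC address -> VLAN number.
SAMPLE_DB = {
    "0011.2233.4455": 10,
    "00:11:22:33:44:66": 20,
}

if __name__ == "__main__":
    for secure in (False, True):
        vmps = VmpsModel(SAMPLE_DB, secure_mode=secure)
        for mac in ("00-11-22-33-44-55", "0011.2233.4466", "dead.beef.0001"):
            print(f"secure={secure} {mac} -> {vmps.query(mac)}")
```

Normalizing before the lookup matters for a list of several thousand hosts collected from different sources: the same address written in a different notation would otherwise be treated as unknown.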