blog.sarlok.com

Today I was subtly reminded why piling 3 class C's onto a single 802.1q sub-interface is a bad idea.
1327 broadcast packets per second, spat out again on 8 other ports wasn't a good thing. 12,000 packets per seconds of garbage tends to be a significant wrench in the works on a router that peaks at 20,000 under ideal circumstances. I'm sure there's some quirks I'm not accounting for with the performance lost over the module rather than the router itself, but meh.
Fortunately, it was from a single host with, what seems to be (after a closer inspection of the packet capture), a seriously damaged D-Link router. I know, I know! You can hardly believe it... a messed-up D-Link router!

As a result of this occurrence, I realized I should probably test MAC filtering on a router with IOS, as it's come up once or twice before for other various amusing reasons.

Unfortunately, the only feasible way I've found that works seems like a bit of a stupid hack.
Seeing as MAC filtering ACL's can only be applied to an L2 interface, ports configured for VLAN access or routing are a no-go. Though I was surprised that a dot1q trunk wouldn't work either... I may have to look into that one further some other time.

Soooo...

Works:

Does not work:

Now, if I could just get that to work with vlan sub-interfaces, it might be more useful. Oh-well... maybe if I'm feeling bored one day I'll give it another shot.
There might be a typo or two in there, but I've already shut down the sim and can't be bothered to start it up again to pull out the configs I wound up with.

Huh. 00:18am. On the plus side, It's friday I guess...