How to block traffic with U/L bit set, on certain ports on Catalyst 2950
Posted on 2006-05-15
We have some industrial terminals which can't handle a lot of network traffic.
So we isolated them with ACLs which only allow traffic to and from the proxy server that controls those terminals. No broadcasts, etc.
Works fine, except still a lot of unwanted traffic goes through.
With Ethereal we discovered that those packets do not have the terminals as destination, nor do they have the proxy server as source.
And still they get through. All those packets come from our MS Network Load Balanced servers. Using NLB sets the U/L bit of the MAC address, because NLB assigns its own MAC address to the NLB NICs.
Those packets are broadcast throughout the whole of our network, even bypassing the ACLs. Because of the high-speed backbone, those poor industrial terminals with 10 Mbps NICs and a DOS IP stack get on their knees.
How can we block this traffic? That is, all packets at layer 2 with the U/L bit set, on the ports of the terminals. (Using Catalyst 2950)
Urgent and difficult, so 500 points.
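As an added illustration (not part of the question or of any reply), the following Python script shows the bit test the poster is asking the switch to perform: the U/L bit is the 0x02 bit of the first octet of a MAC address, so a frame can be classified purely from its Ethernet header, before any IP ACL gets a look at it. The proxy, terminal and NLB-style addresses and the sample frames are all constructed here; the helper names are mine.

```python
"""Classify Ethernet frames by the U/L (locally administered) bit of the source
MAC, mirroring the layer-2 filter described in the question.
Added example: every MAC address and frame below is constructed."""
import struct

ETH_HDR_LEN = 14  # dst(6) + src(6) + ethertype(2)


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_from_str(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def is_locally_administered(mac: bytes) -> bool:
    # U/L bit: second-least-significant bit of the first octet (0x02).
    return bool(mac[0] & 0x02)


def is_group_address(mac: bytes) -> bool:
    # I/G bit: least-significant bit of the first octet (0x01): multicast/broadcast.
    return bool(mac[0] & 0x01)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into header fields and payload."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "payload": frame[ETH_HDR_LEN:]}


def classify(frame: bytes, proxy_mac: bytes, terminal_mac: bytes):
    """Return (forward, reason) for a frame arriving at a terminal port.

    Policy as the question describes it: drop anything whose source MAC has the
    U/L bit set, then allow only proxy <-> terminal traffic and nothing else."""
    hdr = parse_ethernet(frame)
    src, dst = hdr["src"], hdr["dst"]
    if is_locally_administered(src):
        return False, f"src {mac_to_str(src)} has U/L bit set (locally administered)"
    if src == proxy_mac and dst == terminal_mac:
        return True, "proxy -> terminal"
    if src == terminal_mac and dst == proxy_mac:
        return True, "terminal -> proxy"
    if is_group_address(dst):
        return False, f"group/broadcast dst {mac_to_str(dst)} not allowed"
    return False, f"{mac_to_str(src)} -> {mac_to_str(dst)} is not proxy/terminal traffic"


def build_frame(dst: bytes, src: bytes, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample addresses (hypothetical values, not from the question).
PROXY = mac_from_str("00:11:22:33:44:55")
TERMINAL = mac_from_str("00:aa:bb:cc:dd:ee")
NLB_STYLE = mac_from_str("02:bf:0a:00:00:07")   # first octet 0x02: U/L bit set
OTHER_HOST = mac_from_str("00:50:56:01:02:03")
BROADCAST = b"\xff" * 6

SAMPLES = {
    "proxy_to_terminal": build_frame(TERMINAL, PROXY),
    "nlb_flooded": build_frame(BROADCAST, NLB_STYLE),
    "nlb_unicast": build_frame(OTHER_HOST, NLB_STYLE),
    "stray_unicast": build_frame(TERMINAL, OTHER_HOST),
}


def run_samples() -> dict:
    """Classify every constructed sample frame."""
    return {name: classify(f, PROXY, TERMINAL) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (fwd, why) in run_samples().items():
        print(f"{name:18s} {'FORWARD' if fwd else 'DROP':7s} {why}")
```

The point of the script is the single `mac[0] & 0x02` test: that is the bit a layer-2 filter on the terminal ports has to match, and it is exactly what an IP ACL can never see, which is why the existing ACLs are bypassed by the flooded NLB frames.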