HP OpenVMS Systems

ask the wizard
Content starts here

Router-level Ethernet Security Filtering?

» close window

The Question is:

DECnet MAC Addresses and Cisco port security
We want to enable port security on out Cisco Routers. This feature disables a
 port if more than one Ethernet source address is seen on a given port.
DECnet changes the NIC's MAC address during boot, apparently before
 transmitting anything. Does DECnet, IP or LAT in any circumstance ever send
 packets with the Ethernet source address set to the "Hardware address"
 (08-00-2B... and the like), and not the
DECnet based "MAC address" (AA-00-04-00-xx-xx)?
It appears not (except for machines that MOP boot), but I would like to know
 for sure before enabling port security. Any packet transmitted with a
 different source Ethernet address will cause the port to shut down.
  Phil Tregoning

The Answer is :

  Existing OpenVMS networking protocols do use unique source addresses.
  For instance, an OpenVMS Cluster configuration will transmit and will
  use a special source address independent of the hardware address.
  The OpenVMS Wizard would thus not assume that there would be only one
  source IEEE 802.3 address eminating from an OpenVMS host; you may now
  be unable to successfully enable this option and/or you may well
  encounter future problems with this option if/when future changes are
  made to OpenVMS and its networking or when you enable specific options.
  (And such filtering would be difficult to locate.)
  The OpenVMS Wizard cannot recommend placing protocol or address filters
  among the hosts of an OpenVMS Cluster, for instance -- an OpenVMS Cluster
  is considered a single security domain, and the installation of filters
  within such configurations could result in instabilities and/or in
  potentially difficult-to-diagnose operational networking problems.

answer written or last revised on ( 24-NOV-2003 )

» close window