The Question is:
DECnet MAC Addresses and Cisco port security
We want to enable port security on our Cisco Routers. This feature disables a
port if more than one Ethernet source address is seen on a given port.
DECnet changes the NIC's MAC address during boot, apparently before
transmitting anything. Does DECnet, IP or LAT in any circumstance ever send
packets with the Ethernet source address set to the "Hardware address"
(08-00-2B... and the like), and not the
DECnet based "MAC address" (AA-00-04-00-xx-xx)?
It appears not (except for machines that MOP boot), but I would like to know
for sure before enabling port security. Any packet transmitted with a
different source Ethernet address will cause the port to shut down.
The Answer is:
Existing OpenVMS networking protocols do use unique source addresses.
For instance, an OpenVMS Cluster configuration will transmit and will
use a special source address independent of the hardware address.
The OpenVMS Wizard would thus not assume that there would be only one
source IEEE 802.3 address emanating from an OpenVMS host; you may now
be unable to successfully enable this option and/or you may well
encounter future problems with this option if/when future changes are
made to OpenVMS and its networking or when you enable specific options.
(And such filtering would be difficult to locate.)
The OpenVMS Wizard cannot recommend placing protocol or address filters
among the hosts of an OpenVMS Cluster, for instance -- an OpenVMS Cluster
is considered a single security domain, and the installation of filters
within such configurations could result in instabilities and/or in
potentially difficult-to-diagnose operational networking problems.
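
Added example (not part of the original question or the Wizard's answer): a Python check to run before enabling port security. It counts the distinct Ethernet source addresses seen per port and decodes any AA-00-04-00-xx-xx address back to its DECnet Phase IV area.node. The port names, sample addresses and function names are constructed for illustration; the observations would come from your own capture or the switch's address table.

```python
from collections import defaultdict

DECNET_PREFIX = bytes.fromhex("AA000400")  # AA-00-04-00-xx-xx, as in the question

def parse_mac(text):
    """Accept AA-00-04-00-01-04, aa:00:04:00:01:04 or aa00.0400.0104."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(digits)

def decnet_mac(area, node):
    """Phase IV area.node -> AA-00-04-00 + 16-bit (area*1024+node), low byte first."""
    if not (1 <= area <= 63 and 1 <= node <= 1023):
        raise ValueError("area must be 1-63 and node 1-1023")
    return DECNET_PREFIX + (area * 1024 + node).to_bytes(2, "little")

def decnet_address(mac):
    """Return 'area.node' for a DECnet-style MAC, or None for any other address."""
    if mac[:4] != DECNET_PREFIX:
        return None
    value = int.from_bytes(mac[4:], "little")
    return f"{value >> 10}.{value & 0x3FF}"

def audit(observations, limit=1):
    """Map port -> sorted source MACs for every port exceeding `limit` addresses."""
    seen = defaultdict(set)
    for port, mac in observations:
        seen[port].add(parse_mac(mac))
    return {p: sorted(m) for p, m in seen.items() if len(m) > limit}

def fmt(mac):
    return "-".join(f"{b:02X}" for b in mac)

# Constructed sample: (switch port, Ethernet source address) pairs.
SAMPLE = [
    ("Fa0/1", "08-00-2B-12-34-56"),   # hardware-style address, e.g. a MOP boot
    ("Fa0/1", "aa00.0400.0104"),      # same port after DECnet starts (node 1.1)
    ("Fa0/1", "AA-00-04-00-01-04"),   # same address, different notation
    ("Fa0/2", "aa:00:04:00:02:04"),   # node 1.2, one address only
]

if __name__ == "__main__":
    for port, macs in audit(SAMPLE).items():
        for mac in macs:
            print(port, fmt(mac), decnet_address(mac) or "non-DECnet")
```

Any port returned by `audit` would trip a one-address port-security limit and should be investigated before the feature is enabled.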