My main question is: under what circumstances would one use a MAC ACL vs. an IP ACL?
A few immediate thoughts:
- Just like an IP ACL, in L2 I need a source and destination MAC to filter on, and my immediate thought is "how would I ever know what the undesirable destination MACs are?"
- There will be a MAC address for every NIC on a device, so potentially my storage space for an ACL file is greatly reduced, and similarly the work required to make one is increased as compared to a single IP range that doesn't care about every NIC associated with that IP.
- Otherwise, why would I ever want an L3 ACL, for security reasons, since it is harder to spoof a MAC address? I understand I could potentially use both, but if I had to pick one or the other, what would I be losing out on?
Separate question: why can't I have an ACL that applies across several layers? For example, why can't I make a rule that denies a certain IP range to a certain MAC address?
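As an added illustration (not part of the original post and not any vendor's ACL implementation), here is a toy first-match ACL evaluator in Python in which each entry can match on source/destination MAC, on an IP prefix, or on both at once. All MAC and IP addresses are constructed. It makes the trade-off in the post concrete: a single L3 entry covers a whole prefix regardless of which NIC presents an address, while an L2 policy needs one entry per known NIC and says nothing about a NIC that is not in the inventory. A mixed entry (IP prefix to MAC) is, in this model, just a check on both fields; whether a given switch or firewall offers that depends on the product, which the post does not name.

```python
"""Toy first-match ACL evaluator with L2 (MAC), L3 (IP prefix) and mixed entries.

Constructed example. A field left as None is a wildcard. Entries are checked
top-down, the first match decides, and an ACL that matches nothing ends in an
implicit deny, as most real ACLs do.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-..', 'aa:bb:..' or 'aabb.ccdd.eeff' to lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: IPv4Address
    dst_ip: IPv4Address


@dataclass(frozen=True)
class Ace:
    """One access control entry; None means 'any' for that field."""
    action: str                             # "permit" or "deny"
    src_mac: Optional[str] = None           # exact L2 match (normalised form)
    dst_mac: Optional[str] = None
    src_net: Optional[IPv4Network] = None   # L3 prefix match
    dst_net: Optional[IPv4Network] = None

    def matches(self, f: Frame) -> bool:
        return (
            (self.src_mac is None or self.src_mac == norm_mac(f.src_mac))
            and (self.dst_mac is None or self.dst_mac == norm_mac(f.dst_mac))
            and (self.src_net is None or f.src_ip in self.src_net)
            and (self.dst_net is None or f.dst_ip in self.dst_net)
        )


def evaluate(acl: List[Ace], f: Frame) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# Constructed inventory: the subnet the policy is about, one MAC per NIC,
# plus the server those hosts must not reach.
HOSTS: Dict[str, str] = {
    "10.0.1.10": "aa:bb:cc:00:00:01",
    "10.0.1.11": "aa:bb:cc:00:00:02",
    "10.0.1.12": "aa:bb:cc:00:00:03",
}
SERVER_MAC = "00:11:22:33:44:55"
SERVER_IP = IPv4Address("10.0.2.5")
PERMIT_ANY = Ace("permit")

# L3 policy: one line for the whole prefix, whatever NIC sends it.
IP_ACL = [Ace("deny", src_net=IPv4Network("10.0.1.0/24"),
              dst_net=IPv4Network("10.0.2.0/24")), PERMIT_ANY]

# L2 policy: one line per NIC we know about.
MAC_ACL = [Ace("deny", src_mac=norm_mac(m), dst_mac=norm_mac(SERVER_MAC))
           for m in HOSTS.values()] + [PERMIT_ANY]

# Mixed policy: IP prefix on one side, MAC on the other, in a single entry.
MIXED_ACL = [Ace("deny", src_net=IPv4Network("10.0.1.0/24"),
                 dst_mac=norm_mac(SERVER_MAC)), PERMIT_ANY]


def run() -> Dict[str, Dict[str, object]]:
    """Apply each ACL to three constructed frames and report entry counts."""
    known = Frame(HOSTS["10.0.1.10"], SERVER_MAC, IPv4Address("10.0.1.10"), SERVER_IP)
    # a NIC not in the inventory, but addressed inside the prefix
    new_nic = Frame("aa:bb:cc:00:00:99", SERVER_MAC, IPv4Address("10.0.1.50"), SERVER_IP)
    # a known NIC presenting an address outside the prefix
    known_nic_other_ip = Frame(HOSTS["10.0.1.10"], SERVER_MAC, IPv4Address("192.168.9.9"), SERVER_IP)
    out = {}
    for name, acl in (("ip", IP_ACL), ("mac", MAC_ACL), ("mixed", MIXED_ACL)):
        out[name] = {
            "entries": len(acl),
            "known_host": evaluate(acl, known),
            "new_nic": evaluate(acl, new_nic),
            "known_nic_other_ip": evaluate(acl, known_nic_other_ip),
        }
    return out


if __name__ == "__main__":
    for acl_name, result in run().items():
        print(acl_name, result)
```

The entry counts grow with the NIC inventory for the MAC ACL only, and the two "unexpected" frames land on opposite sides of each policy: the IP entry catches any NIC inside the prefix but not a known NIC using an address outside it, while the MAC entries do the reverse. That is the gap the post is weighing when it asks what it would lose by choosing one layer.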