> the corresponding leg of the router. Then the snort box gets to see all
> packets to or from another network, and doesn't need to know about packets
> within a single network which are handled by the switch (or was the problem
> in this case that one host on a network was flooding another host on the same
> network ?).

A host on LAN1 spoofs packets with the source address of another host on LAN1 and sends them to the Internet. This is the scenario I am trying to deal with.
The Cisco router stores the MAC/IP table like arpwatch, by seeing ARP replies, so when I spoofed the address I could not see the spoofed IP/MAC pair when I retrieved it once more (yes, over SNMP). The solution Antony introduced here is what I am looking for. Ramin, I cannot see how a Cisco ACL can help here. I cannot tell whether the packet was spoofed or not if the spoofed address is in the same address range as the source and the router interface. I need MACs.

Maciej
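
The check Maciej is describing, as an added example that is not part of the original thread and not Antony's solution: a sniffer on the LAN learns IP/MAC pairs from ARP replies (the way arpwatch and the router's ARP cache do) and then flags any IPv4 frame whose source MAC disagrees with the MAC learned for its source IP. The Ethernet and ARP parsing is written from the standard header layouts; the hosts, MACs (locally administered 02:00:... addresses) and 192.0.2.0/24 addresses are constructed sample data, and `subnet_acl_permits` is a hypothetical stand-in for a source-subnet ACL, included only to show why such an ACL passes the spoofed packet.

```python
"""Flag same-LAN source spoofing by correlating IPv4 source IPs with MACs learned from ARP replies."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Decode an Ethernet frame into the fields the detector needs (ARP reply or IPv4 header)."""
    if len(frame) < 14:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    if etype == ETHERTYPE_ARP and len(payload) >= 28:
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
        if htype == 1 and ptype == ETHERTYPE_IPV4 and hlen == 6 and plen == 4:
            sha, spa, _tha, _tpa = struct.unpack("!6s4s6s4s", payload[8:28])
            return {"kind": "arp", "oper": oper, "sha": mac_str(sha), "spa": ip_str(spa)}
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        return {"kind": "ipv4", "src_ip": ip_str(payload[12:16]), "eth_src": mac_str(src)}
    return {"kind": "other"}


class SpoofDetector:
    """arpwatch-style IP->MAC table; IPv4 frames are checked against it."""

    def __init__(self):
        self.table = {}   # ip -> mac, learned from ARP replies
        self.alerts = []  # every anomaly seen, in order

    def feed(self, frame):
        info = parse_frame(frame)
        if info is None:
            return None
        if info["kind"] == "arp" and info["oper"] == ARP_REPLY:
            ip, mac = info["spa"], info["sha"]
            known = self.table.get(ip)
            if known is None:
                self.table[ip] = mac
            elif known != mac:
                # keep the first binding; a conflicting reply is itself suspicious (ARP poisoning)
                self.alerts.append(("arp-change", ip, known, mac))
            return None
        if info["kind"] == "ipv4":
            expected = self.table.get(info["src_ip"])
            if expected is not None and expected != info["eth_src"]:
                alert = ("spoof", info["src_ip"], expected, info["eth_src"])
                self.alerts.append(alert)
                return alert
        return None


def subnet_acl_permits(src_ip, lan="192.0.2.0/24"):
    """Hypothetical IP-only ACL on the LAN leg: permits any source inside the LAN range."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(lan)


# --- constructed sample frames (not captured traffic) ---
def build_arp_reply(sha, spa, tha, tpa):
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY) + sha + spa + tha + tpa
    return eth + arp


def build_ipv4(eth_src, eth_dst, src_ip, dst_ip):
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, dst_ip)  # checksum left 0
    return eth + ip


MAC_R, IP_R = bytes.fromhex("020000000001"), bytes([192, 0, 2, 1])    # router LAN leg
MAC_A, IP_A = bytes.fromhex("02000000000a"), bytes([192, 0, 2, 10])   # victim host A
MAC_B, IP_B = bytes.fromhex("02000000000b"), bytes([192, 0, 2, 11])   # spoofing host B
IP_EXT = bytes([198, 51, 100, 7])                                     # some Internet host


def run_scenario():
    """A and B answer the router's ARP; then B sends a packet using A's IP as source."""
    d = SpoofDetector()
    d.feed(build_arp_reply(MAC_A, IP_A, MAC_R, IP_R))
    d.feed(build_arp_reply(MAC_B, IP_B, MAC_R, IP_R))
    legit = d.feed(build_ipv4(MAC_A, MAC_R, IP_A, IP_EXT))
    spoofed = d.feed(build_ipv4(MAC_B, MAC_R, IP_A, IP_EXT))
    return d, legit, spoofed


if __name__ == "__main__":
    _, legit, spoofed = run_scenario()
    print("legit:", legit, "| spoofed:", spoofed)
    print("ACL permits spoofed source:", subnet_acl_permits("192.0.2.10"))
```

The spoofed frame carries a source IP that is inside the LAN range, so the subnet ACL passes it exactly as it passes the genuine one; only the source MAC gives it away. Note the detector keeps the first binding it learned and reports a conflicting ARP reply rather than re-keying the table, so an attacker cannot silence the check by first sending a forged reply; that is a different choice from arpwatch, which records the change.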
