User's guide

Filters
all traffic that does not match both fields.
All packets destined for the restricted computers (F, G, or H) will
be filtered unless the source address is the address of an
authorized user (B, C, or D). Only authorized users will be able to
access stations F, G, or H on LAN 2.
Note that the ATX is not storing information designed to identify
restricted devices or authorized or unauthorized users. Instead it is
using address information (which it does store) to act on filters
which have been carefully configured to meet a desired objective:
restrict access to certain devices to authorized users only.
Example 4 — Filtering by vendor ID
If you need to know where all of the equipment from a
particular vendor is located, you can set up a filter that matches
on the vendor ID. This could be useful if you
need to find all the adapter cards from a vendor that has just
released a new version of its driver software.
The first three bytes of a MAC address are always the vendor ID. To
filter by that ID, enter the vendor ID followed by three
octets of zeros as the range start and use ff:ff:ff:00:00:00 as the mask. For example,
Sun Microsystems' vendor ID is 08:00:20, so you would use:
Source Range: [NA] (True/False/NA)> true
Source Range Start: [00:00:00:00:00:00] >08:00:20:00:00:00
Source Range End: [00:00:00:00:00:00] >
Source Range Mask: [ff:ff:ff:ff:ff:ff] >ff:ff:ff:00:00:00
You could then set a threshold, so that an alarm would be sent
every time a packet with that vendor ID was processed. The alarm
would include the MAC address of the originating device. Over a
fixed amount of time, the probability is high that you would
receive an alarm for every device from the specified vendor
(the alarms would include some duplicates).
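
The following is an added example, not taken from the guide or from the ATX software. It shows how a start address and mask select a vendor ID, and how the resulting alarms collapse into one entry per device. It assumes a frame matches when the source address and the range start agree on every bit set in the mask; the function names and sample addresses are constructed for illustration.

```python
from collections import Counter

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into a 48-bit integer."""
    octets = mac.strip().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(octets), 16)

def masked_match(src: str, start: str, mask: str) -> bool:
    """Assumed rule: compare only the bits selected by the mask."""
    m = mac_to_int(mask)
    return (mac_to_int(src) & m) == (mac_to_int(start) & m)

def vendor_inventory(sources, start, mask):
    """Count alarms per source MAC so repeated alarms map to one device."""
    hits = Counter()
    for src in sources:
        if masked_match(src, start, mask):
            # Normalise case and separator so duplicates are recognised.
            hits[src.strip().lower().replace("-", ":")] += 1
    return hits

# Constructed sample: source addresses of frames that reached the filter.
SAMPLE_SOURCES = [
    "08:00:20:1a:2b:3c",
    "00:00:1d:44:55:66",   # different vendor ID: no alarm
    "08:00:20:1A:2B:3C",   # same device again (duplicate alarm)
    "08-00-20-7f-00-01",
    "08:00:21:00:00:01",   # differs in the third vendor byte: no alarm
]

START = "08:00:20:00:00:00"   # vendor ID followed by three zero octets
MASK = "ff:ff:ff:00:00:00"    # compare the first three bytes only

if __name__ == "__main__":
    for mac, alarms in sorted(vendor_inventory(SAMPLE_SOURCES, START, MASK).items()):
        print(f"{mac}  alarms={alarms}")
```

With the default mask ff:ff:ff:ff:ff:ff the same start address matches none of these devices, because all six bytes would have to equal 08:00:20:00:00:00.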