From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Tue Nov 27 2001 - 17:58:44 GMT-3
There is a feature called VLAN ACLs (VACL); however, it REQUIRES a
Supervisor with a PFC (Policy Feature Card).
Note that you can apply one VACL per protocol per VLAN; however, you can
apply the same VACL across multiple VLANs:
! Define VACL "TEST" - implicit deny any any at end of VACL
set security acl ip TEST permit tcp any any eq www
set security acl ip TEST permit tcp any any eq ftp
!
! Commit the VACL "TEST" to hardware
commit security acl TEST
!
! Apply VACL "TEST" to VLAN 10
set security acl map TEST 10
Note that VACLs are also useful for traffic capturing, in that you can
use a 'capture' keyword at the end of each VACL line. You define a
capture port (where any traffic that matches the VACL line is mirrored)
with the following command:
! Define capture port
set security acl capture-ports 4/1
!
! Define VACL "TEST" - capture only www traffic
set security acl ip TEST permit tcp any any eq www capture
set security acl ip TEST permit tcp any any eq ftp
This is one method by which the Catalyst 6000 Intrusion Detection System
Module (IDSM) can work.
Regards
Justin Menga CCIE#6640 CCDP CCNP+Voice+ATM MCSE+I CCSE
Network Solutions Architect
Compaq Computer NZ Ltd
Wireless & E-Infrastructure
Phone: +64-9-918-9381 Mobile: +64-21-349-599
http://www.compaq.co.nz
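As an added illustration (not part of Justin's post), the same VACL mechanism applied to Vincent's actual question: a VACL mapped to VLAN 10 that permits only two constructed host addresses and lets the implicit deny drop everything else. The ACL name, VLAN number and the 10.1.10.x addresses are assumptions; because a VACL is evaluated on every packet in the VLAN regardless of direction, traffic to the permitted hosts has to be allowed as well as traffic from them.

```text
! Added example: VACL restricting VLAN 10 to two permitted hosts
! 10.1.10.11 and 10.1.10.12 are constructed sample addresses
!
! Traffic sourced by the permitted hosts
set security acl ip VLAN10-HOSTS permit ip host 10.1.10.11 any
set security acl ip VLAN10-HOSTS permit ip host 10.1.10.12 any
!
! Return traffic destined to the permitted hosts (a VACL sees both
! directions, so without these lines replies would hit the implicit deny)
set security acl ip VLAN10-HOSTS permit ip any host 10.1.10.11
set security acl ip VLAN10-HOSTS permit ip any host 10.1.10.12
!
! Any other source or destination, i.e. a host attached with an unlisted
! address, falls through to the implicit "deny any any" at the end
!
! Commit the edit buffer to the PFC hardware
commit security acl VLAN10-HOSTS
!
! Map the VACL to VLAN 10 (one IP VACL per VLAN; the same VACL may be
! mapped to further VLANs with additional "set security acl map" lines)
set security acl map VLAN10-HOSTS 10
!
! Verify the committed entries and the VLAN mapping
show security acl info VLAN10-HOSTS
show security acl map VLAN10-HOSTS
```

Unlike port security, this filters by IP address for the whole VLAN rather than binding an address to a physical port, so a host on any port in VLAN 10 that uses one of the listed addresses is still permitted.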
-----Original Message-----
From: kwhudson@ventech.com [mailto:kwhudson@ventech.com]
Sent: Wednesday, 28 November 2001 3:37 a.m.
To: ccielab@groupstudy.com
Subject: Re: MAC and IP security in Catalyst
I think you can add a static ARP entry.
From: "Vincent Zhang" <vincentzhang@yahoo.com>
Sent by: nobody@groupstudy.com
Date: 11/26/01 09:55 PM
To: ccielab@groupstudy.com
Subject: MAC and IP security in Catalyst
Please respond to "Vincent Zhang"
Hi All,
We all know that, if port security is set up for a port in a Catalyst, only
the permitted MAC addr host can be attached to the port. Is there any
solution to set up port security at the IP level, so that only a configured IP
addr is permitted to be attached?
Thanks, V
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:23 GMT-3