RE: Catalyst 5000 Port Security

From: Bauer, Rick (BAUERR@xxxxxxxxxxx)
Date: Tue Jul 23 2002 - 14:24:00 GMT-3


   
In that case you need to add a static ARP to the router as well.

-----Original Message-----
From: Carlos A. Silva [mailto:carlos@mnet.com.mx]
Sent: Tuesday, July 23, 2002 2:54 PM
To: Bauer, Rick; 'ajitmohanraj'; Johnny Peterson
Cc: ccielab@groupstudy.com
Subject: RE: Catalyst 5000 Port Security

Hey, Rick:

Have you ever tried this? Because I did, and I never got it to work completely.
Sure, port security works like a charm, but the static ARP entry does not, in
the sense that, say this is a host on port x/y that has a gateway (router) on
the same VLAN: they will find each other at layer 2, not layer 3, so the static
ARP entry will never stop the router from seeing any IP you configure on the
host connected to the secure port.

(really interested)
Thanks,
Carlos.

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Bauer, Rick
> Sent: Tuesday, July 23, 2002 4:15 AM
> To: 'ajitmohanraj'; Johnny Peterson
> Cc: ccielab@groupstudy.com
> Subject: RE: Catalyst 5000 Port Security
>
>
> One way to accomplish this would be to use a combination of port security
> and a static ARP entry. Port security associates the MAC with the port and
> the static ARP would associate the IP address with the MAC, done. HTH...
>
> Rick, #9482
>
> -----Original Message-----
> From: ajitmohanraj [mailto:ajitmohanraj@vsnl.com]
> Sent: Tuesday, July 23, 2002 2:13 AM
> To: Johnny Peterson
> Cc: ccielab@groupstudy.com
> Subject: Fw: Catalyst 5000 Port Security
>
>
> Follow the example of the vlan-name "Purple" and watch how it ties up the
> MAC address -> to VLAN name -> to IP address -> to port at the end under the
> VLAN Port Policies!!
>
> Or am I missing something???
> ----- Original Message -----
> From: "ajitmohanraj" <ajitmohanraj@vsnl.com>
> To: "Johnny Peterson" <johnny@virtualrack.net>
> Cc: <ccielab@groupstudy.com>
> Sent: Tuesday, July 23, 2002 11:30 AM
> Subject: Re: Catalyst 5000 Port Security
>
>
> > Could you not work something out with the VMPS database, specifically
> > under the VLAN PORT POLICIES (as indicated towards the end of this sample
> > file, e.g.)?? I think that would answer the question sought.
> >
> > Regards
> > Ajit
> >
> >
> > VMPS Database Configuration File Example
> > This example shows a sample VMPS database configuration file. A VMPS
> > database configuration file is an ASCII text file that is stored on a TFTP
> > server accessible to the switch that functions as the VMPS server.
> >
> > !vmps domain <domain-name>
> > ! The VMPS domain must be defined.
> > !vmps mode { open | secure }
> > ! The default mode is open.
> > !vmps fallback <vlan-name>
> > !vmps no-domain-req { allow | deny }
> > !
> > ! The default value is allow.
> > vmps domain WBU
> > vmps mode open
> > vmps fallback default
> > vmps no-domain-req deny
> > !
> > !
> > !MAC Addresses
> > !
> > vmps-mac-addrs
> > !
> > ! address <addr> vlan-name <vlan_name>
> > !
> > address 0012.2233.4455 vlan-name hardware
> > address 0000.6509.a080 vlan-name hardware
> > address aabb.ccdd.eeff vlan-name Green
> > address 1223.5678.9abc vlan-name ExecStaff
> > address fedc.ba98.7654 vlan-name --NONE--
> > address fedc.ba23.1245 vlan-name Purple
> > !
> > !Port Groups
> > !
> > !vmps-port-group <group-name>
> > ! device <device-id> { port <port-name> | all-ports }
> > !
> > vmps-port-group WiringCloset1
> > device 198.92.30.32 port 3/2
> > device 172.20.26.141 port 2/8
> > vmps-port-group "Executive Row"
> > device 198.4.254.222 port 1/2
> > device 198.4.254.222 port 1/3
> > device 198.4.254.223 all-ports
> > !
> > !
> > !VLAN groups
> > !
> > !vmps-vlan-group <group-name>
> > ! vlan-name <vlan-name>
> > !
> > vmps-vlan-group Engineering
> > vlan-name hardware
> > vlan-name software
> > !
> > !
> > !VLAN port Policies
> > !
> > !vmps-port-policies {vlan-name <vlan_name> | vlan-group <group-name> }
> > ! { port-group <group-name> | device <device-id> port <port-name> }
> > !
> > vmps-port-policies vlan-group Engineering
> > port-group WiringCloset1
> > vmps-port-policies vlan-name Green
> > device 198.92.30.32 port 4/8
> > vmps-port-policies vlan-name Purple
> > device 198.4.254.22 port 1/2
> > port-group "Executive Row"
> >
> >
> > ----- Original Message -----
> > From: "Johnny Peterson" <johnny@virtualrack.net>
> > To: <ccielab@groupstudy.com>
> > Sent: Tuesday, July 23, 2002 7:16 AM
> > Subject: RE: Catalyst 5000 Port Security
> >
> >
> > > Port security on the Cat 5000/5500 series is restricted to Layer 2,
> > > which means you will only be able to restrict by MAC address.
> > >
> > > Regards,
> > > JP
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > alex fayn
> > > Sent: Monday, July 22, 2002 7:50 PM
> > > To: ccielab@groupstudy.com
> > > Subject: Catalyst 5000 Port Security
> > >
> > >
> > > Is it possible to restrict catalyst ports to specific ip addresses in
> > > addition to specific MAC addresses?
> > >
> > > Thanks
> > >
> > >
> > >
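Taking Rick's port security plus static ARP proposal and Carlos's objection together, here is a small Python model, added for this archive page and not written by anyone in the thread, of what each of the two controls actually checks: a switch that enforces a MAC-to-port binding at ingress and forwards by destination MAC only, and a router that holds a static IP-to-MAC entry and consults its ARP table only when it needs to send to an IP. The MAC addresses, IPs, port numbers and the single-VLAN lab layout are made up. The four checks are the cases discussed above: a foreign MAC on the secure port (dropped), the permitted MAC sourcing a different IP toward a same-VLAN peer (forwarded, the router never sees it), the same toward the router (accepted, and the new IP is learned dynamically when the router replies), and a forged ARP reply for the host's legitimate IP arriving at the router (ignored, which is what the static entry does buy).

```python
"""Toy model of a Layer-2 switch with port security plus a router holding a
static ARP entry, written for this thread to show which spoofing each control
stops. Not Cisco code; MAC addresses, IPs and port names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Switch:
    # port security: port -> the single source MAC allowed on it (L2 only)
    secure: dict = field(default_factory=dict)
    # CAM table: MAC -> port, learned from source MACs
    cam: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def ingress(self, port, frame):
        """Return the egress port, or None when port security drops the frame."""
        allowed = self.secure.get(port)
        if allowed is not None and frame.src_mac != allowed:
            self.violations.append((port, frame.src_mac))
            return None
        self.cam[frame.src_mac] = port
        # Forwarding is by destination MAC only; frame.src_ip is never inspected.
        return self.cam.get(frame.dst_mac)


@dataclass
class Router:
    ip: str
    mac: str
    arp: dict = field(default_factory=dict)   # ip -> mac
    static: set = field(default_factory=set)  # IPs pinned with a static entry

    def add_static_arp(self, ip, mac):
        self.arp[ip] = mac
        self.static.add(ip)

    def accepts(self, frame):
        """An inbound packet is accepted if addressed to the router's MAC; the
        ARP table is not consulted to validate the sender's IP/MAC pair."""
        return frame.dst_mac == self.mac

    def resolve(self, ip, reply_mac):
        """ARP resolution for an outbound packet: a static entry is authoritative,
        anything else is learned from whoever answers the ARP request."""
        if ip in self.static:
            return self.arp[ip]
        self.arp[ip] = reply_mac
        return reply_mac


# Constructed lab: host on secure port 3/1, a peer on 3/2, router on 3/24, one VLAN.
HOST_MAC, HOST_IP, HOST_PORT = "0050.3e12.3456", "10.1.10.50", "3/1"
PEER_MAC, PEER_IP, PEER_PORT = "0050.3e12.aaaa", "10.1.10.60", "3/2"
RTR_MAC, RTR_IP, RTR_PORT = "0000.0c07.ac0a", "10.1.10.1", "3/24"
SPOOF_IP, SPOOF_MAC = "10.1.10.99", "0050.3e12.bad0"


def build_lab():
    sw = Switch(secure={HOST_PORT: HOST_MAC})
    sw.cam.update({PEER_MAC: PEER_PORT, RTR_MAC: RTR_PORT})  # already learned
    rt = Router(ip=RTR_IP, mac=RTR_MAC)
    rt.add_static_arp(HOST_IP, HOST_MAC)  # the router-side binding from the thread
    return sw, rt


def mac_spoof_is_blocked():
    """Port security does its job: a foreign source MAC on 3/1 is dropped."""
    sw, _ = build_lab()
    return sw.ingress(HOST_PORT, Frame(SPOOF_MAC, PEER_MAC, HOST_IP, PEER_IP)) is None


def ip_spoof_to_peer_is_forwarded():
    """Same VLAN, host to host: the allowed MAC carries any source IP straight
    to the peer, and the router with its static ARP is never on the path."""
    sw, _ = build_lab()
    return sw.ingress(HOST_PORT, Frame(HOST_MAC, PEER_MAC, SPOOF_IP, PEER_IP)) == PEER_PORT


def ip_spoof_to_router_is_accepted():
    """Host to router: the packet is accepted, and when the router answers it
    learns 10.1.10.99 -> HOST_MAC dynamically; the static entry for 10.1.10.50
    is untouched and stopped nothing."""
    sw, rt = build_lab()
    f = Frame(HOST_MAC, RTR_MAC, SPOOF_IP, RTR_IP)
    delivered = sw.ingress(HOST_PORT, f) == RTR_PORT and rt.accepts(f)
    learned = rt.resolve(SPOOF_IP, HOST_MAC)
    return delivered and learned == HOST_MAC and rt.arp[HOST_IP] == HOST_MAC


def static_arp_resists_poisoning():
    """What the static entry does buy: a forged ARP reply claiming the host's
    legitimate IP from another MAC cannot overwrite the router's binding."""
    _, rt = build_lab()
    return rt.resolve(HOST_IP, SPOOF_MAC) == HOST_MAC


if __name__ == "__main__":
    for check in (mac_spoof_is_blocked, ip_spoof_to_peer_is_forwarded,
                  ip_spoof_to_router_is_accepted, static_arp_resists_poisoning):
        print(f"{check.__name__}: {check()}")
```

On a real Catalyst 5000 the switch side of this is `set port security <mod/port> enable <mac>` in CatOS and the router side is `arp <ip> <mac> arpa` in IOS; the model mirrors the fact that neither command looks at the other's layer, so together they give MAC-to-port and IP-to-MAC, but not IP-to-port.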



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:36:40 GMT-3