From: Adam Crisp (adam.crisp@totalise.co.uk)
Date: Thu Dec 12 2002 - 16:18:44 GMT-3
Actually, this may be wrong, but it all depends upon your interpretation.
If you want to block an IP/MAC from a particular port on a switch then I
think:
1. solution 1: ip access-group and mac access group ---- ok solution
2. ip access-group and port security ---- ok solution
3. static arp, no dynamic arp and port security ----- blocks access to the
switch vlan interface - but not other L2 ports in the same VLAN
What do you think?
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Adam Crisp
Sent: 12 December 2002 18:24
To: Robert Slaski
Cc: Andre Teku; 'Hedi Abdelkafi'; GroupStudy (E-mail)
Subject: RE: Switching port security- Follow up
nice one ;-)
-----Original Message-----
From: Robert Slaski [mailto:robin@atm.com.pl]
Sent: 12 December 2002 18:18
To: Adam Crisp
Cc: Andre Teku; 'Hedi Abdelkafi'; GroupStudy (E-mail)
Subject: Re: Switching port security- Follow up
Adam Crisp wrote:
> vlan acl then, but the ip access-list is the best way (but not allowed!)
>
Well, an idea has come and hit me straight in me head ;-)
Of course static ARP will work, but you have to _disable dynamic ARPs_
on this interface as well.
So here is the complete solution:
(config)# arp 10.10.10.10 AAAA.BBBB.CCCC arpa
(config)# int fa0/1
(config-if)# no arp arpa
(config-if)# switchport port-security
(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
(config-if)# switchport port-security maximum 1
mikrobi,
-- . .
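Added example (not part of the original thread): a Python check that a saved switch configuration contains every piece of Robert's static-ARP plus port-security setup for a given port. The sample configs are constructed and the function names are this example's own; a missing "maximum" line is treated as the default of 1.

```python
import re
# Constructed sample configs (not from the thread). WEAK leaves dynamic ARP
# enabled and pins no MAC address on the port.
GOOD = """\
arp 10.10.10.10 aaaa.bbbb.cccc ARPA
interface FastEthernet0/1
 no arp arpa
 switchport port-security
 switchport port-security mac-address aaaa.bbbb.cccc
 switchport port-security maximum 1
"""
WEAK = """\
arp 10.10.10.10 aaaa.bbbb.cccc ARPA
interface FastEthernet0/1
 switchport port-security
"""

def parse(config):
    """Return (static_arp {ip: mac}, interfaces {name: [lowercased lines]})."""
    static_arp, interfaces, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip().lower()
        m = re.match(r"arp (\S+) ([0-9a-f.]+) arpa$", line)
        if raw.startswith("interface "):
            current = interfaces.setdefault(raw.split(None, 1)[1].strip(), [])
        elif not raw.startswith(" "):
            current = None          # back at global configuration level
            if m:
                static_arp[m.group(1)] = m.group(2)
        elif current is not None:
            current.append(line)    # indented line belongs to the interface
    return static_arp, interfaces

def audit(config, iface, ip):
    """List the pieces of the static-ARP + port-security setup that are missing."""
    static_arp, interfaces = parse(config)
    lines, mac, gaps = interfaces.get(iface, []), static_arp.get(ip), []
    if mac is None:
        gaps.append("no static ARP entry for " + ip)
    if "no arp arpa" not in lines:
        gaps.append("dynamic ARP still enabled on " + iface)
    if "switchport port-security" not in lines:
        gaps.append("port security not enabled")
    if mac is None or "switchport port-security mac-address " + mac not in lines:
        gaps.append("port-security MAC does not match the static ARP MAC")
    mx = [l for l in lines if l.startswith("switchport port-security maximum ")]
    if mx and mx[0].split()[-1] != "1":   # absent line = default of 1
        gaps.append("port-security maximum is not 1")
    return gaps
```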
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:44 GMT-3