Re: Switching port security- Follow up

From: Robert Slaski (robin@atm.com.pl)
Date: Thu Dec 12 2002 - 17:13:25 GMT-3


Adam Crisp wrote:
> Actually, this may be wrong, but it all depends upon your interpretation.
>
> If you want to block an IP/MAC from a particular port on a switch then I
> think:
>
> 1.solution 1
> ip access-group and mac access group ---- ok solution
>
> 2. ip access-group and port security ---- ok solution
>
> 3. static arp, no dynamic arp and port security ----- blocks access to the
> switch vlan interface - but not other L2 ports in the same VLAN

My solution is not complete, but it's the only one we can apply based on
the requirements we had. Of course, ARPs work at the router level, so
their static configuration would block traffic crossing VLANs only
(solution 3). At the bridge level Cisco supports port/MAC access lists
(port level) and so-called VLAN maps (VLAN level). In this case any
access lists are prohibited by the requirements, and VLAN maps would
also block this IP on other ports in a given VLAN.

As you see, there might be a better solution, but this depends on the
context (e.g. if there's no routing on a given switch, my solution will
be useless).

OT: L2-L4 access lists applicable at the bridge level are a fascinating
feature, especially in such a tiny box. One might think "Wow! Cisco is
great for inventing such a fascinating technology". But note that other
vendors did this years ago (I would especially mention here the
Cabletron/Enterasys SmartSwitch series, which not only allows L2-L4
filtering at the bridge port level but also L2-L4 based VLAN classification
and 802.1Q CoS tagging).

mikrobi,

-- 
.
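A constructed Cisco IOS configuration fragment illustrating the three scopes the thread compares (port-level IP/MAC ACLs, port security, a VLAN map, and a static ARP entry); it is an added example, not configuration from either poster. The interface names, VLAN number, address 192.0.2.10 and MAC addresses are placeholders, and exact syntax varies by Catalyst platform and IOS release.

```cisco
! Added example, not from the thread. Placeholders: 192.0.2.10 / 0000.1111.2222
! is the host to restrict, Fa0/1 is its port, VLAN 10 is its VLAN.

! --- Solution 1: port-level IP + MAC ACLs (PACLs) on the single port ---
! Scope: this port only; other ports in VLAN 10 are unaffected.
ip access-list extended BLOCK-IP
 deny   ip host 192.0.2.10 any
 permit ip any any
!
mac access-list extended BLOCK-MAC
 deny   host 0000.1111.2222 any
 permit any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group BLOCK-IP in
 mac access-group BLOCK-MAC in

! --- Solution 2: port security instead of a MAC ACL ---
! Only the listed MAC may source frames on the port; any other MAC is a violation.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.3333.4444
 switchport port-security violation shutdown

! --- VLAN map: too broad for the thread's case, shown for contrast ---
! Scope: drops the host's traffic on EVERY port of VLAN 10, not just one port.
ip access-list extended MATCH-HOST
 permit ip host 192.0.2.10 any
!
vlan access-map DROP-HOST 10
 match ip address MATCH-HOST
 action drop
vlan access-map DROP-HOST 20
 action forward
vlan filter DROP-HOST vlan-list 10

! --- Solution 3: static ARP on the routing side ---
! Binds the IP to one MAC in the router's ARP table, so a station on another
! MAC claiming that IP gets no routed replies; pure L2 traffic inside VLAN 10
! still reaches it, which is the limitation the thread points out.
arp 192.0.2.10 0000.1111.2222 arpa
```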


This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:44 GMT-3