From: A (aparadela@myacc.net)
Date: Thu Jan 16 2003 - 12:43:55 GMT-3
Going back to the original question, how about:
arp 192.168.1.8 3333.4444.5555 arpa vlan42
! or maybe even fa0/3
int fa0/3
 switchport mode access
 switchport access vlan 42
 ! enable port security; the port-security settings below are inactive without this
 switchport port-security
 switchport port-security mac-address 3333.4444.5555
 switchport port-security maximum 1
 switchport port-security violation restrict
end
Alex
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Adam Crisp
Sent: Monday, December 16, 2002 1:06 PM
To: Mark Vann; Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
Subject: RE: 3550 security
Mark, if you search back on group study you'll see me complaining about the
"ip access-group" bug. ;-(
The workaround is to create a "permit all" access-group and apply it to all
other interfaces.
You need to do this if you use a "mac access-group" as well, although the
"bug/feature" only happens after you reboot the switch.
I'm not sure I'm completely happy with Bob's statement saying the IP address
is a red herring.
As it happens the 3550 has a brilliant feature where you can deny access to
L3 IP addresses, when the switch is in L2 mode..... you just need to massage
the switch when using "ip access-group". If the switch was a 5500, then I
would tend to agree that it could be a red herring.
If anybody can tell me how to not get the bug that Mark describes then
please shout!
Adam
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mark Vann
Sent: 14 December 2002 23:48
To: Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
Subject: Re: 3550 security
Heh, using an ip access list on the switch caused a
bug for me, the whole switch would not pass traffic.
Just my .02
--- Bob Sinclair <bsin@cox.net> wrote:
> I think the IP information in the question is a red herring - it is there
> only to complicate and confuse. If your port is a layer 2 port, then by
> definition it has no knowledge of the IP address. I would do port security
> using the MAC address and leave it at that.
>
> -Bob Sinclair
> CCIE #10427
>
> ----- Original Message -----
> From: "Massimiliano Tognon" <mtognon@tecnonetspa.it>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, December 14, 2002 5:57 AM
> Subject: 3550 security
>
>
> > hi folks, question for you...
> > how can i secure a 3550 port?
> > question is :
> > i can allow only 1 pc with specific mac-address (something like
> > 3333.4444.5555) AND specific IP ADDRESS (something like 192.168.1.8).
> > for mac-address i think to use port security, but what can i use for ip
> > address?
> > 3550 fasteth is a layer 2 port not a routed (layer3) port...
> > any idea ?
> >
> > thanks
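
Added example, not part of the thread or any poster's configuration: a Python check that an interface stanza in a saved running-config has what the thread discusses for the port (port security enabled, one static secure MAC, an inbound IP ACL limited to the one host). The config excerpt, the ACL name ONLY-PC and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not taken from the thread's switch).
SAMPLE = """\
ip access-list extended ONLY-PC
 permit ip host 192.168.1.8 any
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 3333.4444.5555
 ip access-group ONLY-PC in
!
interface FastEthernet0/4
 switchport port-security maximum 2
 switchport port-security mac-address 3333.4444.5555
!
"""

def stanzas(config, keyword):
    """Map stanza name -> indented sub-commands for every 'keyword <name>' block."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(keyword + " "):
            current = out.setdefault(line[len(keyword):].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return out

def audit_port(config, port, mac, ip):
    """Return findings for one access port; an empty list means it passes."""
    cmds = stanzas(config, "interface").get(port, [])
    acls = stanzas(config, "ip access-list extended")
    found = []
    if "switchport port-security" not in cmds:  # sub-options alone do not enable it
        found.append("port security not enabled")
    if f"switchport port-security mac-address {mac}" not in cmds:
        found.append("static secure MAC missing")
    if any(int(m.group(1)) > 1 for c in cmds
           if (m := re.fullmatch(r"switchport port-security maximum (\d+)", c))):
        found.append("more than one secure MAC allowed")
    bound = [c.split()[2] for c in cmds if re.fullmatch(r"ip access-group \S+ in", c)]
    if not bound:
        found.append("no inbound IP ACL")
    elif acls.get(bound[0]) != [f"permit ip host {ip} any"]:
        found.append("inbound ACL is not limited to the one host")
    return found
```

The check only reads configuration text; it says nothing about the "ip access-group" behaviour Mark and Adam report, which has to be verified on the switch itself.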
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:51 GMT-3