RE: 3550 port security w/o L2 or L3 access-list

From: Olive, Darren (Darren.Olive@globalcrossing.com)
Date: Thu Feb 06 2003 - 11:00:30 GMT-3


Does switching off ARP work in this scenario?

When using port security to allow only the specified MAC, can we assign the
port to a unique VLAN and use a VLAN map to permit only the 1.1.1.1 IP
address for that VLAN? That is of course assuming that Layer 3 routing is
available to allow the 1.1.1.1 IP to talk to other devices. Not too sure on
the exact wording of the scenario though as a VLAN map would require a L3
access-list to match the 1.1.1.1 address.

Can anyone clarify whether this is the correct solution to this problem?

 -----Original Message-----
From: KT Wee [mailto:cciekt@yahoo.com]
Sent: 06 February 2003 13:29
To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
Subject: RE: 3550 port security w/o L2 or L3 access-list

I cleared the arp cache before changing the ip address. Didn't help.

Sam.MicroGate@usa.telekom.de wrote:
Did you clear the arp cache before changing the IP address?

Sam

-----Original Message-----
From: KT Wee [mailto:cciekt@yahoo.com]
Sent: Thursday, February 06, 2003 7:18 AM
To: ccielab@groupstudy.com
Subject: 3550 port security w/o L2 or L3 access-list

Hi Guys,

Got a scenario on 3550. Only allow packets with mac-address 1234.1234.1234
and ip address 1.1.1.1 to access port fa0/1. Cannot use L2 or L3 access
list. I thought of using switchport port-security and arp static mapping as
follows:

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 1234.1234.1234

arp 1.1.1.1 1234.1234.1234 ARPA

I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
still able to ping to 1.1.1.2. This would go against the condition that only the
host with 1.1.1.1 is allowed. I saw some similar thread before but can't
find anything in the archive. Please help, thanks.

Regards




This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:12 GMT-3