RE: 3550 port security w/o L2 or L3 access-list

From: Michael L. Williams (MichaelWilliams@swbell.net)
Date: Thu Feb 06 2003 - 13:50:06 GMT-3


Turning on port security and making a static arp entry for 1.1.1.1
wouldn't keep you from pinging any other IP that the device may be
using. So if you use the config as below, and change the IP on the
device with mac 1234.1234.1234 to 1.1.1.2, arp should still operate
normally and there would then be an arp entry for 1.1.1.2 with mac
1234.1234.1234.

Mike W.

-----Original Message-----
From: KT Wee [mailto:cciekt@yahoo.com]
Sent: Thursday, February 06, 2003 7:18 AM
To: ccielab@groupstudy.com
Subject: 3550 port security w/o L2 or L3 access-list

Hi Guys,

Got a scenario on 3550. Only allow packet with mac-address
1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot use
L2 or L3 access list. I thought of using switchport port-security and ARP
static mapping as follows:

interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 1234.1234.1234

arp 1.1.1.1 1234.1234.1234 ARPA

I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
still able to ping to 1.1.1.2. This would go against the condition only
the host with 1.1.1.1 is allowed. I saw some thread similar before but
can't find anything in the archive. Please help, thanks.
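A small Python model of the behaviour Mike describes, added here as an illustration and not part of the thread: port security admits frames by source MAC alone, so the same MAC with the readdressed host 1.1.1.2 is still forwarded and learned into ARP, while a frame from a different MAC is dropped. The switch model and its class names are assumptions for illustration, not 3550 code.

```python
"""Why MAC-based port security plus a static ARP entry does not pin a
host to one IP address (simplified model, constructed for illustration).

Simplification of the 3550 behaviour under discussion: port security
inspects only the source MAC of ingress frames, and the ARP cache is keyed
by IP, so a static entry for 1.1.1.1 says nothing about frames that claim
1.1.1.2 from the same MAC."""

from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str   # Cisco dotted format, e.g. "1234.1234.1234"
    src_ip: str


@dataclass
class AccessPort:
    allowed_macs: set                          # switchport port-security mac-address ...
    arp: dict = field(default_factory=dict)    # ip -> mac, static entries included
    violations: list = field(default_factory=list)

    def ingress(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded, False if port security drops it."""
        if frame.src_mac not in self.allowed_macs:
            self.violations.append(frame.src_mac)   # real switch: violation action
            return False
        # Port security is satisfied by the MAC alone; the ARP cache then
        # learns whatever IP the sender claims, alongside the static entry.
        self.arp[frame.src_ip] = frame.src_mac
        return True


def build_port() -> AccessPort:
    """The configuration from the original post: one secure MAC, one static ARP entry."""
    port = AccessPort(allowed_macs={"1234.1234.1234"})
    port.arp["1.1.1.1"] = "1234.1234.1234"      # arp 1.1.1.1 1234.1234.1234 ARPA
    return port


def demo() -> dict:
    """Run the three cases from the thread and return what the port did."""
    port = build_port()
    return {
        "expected_host": port.ingress(Frame("1234.1234.1234", "1.1.1.1")),
        "readdressed_host": port.ingress(Frame("1234.1234.1234", "1.1.1.2")),
        "other_mac": port.ingress(Frame("dead.beef.0001", "1.1.1.1")),
        "arp_table": dict(port.arp),
    }


if __name__ == "__main__":
    print(demo())
```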


