Re: RE: 3550 port security w/o L2 or L3 access-list

From: Cezar Fistik (cfistik@moldovacc.md)
Date: Thu Feb 06 2003 - 20:08:18 GMT-3


I think, according to the scenario conditions, that the original solution is
the only good one. It will work perfectly if we only add the following line
under the catalyst interface configuration

switchport port-security maximum 1

This is from the Cisco config guide:

switchport port-security maximum {value}
- (Optional) Set the maximum number of secure MAC addresses for the
interface. The range is 1 to 128; the default is 128.

switchport port-security mac-address {mac-address}
- (Optional) Enter a secure MAC address for the interface. You can use
this command to enter the maximum number of secure MAC addresses.
If you configure fewer secure MAC addresses than the maximum, the
remaining MAC addresses are dynamically learned.

In combination with a static arp entry this should work.

Any comments?

Regards.

Cezar Fistik
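Added illustration, not code from this thread or from Cisco: a small Python model of the address-learning rules quoted above, run against KT Wee's interface with the default maximum and with `maximum 1`; the MAC `abcd.abcd.abcd` is a constructed second host. It shows which frames port security alone rejects (a further MAC once the limit is reached) and that the source IP never enters the decision.

```python
"""Toy model of Catalyst 3550 port security address learning, following the
config-guide rules quoted in the thread: a port keeps at most `maximum` secure
MACs, static ones count toward the limit, and any remaining slots are filled by
dynamic learning. Port security inspects only the source MAC of a frame, so the
source IP never enters the decision. Constructed example, not Cisco code."""

from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 128                       # IOS default quoted in the thread
    static_macs: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    violations: list = field(default_factory=list)

    def ingress(self, src_mac: str, src_ip: str) -> bool:
        """Return True if the frame is forwarded, False on a violation."""
        if src_mac in self.static_macs or src_mac in self.learned:
            return True                      # secure MAC; src_ip is not checked
        if len(self.static_macs) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)        # free slot: learn it dynamically
            return True
        self.violations.append((src_mac, src_ip))
        return False


def original_config() -> SecurePort:
    """KT Wee's interface: one static secure MAC, maximum left at default."""
    return SecurePort(static_macs={"1234.1234.1234"})


def with_maximum_one() -> SecurePort:
    """Same interface plus 'switchport port-security maximum 1'."""
    return SecurePort(maximum=1, static_macs={"1234.1234.1234"})


def demo() -> dict:
    """Run the three cases discussed in the thread against both configs."""
    cases = [("1234.1234.1234", "1.1.1.1"),   # the allowed host
             ("1234.1234.1234", "1.1.1.2"),   # same host, IP changed
             ("abcd.abcd.abcd", "1.1.1.1")]   # a different MAC (constructed)
    results = {}
    for name, port in (("default_max", original_config()),
                       ("max_one", with_maximum_one())):
        results[name] = [port.ingress(mac, ip) for mac, ip in cases]
    return results
```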

---------enyi abajue wrote:
>Hi,
>I am not too sure I can agree, there are three types of ACLs for the 3550
>viz Router (L3) ACLs, Port (L2) ACLs and Vlan access-maps and the
>requirement was not to use L3 nor L2 ACLs, where I really worry is whether
>putting the port in a separate Vlan is an issue as only flows with that ip
>address or mac address as source will be allowed in any direction within
>the vlan.
> Sam.MicroGate@usa.telekom.de wrote: Forgot this one. The requirement for
>this question is not to use an access
>list. Vlan map needs either name mac extended access list or an access
>list.
>Therefore the vlan map solution does not meet the requirements.
>
>Sam
>
>
>
>
>-----Original Message-----
>From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
>Sent: Thursday, February 06, 2003 9:29 AM
>To: 'Sam.MicroGate@usa.telekom.de'; 'cciekt@yahoo.com';
>'ccielab@groupstudy.com'
>Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
>
>I wonder could you use a vlan-access-map in conjunction with port security
>
>Put port in vlax x
>Add port security for the mac-address you want,
>And the add a vlan-access-map for this vlan stating traffic only from the
>particular ip address you want,
>This might achieve the desired solution.
>
>Just throwing up ideas..
>
>-----Original Message-----
>From: Sam.MicroGate@usa.telekom.de [mailto:Sam.MicroGate@usa.telekom.de]
>Sent: 06 February 2003 13:31
>To: cciekt@yahoo.com; Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
>Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
>Any input/help from the 3550 experts out there?
>
>Sam
>
>
>-----Original Message-----
>From: KT Wee [mailto:cciekt@yahoo.com]
>Sent: Thursday, February 06, 2003 8:29 AM
>To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
>Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
>
>I clear the arp cache before changing the ip address. Didn't help.
>
>
>Sam.MicroGate@usa.telekom.de wrote:
>
>
>Did you clear the arp cache before changing the IP address?
>
>Sam
>
>
>-----Original Message-----
>From: KT Wee [mailto:cciekt@yahoo.com]
>Sent: Thursday, February 06, 2003 7:18 AM
>To: ccielab@groupstudy.com
>Subject: 3550 port security w/o L2 or L3 access-list
>
>
>Hi Guys,
>
>Got a scenario on 3550. Only allow packet with mac-address 1234.1234.1234
>and ip address 1.1.1.1 to access port fa0/1. Cannot use L2 or L3 access
>list. I thought of using switchport port-security and arp static mapping as
>follow:
>
>interface FastEthernet0/1
>switchport mode access
>switchport port-security
>switchport port-security mac-address 1234.1234.1234
>
>arp 1.1.1.1 1234.1234.1234 ARPA
>
>I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
>still able to ping to 1.1.1.2. This would go against the condition only the
>host with 1.1.1.1 is allowed. I saw some thread similar before but can't
>find anything in archive. Please help thanks.
>
>
>
>Regards
>
>
>



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:13 GMT-3