From: Evgeny Tantsura (ivgen@castel.nl)
Date: Thu Feb 06 2003 - 20:30:00 GMT-3
But it doesn't work..
With arp timeout=0, with clear arp-cache and all the stuff.
Does anybody know a practical (not theoretical) solution to this?
Not what you think, but what you've tested.
> I think, according to scenario conditions, that the original solution is
> the only good one. It will work perfectly if we only add the following line
> under catalyst interface configuration
>
> switchport port-security maximum 1
>
> This is from the Cisco config guide:
>
> switchport port-security maximum {value}
> - (Optional) Set the maximum number of secure MAC addresses for the
> interface. The range is 1 to 128; the default is 128.
>
>
> switchport port-security mac-address {mac-address}
> - (Optional) Enter a secure MAC address for the interface. You can use
> this command to enter the maximum number of secure MAC addresses.
> If you configure fewer secure MAC addresses than the maximum, the
> remaining MAC addresses are dynamically learned.
>
>
> In combination with a static arp entry this should work.
>
> Any comments?
>
> Regards.
>
> Cezar Fistik
>
>
> ---------enyi abajue wrote:
> >Hi,
> >I am not too sure I can agree; there are three types of ACLs for the 3550,
> viz. Router (L3) ACLs, Port (L2) ACLs and VLAN access-maps, and the
> requirement was not to use L3 nor L2 ACLs. Where I really worry is whether
> putting the port in a separate VLAN is an issue, as only flows with that IP
> address or MAC address as source will be allowed in any direction within
> the VLAN.
> > Sam.MicroGate@usa.telekom.de wrote: Forgot this one. The requirement for
> this question is not to use an access
> >list. A VLAN map needs either a named MAC extended access list or an access
> list.
> >Therefore the VLAN map solution does not meet the requirements.
> >
> >Sam
> >
> >
> >
> >
> >-----Original Message-----
> >From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> >Sent: Thursday, February 06, 2003 9:29 AM
> >To: 'Sam.MicroGate@usa.telekom.de'; 'cciekt@yahoo.com';
> >'ccielab@groupstudy.com'
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >
> >I wonder could you use a vlan-access-map in conjunction with port security
> >
> >Put port in vlax x
> >Add port security for the mac-address you want,
> >And the add a vlan-access-map for this vlan stating traffic only from the
> >particular ip address you want,
> >This might achieve the desired solution.
> >
> >Just throwing up ideas..
> >
> >-----Original Message-----
> >From: Sam.MicroGate@usa.telekom.de [mailto:Sam.MicroGate@usa.telekom.de]
> >Sent: 06 February 2003 13:31
> >To: cciekt@yahoo.com; Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >Any input/help from the 3550 experts out there?
> >
> >Sam
> >
> >
> >-----Original Message-----
> >From: KT Wee [mailto:cciekt@yahoo.com]
> >Sent: Thursday, February 06, 2003 8:29 AM
> >To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >
> >I cleared the arp cache before changing the IP address. Didn't help.
> >
> >
> >Sam.MicroGate@usa.telekom.de wrote:
> >
> >
> >Did you clear the arp cache before changing the IP address?
> >
> >Sam
> >
> >
> >-----Original Message-----
> >From: KT Wee [mailto:cciekt@yahoo.com]
> >Sent: Thursday, February 06, 2003 7:18 AM
> >To: ccielab@groupstudy.com
> >Subject: 3550 port security w/o L2 or L3 access-list
> >
> >
> >Hi Guys,
> >
> >Got a scenario on 3550. Only allow packets with mac-address 1234.1234.1234
> >and ip address 1.1.1.1 to access port fa0/1. Cannot use L2 or L3 access
> >list. I thought of using switchport port-security and arp static mapping as
> >follows:
> >
> >interface FastEthernet0/1
> >switchport mode access
> >switchport port-security
> >switchport port-security mac-address 1234.1234.1234
> >
> >arp 1.1.1.1 1234.1234.1234 ARPA
> >
> >I am able to ping 1.1.1.1. But if I change the host to 1.1.1.2, I am
> >still able to ping 1.1.1.2. This would go against the condition that only the
> >host with 1.1.1.1 is allowed. I saw a similar thread before but can't
> >find anything in the archive. Please help, thanks.
> >
> >
> >
> >Regards
> >
> >
> >
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------
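Added example, not code from anyone in this thread: a small Python model of the two mechanisms being combined (switchport port-security with a secure MAC list and a maximum, and a static arp entry), so the result KT Wee observed is reproducible offline. Port security examines only the source MAC of ingress frames, and a static ARP entry only fixes how the switch itself resolves 1.1.1.1; neither looks at the IP address the attached host is using. The classes, the `forward`/`ping` helpers and the frames are this model's own assumptions, not IOS internals. It also shows the effect of Cezar's `maximum 1` (a second NIC is refused) and what the ruled-out IP-keyed VLAN access-map would have done (the renumbered host is dropped).

```python
"""Toy model of 'switchport port-security' plus a static 'arp' entry.
Added example; class names and behaviour are simplifications, not IOS."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str  # Cisco dotted form, e.g. "1234.1234.1234"
    src_ip: str


@dataclass
class SecurePort:
    """An access port with 'switchport port-security' enabled."""
    maximum: int = 1                                 # '... maximum N'
    static_macs: set = field(default_factory=set)    # '... mac-address X'
    learned_macs: set = field(default_factory=set)   # dynamically learned
    violations: int = 0

    def secure_macs(self):
        return self.static_macs | self.learned_macs

    def admit(self, frame):
        """Port security only ever looks at the source MAC."""
        mac = frame.src_mac.lower()
        if mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)   # free slots below the maximum are learned
            return True
        self.violations += 1             # counted here instead of shutting the port
        return False


@dataclass
class VlanAccessMap:
    """IP-keyed filter; needs an access list, which the scenario forbids."""
    permitted_ips: set

    def admit(self, frame):
        return frame.src_ip in self.permitted_ips


def forward(port, frame, vlan_map=None):
    """Ingress decision on fa0/1: port security first, then any VLAN map."""
    if not port.admit(frame):
        return False
    if vlan_map is not None and not vlan_map.admit(frame):
        return False
    return True


class SwitchArp:
    """The switch's own ARP table: static entries plus what it learns."""
    def __init__(self, static):
        self.static = dict(static)       # 'arp 1.1.1.1 1234.1234.1234 ARPA'
        self.cache = {}

    def resolve(self, ip, host):
        if ip in self.static:
            return self.static[ip]
        if ip not in self.cache and host.src_ip == ip:
            self.cache[ip] = host.src_mac  # the host answers the ARP request
        return self.cache.get(ip)


def ping(dst_ip, host, port, arp):
    """Switch pings dst_ip; 'host' is the single device behind the port."""
    if arp.resolve(dst_ip, host) is None:
        return False
    if host.src_ip != dst_ip:            # echo request lands on the wrong IP
        return False
    reply = Frame(host.src_mac, host.src_ip)
    return forward(port, reply)          # the reply is what port security sees


def run_thread_scenario():
    mac = "1234.1234.1234"
    host = Frame(mac, "1.1.1.1")
    renumbered = Frame(mac, "1.1.1.2")           # same NIC, new address
    other_nic = Frame("dead.beef.0001", "1.1.1.1")  # constructed intruder
    arp = SwitchArp({"1.1.1.1": mac})

    # Original config from the question; maximum left at the guide's default.
    port_default = SecurePort(maximum=128, static_macs={mac})
    # Cezar's addition: 'switchport port-security maximum 1'.
    port_max1 = SecurePort(maximum=1, static_macs={mac})
    vmap = VlanAccessMap(permitted_ips={"1.1.1.1"})

    return {
        "ping_1.1.1.1": ping("1.1.1.1", host, port_max1, arp),
        "ping_1.1.1.2": ping("1.1.1.2", renumbered, port_max1, arp),
        "other_nic_default_max": forward(port_default, other_nic),
        "other_nic_max1": forward(port_max1, other_nic),
        "renumbered_max1": forward(port_max1, renumbered),
        "renumbered_vlan_map": forward(port_max1, renumbered, vmap),
    }


if __name__ == "__main__":
    for name, ok in run_thread_scenario().items():
        print(f"{name:24} {'forwarded' if ok else 'dropped'}")
```

Running it shows both pings succeed with the original configuration: the ARP entry is consulted only when the switch needs a MAC for 1.1.1.1, and the reply from the renumbered host carries the permitted MAC, so port security admits it. Binding a port to one MAC and one IP without an ACL is not something these two knobs provide on their own.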
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:14 GMT-3