RE: RE: 3550 port security w/o L2 or L3 access-list

From: Sam.MicroGate@usa.telekom.de
Date: Fri Feb 07 2003 - 11:25:53 GMT-3

This is amazing. The groupstudy is not able to reach a consensus for this
question. I tried all the combination, it did not work. You must use a
router access list or a port access list to accomplish this task.

Sam

-----Original Message-----
From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
Sent: Thursday, February 06, 2003 7:10 PM
To: 'Evgeny Tantsura'; Cezar Fistik
Cc: ccielab@groupstudy.com
Subject: RE: RE: 3550 port security w/o L2 or L3 access-list

Peoples idea should always be valued, even theoretical.
That's how most things start, in theory.!!

I Don't think this can be achieved using just port security, since it's the
same mac-address address each time on the interface , and you are just
changing the IP address of the host,

This is an interesting requirement.
It sounds like to need to do some layer 3 filtering somehow,

You Lab requirement could be miss phrased,., or your interpreting it wrong.

Can't think how this can be achieved, though,

Kind regards.

-----Original Message-----
From: Evgeny Tantsura [mailto:ivgen@castel.nl]
Sent: 06 February 2003 23:30
To: Cezar Fistik
Cc: ccielab@groupstudy.com
Subject: Re: RE: 3550 port security w/o L2 or L3 access-list

But it doesn't work..

With arp timeout=0, with clear arp-cache and all the staff
Does anybody know a practical (not theoretical) solution to this ? Not what
you think but what you've test.

> I think, accorgding to scenario conditions, that the original solution
> is the only good one. It will work perfectly if we ony add the
> following line udner catalyst interface configuration
>
> switchport port-security maximum 1
>
> This is from cisco cofig guide:
>
> switchport port-security maximum {value}
> - (Optional) Set the maximum number of secure MAC addresses for the
> interface. The range is 1 to 128; the default is 128.
>
>
> switchport port-security mac-address {mac-address}
> - (Optional) Enter a secure MAC address for the interface. You can use
> this command to enter the maximum number of secure MAC addresses. If
> you configure fewer secure MAC addresses than the maximum, the
> remaining MAC addresses are dynamically learned.
>
>
> In combination with a static arp entry this should work.
>
> Any coments?
>
> Regards.
>
> Cezar Fistik
>
>
> ---------enyi abajue wrote:
> >Hi,
> >I am not too sure I can agree, there are three types of ACLs for the
> >3550
> viz Router (L3) ACLs, Port (L2) ACLs and Vlan access-maps and the
> requirement was not to use L3 nor L2 ACLs, where I really worry is
> whether putting the port in a separate Vlan is an issue as only flows
> with that ip address or mac address as source will be allowed in any
> direction within the vlan.
> > Sam.MicroGate@usa.telekom.de wrote:Forgot this one. The requirement
> > for
> this question is not to use an access
> >list. Vlan map needs either name mac extended access list or an
> >access
> list.
> >Therefore the vlan map solution does not meet the requirements.
> >
> >Sam
> >
> >
> >
> >
> >-----Original Message-----
> >From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> >Sent: Thursday, February 06, 2003 9:29 AM
> >To: 'Sam.MicroGate@usa.telekom.de'; 'cciekt@yahoo.com';
> >'ccielab@groupstudy.com'
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >
> >I wonder could you use a vlan-access-map in conjunction with port
> >security
> >
> >Put port in vlax x
> >Add port security for the mac-address you want,
> >And the add a vlan-access-map for this vlan stating traffic only from
> >the particular ip address you want, This might achieve the desired
> >solution.
> >
> >Just throwing up ideas..
> >
> >-----Original Message-----
> >From: Sam.MicroGate@usa.telekom.de
> >[mailto:Sam.MicroGate@usa.telekom.de]
> >Sent: 06 February 2003 13:31
> >To: cciekt@yahoo.com; Sam.MicroGate@usa.telekom.de;
ccielab@groupstudy.com
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >Any input/help from the 3550 experts out there?
> >
> >Sam
> >
> >
> >-----Original Message-----
> >From: KT Wee [mailto:cciekt@yahoo.com]
> >Sent: Thursday, February 06, 2003 8:29 AM
> >To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> >Subject: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> >
> >I clear the arp cache before changeing the ip address. Didn't help.
> >
> >
> >Sam.MicroGate@usa.telekom.de wrote:
> >
> >
> >Did you clear the arp cache before changing the IP address?
> >
> >Sam
> >
> >
> >-----Original Message-----
> >From: KT Wee [mailto:cciekt@yahoo.com]
> >Sent: Thursday, February 06, 2003 7:18 AM
> >To: ccielab@groupstudy.com
> >Subject: 3550 port security w/o L2 or L3 access-list
> >
> >
> >Hi Guys,
> >
> >Got a scenario on 3550. Only allow packet with mac-address
> >1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot
> >use L2 or L3 access list. I though of using switchport port-security
> >and arp static mapping as
> >follow:
> >
> >interface FastEthernet0/1
> >switchport mode access
> >switchport port-security
> >switchport port-security mac-address 1234.1234.1234
> >
> >arp 1.1.1.1 1234.1234.1234 ARPA
> >
> >I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I
> >am still able to ping to 1.1.1.2. This would go against the condition
> >only the host with 1.1.1.1 is allowed. I saw some thread similar
> >before but can't find anything in archive. Please help thanks.
> >
> >
> >
> >Regards
> >
> >
> >
> >---------------------------------
> >Do you Yahoo!?
> >Yahoo! Mail Plus - Powerful. Affordable. Sign up now
> >_____
> >
> >Do you Yahoo!?
> >Yahoo! News - Today's headlines
> >*********************************************************************
> >******
> *
> >************
> >
> >This E-mail is from O2. The E-mail and any files
> >transmitted with it are confidential and may also be privileged and
> intended
> >solely for the use of the individual or entity to whom they are
> >addressed. Any unauthorised direct or indirect dissemination,
> >distribution or copying of this message and any attachments is
> >strictly prohibited. If you have received the E-mail in error please
> >notify postmaster@O2.com or telephone ++ 353 1 6095000.
> >
> >*********************************************************************
> >******
> *
> >*************
> >..
> >---------------------------------
> >With Yahoo! Mail you can get a bigger mailbox -- choose a size that
> >fits
> your needs
> >..
> .
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------
****************************************************************************
************

This E-mail is from O2. The E-mail and any files
transmitted with it are confidential and may also be privileged and intended
solely for the use of the individual or entity to whom they are addressed.
Any unauthorised direct or indirect dissemination, distribution or copying
of this message and any attachments is strictly prohibited. If you have
received the E-mail in error please notify postmaster@O2.com or
                  telephone ++ 353 1 6095000.

****************************************************************************
*************
.

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:15 GMT-3