From: Evgeny Tantsura (ivgen@castel.nl)
Date: Fri Feb 07 2003 - 11:50:57 GMT-3
Yes!!!
Cisco people, what do you think?
> This is amazing. The groupstudy is not able to reach a consensus for this
> question. I tried all the combinations, it did not work. You must use a
> router access list or a port access list to accomplish this task.
> People's ideas should always be valued, even theoretical ones.
> That's how most things start, in theory!!
I know and I really have respect for the ideas of other people,
but in this case I'd like to hear from someone who knows the answer,
not "try this and try that".
>
> I don't think this can be achieved using just port security, since it's the
> same MAC address each time on the interface, and you are just
> changing the IP address of the host.
>
> This is an interesting requirement.
> It sounds like you need to do some layer 3 filtering somehow.
>
> Your lab requirement could be misphrased, or you're interpreting it wrong.
I believe most of us have seen this question before :)
>
> Can't think how this can be achieved, though.
>
> Kind regards.
>
> -----Original Message-----
> From: Evgeny Tantsura [mailto:ivgen@castel.nl]
> Sent: 06 February 2003 23:30
> To: Cezar Fistik
> Cc: ccielab@groupstudy.com
> Subject: Re: RE: 3550 port security w/o L2 or L3 access-list
>
>
> But it doesn't work..
>
> With arp timeout=0, with clear arp-cache and all the stuff.
> Does anybody know a practical (not theoretical) solution to this? Not what
> you think but what you've tested.
>
> > I think, according to the scenario conditions, that the original solution
> > is the only good one. It will work perfectly if we only add the
> > following line under the catalyst interface configuration:
> >
> > switchport port-security maximum 1
> >
> > This is from the Cisco config guide:
> >
> > switchport port-security maximum {value}
> > - (Optional) Set the maximum number of secure MAC addresses for the
> > interface. The range is 1 to 128; the default is 128.
> >
> >
> > switchport port-security mac-address {mac-address}
> > - (Optional) Enter a secure MAC address for the interface. You can use
> > this command to enter the maximum number of secure MAC addresses. If
> > you configure fewer secure MAC addresses than the maximum, the
> > remaining MAC addresses are dynamically learned.
> >
> >
> > In combination with a static arp entry this should work.
> >
> > Any comments?
> >
> > Regards.
> >
> > Cezar Fistik
> >
> >
> > ---------enyi abajue wrote:
> > >Hi,
> > >I am not too sure I can agree, there are three types of ACLs for the
> > >3550, viz. Router (L3) ACLs, Port (L2) ACLs and VLAN access-maps, and the
> > >requirement was not to use L3 nor L2 ACLs. Where I really worry is
> > >whether putting the port in a separate VLAN is an issue, as only flows
> > >with that IP address or MAC address as source will be allowed in any
> > >direction within the VLAN.
> > > Sam.MicroGate@usa.telekom.de wrote:
> > >Forgot this one. The requirement for this question is not to use an
> > >access list. A VLAN map needs either a named MAC extended access list or
> > >an IP access list.
> > >Therefore the VLAN map solution does not meet the requirements.
> > >
> > >Sam
> > >
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> > >Sent: Thursday, February 06, 2003 9:29 AM
> > >To: 'Sam.MicroGate@usa.telekom.de'; 'cciekt@yahoo.com'; 'ccielab@groupstudy.com'
> > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > >
> > >
> > >
> > >I wonder whether you could use a vlan-access-map in conjunction with port
> > >security:
> > >
> > >Put the port in VLAN x,
> > >Add port security for the MAC address you want,
> > >And then add a vlan-access-map for this VLAN permitting traffic only from
> > >the particular IP address you want. This might achieve the desired
> > >solution.
> > >
> > >Just throwing up ideas..
> > >
> > >-----Original Message-----
> > >From: Sam.MicroGate@usa.telekom.de
> > >[mailto:Sam.MicroGate@usa.telekom.de]
> > >Sent: 06 February 2003 13:31
> > >To: cciekt@yahoo.com; Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > >
> > >
> > >Any input/help from the 3550 experts out there?
> > >
> > >Sam
> > >
> > >
> > >-----Original Message-----
> > >From: KT Wee [mailto:cciekt@yahoo.com]
> > >Sent: Thursday, February 06, 2003 8:29 AM
> > >To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > >
> > >
> > >
> > >I cleared the arp cache before changing the IP address. Didn't help.
> > >
> > >
> > >Sam.MicroGate@usa.telekom.de wrote:
> > >
> > >
> > >Did you clear the arp cache before changing the IP address?
> > >
> > >Sam
> > >
> > >
> > >-----Original Message-----
> > >From: KT Wee [mailto:cciekt@yahoo.com]
> > >Sent: Thursday, February 06, 2003 7:18 AM
> > >To: ccielab@groupstudy.com
> > >Subject: 3550 port security w/o L2 or L3 access-list
> > >
> > >
> > >Hi Guys,
> > >
> > >Got a scenario on a 3550. Only allow packets with MAC address
> > >1234.1234.1234 and IP address 1.1.1.1 to access port fa0/1. Cannot
> > >use an L2 or L3 access list. I thought of using switchport port-security
> > >and a static ARP mapping as follows:
> > >
> > >interface FastEthernet0/1
> > >switchport mode access
> > >switchport port-security
> > >switchport port-security mac-address 1234.1234.1234
> > >
> > >arp 1.1.1.1 1234.1234.1234 ARPA
> > >
> > >I am able to ping 1.1.1.1. But if I change the host to 1.1.1.2, I
> > >am still able to ping 1.1.1.2. This would go against the condition that
> > >only the host with 1.1.1.1 is allowed. I saw a similar thread
> > >before but can't find anything in the archive. Please help, thanks.
> > >
> > >
> > >
> > >Regards
> > >
> > >
> > >
> With kind regards/ met vriendelijke groeten,
> ------------------------------------------------
> E. Tantsura
> Network Developer
> Essent Kabelcom N.V.
> Dr.van Deenweg 84
> 8025BN Zwolle, The Netherlands
> Tel: +31-(0)38-850-7642
> Fax: +31-(0)38-850-7410
> Mob: +31-(0)6-290-80458
> ------------------------------------------------
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------
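To make the thread's observation concrete (a frame from the secured MAC passes port security no matter which source IP it carries, while a second MAC is blocked once the maximum is reached), here is an added Python model of the port-security decision on one access port. It is not code from the thread or from Cisco, and the class and function names are my own.

```python
"""Model of why 3550 port security alone cannot pin a host to one IP.

Port security compares only the source MAC of each ingress frame with the
port's secure-MAC list. The switch's static ARP entry (arp 1.1.1.1
1234.1234.1234 ARPA) is a separate table used for the switch's own
traffic and is never consulted when forwarding a host's frames.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    src_ip: str


@dataclass
class SecurePort:
    """Simplified model of 'switchport port-security' on an access port."""
    max_secure: int = 1                      # switchport port-security maximum 1
    secure_macs: set = field(default_factory=set)
    violations: int = 0

    def add_static(self, mac: str) -> None:
        # switchport port-security mac-address <mac>
        self.secure_macs.add(mac.lower())

    def forward(self, frame: Frame) -> bool:
        mac = frame.src_mac.lower()
        if mac in self.secure_macs:
            return True                      # secure MAC: forwarded regardless of IP
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)        # dynamic learning up to the maximum
            return True
        self.violations += 1                 # violation: frame dropped, port errdisabled by default
        return False


def run_scenario() -> dict:
    """Replay the thread's test: one static secure MAC, then three frames."""
    port = SecurePort(max_secure=1)
    port.add_static("1234.1234.1234")
    results = {
        "allowed_host": port.forward(Frame("1234.1234.1234", "1.1.1.1")),
        "same_mac_new_ip": port.forward(Frame("1234.1234.1234", "1.1.1.2")),
        "other_mac": port.forward(Frame("aaaa.bbbb.cccc", "1.1.1.1")),  # constructed MAC
    }
    results["violations"] = port.violations
    return results
```

The second result is the behaviour KT Wee reported: the IP change is invisible to a MAC-only control, which is why the thread keeps coming back to some form of layer 3 filtering.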
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:15 GMT-3