From: Desmond (cciestudy@sympatico.ca)
Date: Fri Feb 07 2003 - 12:31:57 GMT-3
I could not find a solution myself. I suspect this question cannot be
achieved with an IP access-list.
Here are my suggested solutions:
1. Change the port to a Layer 3 interface with a 30-bit subnet mask. I don't
recall the mask on the host.
2. Create a DHCP server on the switch and assign the IP to that MAC address.
It doesn't provide Layer 3 security.
3. Assign the port to a VLAN and use a VLAN map. The question only mentioned
"no access-lists on the interface".
Des
----- Original Message -----
From: "Evgeny Tantsura" <ivgen@castel.nl>
To: <Sam.MicroGate@usa.telekom.de>
Cc: <Paul.Casey@o2.com>; <cfistik@moldovacc.md>; <ccielab@groupstudy.com>
Sent: Friday, February 07, 2003 9:50 AM
Subject: RE: RE: 3550 port security w/o L2 or L3 access-list
> Yes !!!
>
> Cisco people - what do you think ?
>
> > This is amazing. The groupstudy is not able to reach a consensus for this
> > question. I tried all the combinations; it did not work. You must use a
> > router access list or a port access list to accomplish this task.
>
> > People's ideas should always be valued, even theoretical ones.
> > That's how most things start, in theory!
>
> I know, and I really have respect for the ideas of other people,
> but in this case I'd like to hear from someone who knows the answer,
> not "try this and try that".
>
> >
> > I don't think this can be achieved using just port security, since it's the
> > same MAC address each time on the interface, and you are just
> > changing the IP address of the host.
> >
> > This is an interesting requirement.
> > It sounds like you need to do some Layer 3 filtering somehow.
> >
> > Your lab requirement could be misphrased, or you're interpreting it wrong.
>
> I believe most of us have seen this question before :)
>
> >
> > Can't think how this can be achieved, though,
> >
> > Kind regards.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Evgeny Tantsura [mailto:ivgen@castel.nl]
> > Sent: 06 February 2003 23:30
> > To: Cezar Fistik
> > Cc: ccielab@groupstudy.com
> > Subject: Re: RE: 3550 port security w/o L2 or L3 access-list
> >
> >
> > But it doesn't work.
> >
> > With arp timeout 0, with clear arp-cache and all that stuff.
> > Does anybody know a practical (not theoretical) solution to this? Not what
> > you think but what you've tested.
> >
> > > I think, according to the scenario conditions, that the original solution
> > > is the only good one. It will work perfectly if we only add the
> > > following line under the Catalyst interface configuration:
> > >
> > > switchport port-security maximum 1
> > >
> > > This is from the Cisco config guide:
> > >
> > > switchport port-security maximum {value}
> > > - (Optional) Set the maximum number of secure MAC addresses for the
> > > interface. The range is 1 to 128; the default is 128.
> > >
> > >
> > > switchport port-security mac-address {mac-address}
> > > - (Optional) Enter a secure MAC address for the interface. You can use
> > > this command to enter the maximum number of secure MAC addresses. If
> > > you configure fewer secure MAC addresses than the maximum, the
> > > remaining MAC addresses are dynamically learned.
> > >
> > >
> > > In combination with a static arp entry this should work.
> > >
> > > Any comments?
> > >
> > > Regards.
> > >
> > > Cezar Fistik
> > >
> > >
> > > ---------enyi abajue wrote:
> > > >Hi,
> > > >I am not too sure I can agree. There are three types of ACLs for the
> > > >3550, viz. Router (L3) ACLs, Port (L2) ACLs and VLAN access-maps, and the
> > > >requirement was not to use L3 nor L2 ACLs. Where I really worry is
> > > >whether putting the port in a separate VLAN is an issue, as only flows
> > > >with that IP address or MAC address as source will be allowed in any
> > > >direction within the VLAN.
> > > > Sam.MicroGate@usa.telekom.de wrote:
> > > >Forgot this one. The requirement for this question is not to use an
> > > >access list. VLAN map needs either a named MAC extended access list or
> > > >an access list.
> > > >Therefore the VLAN map solution does not meet the requirements.
> > > >
> > > >Sam
> > > >
> > > >
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> > > >Sent: Thursday, February 06, 2003 9:29 AM
> > > >To: 'Sam.MicroGate@usa.telekom.de'; 'cciekt@yahoo.com';
> > > >'ccielab@groupstudy.com'
> > > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > > >
> > > >
> > > >
> > > >I wonder could you use a vlan-access-map in conjunction with port
> > > >security.
> > > >
> > > >Put the port in VLAN x,
> > > >Add port security for the MAC address you want,
> > > >And then add a vlan-access-map for this VLAN stating traffic only from
> > > >the particular IP address you want. This might achieve the desired
> > > >solution.
> > > >
> > > >Just throwing up ideas..
> > > >
> > > >-----Original Message-----
> > > >From: Sam.MicroGate@usa.telekom.de
> > > >[mailto:Sam.MicroGate@usa.telekom.de]
> > > >Sent: 06 February 2003 13:31
> > > >To: cciekt@yahoo.com; Sam.MicroGate@usa.telekom.de;
> > > >ccielab@groupstudy.com
> > > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > > >
> > > >
> > > >Any input/help from the 3550 experts out there?
> > > >
> > > >Sam
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: KT Wee [mailto:cciekt@yahoo.com]
> > > >Sent: Thursday, February 06, 2003 8:29 AM
> > > >To: Sam.MicroGate@usa.telekom.de; ccielab@groupstudy.com
> > > >Subject: RE: 3550 port security w/o L2 or L3 access-list
> > > >
> > > >
> > > >
> > > >I cleared the ARP cache before changing the IP address. Didn't help.
> > > >
> > > >
> > > >Sam.MicroGate@usa.telekom.de wrote:
> > > >
> > > >
> > > >Did you clear the arp cache before changing the IP address?
> > > >
> > > >Sam
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: KT Wee [mailto:cciekt@yahoo.com]
> > > >Sent: Thursday, February 06, 2003 7:18 AM
> > > >To: ccielab@groupstudy.com
> > > >Subject: 3550 port security w/o L2 or L3 access-list
> > > >
> > > >
> > > >Hi Guys,
> > > >
> > > >Got a scenario on 3550. Only allow packets with MAC address
> > > >1234.1234.1234 and IP address 1.1.1.1 to access port fa0/1. Cannot
> > > >use L2 or L3 access lists. I thought of using switchport port-security
> > > >and a static ARP mapping as
> > > >follows:
> > > >
> > > >interface FastEthernet0/1
> > > >switchport mode access
> > > >switchport port-security
> > > >switchport port-security mac-address 1234.1234.1234
> > > >
> > > >arp 1.1.1.1 1234.1234.1234 ARPA
> > > >
> > > >I am able to ping 1.1.1.1. But if I change the host to 1.1.1.2, I
> > > >am still able to ping 1.1.1.2. This would go against the condition that
> > > >only the host with 1.1.1.1 is allowed. I saw a similar thread
> > > >before but can't find anything in the archive. Please help, thanks.
> > > >
> > > >
> > > >
> > > >Regards
> > > >
> > > >
> > > >
> > > >*********************************************************************
> > > >
> > > >This E-mail is from O2. The E-mail and any files
> > > >transmitted with it are confidential and may also be privileged and
> > > >intended solely for the use of the individual or entity to whom they are
> > > >addressed. Any unauthorised direct or indirect dissemination,
> > > >distribution or copying of this message and any attachments is
> > > >strictly prohibited. If you have received the E-mail in error please
> > > >notify postmaster@O2.com or telephone ++ 353 1 6095000.
> > > >
> > > >*********************************************************************
> > With kind regards/ met vriendelijke groeten,
> > ------------------------------------------------
> > E. Tantsura
> > Network Developer
> > Essent Kabelcom N.V.
> > Dr.van Deenweg 84
> > 8025BN Zwolle, The Netherlands
> > Tel: +31-(0)38-850-7642
> > Fax: +31-(0)38-850-7410
> > Mob: +31-(0)6-290-80458
> > ------------------------------------------------
> >
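Editor's added example, not configuration from any of the posts above. It puts the pieces discussed in the thread side by side on one 3550: the port-security lines from the original question with the "maximum 1" Cezar proposed, the static ARP entry, and the VLAN access-map that Paul Casey and Desmond (option 3) suggested. The MAC and IP are the ones from the question; the VLAN number (100), the SVI address (1.1.1.254/24) and the ACL and map names are assumptions. The reason the original configuration let the host move to 1.1.1.2 is visible in the comments: port security inspects only the source MAC of frames entering fa0/1, and the arp entry only fixes which MAC the switch's own IP stack uses when it sends to 1.1.1.1, so neither of them ever looks at the IP address a frame carries; the host kept the permitted MAC and simply answered the switch's ARP request for the new address. The VLAN map is what actually ties the IP to the port, but it can only do so by matching an access list, which is Sam's objection to it as an answer to a "no access-list" task.

```cisco
! Added example (editor's, not from the thread). Assumed: VLAN 100,
! SVI 1.1.1.254/24, and the ACL/map names. MAC and IP are from the question.
!
vlan 100
!
interface Vlan100
 ip address 1.1.1.254 255.255.255.0
!
! --- 1. Port security (original post plus Cezar's "maximum 1") -------------
! Pins the SOURCE MAC of frames entering fa0/1. Nothing here reads the IP
! header, so a host that keeps MAC 1234.1234.1234 and changes its address to
! 1.1.1.2 is still admitted. "violation shutdown" is the default and
! err-disables the port on a second MAC.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1234.1234.1234
 switchport port-security violation shutdown
!
! --- 2. Static ARP (original post) -----------------------------------------
! Only affects the switch's own ARP table: when the switch sends to 1.1.1.1
! it uses this MAC without ARPing. It does not filter transit frames, and the
! switch still ARPs normally for 1.1.1.2, which the host answers.
arp 1.1.1.1 1234.1234.1234 ARPA
!
! --- 3. VLAN map (Paul Casey / Desmond option 3) ----------------------------
! Both directions are permitted because a VLAN map applies to every packet
! bridged within or routed into/out of the VLAN; a one-line "from 1.1.1.1"
! ACL would also drop replies sent TO the host (the concern enyi raised).
ip access-list extended PINNED-HOST-IP
 permit ip host 1.1.1.1 any
 permit ip any host 1.1.1.1
!
! Non-IP frames (ARP) are matched against MAC ACLs in a VLAN map. The source
! MAC is already enforced by port security, so they are simply passed.
mac access-list extended NON-IP-PASS
 permit any any
!
vlan access-map PIN-HOST 10
 match ip address PINNED-HOST-IP
 action forward
vlan access-map PIN-HOST 20
 match mac address NON-IP-PASS
 action forward
!
! Because the map contains an IP match clause, IP packets that match none of
! its clauses are dropped: traffic from or to 1.1.1.2 is discarded here even
! though the frame carried the permitted MAC.
vlan filter PIN-HOST vlan-list 100
```

After applying it, `show port-security interface fastethernet0/1` should report a maximum of 1 with one configured address, and `show vlan filter` should list PIN-HOST on VLAN 100. Repeating the test from the original post, with the host moved to 1.1.1.2 but keeping the same MAC, the switch's ping to 1.1.1.2 now gets no reply: port security still accepts the frames, the VLAN map drops the IP packets. Note that this only satisfies the task if a VLAN map is not counted as an "access-list on the interface", which is the wording question the thread never settled.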
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:15 GMT-3