RE: RE: 3550 port security w/o L2 or L3 access-list

From: Evgeny Tantsura (ivgen@castel.nl)
Date: Fri Feb 07 2003 - 12:58:06 GMT-3


John,

What you are saying is:
if
 the end device has IP 1.1.1.1 and MAC 1234.1234.1234,
 it has access to other devices connected to this switch.
if
 the end device has IP 1.1.1.2 and MAC 1234.1234.1234,
 it hasn't access to other devices connected to this switch.

Am I right?

Have you tested it with a trivial ping?

I did it about 100 times in all combinations, without any success.

> If you add the
> 'switchport port-security violation shutdown' to this,
> it works for me..
> > >interface FastEthernet0/1
> > >switchport mode access
> > >switchport port-security
> > >switchport port-security mac-address 1234.1234.1234
> > >switchport port-security maximum 1
> switchport port-security violation shutdown
>
> > >arp 1.1.1.1 1234.1234.1234 ARPA
>
>
> --- Sam.MicroGate@usa.telekom.de wrote:
> > This is amazing. The groupstudy is not able to reach
> > a consensus for this question. I tried all the
> > combinations, it did not work. You must use a
> > router access list or a port access list to
> > accomplish this task.
> >
> > Sam
> >
> >
> >
> >
> > -----Original Message-----
> > From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> > Sent: Thursday, February 06, 2003 7:10 PM
> > To: 'Evgeny Tantsura'; Cezar Fistik
> > Cc: ccielab@groupstudy.com
> > Subject: RE: RE: 3550 port security w/o L2 or L3
> > access-list
> >
> >
> > People's ideas should always be valued, even
> > theoretical ones.
> > That's how most things start, in theory!
> >
> > I don't think this can be achieved using just port
> > security, since it's the
> > same mac-address each time on the interface,
> > and you are just
> > changing the IP address of the host.
> >
> > This is an interesting requirement.
> > It sounds like you need to do some layer 3 filtering
> > somehow.
> >
> > Your lab requirement could be misphrased, or you're
> > interpreting it wrong.
> >
> > Can't think how this can be achieved, though.
> >
> > Kind regards.
> >
> >
> >
> >
> > -----Original Message-----
> > From: Evgeny Tantsura [mailto:ivgen@castel.nl]
> > Sent: 06 February 2003 23:30
> > To: Cezar Fistik
> > Cc: ccielab@groupstudy.com
> > Subject: Re: RE: 3550 port security w/o L2 or L3
> > access-list
> >
> >
> > But it doesn't work..
> >
> > With arp timeout=0, with clear arp-cache and all the
> > stuff.
> > Does anybody know a practical (not theoretical)
> > solution to this? Not what
> > you think but what you've tested.
> >
> > > I think, according to scenario conditions, that
> > > the original solution
> > > is the only good one. It will work perfectly if we
> > > only add the
> > > following line under catalyst interface
> > > configuration
> > >
> > > switchport port-security maximum 1
> > >
> > > This is from cisco config guide:
> > >
> > > switchport port-security maximum {value}
> > > - (Optional) Set the maximum number of secure MAC
> > > addresses for the
> > > interface. The range is 1 to 128; the default is
> > > 128.
> > >
> > >
> > > switchport port-security mac-address {mac-address}
> > > - (Optional) Enter a secure MAC address for the
> > > interface. You can use
> > > this command to enter the maximum number of secure
> > > MAC addresses. If
> > > you configure fewer secure MAC addresses than the
> > > maximum, the
> > > remaining MAC addresses are dynamically learned.
> > >
> > >
> > > In combination with a static arp entry this should
> > > work.
> > >
> > > Any comments?
> > >
> > > Regards.
> > >
> > > Cezar Fistik
> > >
> > >
> > > ---------enyi abajue wrote:
> > > > Hi,
> > > > I am not too sure I can agree. There are three
> > > > types of ACLs for the 3550,
> > > > viz. Router (L3) ACLs, Port (L2) ACLs and Vlan
> > > > access-maps, and the
> > > > requirement was not to use L3 nor L2 ACLs. Where I
> > > > really worry is
> > > > whether putting the port in a separate Vlan is an
> > > > issue, as only flows
> > > > with that ip address or mac address as source will
> > > > be allowed in any
> > > > direction within the vlan.
> > > > Sam.MicroGate@usa.telekom.de wrote:
> > > > Forgot this one. The requirement
> > > > for this question is not to use an access
> > > > list. Vlan map needs either a named mac extended
> > > > access list or an
> > > > access list.
> > > > Therefore the vlan map solution does not meet the
> > > > requirements.
> > > >
> > > > Sam
> > > >
> > > >
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: Casey, Paul (6822)
> > [mailto:Paul.Casey@o2.com]
> > > >Sent: Thursday, February 06, 2003 9:29 AM
> > > >To: 'Sam.MicroGate@usa.telekom.de';
> > 'cciekt@yahoo.com';
> > > >'ccielab@groupstudy.com'
> > > >Subject: RE: 3550 port security w/o L2 or L3
> > access-list
> > > >
> > > >
> > > >
> > > > I wonder could you use a vlan-access-map in
> > > > conjunction with port
> > > > security
> > > >
> > > > Put port in vlan x
> > > > Add port security for the mac-address you want,
> > > > And then add a vlan-access-map for this vlan
> > > > stating traffic only from
> > > > the particular ip address you want. This might
> > > > achieve the desired
> > > > solution.
> > > >
> > > > Just throwing up ideas..
> > > >
> > > >-----Original Message-----
> > > >From: Sam.MicroGate@usa.telekom.de
> > > >[mailto:Sam.MicroGate@usa.telekom.de]
> > > >Sent: 06 February 2003 13:31
> > > >To: cciekt@yahoo.com;
> > Sam.MicroGate@usa.telekom.de;
> > ccielab@groupstudy.com
> > > >Subject: RE: 3550 port security w/o L2 or L3
> > access-list
> > > >
> > > >
> > > >Any input/help from the 3550 experts out there?
> > > >
> > > >Sam
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: KT Wee [mailto:cciekt@yahoo.com]
> > > >Sent: Thursday, February 06, 2003 8:29 AM
> > > >To: Sam.MicroGate@usa.telekom.de;
> > ccielab@groupstudy.com
> > > >Subject: RE: 3550 port security w/o L2 or L3
> > access-list
> > > >
> > > >
> > > >
> > > > I clear the arp cache before changing the ip
> > > > address. Didn't help.
> > > >
> > > >
> > > >Sam.MicroGate@usa.telekom.de wrote:
> > > >
> > > >
> > > >Did you clear the arp cache before changing the
> > IP address?
> > > >
> > > >Sam
> > > >
> > > >
> > > >-----Original Message-----
> > > >From: KT Wee [mailto:cciekt@yahoo.com]
> > > >Sent: Thursday, February 06, 2003 7:18 AM
> > > >To: ccielab@groupstudy.com
> > > >Subject: 3550 port security w/o L2 or L3
> > access-list
> >
> === message truncated ===
>
With kind regards/ met vriendelijke groeten,
------------------------------------------------
E. Tantsura
Network Developer
Essent Kabelcom N.V.
Dr.van Deenweg 84
8025BN Zwolle, The Netherlands
Tel: +31-(0)38-850-7642
Fax: +31-(0)38-850-7410
Mob: +31-(0)6-290-80458
------------------------------------------------



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:15 GMT-3