RE: RE: 3550 port security w/o L2 or L3 access-list

From: Sam.MicroGate@usa.telekom.de
Date: Fri Feb 07 2003 - 17:02:53 GMT-3


John,

Port security with shutdown does not meet the requirement. You can still use
the port with a different IP address. Please follow the thread.

Sam

-----Original Message-----
From: John Underhill [mailto:steppenwolfe_2000@yahoo.com]
Sent: Friday, February 07, 2003 10:29 AM
To: Sam.MicroGate@usa.telekom.de; Paul.Casey@o2.com; ivgen@castel.nl;
cfistik@moldovacc.md
Cc: ccielab@groupstudy.com
Subject: RE: RE: 3550 port security w/o L2 or L3 access-list

If you add the
'switchport port-security violation shutdown' to this,
it works for me..
> >interface FastEthernet0/1
> >switchport mode access
> >switchport port-security
> >switchport port-security mac-address 1234.1234.1234
> >switchport port-security maximum 1
switchport port-security violation shutdown

> >arp 1.1.1.1 1234.1234.1234 ARPA

 --- Sam.MicroGate@usa.telekom.de wrote:
> This is amazing. The groupstudy is not able to reach
> a consensus for this question. I tried all the
> combinations, it did not work. You must use a
> router access list or a port access list to
> accomplish this task.
>
> Sam
>
>
>
>
> -----Original Message-----
> From: Casey, Paul (6822) [mailto:Paul.Casey@o2.com]
> Sent: Thursday, February 06, 2003 7:10 PM
> To: 'Evgeny Tantsura'; Cezar Fistik
> Cc: ccielab@groupstudy.com
> Subject: RE: RE: 3550 port security w/o L2 or L3
> access-list
>
>
> People's ideas should always be valued, even
> theoretical.
> That's how most things start, in theory!!
>
> I don't think this can be achieved using just port
> security, since it's the same MAC address each time
> on the interface, and you are just changing the IP
> address of the host.
>
> This is an interesting requirement.
> It sounds like you need to do some layer 3 filtering
> somehow.
>
> Your lab requirement could be misphrased, or you're interpreting it
> wrong.
>
> Can't think how this can be achieved, though,
>
> Kind regards.
>
>
>
>
> -----Original Message-----
> From: Evgeny Tantsura [mailto:ivgen@castel.nl]
> Sent: 06 February 2003 23:30
> To: Cezar Fistik
> Cc: ccielab@groupstudy.com
> Subject: Re: RE: 3550 port security w/o L2 or L3
> access-list
>
>
> But it doesn't work..
>
> With arp timeout=0, with clear arp-cache and all the
> stuff.
> Does anybody know a practical (not theoretical)
> solution to this? Not what you think but what
> you've tested.
>
> > I think, according to the scenario conditions, that
> > the original solution is the only good one. It will
> > work perfectly if we only add the following line
> > under the catalyst interface configuration
> >
> > switchport port-security maximum 1
> >
> > This is from the cisco config guide:
> >
> > switchport port-security maximum {value}
> > - (Optional) Set the maximum number of secure MAC
> addresses for the
> > interface. The range is 1 to 128; the default is
> 128.
> >
> >
> > switchport port-security mac-address {mac-address}
> > - (Optional) Enter a secure MAC address for the
> interface. You can use
> > this command to enter the maximum number of secure
> MAC addresses. If
> > you configure fewer secure MAC addresses than the
> maximum, the
> > remaining MAC addresses are dynamically learned.
> >
> >
> > In combination with a static arp entry this should
> work.
> >
> > Any comments?
> >
> > Regards.
> >
> > Cezar Fistik
> >
> >
> > ---------enyi abajue wrote:
> > >Hi,
> > >I am not too sure I can agree, there are three
> > >types of ACLs for the 3550, viz Router (L3) ACLs,
> > >Port (L2) ACLs and Vlan access-maps, and the
> > >requirement was not to use L3 nor L2 ACLs. Where I
> > >really worry is whether putting the port in a
> > >separate Vlan is an issue, as only flows with that
> > >ip address or mac address as source will be allowed
> > >in any direction within the vlan.
> > > Sam.MicroGate@usa.telekom.de wrote:
> > >Forgot this one. The requirement for this question
> > >is not to use an access list. Vlan map needs either
> > >a named mac extended access list or an access list.
> > >Therefore the vlan map solution does not meet the
> > >requirements.
> > >
> > >Sam
> > >
> > >
> > >
> > >
> > >-----Original Message-----
> > >From: Casey, Paul (6822)
> [mailto:Paul.Casey@o2.com]
> > >Sent: Thursday, February 06, 2003 9:29 AM
> > >To: 'Sam.MicroGate@usa.telekom.de';
> 'cciekt@yahoo.com';
> > >'ccielab@groupstudy.com'
> > >Subject: RE: 3550 port security w/o L2 or L3
> access-list
> > >
> > >
> > >
> > >I wonder could you use a vlan-access-map in
> conjunction with port
> > >security
> > >
> > >Put port in vlan x
> > >Add port security for the mac-address you want,
> > >And then add a vlan-access-map for this vlan
> > >stating traffic only from the particular ip address
> > >you want. This might achieve the desired solution.
> > >
> > >Just throwing up ideas..
> > >
> > >-----Original Message-----
> > >From: Sam.MicroGate@usa.telekom.de
> > >[mailto:Sam.MicroGate@usa.telekom.de]
> > >Sent: 06 February 2003 13:31
> > >To: cciekt@yahoo.com;
> Sam.MicroGate@usa.telekom.de;
> ccielab@groupstudy.com
> > >Subject: RE: 3550 port security w/o L2 or L3
> access-list
> > >
> > >
> > >Any input/help from the 3550 experts out there?
> > >
> > >Sam
> > >
> > >
> > >-----Original Message-----
> > >From: KT Wee [mailto:cciekt@yahoo.com]
> > >Sent: Thursday, February 06, 2003 8:29 AM
> > >To: Sam.MicroGate@usa.telekom.de;
> ccielab@groupstudy.com
> > >Subject: RE: 3550 port security w/o L2 or L3
> access-list
> > >
> > >
> > >
> > >I cleared the arp cache before changing the ip
> > >address. Didn't help.
> > >
> > >
> > >Sam.MicroGate@usa.telekom.de wrote:
> > >
> > >
> > >Did you clear the arp cache before changing the
> IP address?
> > >
> > >Sam
> > >
> > >
> > >-----Original Message-----
> > >From: KT Wee [mailto:cciekt@yahoo.com]
> > >Sent: Thursday, February 06, 2003 7:18 AM
> > >To: ccielab@groupstudy.com
> > >Subject: 3550 port security w/o L2 or L3
> access-list
>
=== message truncated ===
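
As an added illustration of why the thread keeps arriving at the same conclusion (this is example code written for this archive page, not configuration or code from any poster or from Cisco), here is a simplified Python model of the three mechanisms under discussion: port security with violation shutdown, the static ARP entry, and a source IP/MAC filter of the kind an access list would provide. It takes the MAC 1234.1234.1234 and the static ARP entry for 1.1.1.1 from John's snippet; the second address 1.1.1.2 and the MAC dead.beef.0001 are constructed. The model is deliberately simplified (a real 3550 has more port-security modes than this) and only shows at which layer each check makes its decision.

```python
from dataclasses import dataclass

# Values taken from the thread's configuration snippet.
SECURE_MAC = "1234.1234.1234"          # switchport port-security mac-address ...
STATIC_ARP = {"1.1.1.1": SECURE_MAC}   # arp 1.1.1.1 1234.1234.1234 ARPA
# Constructed: the same host after changing its IP, and an unrelated host.
CHANGED_IP = "1.1.1.2"
OTHER_MAC = "dead.beef.0001"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


class SecurePort:
    """Simplified model of 'switchport port-security ... violation shutdown':
    the port admits frames only from its secure MACs and err-disables itself
    on the first violating source MAC. It never looks at the IP header."""

    def __init__(self, secure_macs, maximum=1):
        self.secure_macs = set(secure_macs)
        self.maximum = maximum
        self.shutdown = False

    def admit(self, frame: Frame) -> bool:
        if self.shutdown:
            return False
        if frame.src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Room left under 'maximum': learn the MAC dynamically.
            self.secure_macs.add(frame.src_mac)
            return True
        self.shutdown = True   # violation: port goes err-disabled
        return False


def static_arp_pins_ip(frame: Frame, arp_table) -> bool:
    """A static ARP entry fixes the IP->MAC mapping for the IP it names only.
    For any other source IP the entry says nothing, which is why it cannot
    reject a host that simply changed its address."""
    return arp_table.get(frame.src_ip) == frame.src_mac


def l3_source_filter(frame: Frame, allowed_bindings) -> bool:
    """Source IP/MAC binding check of the kind an access list would enforce
    (the thread's conclusion that some layer 3 filtering is needed)."""
    return allowed_bindings.get(frame.src_ip) == frame.src_mac


def evaluate(frame: Frame, port: SecurePort):
    """Run one frame through all three checks and return each decision."""
    return {
        "port_security": port.admit(frame),
        "static_arp_pins_ip": static_arp_pins_ip(frame, STATIC_ARP),
        "l3_source_filter": l3_source_filter(frame, STATIC_ARP),
    }


def run_scenarios():
    """Three frames, each on a fresh port: the intended host, the same host
    with a changed IP, and a different host. Returns the decisions."""
    return {
        "intended": evaluate(Frame(SECURE_MAC, "1.1.1.1"), SecurePort([SECURE_MAC])),
        "same_mac_new_ip": evaluate(Frame(SECURE_MAC, CHANGED_IP), SecurePort([SECURE_MAC])),
        "other_mac": evaluate(Frame(OTHER_MAC, "1.1.1.1"), SecurePort([SECURE_MAC])),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:16s} {decision}")
```

The middle scenario is the one the thread is about: port security admits the frame because the MAC is unchanged, the static ARP entry has nothing to say about 1.1.1.2, and only the layer 3 binding check rejects it.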



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:15 GMT-3