RE: 3550 port security w/o L2 or L3 access-list

From: Tim Fletcher (tim@fletchmail.net)
Date: Mon Feb 10 2003 - 14:05:08 GMT-3


ARP is not a solution to this problem (although I don't know what the solution
is). The reason is that ARP entries can be learned in several ways.

1. If a device needs to send a packet and does not have an ARP entry, it
will send an ARP request, and the destination will send an ARP reply.
2. Many devices when they come on line will send a gratuitous ARP reply.
You can also generate gratuitous ARP replies on a router by doing "clear
arp".
3. Any received packets get entered into the ARP table.

"no arp arpa" only turns off method 1, so it will not prevent entries in
the ARP table. Even if you could block all ARP replies, it still leaves
method 3.

-Tim Fletcher

At 11:45 PM 2/10/2003 +0800, Donny MATEO wrote:
>Just give it a shot....seems like the command "no arp arpa" didn't do
>anything.
>Can anybody confirm, or suggest another way to disable ARP resolution on
>an interface?
>
>Donny
>
>
>
>
>From: FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net>
>Sent by: nobody@groupstudy.com
>To: Group Study CCIE LAB <ccielab@groupstudy.com>
>cc: Cope <franciscoj_copete@ieci.es>
>Subject: RE: 3550 port security w/o L2 or L3 access-list
>Date: 10-02-2003 18:21
>Please respond to FRANCISCO JAVIER COPETE AGUADO
>
>Hi group,
>
>If the problem is the dynamic ARP entry, disabling ARP on the interface
>will solve the problem, won't it?
>
>interface FastEthernet0/1
> switchport mode access
> switchport port-security
> switchport port-security maximum 1
> switchport port-security mac-address 1234.1234.1234
> no arp arpa
>
>arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1
>
>Any comments?
>
>Regards.
>
>Copete
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>KT Wee
>Sent: Thursday, February 06, 2003 2:18 PM
>To: ccielab@groupstudy.com
>Subject: 3550 port security w/o L2 or L3 access-list
>
>Hi Guys,
>
>Got a scenario on 3550. Only allow packets with MAC address
>1234.1234.1234 and IP address 1.1.1.1 to access port fa0/1. Cannot use
>L2 or L3 access list. I thought of using switchport port-security and ARP
>static mapping as follows:
>
>interface FastEthernet0/1
> switchport mode access
> switchport port-security
> switchport port-security mac-address 1234.1234.1234
>
>arp 1.1.1.1 1234.1234.1234 ARPA
>
>I am able to ping 1.1.1.1. But if I change the host to 1.1.1.2, I am
>still able to ping 1.1.1.2. This would go against the condition that only
>the host with 1.1.1.1 is allowed. I saw a similar thread before but
>can't find anything in the archive. Please help, thanks.

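The thread's conclusion is that port security pins only the source MAC, so a host keeping MAC 1234.1234.1234 but moving to 1.1.1.2 still gets through, and a static ARP entry for 1.1.1.1 does nothing to stop the switch learning 1.1.1.2 by the other paths Tim lists. Since the switch cannot enforce the (MAC, IP) pair without an ACL, the practical fallback is to detect the mismatch. The following is an added example, not code from the thread or from Cisco: it parses a constructed `show ip arp` listing and flags any secured port where the pinned MAC appears with an IP other than the one it is supposed to have. The allow-list layout (`{interface: {mac: ip}}`) and the sample lines are assumptions made up for the example; the column layout follows the usual IOS `show ip arp` output, where a static entry shows `-` in the Age column.

```python
"""
Audit a Cisco 'show ip arp' listing against a per-port (MAC -> IP)
allow-list.  Port security only pins the MAC; this check surfaces the
gap discussed in the thread: the pinned MAC being learned with another IP.
"""
import re
from dataclasses import dataclass

# One 'Internet' row of 'show ip arp'.  Rows whose hardware address is
# "Incomplete" do not match the MAC pattern and are skipped on purpose.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    static: bool      # True when Age is '-', i.e. a configured 'arp ...' entry
    interface: str


def norm_intf(name):
    """'fastEthernet 0/1' and 'FastEthernet0/1' name the same port."""
    return name.replace(" ", "").lower()


def parse_show_ip_arp(text):
    """Turn raw 'show ip arp' output into ArpEntry objects (header ignored)."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        entries.append(ArpEntry(
            ip=m.group("ip"),
            mac=m.group("mac").lower(),
            static=(m.group("age") == "-"),
            interface=norm_intf(m.group("intf")),
        ))
    return entries


def audit(entries, allowed):
    """
    allowed: {interface: {mac: expected_ip}} for ports under port-security.
    Returns [(entry, reason)] for entries that violate the expected pairing.
    Ports not in the allow-list are ignored.
    """
    policy = {norm_intf(i): {m.lower(): ip for m, ip in pairs.items()}
              for i, pairs in allowed.items()}
    findings = []
    for e in entries:
        port = policy.get(e.interface)
        if port is None:
            continue
        expected = port.get(e.mac)
        if expected is None:
            findings.append((e, "MAC not in port-security allow-list"))
        elif e.ip != expected and not e.static:
            findings.append((e, f"pinned MAC learned with {e.ip}, expected {expected}"))
    return findings


# Constructed sample output (hypothetical values, not from a real switch):
# the static entry for 1.1.1.1 plus a dynamically learned 1.1.1.2 behind the
# same pinned MAC, which is exactly the case KT Wee observed.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 -   1234.1234.1234  ARPA   FastEthernet0/1
Internet  1.1.1.2                 0   1234.1234.1234  ARPA   FastEthernet0/1
Internet  10.0.0.254              3   000c.2911.aabb  ARPA   Vlan1
"""

# Assumed allow-list: only this MAC/IP pair is supposed to sit on fa0/1.
ALLOWED = {"FastEthernet0/1": {"1234.1234.1234": "1.1.1.1"}}


def run_sample():
    """Parse the constructed sample and return the findings."""
    return audit(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP), ALLOWED)


if __name__ == "__main__":
    for entry, reason in run_sample():
        print(f"{entry.interface}: {entry.mac} {entry.ip} -> {reason}")
```

Run it against a saved `show ip arp` capture by replacing the sample text; anything it prints is a host that port security let through with an IP the policy did not intend, which is the signal to go and look at that port.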


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:17 GMT-3