RE: 3550 port security w/o L2 or L3 access-list

From: KT Wee (cciekt@yahoo.com)
Date: Tue Feb 11 2003 - 09:50:38 GMT-3

• Next message: Herve Bruyere: "Re: Monitoring Memory Utilization(%) on a router."
• Previous message: tlarus@cox.net: "Re: Re: IP Precedence value - name conversion"
• Maybe in reply to: KT Wee: "3550 port security w/o L2 or L3 access-list"
• Next in thread: Desmond: "Re: 3550 port security w/o L2 or L3 access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,
I have tried no arp arpa on the interface fa0/1 port. It didn't work. It will only work if I apply it on the corresponding int VLAN 1. However, this will affect all ports in the same vlan. Furthermore I notice that this is not a good solution. Althought I will not be able to ping 1.1.1.2 from the switch. (example I change the 1.1.1.1 ip address to 1.1.1.2). I will be able to ping from the 1.1.1.2 the switch interface. Once this is done. the 1.1.1.2 arp entry will appear in the arp-table. You will be able to ping 1.1.1.2 from the switch now. Still didn't see any good solution. hm...
 
 FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net> wrote:Hi group,

If the problem is the dynamic arp entry , disabling arp on interfaz it
will solve the problem, isn't it?

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 1234.1234.1234
no arp arpa

arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1

Any coments?

Regards.

Copete

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
KT Wee
Sent: Thursday, February 06, 2003 2:18 PM
To: ccielab@groupstudy.com
Subject: 3550 port security w/o L2 or L3 access-list

Hi Guys,

Got a scenario on 3550. Only allow packet with mac-address
1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot use
L2 or L3 access list. I though of using switchport port-security and arp
static mapping as follow:

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address 1234.1234.1234

arp 1.1.1.1 1234.1234.1234 ARPA

I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
still able to ping to 1.1.1.2. This would go against the condition only
the host with 1.1.1.1 is allowed. I saw some thread similar before but
can't find anything in archive. Please help thanks.
.
---------------------------------
Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day
.

• Next message: Herve Bruyere: "Re: Monitoring Memory Utilization(%) on a router."
• Previous message: tlarus@cox.net: "Re: Re: IP Precedence value - name conversion"
• Maybe in reply to: KT Wee: "3550 port security w/o L2 or L3 access-list"
• Next in thread: Desmond: "Re: 3550 port security w/o L2 or L3 access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:18 GMT-3