From: Kleberg, Jason (JKleberg@glhec.org)
Date: Tue Feb 11 2003 - 16:19:37 GMT-3
I thought it was decided this question related to the cat5k only? Is it
fair game yet?
jason
-----Original Message-----
From: Desmond [mailto:cciestudy@sympatico.ca]
Sent: Tuesday, February 11, 2003 1:12 PM
To: KT Wee; FRANCISCO JAVIER COPETE AGUADO; Group Study CCIE LAB
Cc: Cope
Subject: Re: 3550 port security w/o L2 or L3 access-list
I can confirm that arp is not the solution because arp has nothing to do
with security. I tested all suggestions on my Cat3550. VLAN map seems to be
the only solution, but it will affect the whole VLAN. Assigning the port to
another vlan may not meet the requirement.
Des
----- Original Message -----
From: "KT Wee" <cciekt@yahoo.com>
To: "FRANCISCO JAVIER COPETE AGUADO" <F.COPETE.AGUADO@valenciamail.net>;
"Group Study CCIE LAB" <ccielab@groupstudy.com>
Cc: "Cope" <franciscoj_copete@ieci.es>
Sent: Tuesday, February 11, 2003 7:50 AM
Subject: RE: 3550 port security w/o L2 or L3 access-list
> Hi,
> I have tried no arp arpa on the interface fa0/1 port. It didn't work. It
> will only work if I apply it on the corresponding int VLAN 1. However, this
> will affect all ports in the same vlan. Furthermore I notice that this is
> not a good solution. Although I will not be able to ping 1.1.1.2 from the
> switch (for example, I change the 1.1.1.1 ip address to 1.1.1.2), I will be
> able to ping the switch interface from 1.1.1.2. Once this is done, the
> 1.1.1.2 arp entry will appear in the arp table. You will be able to ping
> 1.1.1.2 from the switch now. Still didn't see any good solution. hm...
>
> FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net> wrote:
>
> Hi group,
>
> If the problem is the dynamic arp entry, disabling arp on the interface
> will solve the problem, won't it?
>
> interface FastEthernet0/1
> switchport mode access
> switchport port-security
> switchport port-security maximum 1
> switchport port-security mac-address 1234.1234.1234
> no arp arpa
>
> arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1
>
> Any comments?
>
> Regards.
>
> Copete
>
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> KT Wee
> Sent: Thursday, February 06, 2003 2:18 PM
> To: ccielab@groupstudy.com
> Subject: 3550 port security w/o L2 or L3 access-list
>
> Hi Guys,
>
> Got a scenario on 3550. Only allow packet with mac-address
> 1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot use
> L2 or L3 access list. I thought of using switchport port-security and arp
> static mapping as follows:
>
> interface FastEthernet0/1
> switchport mode access
> switchport port-security
> switchport port-security mac-address 1234.1234.1234
>
> arp 1.1.1.1 1234.1234.1234 ARPA
>
> I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
> still able to ping to 1.1.1.2. This would go against the condition only
> the host with 1.1.1.1 is allowed. I saw a similar thread before but
> can't find anything in the archive. Please help, thanks.
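The VLAN-map approach that Des reports as the only thing that worked, written out as an added example (it is not a config posted by anyone in this thread). It assumes fa0/1 has been moved into VLAN 10 as that VLAN's only port; the names HOST-FILTER, ALLOWED-HOST and ANY-IP are made up for the example. Two caveats the thread already raises: the map needs an IP ACL to name the permitted source, so it may not satisfy a task that forbids ACLs outright, and a VLAN map filters every port in the VLAN, not just fa0/1.

```cisco
! Added example, not from the thread. Assumes fa0/1 is the only port in
! VLAN 10; HOST-FILTER, ALLOWED-HOST and ANY-IP are made-up names.
!
! Port security still pins the port to the one permitted MAC address.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1234.1234.1234
!
! In a VLAN map an ACL only selects packets; the map's action decides
! forward or drop. ALLOWED-HOST selects IP packets from 1.1.1.1,
! ANY-IP selects every other IP packet.
ip access-list extended ALLOWED-HOST
 permit ip host 1.1.1.1 any
ip access-list extended ANY-IP
 permit ip any any
!
! Clause 10 forwards IP from 1.1.1.1; clause 20 drops IP from anything
! else (1.1.1.2 included). Non-IP frames, ARP for instance, match no
! clause of their type and are forwarded, so the host can still resolve
! addresses.
vlan access-map HOST-FILTER 10
 match ip address ALLOWED-HOST
 action forward
vlan access-map HOST-FILTER 20
 match ip address ANY-IP
 action drop
!
! Apply the map to VLAN 10. Every port in that VLAN is filtered.
vlan filter HOST-FILTER vlan-list 10
```

`show vlan access-map` and `show vlan filter` confirm the clauses and the VLAN the map is attached to. With this in place a host on fa0/1 readdressed to 1.1.1.2 can still answer ARP, but its IP packets are dropped at the VLAN map, which is the behaviour the original scenario asks for; the static `arp` entry alone never gave that, because it only fixes which MAC the switch uses to reach 1.1.1.1 and says nothing about what the port accepts.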
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:18 GMT-3