From: Logan, Harold (loganh@mccfl.edu)
Date: Tue Feb 11 2003 - 18:51:38 GMT-3
Unless the requirements state that you cannot assign the port to a different VLAN, I'd say that's a workable solution. If the subnet that has the 1.1.1.1 host on it is part of the network, then you would have to create a layer 3 interface so it could talk to other hosts on the network. This is probably one of those requirements where the practice labs don't want you to read too much into it. I think putting the port in its own VLAN and applying a VLAN map is the way to go.
Hal
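As an added example (not configuration from any poster in this thread), here is what Hal's suggestion looks like on a 3550: the port is moved into its own VLAN, port security pins the MAC as in the original post, and a VLAN map restricts IP traffic in that VLAN to the 1.1.1.1 host. VLAN 100, the access-list and map names, and the SVI address are assumptions.

```cisco
! Added example, not from any poster in this thread. VLAN 100, the
! ACL/map names and the SVI address are assumptions.
vlan 100
 name FA0-1-ISOLATED
!
! Isolate the port in its own VLAN so the VLAN map only affects this host,
! and let port security pin the MAC (same as in the original post).
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1234.1234.1234
!
! IP traffic in VLAN 100 is only forwarded to or from 1.1.1.1.
! IP packets that match no clause of the map are dropped by default;
! non-IP frames such as ARP have no match clause here and are forwarded,
! which is why port security is still needed for the MAC check.
ip access-list extended HOST-1-1-1-1
 permit ip host 1.1.1.1 any
 permit ip any host 1.1.1.1
!
vlan access-map FA0-1-FILTER 10
 match ip address HOST-1-1-1-1
 action forward
!
vlan filter FA0-1-FILTER vlan-list 100
!
! Layer 3 interface for the isolated subnet (Hal's point), so 1.1.1.1 can
! still reach the rest of the network. Address is assumed.
interface Vlan100
 ip address 1.1.1.254 255.255.255.0
```

With this in place, changing the host to 1.1.1.2 still lets its ARP through, but its IP traffic is dropped, which is the test KT Wee was running. The map still matches on an IP access list, so whether it satisfies a "no L2 or L3 access-list" wording is for the lab author to say.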
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Desmond
> Sent: Tuesday, February 11, 2003 2:12 PM
> To: KT Wee; FRANCISCO JAVIER COPETE AGUADO; Group Study CCIE LAB
> Cc: Cope
> Subject: Re: 3550 port security w/o L2 or L3 access-list
>
>
> I can confirm that arp is not the solution because arp has nothing to do with security. I tested all suggestions on my Cat3550. VLAN map seems to be the only solution, but it will affect the whole VLAN. Assigning the port to another vlan may not meet the requirement.
>
>
> Des
>
>
> ----- Original Message -----
> From: "KT Wee" <cciekt@yahoo.com>
> To: "FRANCISCO JAVIER COPETE AGUADO"
> <F.COPETE.AGUADO@valenciamail.net>;
> "Group Study CCIE LAB" <ccielab@groupstudy.com>
> Cc: "Cope" <franciscoj_copete@ieci.es>
> Sent: Tuesday, February 11, 2003 7:50 AM
> Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
> > Hi,
> > I have tried no arp arpa on the interface fa0/1 port. It didn't work. It will only work if I apply it on the corresponding int VLAN 1. However, this will affect all ports in the same vlan. Furthermore I notice that this is not a good solution. Although I will not be able to ping 1.1.1.2 from the switch (for example, if I change the 1.1.1.1 ip address to 1.1.1.2), I will be able to ping the switch interface from 1.1.1.2. Once this is done, the 1.1.1.2 arp entry will appear in the arp table. You will be able to ping 1.1.1.2 from the switch now. Still didn't see any good solution. hm...
> >
> > FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net> wrote:
> > Hi group,
> >
> > If the problem is the dynamic arp entry, disabling arp on the interface will solve the problem, won't it?
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 1
> > switchport port-security mac-address 1234.1234.1234
> > no arp arpa
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1
> >
> > Any comments?
> >
> > Regards.
> >
> > Copete
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of KT Wee
> > Sent: Thursday, February 06, 2003 2:18 PM
> > To: ccielab@groupstudy.com
> > Subject: 3550 port security w/o L2 or L3 access-list
> >
> > Hi Guys,
> >
> > Got a scenario on 3550. Only allow packets with mac-address 1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot use L2 or L3 access list. I thought of using switchport port-security and arp static mapping as follows:
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 1234.1234.1234
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA
> >
> > I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am still able to ping to 1.1.1.2. This would go against the condition that only the host with 1.1.1.1 is allowed. I saw some similar thread before but can't find anything in the archive. Please help, thanks.
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:19 GMT-3