From: sam (sam@avtechusa.com)
Date: Thu Feb 13 2003 - 00:51:24 GMT-3
Correct me if I am wrong...
This is where the discussion stands so far
Qn: Allow only a machine with a specific IP and MAC address into a specific port.
Soln:
MAC Address: Use port-security to allow a single MAC address in
IP Address: Either use access-group to permit the host's IP or a static ARP statement linking IP to MAC address? (no ACLs)
int fa0/1
 switchport mode access
 switchport access vlan 10                      ---> makes this port a member of the vlan
 switchport port-security                       ---> enables port security on the port
 switchport port-security max 1                 ---> max number of mac add. on this port
 switchport port-security mac-address a.b.c     ---> the mac address you specify
 switchport port-security violation restrict    ---> violation restricts data
AND
 ip access-group 101 in
exit
access-list 101 permit ip host 1.1.1.1 any      ---> extended ACL: protocol and destination are required
OR
arp 1.1.1.1 aaa.bbb.ccc arpa
*I got my dinks from the link below (watch the wrap)
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550cr/cli2.htm#xtocid111
Excerpts
- Port security can only be configured on static access ports.
- A secure port cannot be a dynamic access port or a trunk port.
- A secure port cannot be a destination port for (SPAN).
- A secure port cannot belong to a Fast EtherChannel port group.
- You cannot configure static secure MAC addresses in the voice VLAN.
Requires: switchport port-security maximum 2 (minimum) {1 each for voice/access VLAN plus additional for a PC connected to phone}
- To enable port security on an 802.1X port, you must first enable the 802.1X multiple-hosts mode on the port.
Sam Sena
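Added here as an example, not code from the thread: a small Python audit that reads a saved 3550 running-config and reports whether a given port carries the port-security and inbound ACL settings the thread converges on (one secure MAC, one permitted host). The config excerpt is constructed for the example.

```python
import re
# Constructed running-config excerpt modelled on the thread's 3550 example (not
# captured from a real switch); the bare "switchport port-security" line, which
# the thread's snippets omit, is what enables the feature on the 3550.
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 42
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 3333.4444.5555
 switchport port-security violation restrict
 ip access-group 101 in
!
access-list 101 permit ip host 192.168.1.8 any
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
    return interfaces

def acl_hosts(config, acl_id):
    # Single-host sources permitted by a numbered extended ACL
    return re.findall(rf"^access-list {acl_id} permit \S+ host (\S+)", config, re.M)

def audit_port(config, name):
    """Findings for a port meant to admit exactly one MAC and one source IP."""
    lines = parse_interfaces(config).get(name, [])
    findings = []
    if "switchport port-security" not in lines:
        findings.append("port-security not enabled")
    if "switchport port-security maximum 1" not in lines:
        findings.append("maximum secure MACs is not 1")
    if not any(l.startswith("switchport port-security mac-address ") for l in lines):
        findings.append("no static secure MAC address")
    acl = next((l.split()[2] for l in lines if l.startswith("ip access-group ")), None)
    if acl is None:
        findings.append("no inbound ip access-group: source IP unrestricted")
    elif len(acl_hosts(config, acl)) != 1:
        findings.append(f"ACL {acl} does not permit exactly one host")
    return findings
```

Run `audit_port(SAMPLE_CONFIG, "FastEthernet0/3")` against `show running-config` output saved to a file; an empty list means the port matches the intended one-MAC, one-IP policy.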
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of A
Sent: Thursday, January 16, 2003 10:44 AM
To: 'Adam Crisp'; 'Mark Vann'; 'Bob Sinclair'; 'Massimiliano Tognon';
ccielab@groupstudy.com; aparadela@myacc.net
Subject: RE: 3550 security
Going back to the original question, how about:
arp 192.168.1.8 3333.4444.5555 arpa vlan42 ; or maybe even fa0/3
int fa0/3
 switchport mode access
 switchport access vlan 42
 switchport port-security
 switchport port-security mac-address 3333.4444.5555
 switchport port-security maximum 1
 switchport port-security violation restrict
end
Alex
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Adam Crisp
Sent: Monday, December 16, 2002 1:06 PM
To: Mark Vann; Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
Subject: RE: 3550 security
Mark, if you search back on group study you'll see me complaining about the "ip access-group" bug. ;-(
The workaround is to create a "permit all" access-group and apply it to all other interfaces.
You need to do this if you use a "mac access-group" as well, although the "bug/feature" only happens after you reboot the switch.
I'm not sure I'm completely happy with Bob's statement saying the IP address is a red herring.
As it happens the 3550 has a brilliant feature where you can deny access to L3 IP addresses, when the switch is in L2 mode..... you just need to massage the switch when using "ip access-group". If the switch was a 5500, then I would tend to agree that it could be a red herring.
If anybody can tell me how to not get the bug that Mark describes then please shout!
Adam
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mark Vann
Sent: 14 December 2002 23:48
To: Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
Subject: Re: 3550 security
Heh, using an ip access list on the switch caused a bug for me, the whole switch would not pass traffic.
Just my .02
--- Bob Sinclair <bsin@cox.net> wrote:
> I think the IP information in the question is a red herring - it is there only to complicate and confuse. If your port is a layer 2 port, then by definition it has no knowledge of the IP address. I would do port security using the MAC address and leave it at that.
>
> -Bob Sinclair
> CCIE #10427
>
> ----- Original Message -----
> From: "Massimiliano Tognon" <mtognon@tecnonetspa.it>
> To: <ccielab@groupstudy.com>
> Sent: Saturday, December 14, 2002 5:57 AM
> Subject: 3550 security
>
>
> > hi folks, question for you...
> > how can i secure a 3550 port?
> > question is :
> > i can allow only 1 pc with specific mac-address (something like 3333.4444.5555) AND specific IP ADDRESS (something like 192.168.1.8).
> > for mac-address i think to use port security, but what can i use for ip address?
> > 3550 fasteth is a layer 2 port not a routed (layer3) port...
> > any idea ?
> >
> > thanks
This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:20 GMT-3