RE: 3550 security

From: Tim Fletcher (tim@fletchmail.net)
Date: Thu Feb 13 2003 - 11:53:10 GMT-3


 From a post I made last week...

> ARP is not a solution to this problem (although I don't know what the
> solution is). The reason is that ARP entries can be learned in
> several ways.
>
> 1. If a device needs to send a packet and does not have an ARP
> entry, it will send an ARP request, and the destination will send an
> ARP reply.
> 2. Many devices when they come on line will send a gratuitous ARP
> reply. You can also generate gratuitous ARP replies on a router
> by doing "clear arp".
> 3. Any received packets get entered into the ARP table.
>
> "no arp arpa" only turns off method 1, so it will not prevent
> entries in the ARP table. Even if you could block all ARP replies, it
> still leaves method 3.

I forgot to add that each node on the VLAN maintains its own ARP cache. So
even if disabling ARP worked, the machine would still be able to
communicate with any other device on the same VLAN regardless of what the
IP address is.

-Tim Fletcher

At 10:51 PM 2/12/2003 -0500, sam wrote:
>Correct me if I am wrong...
>This is where the discussion stands so far
>
>Qn: Allow only a machine with a specific IP and MAC address into a
>specific port.
>
>Soln:
>MAC Address: Use port-security to allow a single MAC address in
>IP Address: Either use access-group to permit the host's IP or
> Static ARP statement linking IP to MAC add? (NO ACLs)
>
>Int fa0/1
>
>Switchport mode access
>Switchport access vlan 10 ---> makes this port a member of the vlan
>Switchport port-security max 1 ----> max number of mac add. on this port
>
>Switchport port-security mac-address a.b.c --> the mac address you
>specify
>Switchport port-security violation restrict -->violation restricts data
>
>AND
>
>Ip access-group 101 in
>Exit
>Access-list 101 permit host 1.1.1.1
>
>OR
>
>Arp 1.1.1.1 aaa.bbb.ccc arpa
>
>*I got my links from the link below (watch the wrap)
>http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12112cea/3550cr/cli2.htm#xtocid111
>
>Excerpts
>- Port security can only be configured on static access ports.
>- A secure port cannot be a dynamic access port or a trunk port.
>- A secure port cannot be a destination port for (SPAN).
>- A secure port cannot belong to a Fast EtherChannel port group.
>- You cannot configure static secure MAC addresses in the voice VLAN.
> Requires
> Switchport port-security maximum 2 (minimum) {1 each for
>voice/access VLAN plus additional for a PC connected to phone}
>-To enable port security on an 802.1X port, you must first enable the
>802.1X multiple-hosts mode on the port.
>
>Sam Sena
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>A
>Sent: Thursday, January 16, 2003 10:44 AM
>To: 'Adam Crisp'; 'Mark Vann'; 'Bob Sinclair'; 'Massimiliano Tognon';
>ccielab@groupstudy.com; aparadela@myacc.net
>Subject: RE: 3550 security
>
>Going back to the original question, how about:
>
>arp 192.168.1.8 3333.4444.5555 arpa vlan42 ; or maybe even fa0/3
>
>int fa0/3
> switchport mode access
> switchport access vlan 42
> switchport port-security mac-address 3333.4444.5555
> switchport port-security maximum 1
> switchport port-security violation restrict
>end
>
>
>Alex
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Adam Crisp
>Sent: Monday, December 16, 2002 1:06 PM
>To: Mark Vann; Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
>Subject: RE: 3550 security
>
>
>Mark, if you search back on group study you'll see me complaining about the
>"ip access-group" bug. ;-(
>
>The workaround is to create a "permit all" access-group and apply it to all
>other interfaces.
>
>You need to do this if you use a "mac access-group" as well, although the
>"bug/feature" only happens after you reboot the switch.
>
>I'm not sure I'm completely happy with Bob's statement saying the IP address
>is a red herring.
>As it happens the 3550 has a brilliant feature where you can deny access to
>L3 IP addresses, when the switch is in L2 mode..... you just need to massage
>the switch when using "ip access-group". If the switch was a 5500, then I
>would tend to agree that it could be a red herring.
>
>If anybody can tell me how to not get the bug that Mark describes then
>please shout!
>
>Adam
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Mark Vann
>Sent: 14 December 2002 23:48
>To: Bob Sinclair; Massimiliano Tognon; ccielab@groupstudy.com
>Subject: Re: 3550 security
>
>
>Heh, using an ip access list on the switch caused a
>bug for me, the whole switch would not pass traffic.
>Just my .02
>--- Bob Sinclair <bsin@cox.net> wrote:
> > I think the IP information in the question is a red
> > herring - it is there
> > only to complicate and confuse. If your port is a
> > layer 2 port, then by
> > definition it has no knowledge of the IP address. I
> > would do port security
> > using the MAC address and leave it at that.
> >
> > -Bob Sinclair
> > CCIE #10427
> >
> > ----- Original Message -----
> > From: "Massimiliano Tognon" <mtognon@tecnonetspa.it>
> > To: <ccielab@groupstudy.com>
> > Sent: Saturday, December 14, 2002 5:57 AM
> > Subject: 3550 security
> >
> >
> > > hi folks, question for you...
> > > how can i secure a 3550 port?
> > > question is :
> > > i can allow only 1 pc with specific mac-address
> > (something like
> > > 3333.4444.5555) AND specific IP ADDRESS (something
> > like 192.168.1.8).
> > > for mac-address i think to use port security, but
> > what can i use for ip
> > > address?
> > > 3550 fasteth is a layer 2 port not a routed
> > (layer3) port...
> > > any idea ?
> > >
> > > thanks
>
>
>=====
>Mark Vann
>CCNP, CCNA, CCDA, Network+
>Network Engineer
>
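The thread converges on pinning a 3550 access port to one MAC with port-security and to one IP with an inbound `ip access-group`. As an added example that is not from the thread or from Cisco, the following Python audit parses a running-config excerpt and reports which half of that binding is missing; the config sample is constructed from the values posted above, and it assumes the extended-ACL syntax `access-list 101 permit ip host <ip> any` and an explicit `switchport port-security` enabling line.

```python
import re

# Constructed running-config excerpt modelled on the configs posted in the
# thread (interface, MAC and IP values come from the thread; not a real dump).
SAMPLE_CONFIG = """\
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 42
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 3333.4444.5555
 switchport port-security violation restrict
 ip access-group 101 in
!
access-list 101 permit ip host 192.168.1.8 any
"""

def parse_interfaces(config):
    # Map each "interface X" block to its stripped sub-commands.
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks

def audit_port(config, iface, mac, ip):
    # Return findings; an empty list means the port is pinned to mac + ip.
    lines = parse_interfaces(config).get(iface, [])
    required = {
        "switchport mode access": "not a static access port (port-security needs one)",
        "switchport port-security": "port-security not enabled",
        "switchport port-security maximum 1": "port-security maximum is not 1",
        f"switchport port-security mac-address {mac}": f"secure MAC {mac} not configured",
    }
    findings = [msg for cmd, msg in required.items() if cmd not in lines]
    # The IP half: an inbound ACL whose permit entries all name "host <ip>".
    acl = [l.split()[2] for l in lines if re.match(r"ip access-group \S+ in$", l)]
    if not acl:
        findings.append("no inbound ip access-group, so the IP is not bound")
        return findings
    permits = re.findall(rf"^access-list {re.escape(acl[0])} permit (.*)$", config, re.M)
    if not permits or not all(re.search(rf"\bhost {re.escape(ip)}\b", p) for p in permits):
        findings.append(f"ACL {acl[0]} permits more than host {ip}")
    return findings
```

Run `audit_port(SAMPLE_CONFIG, "FastEthernet0/3", "3333.4444.5555", "192.168.1.8")` to get an empty list; remove the `ip access-group` line or change the MAC and the corresponding finding appears.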



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:21 GMT-3