RE: 3550 port security w/o L2 or L3 access-list

From: Swink, Dave (DSwink@protrader.com)
Date: Mon Feb 17 2003 - 21:47:14 GMT-3


Joy,

I think you would want "switchport port-security violation protect" in the
config. The default behavior of a port security violation would be to
disable the port (error-disabled state). Otherwise the layer 2 looks good
to me.

Didn't the requirements ban access-lists?

Dave Swink

-----Original Message-----
From: Joy Sarkar [mailto:ciscocalifornia@yahoo.com]
Sent: Monday, February 17, 2003 2:41 PM
To: Desmond; KT Wee; FRANCISCO JAVIER COPETE AGUADO; Group Study CCIE
LAB
Cc: Cope
Subject: Re: 3550 port security w/o L2 or L3 access-list

I just wanted to check if somebody was able to check
and confirm the solution. I think this issue is still
open for discussion......

To me the solution should be as follows:

interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 1234.1234.1234
ip access-group 1 in
!
access-list 1 permit 1.1.1.1
!

I have not tested it out but I think it should work
because router ACLs on a 3550 work only inwards on a
layer 2 interface (though they can be applied both inwards
and outwards on a layer 3 interface).

Can anybody bless this for me???

Thanks

--- Desmond <cciestudy@sympatico.ca> wrote:
> I can confirm that arp is not the solution because arp has nothing to do
> with security. I tested all suggestions on my Cat3550. VLAN map seems to be
> the only solution, but it will affect the whole VLAN. Assigning the port to
> another vlan may not meet the requirement.
>
>
> Des
>
>
> ----- Original Message -----
> From: "KT Wee" <cciekt@yahoo.com>
> To: "FRANCISCO JAVIER COPETE AGUADO" <F.COPETE.AGUADO@valenciamail.net>;
> "Group Study CCIE LAB" <ccielab@groupstudy.com>
> Cc: "Cope" <franciscoj_copete@ieci.es>
> Sent: Tuesday, February 11, 2003 7:50 AM
> Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
> > Hi,
> > I have tried no arp arpa on the interface fa0/1 port. It didn't work. It
> > will only work if I apply it on the corresponding int VLAN 1. However, this
> > will affect all ports in the same vlan. Furthermore I notice that this is
> > not a good solution. Although I will not be able to ping 1.1.1.2 from the
> > switch (example: I change the 1.1.1.1 ip address to 1.1.1.2), I will be
> > able to ping from the 1.1.1.2 the switch interface. Once this is done, the
> > 1.1.1.2 arp entry will appear in the arp-table. You will be able to ping
> > 1.1.1.2 from the switch now. Still didn't see any good solution. hm...
> >
> > FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net> wrote:
> > Hi group,
> >
> > If the problem is the dynamic arp entry, disabling arp on the interface
> > will solve the problem, isn't it?
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 1
> > switchport port-security mac-address 1234.1234.1234
> > no arp arpa
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1
> >
> > Any comments?
> >
> > Regards.
> >
> > Copete
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > KT Wee
> > Sent: Thursday, February 06, 2003 2:18 PM
> > To: ccielab@groupstudy.com
> > Subject: 3550 port security w/o L2 or L3 access-list
> >
> > Hi Guys,
> >
> > Got a scenario on 3550. Only allow packet with mac-address
> > 1234.1234.1234 and ip address 1.1.1.1 to access port fa0/1. Cannot use
> > L2 or L3 access list. I thought of using switchport port-security and arp
> > static mapping as follows:
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 1234.1234.1234
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA
> >
> > I am able to ping to 1.1.1.1. But if I change the host to 1.1.1.2, I am
> > still able to ping to 1.1.1.2. This would go against the condition that only
> > the host with 1.1.1.1 is allowed. I saw some thread similar before but
> > can't find anything in archive. Please help thanks.
>
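To make the thread's conclusion concrete, below is an added Python model of what each candidate configuration actually enforces on an inbound frame. It is not Cisco code and was not posted by anyone in the thread; it assumes that port-security examines only the source MAC, that a static ARP entry is never consulted when filtering a frame's source IP, that an inbound "ip access-group" can be modelled as a set of permitted source IPs, and that the two violation modes Dave contrasts are "shutdown" (the IOS default, which err-disables the port) and "protect" (which silently drops). The rogue MAC used in the violation test is constructed.

```python
"""Added model of the thread's candidate 3550 port configurations.

Not Cisco's code and not from the thread. Assumptions (labelled):
  * port-security matches only the frame's source MAC;
  * a static ARP entry is never consulted for inbound source-IP filtering;
  * an inbound 'ip access-group' is modelled as a set of permitted source IPs;
  * violation mode 'shutdown' (IOS default) err-disables the port,
    'protect' drops the offending frame silently.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ALLOWED_MAC = "1234.1234.1234"   # scenario values taken from the thread
ALLOWED_IP = "1.1.1.1"


@dataclass
class Frame:
    src_mac: str
    src_ip: str


@dataclass
class AccessPort:
    """Toy access port: port-security, optional static ARP, optional inbound ACL."""
    secure_macs: Set[str]
    violation: str = "shutdown"                              # IOS default
    static_arp: Dict[str, str] = field(default_factory=dict)  # ip -> mac
    ip_acl_permit: Optional[Set[str]] = None                 # None = no ACL applied
    err_disabled: bool = False

    def ingress(self, frame: Frame) -> str:
        if self.err_disabled:
            return "drop: port err-disabled"
        # Port security looks at the source MAC only.
        if frame.src_mac not in self.secure_macs:
            if self.violation == "shutdown":
                self.err_disabled = True    # default mode takes the whole port down
                return "drop: port-security violation, port err-disabled"
            return "drop: port-security violation (protect)"
        # static_arp is deliberately not consulted here: it only fixes the MAC the
        # switch uses when *it* sends to 1.1.1.1, so it cannot reject 1.1.1.2.
        # Inbound port ACL on the L2 interface, if one is applied.
        if self.ip_acl_permit is not None and frame.src_ip not in self.ip_acl_permit:
            return "drop: denied by ip access-group"
        return "forward"


def kt_wee_port() -> AccessPort:
    """KT Wee's attempt: port-security plus 'arp 1.1.1.1 1234.1234.1234 ARPA', no ACL."""
    return AccessPort({ALLOWED_MAC}, static_arp={ALLOWED_IP: ALLOWED_MAC})


def joy_port(violation: str = "shutdown") -> AccessPort:
    """Joy's proposal: port-security plus 'ip access-group 1 in' permitting 1.1.1.1."""
    return AccessPort({ALLOWED_MAC}, violation=violation, ip_acl_permit={ALLOWED_IP})


def spoofed_ip_result(port: AccessPort) -> str:
    """Correct MAC, host readdressed to 1.1.1.2 (the case KT Wee observed)."""
    return port.ingress(Frame(ALLOWED_MAC, "1.1.1.2"))


def after_violation(port: AccessPort) -> Tuple[str, str]:
    """A foreign MAC first, then the legitimate host: why the violation mode matters."""
    first = port.ingress(Frame("dead.beef.0001", ALLOWED_IP))   # constructed rogue MAC
    second = port.ingress(Frame(ALLOWED_MAC, ALLOWED_IP))
    return first, second


if __name__ == "__main__":
    print("static ARP only   :", spoofed_ip_result(kt_wee_port()))
    print("with inbound ACL  :", spoofed_ip_result(joy_port()))
    print("default shutdown  :", after_violation(joy_port()))
    print("violation protect :", after_violation(joy_port("protect")))
```

Running it shows the two points the thread arrives at: with only the static ARP entry the readdressed host is forwarded, because nothing on the ingress path ever compares a frame's source IP against that mapping, while the inbound ACL drops it; and under the default violation mode a single foreign MAC err-disables the port, so the legitimate host is cut off until someone recovers the port, which is why Dave suggests "violation protect".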



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:26 GMT-3