Re: 3550 port security w/o L2 or L3 access-list

From: Desmond (cciestudy@sympatico.ca)
Date: Tue Feb 18 2003 - 11:45:17 GMT-3


This solution will work for sure, but the port has to be moved to a dedicated
VLAN, and this VLAN is mentioned in the switching part. Does it still fulfil
the requirement?

----- Original Message -----
From: "Khalid Siddiq" <khalid@sys.net.pk>
To: "Logan, Harold" <loganh@mccfl.edu>; "Desmond" <cciestudy@sympatico.ca>;
"KT Wee" <cciekt@yahoo.com>; "FRANCISCO JAVIER COPETE AGUADO"
<F.COPETE.AGUADO@valenciamail.net>; "Group Study CCIE LAB"
<ccielab@groupstudy.com>
Cc: "Cope" <franciscoj_copete@ieci.es>
Sent: Tuesday, February 18, 2003 6:00 AM
Subject: RE: 3550 port security w/o L2 or L3 access-list

What type of access-list will be used, standard or extended?
VACLs work in both directions, inbound and outbound, so do we have to permit
the host in both directions?

access-list 101 permit ip host 1.1.1.1 any
access-list 101 permit ip any host 1.1.1.1

vlan access-map vlan2 10
 action forward
 match ip address 101

vlan filter vlan2 vlan-list 2

Can someone clarify that?
Regards,
khalid

-----Original Message-----
From: Logan, Harold [mailto:loganh@mccfl.edu]
Sent: Wednesday, February 12, 2003 2:52 AM
To: Desmond; KT Wee; FRANCISCO JAVIER COPETE AGUADO; Group Study CCIE
LAB
Cc: Cope
Subject: RE: 3550 port security w/o L2 or L3 access-list

Unless the requirements state that you cannot assign the port to a
different VLAN, I'd say that's a workable solution. If the subnet that
has the 1.1.1.1 host on it is part of the network, then you would have
to create a layer 3 interface so it could talk to other hosts on the
network. This is probably one of those requirements where the practice
labs don't want you to read too much into it. I think putting the port in
its own VLAN and applying a VLAN map is the way to go.

Hal

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Desmond
> Sent: Tuesday, February 11, 2003 2:12 PM
> To: KT Wee; FRANCISCO JAVIER COPETE AGUADO; Group Study CCIE LAB
> Cc: Cope
> Subject: Re: 3550 port security w/o L2 or L3 access-list
>
>
> I can confirm that ARP is not the solution because ARP has nothing to do
> with security. I tested all suggestions on my Cat3550. VLAN map seems to be
> the only solution, but it will affect the whole VLAN. Assigning the port to
> another VLAN may not meet the requirement.
>
>
> Des
>
>
> ----- Original Message -----
> From: "KT Wee" <cciekt@yahoo.com>
> To: "FRANCISCO JAVIER COPETE AGUADO"
> <F.COPETE.AGUADO@valenciamail.net>;
> "Group Study CCIE LAB" <ccielab@groupstudy.com>
> Cc: "Cope" <franciscoj_copete@ieci.es>
> Sent: Tuesday, February 11, 2003 7:50 AM
> Subject: RE: 3550 port security w/o L2 or L3 access-list
>
>
> > Hi,
> > I have tried no arp arpa on the interface fa0/1 port. It didn't work. It
> > will only work if I apply it on the corresponding int VLAN 1. However, this
> > will affect all ports in the same VLAN. Furthermore, I notice that this is
> > not a good solution. Although I will not be able to ping 1.1.1.2 from the
> > switch (for example, if I change the 1.1.1.1 IP address to 1.1.1.2), I will
> > be able to ping the switch interface from 1.1.1.2. Once this is done, the
> > 1.1.1.2 ARP entry will appear in the ARP table. You will be able to ping
> > 1.1.1.2 from the switch now. Still didn't see any good solution. hm...
> >
> > FRANCISCO JAVIER COPETE AGUADO <F.COPETE.AGUADO@valenciamail.net> wrote:
> > Hi group,
> >
> > If the problem is the dynamic ARP entry, disabling ARP on the interface
> > will solve the problem, won't it?
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security maximum 1
> > switchport port-security mac-address 1234.1234.1234
> > no arp arpa
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA fastEthernet 0/1
> >
> > Any comments?
> >
> > Regards.
> >
> > Copete
> >
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > KT Wee
> > Sent: Thursday, February 06, 2003 2:18 PM
> > To: ccielab@groupstudy.com
> > Subject: 3550 port security w/o L2 or L3 access-list
> >
> > Hi Guys,
> >
> > Got a scenario on 3550. Only allow packets with MAC address 1234.1234.1234
> > and IP address 1.1.1.1 to access port fa0/1. Cannot use L2 or L3 access
> > lists. I thought of using switchport port-security and ARP static mapping
> > as follows:
> >
> > interface FastEthernet0/1
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 1234.1234.1234
> >
> > arp 1.1.1.1 1234.1234.1234 ARPA
> >
> > I am able to ping 1.1.1.1. But if I change the host to 1.1.1.2, I am
> > still able to ping 1.1.1.2. This would go against the condition that only
> > the host with 1.1.1.1 is allowed. I saw a similar thread before but
> > can't find anything in the archive. Please help, thanks.
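The VLAN-map approach the thread converges on, collected into one configuration as an added example (it is not configuration posted by any of the participants). It assumes Catalyst 3550 IOS syntax, that VLAN 2 is otherwise unused, and that the switching requirements allow the port to be moved there:

```cisco
! Dedicated VLAN for the restricted port, so the VLAN map only
! affects this one host and not every port in VLAN 1 (assumption: VLAN 2 is free)
vlan 2
 name restricted-host
!
! Port security enforces the Layer 2 half of the requirement:
! only frames sourced from 1234.1234.1234 are accepted on fa0/1
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1234.1234.1234
 switchport port-security violation shutdown
!
! A VLAN map is applied to all traffic bridged in the VLAN regardless of
! direction, so the host must be permitted both as source and as destination
access-list 101 permit ip host 1.1.1.1 any
access-list 101 permit ip any host 1.1.1.1
!
! IP packets that match ACL 101 are forwarded; IP packets matching no
! entry hit the implicit deny at the end of the map and are dropped,
! which is what stops a host that changes its address to 1.1.1.2
vlan access-map restrict-fa0-1 10
 action forward
 match ip address 101
!
vlan filter restrict-fa0-1 vlan-list 2
!
! Verification from enable mode
! show vlan access-map
! show vlan filter
! show port-security interface fastethernet 0/1
```

An IP ACL does not match ARP or other non-IP frames; on the 3550 a packet type for which the map has no match clause is forwarded, so restricting non-IP traffic as well would need a `match mac address` clause with a MAC ACL.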



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:26 GMT-3