Re: port filtering

From: ccie1@hotmail.com
Date: Mon Mar 17 2003 - 17:43:49 GMT-3


Hi Jin:
        Actually I thought of specifying a static ARP, but after talking
with others, that is not the correct solution. You can have multiple IP
addresses to the same mac-address, just not the other way around, so a
static ARP may not be the answer. Any other ideas?

----- Original Message -----
From: "Jung, Jin" <jin.jung@lmco.com>
To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, March 17, 2003 12:37 PM
Subject: RE: port filtering

>
>
> If I recall, and this has been talked about before,
>
> For L2, make sure you have
> Switchport mode access
> Switchport port-security
> Switchport port-security <mac-address>
>
> And
> Do static ARP entry on the 3550
>
> Arp 150.50.120.3 0000.00001.00ab
>
> This should work, it worked for me,
>
> Jin jung...
>
> -----Original Message-----
> From: Syv Ritch [mailto:syv@911networks.com]
> Sent: Monday, March 17, 2003 1:53 PM
> To: ccie1@hotmail.com
> Cc: ccielab@groupstudy.com
> Subject: Re: port filtering
>
>
> On Monday, March 17, 2003, ccie1@hotmail.com wrote:
>
> -----Original Message-----
>
> chc> I want to only allow mac-address 0800.E4D3.A2D1 with IP address
> chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement is
> chc> to not use layer 3 or layer 2 access-lists. I tried using
> chc> port-security with the mac-address but that doesn't seem to work.
> chc> Does anyone have any ideas on how to do this?
>
> What about:
>
> !vmps domain <domain-name>
> ! The VMPS domain must be defined.
> !vmps mode {open | secure}
> ! The default mode is open.
> !vmps fallback <vlan-name>
> !vmps no-domain-req { allow | deny }
> !
> ! The default value is allow.
> vmps domain DSBU
> vmps mode open
> vmps fallback default
> vmps no-domain-req deny
> !
> !
> !MAC Addresses
> !
> vmps-mac-addrs
> !
> ! address <addr> vlan-name <vlan_name>
> !
> address 0012.2233.4455 vlan-name hardware
> address 0000.6509.a080 vlan-name hardware
> address aabb.ccdd.eeff vlan-name Green
> address 1223.5678.9abc vlan-name ExecStaff
> address fedc.ba98.7654 vlan-name --NONE--
> address fedc.ba23.1245 vlan-name Purple
> !
> !Port Groups
> !
> !vmps-port-group <group-name>
> ! device <device-id> { port <port-name> | all-ports }
> !
> vmps-port-group WiringCloset1
> device 198.92.30.32 port 0/2
> device 172.20.26.141 port 0/8
> vmps-port-group "Executive Row"
> device 198.4.254.222 port 0/2
> device 198.4.254.222 port 0/3
> device 198.4.254.223 all-ports
>
> --
> Thanks
> syv@911networks.com
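
As an added example (not part of the original thread or anyone's posted code): a small Python reader for the VMPS database format quoted above that reports what the server would answer for a given source MAC. The response rules are an assumption based on Cisco's documented VMPS behaviour (fallback VLAN for unlisted MACs, `--NONE--` as an explicit deny, `secure` mode shutting the port down); port groups are ignored and the database text is a constructed sample.

```python
import re

# Constructed sample: a trimmed VMPS database in the format quoted above.
SAMPLE_DB = """\
vmps mode open
vmps fallback default
vmps-mac-addrs
! address <addr> vlan-name <vlan_name>
address aabb.ccdd.eeff vlan-name Green
address fedc.ba98.7654 vlan-name --NONE--
"""

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def parse_vmps(text):
    """Return (settings, mac_table) from VMPS database text."""
    settings, macs = {"mode": "open", "fallback": None}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):      # '!' starts a comment line
            continue
        tok = line.split()
        if tok[0] == "vmps" and len(tok) >= 3:
            settings[tok[1]] = tok[2]
        elif tok[0] == "address" and len(tok) == 4 and tok[2] == "vlan-name":
            macs[norm_mac(tok[1])] = tok[3]
    return settings, macs

def vmps_answer(settings, macs, mac):
    """Answer for one source MAC (assumed Cisco VMPS rules, no port groups)."""
    refuse = "port-shutdown" if settings["mode"] == "secure" else "access-denied"
    vlan = macs.get(norm_mac(mac))
    if vlan == "--NONE--":                        # explicit deny entry
        return refuse
    if vlan is not None:                          # listed MAC gets its VLAN
        return f"vlan {vlan}"
    if settings["fallback"]:                      # unlisted MAC, fallback set
        return f"vlan {settings['fallback']} (fallback)"
    return refuse

if __name__ == "__main__":
    cfg, table = parse_vmps(SAMPLE_DB)
    for m in ("aabb.ccdd.eeff", "fedc.ba98.7654", "0800.E4D3.A2D1"):
        print(m, "->", vmps_answer(cfg, table, m))
```

With `vmps fallback default` present, the unlisted address 0800.E4D3.A2D1 is still placed in a VLAN rather than refused; only without a fallback entry does an unlisted MAC get a refusal.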



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3