Re: port filtering

From: Yinka Daramola (o_daramola@hotmail.com)
Date: Mon Mar 17 2003 - 21:32:09 GMT-3


 I have tested a solution that seems to work for this. But not sure if it
 meets the requirements.
 - configure a static arp for the port
 - change the interface to a routed port
 - turn off arp on the interface
 - give the interface an ip address on that subnet.

 It will only allow the configured static IP address and MAC address, since
 arp is turned off. The only issue is that you need to make it a routed port
 with an ip address.

 Yinka Daramola, MCSE, CCNP RHCE
 Red Hat Inc.
> ----- Original Message -----
> From: "Jung, Jin" <jin.jung@lmco.com>
> To: <ccie1@hotmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, March 17, 2003 12:53 PM
> Subject: RE: port filtering
>
>
> > Well,
> >
> > No
> > But is it true that it will accept some other ip address only if you
> > configure it on the 3550, and if you only configure a single static arp
> > for this address, the switch will only accept this ip?
> >
> > Jin jung...
> >
> >
> > -----Original Message-----
> > From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> > Sent: Monday, March 17, 2003 3:44 PM
> > To: Jung, Jin; 'Syv Ritch'
> > Cc: ccielab@groupstudy.com
> > Subject: Re: port filtering
> >
> >
> > Hi Jin:
> > Actually I thought of specifying a static arp, but after talking
> > with others, that is not the correct solution. You can have multiple ip
> > addresses to the same mac-address, just not the other way around, so a
> > static arp may not be the answer. Any other ideas?
> >
> >
> > ----- Original Message -----
> > From: "Jung, Jin" <jin.jung@lmco.com>
> > To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, March 17, 2003 12:37 PM
> > Subject: RE: port filtering
> >
> >
> > >
> > >
> > > If I recall, and this has been talked about before,
> > >
> > > For L2, make sure you have
> > > switchport mode access
> > > switchport port-security
> > > switchport port-security mac-address <mac-address>
> > >
> > > And
> > > Do static ARP entry on the 3550
> > >
> > > Arp 150.50.120.3 0000.00001.00ab
> > >
> > > This should work, it worked for me,
> > >
> > > Jin jung...
> > >
> > > -----Original Message-----
> > > From: Syv Ritch [mailto:syv@911networks.com]
> > > Sent: Monday, March 17, 2003 1:53 PM
> > > To: ccie1@hotmail.com
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: port filtering
> > >
> > >
> > > On Monday, March 17, 2003, ccie1@hotmail.com wrote:
> > >
> > > -----Original Message-----
> > >
> > > chc> I want to only allow mac-address 0800.E4D3.A2D1 with ip address
> > > chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement
> > > chc> is to not use layer 3 or layer 2 access-lists. I tried using
> > > chc> port-security with the mac-address but that doesn't seem to work.
> > > chc> Does anyone have any ideas on how to do this?
> > >
> > > What about:
> > >
> > > !vmps domain <domain-name>
> > > ! The VMPS domain must be defined.
> > > !vmps mode {open | secure}
> > > ! The default mode is open.
> > > !vmps fallback <vlan-name>
> > > !vmps no-domain-req { allow | deny }
> > > !
> > > ! The default value is allow.
> > > vmps domain DSBU
> > > vmps mode open
> > > vmps fallback default
> > > vmps no-domain-req deny
> > > !
> > > !
> > > !MAC Addresses
> > > !
> > > vmps-mac-addrs
> > > !
> > > ! address <addr> vlan-name <vlan_name>
> > > !
> > > address 0012.2233.4455 vlan-name hardware
> > > address 0000.6509.a080 vlan-name hardware
> > > address aabb.ccdd.eeff vlan-name Green
> > > address 1223.5678.9abc vlan-name ExecStaff
> > > address fedc.ba98.7654 vlan-name --NONE--
> > > address fedc.ba23.1245 vlan-name Purple
> > > !
> > > !Port Groups
> > > !
> > > !vmps-port-group <group-name>
> > > ! device <device-id> { port <port-name> | all-ports }
> > > !
> > > vmps-port-group WiringCloset1
> > > device 198.92.30.32 port 0/2
> > > device 172.20.26.141 port 0/8
> > > vmps-port-group "Executive Row"
> > > device 198.4.254.222 port 0/2
> > > device 198.4.254.222 port 0/3
> > > device 198.4.254.223 all-ports
> > >
> > > --
> > > Thanks
> > > syv@911networks.com
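An added example, not part of the thread: a small Python audit that reads a 3550-style running-config fragment and checks the two settings the posters combine (port-security pinned to one MAC on the port, plus a global static ARP entry for the IP) for agreement with the expected IP/MAC pair. The config text, interface name and addresses are constructed from the values quoted above; the MAC normalisation and the line-matching regexes are assumptions about the IOS text format, not device commands.

```python
import re

# Constructed 3550-style running-config fragment modelled on the thread (not real device output).
SAMPLE_CONFIG = """\
interface FastEthernet0/16
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0800.E4D3.A2D1
!
arp 12.3.1.1 08:00:e4:d3:a2:d1 ARPA
arp 150.50.120.3 0000.00001.00ab ARPA
"""

PS_MAC_RE = re.compile(r"^switchport port-security mac-address (?:sticky\s+)?([0-9a-fA-F.:-]+)$")
ARP_RE = re.compile(r"^arp\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")

def norm_mac(mac):
    """Normalise a dotted, colon or dash MAC to Cisco xxxx.xxxx.xxxx; None unless exactly 12 hex digits."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    return ".".join(digits[i:i + 4] for i in (0, 4, 8)) if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def interface_block(config, name):
    """Return the stripped sub-commands of 'interface <name>' (IOS indents them with one space)."""
    m = re.search(rf"^interface {re.escape(name)}\n((?: .*\n)*)", config, re.I | re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def audit_port(config, iface, ip, mac):
    """Findings for 'only this IP+MAC on iface'; an empty list means port-security and static ARP agree."""
    findings, want = [], norm_mac(mac)
    block = interface_block(config, iface)
    if "switchport port-security" not in block:
        findings.append(f"{iface}: port-security not enabled")
    allowed = [norm_mac(m.group(1)) for m in map(PS_MAC_RE.match, block) if m]
    if want not in allowed:
        findings.append(f"{iface}: {want} is not a configured secure MAC address")
    findings += [f"{iface}: unexpected secure MAC address {x}" for x in set(allowed) - {want}]
    # Global static ARP table: IP -> normalised MAC (None when the MAC does not parse).
    arp = {m.group(1): norm_mac(m.group(2)) for m in map(ARP_RE.match, config.splitlines()) if m}
    if ip not in arp:
        findings.append(f"no static ARP entry for {ip}")
    elif arp[ip] != want:
        findings.append(f"static ARP entry for {ip} maps to {arp[ip] or 'a malformed MAC'}, expected {want}")
    findings += [f"malformed MAC in static ARP entry for {o}" for o, v in arp.items() if v is None and o != ip]
    return findings

if __name__ == "__main__":
    for finding in audit_port(SAMPLE_CONFIG, "FastEthernet0/16", "12.3.1.1", "0800.E4D3.A2D1"):
        print(finding)
```

On the sample it reports only the second static ARP line, whose MAC does not parse as 12 hex digits. A clean result means the two layers name the same IP and MAC, which is the consistency the thread is debating, not by itself a guarantee that other IPs behind that MAC are blocked.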



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3