From: Robert Rech (brech@kc.rr.com)
Date: Tue Mar 18 2003 - 12:16:44 GMT-3
Port security will take care of only letting the specified MAC address
connect to this port. It will not take care of the same MAC moving to a
different port; however, a static mac-address-table entry will do this. Now
this MAC address can't move to another port with the same or a different IP,
and no other MAC address can connect to the switch port because of
port-security. So with the MAC tied down to the port, the next question is
the IP address.
Depending on the specifics of the subnet and the question, a static ARP entry
on the router would stop any off-net traffic from going anywhere else. The
only thing that can happen now is a different MAC address on a different
switch port with the same IP could talk to other things on the local subnet
but not off the subnet, because of the static ARP on the router or
routers (depending on how many routers are on the subnet).
As far as VLANMAP, I don't know much about that. It seems that a VLAN map
still requires ACLs, and is specific to a VLAN, not a port?
Maybe you could give me some more information on using the VLAN map in this
way.
Thanks for your help
----- Original Message -----
From: "Pita40" <pita40@hotmail.com>
To: "Robert Rech" <brech@kc.rr.com>; <ccie1@hotmail.com>; "Scott M.
Livingston" <scottl@sprinthosting.net>; <ccielab@groupstudy.com>
Sent: Tuesday, March 18, 2003 8:26 AM
Subject: Re: port filtering
> Vlanmap will take care of this problem like a champ. Check it out on the
> DOC CD.
>
> Thanks
>
> Peter
> ----- Original Message -----
> From: "Robert Rech" <brech@kc.rr.com>
> To: <ccie1@hotmail.com>; "Scott M. Livingston" <scottl@sprinthosting.net>;
> <ccielab@groupstudy.com>
> Sent: Monday, March 17, 2003 2:52 PM
> Subject: Re: port filtering
>
>
> > Could you use port security to solve the mac part of it and static arp
> > entries to take care of the IP part of the question.
> >
> > ----- Original Message -----
> > From: <ccie1@hotmail.com>
> > To: "Scott M. Livingston" <scottl@sprinthosting.net>;
> > <ccielab@groupstudy.com>
> > Sent: Monday, March 17, 2003 12:30 PM
> > Subject: Re: port filtering
> >
> >
> > > I'm fairly confident that any description of an IP address on a question in
> > > the lab is used somewhere in the solution. Otherwise, why would they bother
> > > mentioning it?
> > >
> > > I'm just having trouble finding out where to plug the mac-address portion of
> > > the question.
> > >
> > > Thanks for all your input Scott.
> > >
> > > ----- Original Message -----
> > > From: "Scott M. Livingston" <scottl@sprinthosting.net>
> > > To: <ccie1@hotmail.com>; <ccielab@groupstudy.com>
> > > Sent: Monday, March 17, 2003 10:19 AM
> > > Subject: RE: port filtering
> > >
> > >
> > > > I guess you could look at it another way too, but if this were a real
> > > > task in the lab you would need to ask the proctor about the following.
> > > >
> > > > The L3 address is just extra info and you really don't need to use
> > > > anything other than port security...??
> > > >
> > > > Thanks,
> > > > scott
> > > >
> > > > -----Original Message-----
> > > > From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> > > > Sent: Monday, March 17, 2003 12:04 PM
> > > > To: Scott M. Livingston; ccielab@groupstudy.com
> > > > Subject: Re: port filtering
> > > >
> > > > Hi Scott:
> > > > I could use a vlan map, but vlan maps use access-lists, and the
> > > > requirement is to not use any L3 or L2 access-lists. Am I missing something
> > > > here?
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Scott M. Livingston" <scottl@sprinthosting.net>
> > > > To: <ccie1@hotmail.com>; <ccielab@groupstudy.com>
> > > > Sent: Monday, March 17, 2003 9:58 AM
> > > > Subject: RE: port filtering
> > > >
> > > >
> > > > > HMMMMM??? Port security will work for the L2 side of the task. What
> > > > > about the port security configuration didn't work for you? As far as
> > > > > using something for the L3 (host IP) I can only think of an L3 ip ACL.
> > > > > If there is more to the task than locking an IP to a port then I guess
> > > > > you could use a VLAN Map?
> > > > >
> > > > > Thanks,
> > > > > scott
> > > > >
> > > > > -----Original Message-----
> > > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > > ccie1@hotmail.com
> > > > > Sent: Monday, March 17, 2003 10:11 AM
> > > > > To: ccielab@groupstudy.com
> > > > > Subject: port filtering
> > > > >
> > > > > I know this has been discussed before, but I have tried some of the
> > > > > solutions people have posted and they don't seem to work:
> > > > >
> > > > > I want to only allow mac-address 0800.E4D3.A2D1 with ip address 12.3.1.1
> > > > > on port fast-ethernet 0/16 on my 3550. The requirement is to not use layer 3
> > > > > or layer 2 access-lists. I tried using port-security with the mac-address
> > > > > but that doesn't seem to work. Does anyone have any ideas on how to do
> > > > > this?
> > > > >
> > > > > thanks in advance
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3
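
Added example (not part of the original thread, and not any poster's configuration): the combination described in the top message, written out for the MAC address, IP address and port given in the original question. VLAN 10 is a placeholder, and the syntax assumes an IOS release that spells the command `mac-address-table` (later releases use `mac address-table`).

```cisco
! --- Catalyst 3550 (switch) ---
! VLAN 10 is an assumed placeholder; the thread does not say which
! VLAN FastEthernet0/16 belongs to.
interface FastEthernet0/16
 switchport mode access
 switchport access vlan 10
 ! Port security: allow exactly one source MAC on this port ...
 switchport port-security
 switchport port-security maximum 1
 ! ... and make it the MAC from the question.
 switchport port-security mac-address 0800.e4d3.a2d1
 ! Err-disable the port if any other source MAC appears on it.
 switchport port-security violation shutdown
!
! Static forwarding-table entry: ties the MAC to Fa0/16, which is the
! "same MAC on a different port" case the top message raises.
mac-address-table static 0800.e4d3.a2d1 vlan 10 interface FastEthernet0/16
!
! --- Each router on the subnet ---
! Static ARP entry: off-subnet return traffic for 12.3.1.1 is always
! sent to the pinned MAC, whatever ARP replies appear on the segment.
arp 12.3.1.1 0800.e4d3.a2d1 arpa
!
! Checks after applying:
!   show port-security interface FastEthernet0/16
!   show mac-address-table static
!   show arp | include 12.3.1.1      (on the router)
```

As the top message notes, this leaves local-subnet traffic from a different MAC using the same IP unaddressed; only the router's view of 12.3.1.1 is fixed.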