From: Jung, Jin (jin.jung@lmco.com)
Date: Tue Mar 18 2003 - 10:08:24 GMT-3
If you use it with port-security on the interface, it will.
The whole point of the question is to prevent other MAC addresses from accessing
the port.
Port-security alone can do this without any ARP or layer 3 commands.
If you read the question again, it only needs port-security enabled on the
interface to make it work.
Let's say I have a PC with IP address 192.168.01 and MAC address
0002.0034.4567,
and the question asks to allow only this PC to access the port fa0/6.
The only thing you have to do is enable port-security on the port to satisfy
this requirement.
You do not need a layer 3 access-list, any other layer 2 access-list,
VLAN map or ....
I think people are thinking too much into this question.
If you add a static ARP on top of this, you are adding a little more than
what was asked for, which does not hurt.
And yes, just ARP alone does not provide port-security.
-----Original Message-----
From: Tim Fletcher [mailto:tim@fletchmail.net]
Sent: Monday, March 17, 2003 7:25 PM
To: Jung, Jin; 'ccie1@hotmail.com'
Cc: ccielab@groupstudy.com
Subject: RE: port filtering
ARP is strictly layer 3. Each layer 2 device on the VLAN maintains its own
ARP cache, so even if you could restrict the ARP entries, it would only
affect off-net traffic. Any device on the same VLAN would still be able to
reach any address within the network connected to that port.
But you can't even restrict the ARP entries. Configuring a static ARP entry
does not prevent other ARP entries. You can do a "no arp arpa" on the VLAN
interface to disable ARP requests, but this still doesn't solve the problem.
See my previous post on this issue:
http://www.groupstudy.com/archives/ccielab/200302/msg00691.html
-Tim Fletcher
At 03:53 PM 3/17/03 -0500, Jung, Jin wrote:
Well, no.
But is it true that it will accept some other IP address only if you
configure it on the 3550; if you only configure a single static ARP for this
address, will the switch only accept this IP?
Jin jung...
-----Original Message-----
From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
Sent: Monday, March 17, 2003 3:44 PM
To: Jung, Jin; 'Syv Ritch'
Cc: ccielab@groupstudy.com
Subject: Re: port filtering
Hi Jin:
Actually I thought of specifying a static ARP, but after talking
with others, that is not the correct solution. You can have multiple IP
addresses for the same MAC address, just not the other way around, so a
static ARP may not be the answer. Any other ideas?
----- Original Message -----
From: "Jung, Jin" <jin.jung@lmco.com>
To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, March 17, 2003 12:37 PM
Subject: RE: port filtering
>
>
> If I recall, and this has been talked about before,
>
> For L2, make sure you have
> Switchport mode access
> Switchport port-security
> Switchport port-security <mac-address>
>
> And
> Do a static ARP entry on the 3550
>
> Arp 150.50.120.3 0000.00001.00ab
>
> This should work, it worked for me.
>
> Jin jung...
>
> -----Original Message-----
> From: Syv Ritch [mailto:syv@911networks.com]
> Sent: Monday, March 17, 2003 1:53 PM
> To: ccie1@hotmail.com
> Cc: ccielab@groupstudy.com
> Subject: Re: port filtering
>
>
> On Monday, March 17, 2003, ccie1@hotmail.com wrote:
>
> -----Original Message-----
>
> chc> I want to only allow mac-address 0800.E4D3.A2D1 with ip address
> chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement
> chc> is to not use layer 3 or layer 2 access-lists. I tried using
> chc> port-security with the mac-address but that doesn't seem to work.
> chc> Does anyone have any ideas on how to do this?
>
> What about:
>
> !vmps domain <domain-name>
> ! The VMPS domain must be defined.
> !vmps mode {open | secure}
> ! The default mode is open.
> !vmps fallback <vlan-name>
> !vmps no-domain-req { allow | deny }
> !
> ! The default value is allow.
> vmps domain DSBU
> vmps mode open
> vmps fallback default
> vmps no-domain-req deny
> !
> !
> !MAC Addresses
> !
> vmps-mac-addrs
> !
> ! address <addr> vlan-name <vlan_name>
> !
> address 0012.2233.4455 vlan-name hardware
> address 0000.6509.a080 vlan-name hardware
> address aabb.ccdd.eeff vlan-name Green
> address 1223.5678.9abc vlan-name ExecStaff
> address fedc.ba98.7654 vlan-name --NONE--
> address fedc.ba23.1245 vlan-name Purple
> !
> !Port Groups
> !
> !vmps-port-group <group-name>
> ! device <device-id> { port <port-name> | all-ports }
> !
> vmps-port-group WiringCloset1
> device 198.92.30.32 port 0/2
> device 172.20.26.141 port 0/8
> vmps-port-group "Executive Row"
> device 198.4.254.222 port 0/2
> device 198.4.254.222 port 0/3
> device 198.4.254.223 all-ports
>
> --
> Thanks
> syv@911networks.com
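The port-security-only answer that Jin gives at the top of the thread (one host, here MAC 0002.0034.4567 on fa0/6, with no ARP entry, ACL or VLAN map), written out as a complete Catalyst 3550 interface configuration. This is an added illustration, not configuration posted by any participant in the thread; the `maximum 1` and `violation shutdown` lines are the usual companions a practitioner adds and are my assumption, not something the thread states.

```ios
! Added example (not from the thread): restrict FastEthernet0/6 to a single
! source MAC address using port-security only.
interface FastEthernet0/6
 ! Port-security is refused on a dynamic (DTP) port, so make it an access port first.
 switchport mode access
 switchport port-security
 ! Allow exactly one secure address on the port (assumed, not stated in the thread).
 switchport port-security maximum 1
 ! The only MAC address permitted to source frames into this port.
 switchport port-security mac-address 0002.0034.4567
 ! Any other source MAC puts the port into err-disabled (assumed choice of action).
 switchport port-security violation shutdown
!
! Verification commands (run from privileged EXEC):
! show port-security interface fastethernet 0/6
! show port-security address
```

Two points follow from the thread itself. Port-security matches only the source MAC address of incoming frames; it never looks at the IP header, so it enforces exactly what the original question asks for and a static ARP entry on the switch neither tightens nor loosens it, which is consistent with both Jin's and Tim's posts. With `violation shutdown`, a frame from any other MAC leaves the port err-disabled until an administrator bounces it (`shutdown` / `no shutdown`) or errdisable recovery is configured, so the violation counter in `show port-security interface` is the place to look when a host on that port suddenly loses connectivity.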
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3