From: Robert Rech (brech@kc.rr.com)
Date: Tue Mar 18 2003 - 14:11:52 GMT-3
I'm not sure what everyone is looking for.
With port-security you are locking down the port to this mac address; this
does not prevent this mac from moving to a different port.
If you want to make sure that this mac address can only use this switchport,
then you could add a static mac entry to the mac-address-table.
If this mac is moved to a different port on the switch it will not be able
to talk on the switch. I have tried this on a 3550.
Now if you add a static arp on the local gateway(s), then that mac/IP
combination has to use the configured switch port, and the IP has to use the
mac if it wants to talk to anything off the local subnet.
Some people have talked about vlan-maps. I'm not sure how that could do
this, but if someone wants to explain it to me I would appreciate it.
ex
3550
! static mac entry: this will tie the mac to port fa0/3
mac-address-table static 0800.E4D3.A2D1 vlan 100 interface FastEthernet0/3
! port-security: this will only allow this mac to connect to port fa0/3
! (the port has to be an access port in the same vlan as the static entry,
! and port-security has to be switched on before maximum/mac-address take effect)
interface FastEthernet0/3
 switchport access vlan 100
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0800.E4D3.A2D1
!
local gateway(s)
! IOS arp syntax is "arp <ip-address> <hardware-address> arpa";
! 12.3.1.1 is the host address given in the original question
arp 12.3.1.1 0800.E4D3.A2D1 arpa   < this will force the gateways to direct this ip to the
----- Original Message -----
From: "Tim Fletcher" <tim@fletchmail.net>
To: <ccie1@hotmail.com>; <ccielab@groupstudy.com>
Sent: Monday, March 17, 2003 2:51 PM
Subject: Re: port filtering
> Here's a simple solution. I don't know if there are any other requirements
> that might make this solution invalid.
>
> interface FastEthernet 0/16
>  switchport access vlan 100
>  switchport mode access
>  switchport port-security
>  switchport port-security maximum 1
>  switchport port-security mac-address 0800.E4D3.A2D1
> !
> interface Vlan100
>  ip address 12.3.1.2 255.255.255.252
>
> Any thoughts?
>
> -Tim Fletcher
>
> At 08:10 AM 3/17/2003 -0800, ccie1@hotmail.com wrote:
> >I know this has been discussed before, but I have tried some of the solutions
> >people have posted and they don't seem to work:
> >
> >I want to only allow mac-address 0800.E4D3.A2D1 with ip address 12.3.1.1 on
> >port fast-ethernet 0/16 on my 3550. The requirement is to not use layer 3 or
> >layer 2 access-lists. I tried using port-security with the mac-address but
> >that doesn't seem to work. Does anyone have any ideas on how to do this?
> >
> >thanks in advance
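As an added example, not part of the thread above: once the static mac entry and the static arp are in place, the two things worth checking afterwards are (a) that the mac still shows up as a STATIC entry on the expected port and vlan only, and (b) that the gateway's arp entry for the host's IP is static and points at that mac. The Python below parses "show mac address-table" and "show ip arp" output and reports any deviation from the intended mac/IP/port binding. The sample outputs are constructed (not captured from a real switch) and assume the 3550-style column layout; the port Fa0/16 and the addresses 0800.E4D3.A2D1 / 12.3.1.1 are the ones from the original question.

```python
import re

# Constructed sample output, laid out like "show mac address-table" on a 3550.
MAC_TABLE_OK = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0800.e4d3.a2d1    STATIC      Fa0/16
 100    0011.2233.4455    DYNAMIC     Fa0/5
"""

# Same host, but the static entry is gone and the mac was learned on Fa0/7.
MAC_TABLE_MOVED = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0800.e4d3.a2d1    DYNAMIC     Fa0/7
"""

# Constructed "show ip arp" output from the gateway; a static entry shows "-" as its age.
ARP_OK = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.3.1.1                -   0800.e4d3.a2d1  ARPA   Vlan100
Internet  12.3.1.2                -   000a.b1c2.d3e4  ARPA   Vlan100
"""

# Dynamic entry for 12.3.1.1 pointing at some other mac (address reused or spoofed).
ARP_SPOOFED = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.3.1.1               12   0000.0c9f.f001  ARPA   Vlan100
"""

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
MAC_ROW = re.compile(rf"^\s*(\d+)\s+({MAC_RE})\s+(\w+)\s+(\S+)", re.I)
ARP_ROW = re.compile(rf"^Internet\s+(\d+(?:\.\d+){{3}})\s+(\S+)\s+({MAC_RE})\s+ARPA\s+(\S+)", re.I)


def parse_mac_table(text):
    """Rows of the mac table as dicts; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(), "type": kind.upper(), "port": port})
    return rows


def parse_arp(text):
    """Rows of the arp table; an age of "-" marks a static (or interface) entry."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            rows.append({"ip": ip, "static": age == "-", "mac": mac.lower(), "iface": iface})
    return rows


def check_binding(mac_rows, arp_rows, mac, ip, vlan, port):
    """Return a list of findings; empty means the host is pinned as intended:
    its mac is a STATIC entry on exactly the expected port/vlan, and the
    gateway holds a static arp entry mapping its IP to that mac."""
    mac = mac.lower()
    findings = []

    seen = [r for r in mac_rows if r["mac"] == mac]
    if not seen:
        findings.append(f"{mac}: no entry in the mac table")
    for r in seen:
        if (r["vlan"], r["port"]) != (vlan, port):
            findings.append(f"{mac}: seen on {r['port']} vlan {r['vlan']}, expected {port} vlan {vlan}")
        elif r["type"] != "STATIC":
            findings.append(f"{mac}: entry on {port} is {r['type']}, not STATIC, so it can still move")

    arp = [r for r in arp_rows if r["ip"] == ip]
    if not arp:
        findings.append(f"{ip}: no arp entry on the gateway")
    for r in arp:
        if r["mac"] != mac:
            findings.append(f"{ip}: gateway maps it to {r['mac']}, expected {mac}")
        elif not r["static"]:
            findings.append(f"{ip}: arp entry is dynamic, so a spoofed reply can overwrite it")
    return findings


if __name__ == "__main__":
    for label, mt, at in (("good", MAC_TABLE_OK, ARP_OK), ("moved", MAC_TABLE_MOVED, ARP_SPOOFED)):
        result = check_binding(parse_mac_table(mt), parse_arp(at),
                               "0800.E4D3.A2D1", "12.3.1.1", 100, "Fa0/16")
        print(label, "->", result or "binding holds")
```

Run it against the output of the two show commands on your own switch and gateway (paste it in place of the constructed samples); an empty list is the expected result after the config in this thread, and the "moved" case shows what you see when the static entry is missing and the mac has wandered to another port.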
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3