From: Yinka Daramola (o_daramola@hotmail.com)
Date: Tue Mar 18 2003 - 14:51:58 GMT-3
Here's the config I used on my 3550. I used one Windows host (10.0.0.1) and
one Linux host (10.0.0.2) to test. The Windows host with the new MAC address
did not respond to pings because ARP was turned off and the routed port could
not learn its IP/MAC address.
The same result occurs if you change the IP address of the Linux host: its MAC
address is only known to map to one IP address and nothing else could be
learned.
interface FastEthernet0/10
 no switchport
 ! routed port: it needs an IP address on the hosts' subnet
 ip address 10.0.0.5 255.255.255.0
 ! disable ARP so the port cannot learn any IP/MAC mapping dynamically
 no arp arpa
!
! static entry: the only IP/MAC pair the switch will ever resolve (global command)
arp 100.1.1.2 00a0.cc78.7c80 ARPA
Then clear the ARP cache.
This problem is misleading because everyone is trying to solve it with a
layer 2 solution (port security); the problem with that is it does not solve
the layer 3 issue. ARP is a layer 3 protocol that maps IP addresses to MAC
addresses; it does not run on switchports, so turning off ARP on a
switchport really does nothing. If you look beyond the layer 2 solution and
test out the layer 3 solution, it meets the requirements, but like I said you
need to add an IP address to the routed port.
Yinka Daramola, MCSE, CCNP RHCE
Red Hat Inc.
----- Original Message -----
From: <ccie1@hotmail.com>
To: "Yinka Daramola" <o_daramola@hotmail.com>
Sent: Tuesday, March 18, 2003 7:46 AM
Subject: Re: port filtering
> yinka:
> Could you provide a sample config? Thanks
> ----- Original Message -----
> From: "Yinka Daramola" <o_daramola@hotmail.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, March 17, 2003 4:32 PM
> Subject: Re: port filtering
>
>
> > I have tested a solution that seems to work for this. But not sure if it
> > meets the requirements.
> > - configure a static ARP for the port
> > - change the interface to a routed port
> > - turn off ARP on the interface
> > - give the interface an IP address on that subnet.
> >
> > It will only allow the configured static IP address and MAC address, since
> > ARP is turned off. The only issue is that you need to make it a routed port
> > with an IP address.
> >
> > Yinka Daramola, MCSE, CCNP RHCE
> > Red Hat Inc.
> > > ----- Original Message -----
> > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > To: <ccie1@hotmail.com>
> > > Cc: <ccielab@groupstudy.com>
> > > Sent: Monday, March 17, 2003 12:53 PM
> > > Subject: RE: port filtering
> > >
> > >
> > > > Well,
> > > >
> > > > No.
> > > > But is it true that it will accept some other IP address only if you
> > > > configure it on the 3550? If you only configure a single static ARP for
> > > > this address, will the switch accept this IP only?
> > > >
> > > > Jin jung...
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> > > > Sent: Monday, March 17, 2003 3:44 PM
> > > > To: Jung, Jin; 'Syv Ritch'
> > > > Cc: ccielab@groupstudy.com
> > > > Subject: Re: port filtering
> > > >
> > > >
> > > > Hi Jin:
> > > > Actually I thought of specifying a static ARP, but after talking
> > > > with others, that is not the correct solution. You can have multiple IP
> > > > addresses to the same MAC address, just not the other way around, so a
> > > > static ARP may not be the answer. Any other ideas?
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > > To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
> > > > Cc: <ccielab@groupstudy.com>
> > > > Sent: Monday, March 17, 2003 12:37 PM
> > > > Subject: RE: port filtering
> > > >
> > > >
> > > > >
> > > > >
> > > > > If I recall, and this has been talked about before,
> > > > >
> > > > > For L2, make sure you have
> > > > > switchport mode access
> > > > > switchport port-security
> > > > > switchport port-security mac-address <mac-address>
> > > > >
> > > > > And
> > > > > do a static ARP entry on the 3550:
> > > > >
> > > > > arp 150.50.120.3 0000.00001.00ab arpa
> > > > >
> > > > > This should work,, it worked for me,
> > > > >
> > > > > Jin jung...
> > > > >
> > > > > -----Original Message-----
> > > > > From: Syv Ritch [mailto:syv@911networks.com]
> > > > > Sent: Monday, March 17, 2003 1:53 PM
> > > > > To: ccie1@hotmail.com
> > > > > Cc: ccielab@groupstudy.com
> > > > > Subject: Re: port filtering
> > > > >
> > > > >
> > > > > On Monday, March 17, 2003, ccie1@hotmail.com wrote:
> > > > >
> > > > > -----Original Message-----
> > > > >
> > > > > chc> I want to only allow mac-address 0800.E4D3.A2D1 with IP address
> > > > > chc> 12.3.1.1 on port FastEthernet 0/16 on my 3550. The requirement
> > > > > chc> is to not use layer 3 or layer 2 access-lists. I tried using
> > > > > chc> port-security with the mac-address but that doesn't seem to
> > > > > chc> work. Does anyone have any ideas on how to do this?
> > > > >
> > > > > What about:
> > > > >
> > > > > !vmps domain <domain-name>
> > > > > ! The VMPS domain must be defined.
> > > > > !vmps mode {open | secure}
> > > > > ! The default mode is open.
> > > > > !vmps fallback <vlan-name>
> > > > > !vmps no-domain-req { allow | deny }
> > > > > !
> > > > > ! The default value is allow.
> > > > > vmps domain DSBU
> > > > > vmps mode open
> > > > > vmps fallback default
> > > > > vmps no-domain-req deny
> > > > > !
> > > > > !
> > > > > !MAC Addresses
> > > > > !
> > > > > vmps-mac-addrs
> > > > > !
> > > > > ! address <addr> vlan-name <vlan_name>
> > > > > !
> > > > > address 0012.2233.4455 vlan-name hardware
> > > > > address 0000.6509.a080 vlan-name hardware
> > > > > address aabb.ccdd.eeff vlan-name Green
> > > > > address 1223.5678.9abc vlan-name ExecStaff
> > > > > address fedc.ba98.7654 vlan-name --NONE--
> > > > > address fedc.ba23.1245 vlan-name Purple
> > > > > !
> > > > > !Port Groups
> > > > > !
> > > > > !vmps-port-group <group-name>
> > > > > ! device <device-id> { port <port-name> | all-ports }
> > > > > !
> > > > > vmps-port-group WiringCloset1
> > > > > device 198.92.30.32 port 0/2
> > > > > device 172.20.26.141 port 0/8
> > > > > vmps-port-group "Executive Row"
> > > > > device 198.4.254.222 port 0/2
> > > > > device 198.4.254.222 port 0/3
> > > > > device 198.4.254.223 all-ports
> > > > >
> > > > > --
> > > > > Thanks
> > > > > syv@911networks.com
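Added example (not part of the thread, not a Cisco tool): a small Python audit that reads an IOS-style config and reports what a given port actually pins a host to. It covers both approaches discussed above: the access port with port-security plus a global static ARP entry (Jin's reply) and the routed port with `no arp arpa` plus a static ARP entry (Yinka's reply at the top). The three embedded configs are constructed for the example; the first reproduces the routed-port config as posted, whose static entry 100.1.1.2 falls outside the port's 10.0.0.0/24 subnet even though the test hosts were 10.0.0.1 and 10.0.0.2, the second pins 10.0.0.1 instead, and the third is the port-security variant for the original 0800.E4D3.A2D1/12.3.1.1 requirement. Interface names and the parsing rules (leading space marks a sub-command, `!` ends a block) are assumptions based on `show running-config` output.

```python
import ipaddress
import re

# Constructed sample configs (assumptions, not captured from a device).
ROUTED_AS_POSTED = """\
interface FastEthernet0/10
 no switchport
 ip address 10.0.0.5 255.255.255.0
 no arp arpa
!
arp 100.1.1.2 00a0.cc78.7c80 ARPA
"""

ROUTED_FIXED = """\
interface FastEthernet0/10
 no switchport
 ip address 10.0.0.5 255.255.255.0
 no arp arpa
!
arp 10.0.0.1 00a0.cc78.7c80 ARPA
"""

PORT_SECURITY_ONLY = """\
interface FastEthernet0/16
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0800.e4d3.a2d1
!
arp 12.3.1.1 0800.e4d3.a2d1 ARPA
"""

MAC_RE = r'([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})'


def parse_ios(config):
    """Split a config into interface blocks and global static ARP entries.

    Sub-commands are recognised by their leading space, as in 'show run'.
    Returns ({interface_name: [sub-commands, lowercased]}, {ip: mac}).
    """
    interfaces, static_arp, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            current = None                      # '!' ends a block in IOS output
            continue
        if line.startswith(' ') and current is not None:
            interfaces[current].append(line.strip().lower())
            continue
        current = None
        m = re.match(r'interface\s+(\S+)$', line, re.I)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        m = re.match(r'arp\s+(\d+\.\d+\.\d+\.\d+)\s+' + MAC_RE + r'\s+arpa$', line, re.I)
        if m:
            static_arp[m.group(1)] = m.group(2).lower()
    return interfaces, static_arp


def audit_port(config, name):
    """Report what the port pins a host to: 'ip+mac', 'mac' or 'none'.

    Returns (binding, bound_pairs, warnings); bound_pairs lists the (ip, mac)
    tuples the port will talk to, warnings explain any gap in the binding.
    """
    interfaces, static_arp = parse_ios(config)
    lines = interfaces.get(name)
    if lines is None:
        return 'none', [], ['interface %s not found' % name]
    warnings = []

    if 'no switchport' in lines:
        # Routed port: the IP/MAC mapping lives in the ARP cache, which we control.
        ip_lines = [l for l in lines if l.startswith('ip address ')]
        if not ip_lines:
            return 'none', [], ['routed port has no IP address; it cannot talk to anyone']
        _, _, addr, mask = ip_lines[0].split()
        net = ipaddress.ip_interface('%s/%s' % (addr, mask)).network
        pairs = [(ip, mac) for ip, mac in static_arp.items()
                 if ipaddress.ip_address(ip) in net]
        if 'no arp arpa' not in lines:
            warnings.append('ARP still enabled: any host on the wire can be learned dynamically')
            return 'none', pairs, warnings
        if not pairs:
            warnings.append('ARP disabled but no static entry falls inside %s; no host is reachable' % net)
            return 'none', [], warnings
        return 'ip+mac', sorted(pairs), warnings

    # Access port: port-security pins the MAC; nothing here looks at the IP header.
    secured = 'switchport port-security' in lines
    macs = [l.split()[-1] for l in lines
            if l.startswith('switchport port-security mac-address ')]
    if not secured or not macs:
        return 'none', [], ['no port-security MAC binding on the access port']
    warnings.append('port-security binds MAC only; a global static ARP entry does not stop '
                    'the same MAC from using another IP on a layer 2 port')
    return 'mac', [(None, m) for m in macs], warnings


if __name__ == '__main__':
    for label, cfg, port in [('as posted', ROUTED_AS_POSTED, 'FastEthernet0/10'),
                             ('fixed', ROUTED_FIXED, 'FastEthernet0/10'),
                             ('port-security', PORT_SECURITY_ONLY, 'FastEthernet0/16')]:
        binding, pairs, warns = audit_port(cfg, port)
        print('%-14s %-7s %s %s' % (label, binding, pairs, '; '.join(warns)))
```

Run against the config as posted, the audit reports `none` with a warning that no static entry lies inside 10.0.0.0/24; with the entry moved to 10.0.0.1 it reports `ip+mac`, and the port-security variant reports `mac`, which is the layer 3 gap the top reply describes.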
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3