From: ccie1@hotmail.com
Date: Tue Mar 18 2003 - 15:30:30 GMT-3
The problem with this config that I see is you added additional information
that was not specified in the question.
You specified an ip address under fast 0/10 then disabled arp, then added a
static arp entry. The arp entry 100.1.1.2, is that the ip of the pc you want
to lock down on that port?
In my opinion I think the port-security is needed because of the mac-address
option. In the config you provided, what's preventing another host on the
10.0.0.0 network from accessing the port? Disabling arp on the port doesn't
solve that problem, so I believe port-security is needed.
----- Original Message -----
From: "Yinka Daramola" <o_daramola@hotmail.com>
To: <ccie1@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, March 18, 2003 9:51 AM
Subject: Re: port filtering
> Here's the config I used on my 3550. I used one windows host (10.0.0.1) and
> one Linux host (10.0.0.2) to test. The windows host with the new MAC address
> did not respond to pings because arp was turned off and the routed port could
> not learn its IP/MAC address.
> The same results if you change the IP address of the linux host: its MAC
> address is only known to map to one IP address and nothing else could be
> learned.
>
> int fas0/10
> no switchport
> ip address 10.0.0.5 255.255.255.0
> no arp arpa
>
> arp 100.1.1.2 00a0.cc78.7c80 ARPA
>
> Then clear the arp cache.
>
> This problem is misleading because everyone is trying to solve it with a
> layer 2 solution (port security). The problem with that is it does not solve
> the layer 3 issue. Arp is a layer 3 protocol that maps IP addresses to MAC
> addresses; it does not run on switchports, so turning off arp on a
> switchport really does nothing. If you look beyond the layer 2 solution and
> test out the layer 3 solution it meets the requirements, but like I said you
> need to add an ip address to the routed port.
>
> Yinka Daramola, MCSE, CCNP RHCE
> Red Hat Inc.
> ----- Original Message -----
> From: <ccie1@hotmail.com>
> To: "Yinka Daramola" <o_daramola@hotmail.com>
> Sent: Tuesday, March 18, 2003 7:46 AM
> Subject: Re: port filtering
>
>
> > yinka:
> > Could you provide a sample config? Thanks
> > ----- Original Message -----
> > From: "Yinka Daramola" <o_daramola@hotmail.com>
> > To: <ccielab@groupstudy.com>
> > Sent: Monday, March 17, 2003 4:32 PM
> > Subject: Re: port filtering
> >
> >
> > > I have tested a solution that seems to work for this. But not sure if it
> > > meets the requirements.
> > > - configure a static arp for the port
> > > - change the interface to a routed port
> > > - turn off arp on the interface
> > > - give the interface an ip address on that subnet.
> > >
> > > It will only allow the configured static IP address and MAC address, since
> > > arp is turned off. The only issue is that you need to make it a routed port
> > > with an ip address.
> > >
> > > Yinka Daramola, MCSE, CCNP RHCE
> > > Red Hat Inc.
> > > > ----- Original Message -----
> > > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > > To: <ccie1@hotmail.com>
> > > > Cc: <ccielab@groupstudy.com>
> > > > Sent: Monday, March 17, 2003 12:53 PM
> > > > Subject: RE: port filtering
> > > >
> > > >
> > > > > Well,
> > > > >
> > > > > No
> > > > > But is it true that it will accept some other ip address only if you
> > > > > configure it on the 3550, and if you only configure a single static arp for
> > > > > this address, the switch will only accept this ip?
> > > > >
> > > > > Jin jung...
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> > > > > Sent: Monday, March 17, 2003 3:44 PM
> > > > > To: Jung, Jin; 'Syv Ritch'
> > > > > Cc: ccielab@groupstudy.com
> > > > > Subject: Re: port filtering
> > > > >
> > > > >
> > > > > Hi Jin:
> > > > > Actually I thought of specifying a static arp, but after talking
> > > > > with others, that is not the correct solution. You can have multiple ip
> > > > > addresses to the same mac-address, just not the other way around, so a
> > > > > static arp may not be the answer. Any other ideas?
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > > > To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
> > > > > Cc: <ccielab@groupstudy.com>
> > > > > Sent: Monday, March 17, 2003 12:37 PM
> > > > > Subject: RE: port filtering
> > > > >
> > > > >
> > > > > >
> > > > > >
> > > > > > If I recall, and this has been talked about before,
> > > > > >
> > > > > > For L2, make sure you have
> > > > > > Switchport mode access
> > > > > > Switchport port-security
> > > > > > Switchport port-security <mac-address>
> > > > > >
> > > > > > And
> > > > > > Do static ARP entry on the 3550
> > > > > >
> > > > > > Arp 150.50.120.3 0000.00001.00ab
> > > > > >
> > > > > > This should work, it worked for me,
> > > > > >
> > > > > > Jin jung...
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Syv Ritch [mailto:syv@911networks.com]
> > > > > > Sent: Monday, March 17, 2003 1:53 PM
> > > > > > To: ccie1@hotmail.com
> > > > > > Cc: ccielab@groupstudy.com
> > > > > > Subject: Re: port filtering
> > > > > >
> > > > > >
> > > > > > On Monday, March 17, 2003, ccie1@hotmail.com wrote:
> > > > > >
> > > > > > -----Original Message-----
> > > > > >
> > > > > > chc> I want to only allow mac-address 0800.E4D3.A2D1 with ip address
> > > > > > chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement
> > > > > > chc> is to not use layer 3 or layer 2 access-lists. I tried using
> > > > > > chc> port-security with the mac-address but that doesn't seem to work.
> > > > > > chc> Does anyone have any ideas on how to do this?
> > > > > >
> > > > > > What about:
> > > > > >
> > > > > > !vmps domain <domain-name>
> > > > > > ! The VMPS domain must be defined.
> > > > > > !vmps mode {open | secure}
> > > > > > ! The default mode is open.
> > > > > > !vmps fallback <vlan-name>
> > > > > > !vmps no-domain-req { allow | deny }
> > > > > > !
> > > > > > ! The default value is allow.
> > > > > > vmps domain DSBU
> > > > > > vmps mode open
> > > > > > vmps fallback default
> > > > > > vmps no-domain-req deny
> > > > > > !
> > > > > > !
> > > > > > !MAC Addresses
> > > > > > !
> > > > > > vmps-mac-addrs
> > > > > > !
> > > > > > ! address <addr> vlan-name <vlan_name>
> > > > > > !
> > > > > > address 0012.2233.4455 vlan-name hardware
> > > > > > address 0000.6509.a080 vlan-name hardware
> > > > > > address aabb.ccdd.eeff vlan-name Green
> > > > > > address 1223.5678.9abc vlan-name ExecStaff
> > > > > > address fedc.ba98.7654 vlan-name --NONE--
> > > > > > address fedc.ba23.1245 vlan-name Purple
> > > > > > !
> > > > > > !Port Groups
> > > > > > !
> > > > > > !vmps-port-group <group-name>
> > > > > > ! device <device-id> { port <port-name> | all-ports }
> > > > > > !
> > > > > > vmps-port-group WiringCloset1
> > > > > > device 198.92.30.32 port 0/2
> > > > > > device 172.20.26.141 port 0/8
> > > > > > vmps-port-group "Executive Row"
> > > > > > device 198.4.254.222 port 0/2
> > > > > > device 198.4.254.222 port 0/3
> > > > > > device 198.4.254.223 all-ports
> > > > > >
> > > > > > --
> > > > > > Thanks
> > > > > > syv@911networks.com
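The three positions argued in this thread (port-security only, static ARP with dynamic ARP disabled on a routed port, and the two together) side by side, as an added Python model that is not a config from any poster. It assumes a simplified switch: port-security drops frames from unlisted MACs, and a host can only be reached if the switch resolves its IP via a matching static entry or via dynamic ARP; the allowed MAC/IP pair is the one from the original question, the other addresses are constructed.

```python
# Added illustration, not a config from the thread: a model of the two
# controls the posters combine, so the L2 and L3 gaps each one leaves can be
# checked next to each other. Addresses are the question's plus constructed ones.
from dataclasses import dataclass, field


@dataclass
class PortPolicy:
    allowed_macs: frozenset = frozenset()           # switchport port-security list; empty = off
    static_arp: dict = field(default_factory=dict)  # ip -> mac, 'arp <ip> <mac> arpa' entries
    dynamic_arp: bool = True                        # False models 'no arp arpa' on the routed port

    def l2_admits(self, mac: str) -> bool:
        """Port-security: a frame from a MAC not on the list is a violation."""
        return not self.allowed_macs or mac.lower() in self.allowed_macs

    def l3_resolves(self, mac: str, ip: str) -> bool:
        """Can the switch send replies to this IP/MAC pair? A static entry
        wins and must match the sender; otherwise dynamic ARP must be on."""
        if ip in self.static_arp:
            return self.static_arp[ip] == mac.lower()
        return self.dynamic_arp

    def host_usable(self, mac: str, ip: str) -> bool:
        return self.l2_admits(mac) and self.l3_resolves(mac, ip)


# Allowed pair from the original question; the rest are constructed values.
GOOD_MAC, GOOD_IP = "0800.e4d3.a2d1", "12.3.1.1"
OTHER_MAC, OTHER_IP = "0000.0c12.3456", "12.3.1.9"

PORT_SECURITY_ONLY = PortPolicy(allowed_macs=frozenset({GOOD_MAC}))
STATIC_ARP_ONLY = PortPolicy(static_arp={GOOD_IP: GOOD_MAC}, dynamic_arp=False)
PORT_SECURITY_PLUS_ARP = PortPolicy(allowed_macs=frozenset({GOOD_MAC}), static_arp={GOOD_IP: GOOD_MAC})
COMBINED = PortPolicy(allowed_macs=frozenset({GOOD_MAC}), static_arp={GOOD_IP: GOOD_MAC},
                      dynamic_arp=False)


def matrix(policy: PortPolicy) -> dict:
    """Which (mac, ip) combinations can fully use the port under a policy."""
    return {(m, i): policy.host_usable(m, i)
            for m in (GOOD_MAC, OTHER_MAC) for i in (GOOD_IP, OTHER_IP)}


if __name__ == "__main__":
    for name, pol in [("port-security only", PORT_SECURITY_ONLY),
                      ("static arp + no arp arpa", STATIC_ARP_ONLY),
                      ("port-security + static arp", PORT_SECURITY_PLUS_ARP),
                      ("both, dynamic arp off", COMBINED)]:
        print(name, [k for k, v in matrix(pol).items() if v])
```

Only the last policy leaves exactly the one (MAC, IP) pair usable: port-security alone lets the allowed MAC use any IP, and the static-ARP-only routed port still admits frames from any MAC at layer 2 even though it cannot answer them.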
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3