Re: port filtering

From: Yinka Daramola (o_daramola@hotmail.com)
Date: Tue Mar 18 2003 - 15:47:43 GMT-3


Sorry about the cut/paste problem. I think I cut/pasted the wrong static arp
config. It should be
arp 10.0.0.2 00a0.cc78.7c80 ARPA

On the issue of whether another host can access that port: it will not be
possible because arp is turned off. The current host cannot even
change its IP address and still be able to use the port.
You cannot enable port security on a routed port, and the port security
solution does not solve the ip address issue (I have tested it).

You should test the config with a 3550 or a router; you will find that
disabling arp on the routed port actually solves the problem.

Yinka Daramola, MCSE, CCNP RHCE
Red Hat Inc.
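To make the layer 2 versus layer 3 distinction argued in this thread concrete, here is an added Python model (not Cisco code and not anything posted to this list): a routed port with `no arp arpa` plus one static entry is treated as an IP-to-MAC table that cannot learn, while port-security is a MAC-only check that never sees the IP. The host names, 10.0.0.9 and 0000.1111.2222 are constructed; the model only decides whether a reply frame would be addressed back to the sender, not whether the port accepts inbound frames.

```python
from dataclasses import dataclass, field


@dataclass
class RoutedPortArp:
    """Layer 3 view of a routed port: the IP -> MAC table the switch
    must consult before it can send a reply frame to a host."""
    static: dict                 # 'arp <ip> <mac> ARPA' entries
    dynamic_arp: bool = True     # False models 'no arp arpa'
    learned: dict = field(default_factory=dict)

    def resolve(self, ip, wire_mac):
        """MAC the switch would put on a reply to `ip`, or None.
        `wire_mac` is the MAC the host really sends from; with dynamic
        ARP enabled an ARP exchange would learn it."""
        if ip in self.static:
            return self.static[ip]
        if self.dynamic_arp:
            self.learned[ip] = wire_mac
            return wire_mac
        return self.learned.get(ip)

    def reply_reaches(self, ip, wire_mac):
        """True only when the reply frame is addressed to the sender."""
        return self.resolve(ip, wire_mac) == wire_mac


@dataclass
class AccessPortSecurity:
    """Layer 2 view: port-security pins a MAC and never sees the IP."""
    allowed_mac: str

    def admits(self, wire_mac):
        return wire_mac == self.allowed_mac


HOST_IP, HOST_MAC = "10.0.0.2", "00a0.cc78.7c80"   # the static entry above
CASES = {                                          # constructed test hosts
    "configured host":    (HOST_IP, HOST_MAC),
    "same host, new ip":  ("10.0.0.9", HOST_MAC),
    "other mac, same ip": (HOST_IP, "0000.1111.2222"),
}


def evaluate(dynamic_arp=False):
    """Per case: (routed port + static ARP replies to sender?,
    access port with port-security admits the frame?)."""
    arp = RoutedPortArp(static={HOST_IP: HOST_MAC}, dynamic_arp=dynamic_arp)
    psec = AccessPortSecurity(HOST_MAC)
    return {name: (arp.reply_reaches(ip, mac), psec.admits(mac))
            for name, (ip, mac) in CASES.items()}


if __name__ == "__main__":
    for name, (l3_ok, l2_ok) in evaluate().items():
        print(f"{name:20} routed+static-arp={l3_ok}  port-security={l2_ok}")
```

Running it shows the case the thread argues about: port-security alone admits the pinned MAC after an IP change, while the routed port with ARP disabled has no entry for the new IP and cannot reply.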
----- Original Message -----
From: <ccie1@hotmail.com>
To: "Yinka Daramola" <o_daramola@hotmail.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, March 18, 2003 10:30 AM
Subject: Re: port filtering

> The problem with this config that I see is you added additional information
> that was not specified in the question.
>
> You specified an ip address under fast 0/10 then disabled arp, then added a
> static arp entry. The arp entry 100.1.1.2, is that the ip of the pc you want
> to lock down on that port?
>
> In my opinion I think the port-security is needed because of the mac-address
> option. In the config you provided what's preventing another host on the
> 10.0.0.0 network from accessing the port? Disabling arp on the port doesn't
> solve that problem, so I believe port-security is needed.
>
>
> ----- Original Message -----
> From: "Yinka Daramola" <o_daramola@hotmail.com>
> To: <ccie1@hotmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Tuesday, March 18, 2003 9:51 AM
> Subject: Re: port filtering
>
>
> > Here's the config I used on my 3550. I used one windows host (10.0.0.1) and
> > one Linux host (10.0.0.2) to test. The windows host with the new MAC address
> > did not respond to pings because arp was turned off and the routed port could
> > not learn its IP/MAC address.
> > The same result if you change the IP address of the Linux host: its MAC
> > address is only known to map to one IP address, and nothing else could be
> > learned.
> >
> > int fas0/10
> > no switchport
> > ip address 10.0.0.5 255.255.255.0
> > no arp arpa
> >
> > arp 100.1.1.2 00a0.cc78.7c80 ARPA
> >
> > Then clear the arp cache.
> >
> > This problem is misleading because everyone is trying to solve it with a
> > layer 2 solution (port security); the problem with that is it does not solve
> > the layer 3 issue. Arp is a layer 3 protocol that maps IP addresses to MAC
> > addresses; it does not run on switchports, so turning off arp on a
> > switchport really does nothing. If you look beyond the layer 2 solution and
> > test out the layer 3 solution it meets the requirements, but like I said you
> > need to add an ip address to the routed port.
> >
> > Yinka Daramola, MCSE, CCNP RHCE
> > Red Hat Inc.
> > ----- Original Message -----
> > From: <ccie1@hotmail.com>
> > To: "Yinka Daramola" <o_daramola@hotmail.com>
> > Sent: Tuesday, March 18, 2003 7:46 AM
> > Subject: Re: port filtering
> >
> >
> > > yinka:
> > > Could you provide a sample config? Thanks
> > > ----- Original Message -----
> > > From: "Yinka Daramola" <o_daramola@hotmail.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Monday, March 17, 2003 4:32 PM
> > > Subject: Re: port filtering
> > >
> > >
> > > > I have tested a solution that seems to work for this. But not sure if it
> > > > meets the requirements.
> > > > - configure a static arp for the port
> > > > - change the interface to a routed port
> > > > - turn off arp on the interface
> > > > - give the interface an ip address on that subnet.
> > > >
> > > > It will only allow the configured static IP address and MAC address, since
> > > > arp is turned off. The only issue is that you need to make it a routed port
> > > > with an ip address.
> > > >
> > > > Yinka Daramola, MCSE, CCNP RHCE
> > > > Red Hat Inc.
> > > > > ----- Original Message -----
> > > > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > > > To: <ccie1@hotmail.com>
> > > > > Cc: <ccielab@groupstudy.com>
> > > > > Sent: Monday, March 17, 2003 12:53 PM
> > > > > Subject: RE: port filtering
> > > > >
> > > > >
> > > > > > Well,,
> > > > > >
> > > > > > No
> > > > > > But is it true that it will accept some other ip address only if you
> > > > > > configure it on the 3550; if you only configure a single static arp for
> > > > > > this address, the switch will only accept this ip?
> > > > > >
> > > > > > Jin jung...
> > > > > >
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> > > > > > Sent: Monday, March 17, 2003 3:44 PM
> > > > > > To: Jung, Jin; 'Syv Ritch'
> > > > > > Cc: ccielab@groupstudy.com
> > > > > > Subject: Re: port filtering
> > > > > >
> > > > > >
> > > > > > Hi Jin:
> > > > > > Actually I thought of specifying a static arp, but after talking
> > > > > > with others, that is not the correct solution. You can have multiple ip
> > > > > > addresses to the same mac-address, just not the other way around, so a
> > > > > > static arp may not be the answer. Any other ideas?
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Jung, Jin" <jin.jung@lmco.com>
> > > > > > To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
> > > > > > Cc: <ccielab@groupstudy.com>
> > > > > > Sent: Monday, March 17, 2003 12:37 PM
> > > > > > Subject: RE: port filtering
> > > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > If I recall, and this has been talked about before,
> > > > > > >
> > > > > > > For L2, make sure you have
> > > > > > > Switchport mode access
> > > > > > > Switchport port-security
> > > > > > > Switchport port-security <mac-address>
> > > > > > >
> > > > > > > And
> > > > > > > Do static ARP entry on the 3550
> > > > > > >
> > > > > > > Arp 150.50.120.3 0000.00001.00ab
> > > > > > >
> > > > > > > This should work,, it worked for me,
> > > > > > >
> > > > > > > Jin jung...
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Syv Ritch [mailto:syv@911networks.com]
> > > > > > > Sent: Monday, March 17, 2003 1:53 PM
> > > > > > > To: ccie1@hotmail.com
> > > > > > > Cc: ccielab@groupstudy.com
> > > > > > > Subject: Re: port filtering
> > > > > > >
> > > > > > >
> > > > > > > On Monday, March 17, 2003, ccie1@hotmail.com wrote:
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > >
> > > > > > > chc> I want to only allow mac-address 0800.E4D3.A2D1 with ip address
> > > > > > > chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement
> > > > > > > chc> is to not use layer 3 or layer 2 access-lists. I tried using
> > > > > > > chc> port-security with the mac-address but that doesn't seem to work.
> > > > > > > chc> Does anyone have any ideas on how to do this?
> > > > > > >
> > > > > > > What about:
> > > > > > >
> > > > > > > !vmps domain <domain-name>
> > > > > > > ! The VMPS domain must be defined.
> > > > > > > !vmps mode {open | secure}
> > > > > > > ! The default mode is open.
> > > > > > > !vmps fallback <vlan-name>
> > > > > > > !vmps no-domain-req { allow | deny }
> > > > > > > !
> > > > > > > ! The default value is allow.
> > > > > > > vmps domain DSBU
> > > > > > > vmps mode open
> > > > > > > vmps fallback default
> > > > > > > vmps no-domain-req deny
> > > > > > > !
> > > > > > > !
> > > > > > > !MAC Addresses
> > > > > > > !
> > > > > > > vmps-mac-addrs
> > > > > > > !
> > > > > > > ! address <addr> vlan-name <vlan_name>
> > > > > > > !
> > > > > > > address 0012.2233.4455 vlan-name hardware
> > > > > > > address 0000.6509.a080 vlan-name hardware
> > > > > > > address aabb.ccdd.eeff vlan-name Green
> > > > > > > address 1223.5678.9abc vlan-name ExecStaff
> > > > > > > address fedc.ba98.7654 vlan-name --NONE--
> > > > > > > address fedc.ba23.1245 vlan-name Purple
> > > > > > > !
> > > > > > > !Port Groups
> > > > > > > !
> > > > > > > !vmps-port-group <group-name>
> > > > > > > ! device <device-id> { port <port-name> | all-ports }
> > > > > > > !
> > > > > > > vmps-port-group WiringCloset1
> > > > > > > device 198.92.30.32 port 0/2
> > > > > > > device 172.20.26.141 port 0/8
> > > > > > > vmps-port-group "Executive Row"
> > > > > > > device 198.4.254.222 port 0/2
> > > > > > > device 198.4.254.222 port 0/3
> > > > > > > device 198.4.254.223 all-ports
> > > > > > >
> > > > > > > --
> > > > > > > Thanks
> > > > > > > syv@911networks.com



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:41 GMT-3