From: ccie1@hotmail.com
Date: Wed Mar 19 2003 - 16:15:10 GMT-3
A lot of the explanations have been good, and regarding one of the
gentlemen's comments (I forgot who), I have taken the lab before, and this is
why I am concerned about the IP address requirement in the question. The lab
is hard enough without the proctors throwing curve balls in the questions,
and I believe that any detail that is mentioned in a question needs to be
part of your solution.
One thing that I didn't do in the past was enable just the port-security
option under the 3550. I just typed port-security mac-address and specified
the MAC. It was mentioned that you need to config the port-security command
first, then the port-security mac-address command next, even though the
port-security command does not appear in the config after you're done.
I think the static ARP entry is needed to match the MAC address to the IP. I
have heard several arguments why that may not be the case, but I also
haven't heard any other good solutions either, except that the IP in the
question is there to "fool" you. I don't think the CCIE lab would throw an IP
address in a question to fool someone, but that's just my opinion.
So far the solution I have seen that will work is:
int fastethernet 0/16
switchport port-security
switchport port-security mac-address xxxx.xxxx.xxxx
switchport port-security maximum 1
then your static ARP in global config.
Thoughts?
----- Original Message -----
From: <Wojciech.Gebka@ssk.com.pl>
To: <ccielab@groupstudy.com>
Sent: Tuesday, March 18, 2003 11:58 PM
Subject: RE: port filtering
> Hi Jin,
>
> I agree that port-security on the port is sufficient, but the second part of
> Ccie1's question is to allow only a particular IP address on the PC connected to
> this port:
> "I want to only allow mac-address 0800.E4D3.A2D1 with ip address 12.3.1.1
> on port fast-ethernet 0/16 on my 3550".
> Do you think that Tim's proposal in this context is more than they
> expected?
>
> interface FastEthernet 0/16
> switchport port-security maximum 1
> switchport port-security mac-address 0800.E4D3.A2D1
> switchport access vlan 100
> !
> interface Vlan100
> ip address 12.3.1.2 255.255.255.252
>
> Wojtek
>
>
>
>
>
> "Jung, Jin" <jin.jung@lmco.com>
> Sent by: nobody@groupstudy.com
> 2003-03-18 14:08
> Please respond to "Jung, Jin"
>
>
> To: ccielab@groupstudy.com
> cc:
> Subject: RE: port filtering
>
>
> If you use it with port-security on the interface it will.
>
> The whole point of the question is to prevent other MAC addresses from accessing
> the port.
>
> Port-security alone can do this without any ARP or layer 3 commands.
>
> If you read the question again, it only needs port-security enabled on
> the interface to make it work.
>
> Let's say I have a PC with an IP address of 192.168.01. and a MAC address of
> 0002.0034.4567,
> and the question asks to allow only this PC to access the port fa0/6.
>
> The only thing you have to do is enable port-security on the port to satisfy
> this requirement.
> You do not need a layer 3 access-list or any other layer 2 access-list, or
> VLAN map or ....
>
> I think people are reading too much into this question.
>
> If you add a static ARP on top of this, you are adding a little more than
> what was asked for, which does not hurt.
>
> And yes, Just arp alone does not provide port - security.
>
>
>
> -----Original Message-----
> From: Tim Fletcher [mailto:tim@fletchmail.net]
> Sent: Monday, March 17, 2003 7:25 PM
> To: Jung, Jin; 'ccie1@hotmail.com'
> Cc: ccielab@groupstudy.com
> Subject: RE: port filtering
>
>
>
> ARP is strictly layer 3. Each layer 2 device on the VLAN maintains its
> own ARP cache, so even if you could restrict the ARP entries, it would only
> affect off-net traffic. Any device on the same VLAN would still be able to
> reach any address within the network connected to that port.
>
> But you can't even restrict the ARP entries. Configuring a static ARP
> entry does not prevent other ARP entries. You can do a "no arp arpa" on the VLAN
> interface to disable ARP requests, but this still doesn't solve the
> problem.
> See my previous post on this issue:
> http://www.groupstudy.com/archives/ccielab/200302/msg00691.html
>
> -Tim Fletcher
>
> At 03:53 PM 3/17/03 -0500, Jung, Jin wrote:
>
>
> Well,,
>
> No
> But is it true that it will accept some other IP address only if you
> configure it on the 3550, and if you only configure a single static ARP for this
> address, the switch will only accept this IP?
>
> Jin jung...
>
>
> -----Original Message-----
> From: ccie1@hotmail.com [mailto:ccie1@hotmail.com]
> Sent: Monday, March 17, 2003 3:44 PM
> To: Jung, Jin; 'Syv Ritch'
> Cc: ccielab@groupstudy.com
> Subject: Re: port filtering
>
>
> Hi Jin:
> Actually I thought of specifying a static ARP, but after talking
> with others, that is not the correct solution. You can have multiple IP
> addresses to the same MAC address, just not the other way around, so a
> static ARP may not be the answer. Any other ideas?
>
>
> ----- Original Message -----
> From: "Jung, Jin" <jin.jung@lmco.com>
> To: "'Syv Ritch'" <syv@911networks.com>; <ccie1@hotmail.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, March 17, 2003 12:37 PM
> Subject: RE: port filtering
>
>
> >
> >
> > If I recall, and this has been talked about before,
> >
> > For L2, make sure you have
> > Switchport mode access
> > Switchport port-security
> > Switchport port-security mac-address <mac-address>
> >
> > And
> > Do static ARP entry on the 3550
> >
> > Arp 150.50.120.3 0000.00001.00ab
> >
> > This should work,, it worked for me,
> >
> > Jin jung...
> >
> > -----Original Message-----
> > From: Syv Ritch [mailto:syv@911networks.com]
> > Sent: Monday, March 17, 2003 1:53 PM
> > To: ccie1@hotmail.com
> > Cc: ccielab@groupstudy.com
> > Subject: Re: port filtering
> >
> >
> > On Monday, March 17, 2003, ccie1@hotmail.com wrote:
> >
> > -----Original Message-----
> >
> > chc> I want to only allow mac-address 0800.E4D3.A2D1 with ip address
> > chc> 12.3.1.1 on port fast-ethernet 0/16 on my 3550. The requirement
> > chc> is to not use layer 3 or layer 2 access-lists. I tried using
> > chc> port-security with the mac-address but that doesn't seem to work.
> > chc> Does anyone have any ideas on how to do this?
> >
> > What about:
> >
> > !vmps domain <domain-name>
> > ! The VMPS domain must be defined.
> > !vmps mode {open | secure}
> > ! The default mode is open.
> > !vmps fallback <vlan-name>
> > !vmps no-domain-req { allow | deny }
> > !
> > ! The default value is allow.
> > vmps domain DSBU
> > vmps mode open
> > vmps fallback default
> > vmps no-domain-req deny
> > !
> > !
> > !MAC Addresses
> > !
> > vmps-mac-addrs
> > !
> > ! address <addr> vlan-name <vlan_name>
> > !
> > address 0012.2233.4455 vlan-name hardware
> > address 0000.6509.a080 vlan-name hardware
> > address aabb.ccdd.eeff vlan-name Green
> > address 1223.5678.9abc vlan-name ExecStaff
> > address fedc.ba98.7654 vlan-name --NONE--
> > address fedc.ba23.1245 vlan-name Purple
> > !
> > !Port Groups
> > !
> > !vmps-port-group <group-name>
> > ! device <device-id> { port <port-name> | all-ports }
> > !
> > vmps-port-group WiringCloset1
> > device 198.92.30.32 port 0/2
> > device 172.20.26.141 port 0/8
> > vmps-port-group "Executive Row"
> > device 198.4.254.222 port 0/2
> > device 198.4.254.222 port 0/3
> > device 198.4.254.223 all-ports
> >
> > --
> > Thanks
> > syv@911networks.com
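The thread's proposed fix (enable port-security first, pin one MAC, keep maximum at 1, add a global static ARP for that MAC) is easy to get half-done, as the first poster found. Below is an added audit script, not code from any poster or from Cisco, that parses a constructed IOS running-config excerpt and flags interfaces where a secure MAC is configured without the enable line in the supplied text, where the maximum leaves room for unpinned MACs, or where the static ARP entry for a pinned MAC is absent; the interface names, MACs and IPs in the sample are constructed.

```python
import re

# Constructed sample running-config excerpt, not from any poster's switch.
SAMPLE_CONFIG = """\
arp 12.3.1.1 0800.e4d3.a2d1 ARPA
!
interface FastEthernet0/16
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0800.E4D3.A2D1
!
interface FastEthernet0/17
 switchport port-security mac-address 0000.1111.2222
 switchport port-security maximum 3
!
"""

def parse_config(text):
    """Per-interface port-security state plus global static ARP keyed by lower-case MAC."""
    interfaces, static_arp, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            # IOS default for port-security maximum is 1 when not configured
            interfaces[current] = {"enabled": False, "maximum": 1, "macs": []}
        elif line == "!":
            current = None                      # end of the interface stanza
        elif m := re.match(r"arp (\d+\.\d+\.\d+\.\d+) ([0-9a-fA-F.]+)", line):
            static_arp[m.group(2).lower()] = m.group(1)
        elif current is None:
            continue                            # other global lines are ignored
        elif line == "switchport port-security":
            interfaces[current]["enabled"] = True
        elif m := re.match(r"switchport port-security maximum (\d+)", line):
            interfaces[current]["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security mac-address (\S+)", line):
            interfaces[current]["macs"].append(m.group(1).lower())
    return interfaces, static_arp

def audit(text):
    """Flag the pitfalls the thread discusses, one finding per issue."""
    findings = []
    interfaces, static_arp = parse_config(text)
    for name, cfg in interfaces.items():
        if cfg["macs"] and not cfg["enabled"]:
            findings.append(f"{name}: secure MAC configured but port-security not enabled")
        if cfg["macs"] and cfg["maximum"] > len(cfg["macs"]):
            findings.append(f"{name}: maximum {cfg['maximum']} allows unpinned MACs")
        for mac in cfg["macs"]:
            if mac not in static_arp:
                findings.append(f"{name}: no static ARP entry for {mac}")
    return findings
```

Run `audit(SAMPLE_CONFIG)`: FastEthernet0/16 is clean, while FastEthernet0/17 produces all three findings.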
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:42 GMT-3