Re: catalyst 3550 filtre

From: folivore (folivore@hotmail.com)
Date: Fri May 09 2003 - 22:51:46 GMT-3


Key point here: this arp entry is only used by the 3550 itself.
So ARP is not a solution.

----- Original Message -----
From: "OhioHondo" <ohiohondo@columbus.rr.com>
To: "Daniel Cisco Group Study" <danielcgs@imc.net.au>; "Paul Lalonde"
<plalonde2@cogeco.ca>; "FATHALLAH" <sfathallah@mail.cbi.net.ma>; "Ccielab"
<ccielab@groupstudy.com>
Cc: <huntl@webcentral.com.au>
Sent: Friday, May 09, 2003 7:11 PM
Subject: RE: catalyst 3550 filtre

> Dan
>
> Can you disable ARP so the static entries are the only way to get l2 to L3
> mappings??
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Daniel Cisco Group Study
> Sent: Friday, May 09, 2003 6:13 PM
> To: Paul Lalonde; FATHALLAH; Ccielab
> Cc: huntl@webcentral.com.au
> Subject: RE: catalyst 3550 filtre
>
>
> This question has come up several times in group study, and like FRTS, there
> is no definite consensus (yet).
>
> Here's some results from my lab.
>
> 3550 Switch. SVI VLAN 14 with IP address 10.0.0.10/24
> R1 connected to FA0/1 (VLAN 14), IP address 10.0.0.1 /24
> R2 connected to FA0/2 (VLAN 14), IP address 10.0.0.2 /24
>
> 3550 config:
>
>
> interface FastEthernet0/1
> switchport access vlan 14
> switchport mode access
> switchport port-security
> switchport port-security mac-address 0060.7035.a3e5 <--- MAC address of E0 on R1
> no ip address
> !
> interface FastEthernet0/2
> switchport access vlan 14
> switchport mode access
> no ip address
> !
> interface Vlan14
> ip address 10.0.0.10 255.255.255.0
> !
> arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1
>
>
> Tests:
> (1) R1 pings R2 - OK. R1 & R2 ping 3550 OK.
>
> (2) Change IP address on R1 to 10.0.0.3. R1 pings R2 OK. R1 & R2 ping 3550 OK.
>
> (3) Change IP address on R2 to 10.0.0.1, while R1 is 10.0.0.3. R1 pings R2
> OK. R1 pings 3550. R2 DOES NOT PING 3550.
>
> Conclusions:
> If you rely on "arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1" to tie
> down the L3 address, all this does is add an arp entry to the arp cache of
> the 3550.
>
> When would this be used? Answer: Only when the 3550 has something to send to
> that IP... ie when it needs to route traffic to that IP, or wants to talk
> directly to that IP.... not when it is switching packets between two ports
> on the same VLAN.
>
> So, my conclusion is that if you don't use an ACL of some sort, you can NOT
> meet the requirements to stop R1 talking to R2.
>
> Now, we could talk about interpretation of the question....... Are we
> reading it wrong? Does the question really say that the device on a
> particular port must only ever have a particular address? Or is the question
> just saying that the device on that port happens to have a particular
> address, (and is therefore there to throw you off)?
>
> I would guess that the IP address is only there to throw you off.
>
> Any comments? Can we achieve a consensus on this one?
>
> Daniel
>
>
>
> -----Original Message-----
> From: Paul Lalonde [mailto:plalonde2@cogeco.ca]
> Sent: Wednesday, 7 May 2003 23:44
> To: FATHALLAH; Ccielab
> Subject: Re: catalyst 3550 filtre
>
>
> Configure port security on the switch for this MAC address and assign a
> static IP ARP assignment for the IP address on that interface.
>
> Eg.
>
> arp 100.100.100.1 3333.3333.3333 arpa fa0/12
>
> int fa0/12
> switchport port-security
> switchport port-security mac-address 3333.3333.3333
> switchport port-security violation restrict <- you don't want to shut down the port, do you? ->
>
> This is an acceptable solution. Been there, done that!
>
> Paul
>
> ----- Original Message -----
> From: "FATHALLAH" <sfathallah@mail.cbi.net.ma>
> To: "Ccielab" <ccielab@groupstudy.com>
> Sent: Wednesday, May 07, 2003 8:07 AM
> Subject: catalyst 3550 filtre
>
>
> > Can someone help me with this please.
> >
> > In catalyst 3550, how can I filter to permit a MAC 3333.3333.3333 with IP
> > address 100.100.100.1 without using layer 2 and layer 3 access-list. Sure the
> > vlan map is not the solution because it relies on mac and ip access-list.
> >
> > Any help will be appreciated.
> >
> > Said
>
>



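Added example, not part of any message in the thread above: Daniel's lab shows that a static `arp` entry only seeds the 3550's own cache and does nothing for frames switched between two ports in the same VLAN, so tying both the MAC and the IP of a host to its port for transit traffic needs port security plus an ingress port ACL. The addresses and R1's MAC are Daniel's lab values; the ACL names and the R2 MAC placeholder are assumptions.

```cisco
! Added example, not from the thread. 10.0.0.x addresses and R1's MAC are Daniel's
! lab values; the ACL names are invented and <R2-E0-MAC> is a placeholder.
! Port security pins the source MAC to the port; the inbound port ACL pins the
! source IP. IP frames from that port must satisfy both to be switched.
ip access-list extended R1-SRC-ONLY
 permit ip host 10.0.0.1 any
!
ip access-list extended R2-SRC-ONLY
 permit ip host 10.0.0.2 any
!
interface FastEthernet0/1
 switchport access vlan 14
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0060.7035.a3e5
 switchport port-security violation restrict
 ip access-group R1-SRC-ONLY in
!
interface FastEthernet0/2
 switchport access vlan 14
 switchport mode access
 switchport port-security
 ! <R2-E0-MAC> is a placeholder; R2's MAC is not given in the thread
 switchport port-security mac-address <R2-E0-MAC>
 switchport port-security violation restrict
 ip access-group R2-SRC-ONLY in
!
! Effect on Daniel's test (3): R2 sourcing 10.0.0.1 on Fa0/2 is dropped at
! ingress by R2-SRC-ONLY instead of reaching R1. ARP is not IP, so an IP port
! ACL does not filter it and neighbours still resolve each other; the static
! arp entry on the 3550 is now optional rather than the only binding.
```

Check the bindings with `show port-security interface FastEthernet0/1` and `show access-lists`; the port ACL on the 3550 is inbound only, which is the direction that matters here.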
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3