From: Tim Fletcher (tim@fletchmail.net)
Date: Sat May 10 2003 - 01:09:00 GMT-3
ARP entries are also created when a packet arrives on an interface. So even if you disable ARP, you can still create an ARP entry by pinging the switch from the host.
It also does not answer the issue of other hosts on the same vlan still being able to talk to it because they all maintain their own ARP tables.
-Tim Fletcher #11406
At 08:11 PM 5/9/03 -0400, OhioHondo wrote:
>Dan
>
>Can you disable ARP so the static entries are the only way to get l2 to L3
>mappings??
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>Daniel Cisco Group Study
>Sent: Friday, May 09, 2003 6:13 PM
>To: Paul Lalonde; FATHALLAH; Ccielab
>Cc: huntl@webcentral.com.au
>Subject: RE: catalyst 3550 filtre
>
>
>This question has come up several times in group study, and like FRTS, there
>is no definite consensus (yet).
>
>Here are some results from my lab.
>
>3550 Switch. SVI VLAN 14 with IP address 10.0.0.10/24
>R1 connected to FA0/1 (VLAN 14), IP address 10.0.0.1 /24
>R2 connected to FA0/2 (VLAN 14), IP address 10.0.0.2 /24
>
>3550 config:
>
>
>interface FastEthernet0/1
> switchport access vlan 14
> switchport mode access
> switchport port-security
> switchport port-security mac-address 0060.7035.a3e5 <--- MAC address of E0
>on R1
> no ip address
>!
>interface FastEthernet0/2
> switchport access vlan 14
> switchport mode access
> no ip address
>!
>interface Vlan14
> ip address 10.0.0.10 255.255.255.0
>!
>arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1
>
>
>Tests:
>(1) R1 pings R2 - OK. R1 & R2 ping 3550 OK.
>
>(2) Change IP address on R1 to 10.0.0.3. R1 pings R2 OK. R1 & R2 ping 3550
>OK.
>
>(3) Change IP address on R2 to 10.0.0.1, while R1 is 10.0.0.3. R1 pings R2
>OK. R1 pings 3550. R2 DOES NOT PING 3550.
>
>Conclusions:
>If you rely on "arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1" to tie
>down the L3 address, all this does is add an arp entry to the arp cache of
>the 3550.
>
>When would this be used? Answer: Only when the 3550 has something to send to
>that IP... ie when it needs to route traffic to that IP, or wants to talk
>directly to that IP.... not when it is switching packets between two ports
>on the same VLAN.
>
>So, my conclusion is that if you don't use an ACL of some sort, you can NOT
>meet the requirements to stop R1 talking to R2.
>
>Now, we could talk about interpretation of the question....... Are we
>reading it wrong? Does the question really say that the device on a
>particular port must only ever have a particular address? Or is the question
>just saying that the device on that port happens to have a particular
>address, (and is therefore there to throw you off)?
>
>I would guess that the IP address is only there to throw you off.
>
>Any comments? Can we achieve a consensus on this one?
>
>Daniel
>
>
>
>-----Original Message-----
>From: Paul Lalonde [mailto:plalonde2@cogeco.ca]
>Sent: Wednesday, 7 May 2003 23:44
>To: FATHALLAH; Ccielab
>Subject: Re: catalyst 3550 filtre
>
>
>Configure port security on the switch for this MAC address and assign a
>static IP ARP assignment for the IP address on that interface.
>
>Eg.
>
>arp 100.100.100.1 3333.3333.3333 arpa fa0/12
>
>int fa0/12
> switchport port-security
> switchport port-security mac-address 3333.3333.3333
> switchport port-security violation restrict <- you don't want to shut
>down the port, do you?->
>
>This is an acceptable solution. Been there, done that!
>
>Paul
>
>----- Original Message -----
>From: "FATHALLAH" <sfathallah@mail.cbi.net.ma>
>To: "Ccielab" <ccielab@groupstudy.com>
>Sent: Wednesday, May 07, 2003 8:07 AM
>Subject: catalyst 3550 filtre
>
>
>> can someone help me in this please.
>>
>> in catalyst 3550, how can I filter to permit a MAC 3333.3333.3333 with IP
>> address 100.100.100.1 without using layer 2 and layer 3 access-list. sure the
>> vlan map is not the solution because it relies on mac and ip access-list.
>>
>> any help will be appreciated.
>>
>> Said
>
>
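Added example, not part of the thread: a toy Python model of the 3550 that reproduces Daniel's three tests and makes Tim's point concrete. Port security checks the source MAC at ingress, the static "arp" entry is consulted only when the switch itself sends a frame, and host-to-host traffic in the VLAN never touches the switch's ARP cache. The MAC for R2 is constructed (the thread never gives it), and the switch behaviour is a deliberate simplification.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    mac: str
    ip: str
    port: str

@dataclass
class Switch3550:
    # "switchport port-security mac-address <mac>" per port
    port_security: dict = field(default_factory=dict)
    # "arp <ip> <mac> ARPA <intf>" static entries: ip -> (mac, port)
    static_arp: dict = field(default_factory=dict)
    # entries learned from frames that arrive for the SVI (Tim's point)
    dynamic_arp: dict = field(default_factory=dict)

    def ingress_ok(self, h: Host) -> bool:
        """Port security: only the secured MAC may send on that port."""
        allowed = self.port_security.get(h.port)
        return allowed is None or allowed == h.mac

    def host_to_host(self, src: Host, dst: Host) -> bool:
        """Intra-VLAN ping is pure L2 switching; the hosts resolve each other
        with their own ARP tables, so the switch's ARP cache is never used."""
        return self.ingress_ok(src) and self.ingress_ok(dst)

    def ping_svi(self, src: Host) -> bool:
        """Ping to the SVI: the request arrives and is learned unless a static
        entry exists; the reply goes to whatever the switch's cache holds."""
        if not self.ingress_ok(src):
            return False
        if src.ip not in self.static_arp:
            self.dynamic_arp[src.ip] = (src.mac, src.port)
        mac, port = self.static_arp.get(src.ip, self.dynamic_arp.get(src.ip))
        return (mac, port) == (src.mac, src.port)

def run_lab() -> dict:
    """Daniel's three tests; each tuple is (R1->R2, R1->3550, R2->3550)."""
    sw = Switch3550(port_security={"Fa0/1": "0060.7035.a3e5"},
                    static_arp={"10.0.0.1": ("0060.7035.a3e5", "Fa0/1")})
    r1 = Host("0060.7035.a3e5", "10.0.0.1", "Fa0/1")
    r2 = Host("0000.0c00.0002", "10.0.0.2", "Fa0/2")  # R2 MAC: constructed
    trial = lambda: (sw.host_to_host(r1, r2), sw.ping_svi(r1), sw.ping_svi(r2))
    results = {"test1": trial()}
    r1.ip = "10.0.0.3"          # test 2: R1 moves off its static IP
    results["test2"] = trial()
    r2.ip = "10.0.0.1"          # test 3: R2 takes the IP tied to R1's MAC
    results["test3"] = trial()
    return results
```

In test 3 only R2's ping to the switch fails: the SVI's reply is steered by the static entry to 0060.7035.a3e5 on Fa0/1, while R1 and R2 keep talking because their own ARP tables, not the switch's, resolve each other.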
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3