From: Daniel Free (danrose111@earthlink.net)
Date: Sat May 10 2003 - 03:29:32 GMT-3
I agree with your statement that the IP address is
there to throw you off. Especially when it states no
L2 or L3 access-lists allowed. Just use port-security with the mac-address
and that will suffice.
Danny
----- Original Message -----
From: "Daniel Cisco Group Study" <danielcgs@imc.net.au>
To: "Paul Lalonde" <plalonde2@cogeco.ca>; "FATHALLAH"
<sfathallah@mail.cbi.net.ma>; "Ccielab" <ccielab@groupstudy.com>
Cc: <huntl@webcentral.com.au>
Sent: Friday, May 09, 2003 6:12 PM
Subject: RE: catalyst 3550 filtre
> This question has come up several times in group study, and like FRTS,
> there is no definite consensus (yet).
>
> Here's some results from my lab.
>
> 3550 Switch. SVI VLAN 14 with IP address 10.0.0.10/24
> R1 connected to FA0/1 (VLAN 14), IP address 10.0.0.1 /24
> R2 connected to FA0/2 (VLAN 14), IP address 10.0.0.2 /24
>
> 3550 config:
>
>
> interface FastEthernet0/1
> switchport access vlan 14
> switchport mode access
> switchport port-security
> switchport port-security mac-address 0060.7035.a3e5 <--- MAC address of
> E0 on R1
> no ip address
> !
> interface FastEthernet0/2
> switchport access vlan 14
> switchport mode access
> no ip address
> !
> interface Vlan14
> ip address 10.0.0.10 255.255.255.0
> !
> arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1
>
>
> Tests:
> (1) R1 pings R2 - OK. R1 & R2 ping 3550 OK.
>
> (2) Change IP address on R1 to 10.0.0.3. R1 pings R2 OK. R1 & R2 ping
> 3550 OK.
>
> (3) Change IP address on R2 to 10.0.0.1, while R1 is 10.0.0.3. R1 pings R2
> OK. R1 pings 3550. R2 DOES NOT PING 3550.
>
> Conclusions:
> If you rely on "arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1" to tie
> down the L3 address, all this does is add an arp entry to the arp cache of
> the 3550.
>
> When would this be used? Answer: Only when the 3550 has something to send
> to that IP... ie when it needs to route traffic to that IP, or wants to talk
> directly to that IP.... not when it is switching packets between two ports
> on the same VLAN.
>
> So, my conclusion is that if you don't use an ACL of some sort, you can
> NOT meet the requirements to stop R1 talking to R2.
>
> Now, we could talk about interpretation of the question....... Are we
> reading it wrong? Does the question really say that the device on a
> particular port must only ever have a particular address? Or is the question
> just saying that the device on that port happens to have a particular
> address, (and is therefore there to throw you off)?
>
> I would guess that the IP address is only there to throw you off.
>
> Any comments? Can we achieve a consensus on this one?
>
> Daniel
>
>
>
> -----Original Message-----
> From: Paul Lalonde [mailto:plalonde2@cogeco.ca]
> Sent: Wednesday, 7 May 2003 23:44
> To: FATHALLAH; Ccielab
> Subject: Re: catalyst 3550 filtre
>
>
> Configure port security on the switch for this MAC address and assign a
> static IP ARP assignment for the IP address on that interface.
>
> Eg.
>
> arp 100.100.100.1 3333.3333.3333 arpa fa0/12
>
> int fa0/12
> switchport port-security
> switchport port-security mac-address 3333.3333.3333
> switchport port-security violation restrict <- you don't want to shut
> down the port, do you?->
>
> This is an acceptable solution. Been there, done that!
>
> Paul
>
> ----- Original Message -----
> From: "FATHALLAH" <sfathallah@mail.cbi.net.ma>
> To: "Ccielab" <ccielab@groupstudy.com>
> Sent: Wednesday, May 07, 2003 8:07 AM
> Subject: catalyst 3550 filtre
>
>
> > can someone help me in this please.
> >
> > in catalyst 3550, how can I filter to permit a MAC 3333.3333.3333 with IP
> > address 100.100.100.1 without using layer 2 and layer 3 access-list. Sure
> > the vlan map is not the solution because it relies on mac and ip
> > access-list.
> >
> > any help will be appreciated.
> >
> > Said
>
>
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3
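A model of the lab in Daniel's message above, added here as an example that is not part of this thread and is not Cisco code: a small Python simulation in which port security checks the source MAC on ingress, a static ARP entry lives only in the switch's own ARP cache, and host-to-host traffic on the same VLAN is forwarded on destination MAC alone. R1's MAC, the port names and the IP addresses are taken from the thread; R2's MAC, the SVI MAC and the extra MAC used for the port-security check are constructed. Running `run_lab()` reproduces the three tests and shows why the static ARP entry only affects the switch's own replies.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

R1_MAC = "0060.7035.a3e5"    # from the thread: E0 on R1
R2_MAC = "0000.0c11.2222"    # constructed MAC for R2
OTHER_MAC = "0000.0c55.6666"  # constructed MAC for the port-security check


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    port: str  # switch port the host is attached to


@dataclass
class Switch:
    svi_ip: str
    port_security: Dict[str, str] = field(default_factory=dict)  # port -> secured MAC
    static_arp: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # ip -> (mac, port)
    hosts: Dict[str, Host] = field(default_factory=dict)  # port -> attached host

    def attach(self, host: Host) -> None:
        self.hosts[host.port] = host

    def ingress_ok(self, host: Host) -> bool:
        """Port security: a frame is accepted only if its source MAC matches the
        MAC secured on that port; ports without port security accept any MAC."""
        secured = self.port_security.get(host.port)
        return secured is None or secured == host.mac

    def arp_who_has(self, ip: str, asker: Host) -> Optional[Host]:
        """Broadcast ARP on the VLAN: whichever attached host owns the IP answers.
        The switch merely floods the frame; its own ARP cache is never consulted."""
        if not self.ingress_ok(asker):
            return None
        for h in self.hosts.values():
            if h is not asker and h.ip == ip:
                return h
        return None

    def ping_host_to_host(self, src: Host, dst_ip: str) -> bool:
        """L2 switching between two access ports in the same VLAN: resolve the
        destination MAC by ARP, then forward on destination MAC only."""
        target = self.arp_who_has(dst_ip, src)
        return target is not None and self.ingress_ok(target)

    def resolve_for_svi(self, ip: str, learned: Tuple[str, str]) -> Tuple[str, str]:
        """Only when the switch itself sends to `ip` does the ARP cache matter:
        a static entry overrides whatever was learned from the incoming request."""
        return self.static_arp.get(ip, learned)

    def ping_host_to_switch(self, src: Host) -> bool:
        """A host pings the SVI. The request is accepted if port security allows
        it; the reply goes wherever the switch's ARP cache says the IP lives."""
        if not self.ingress_ok(src):
            return False
        mac, port = self.resolve_for_svi(src.ip, (src.mac, src.port))
        return (mac, port) == (src.mac, src.port)


def build_lab() -> Tuple[Switch, Host, Host]:
    """The 3550 config from the thread: port security on Fa0/1 tied to R1's MAC,
    plus 'arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1'."""
    sw = Switch(svi_ip="10.0.0.10")
    sw.port_security["FastEthernet0/1"] = R1_MAC
    sw.static_arp["10.0.0.1"] = (R1_MAC, "FastEthernet0/1")
    r1 = Host("R1", R1_MAC, "10.0.0.1", "FastEthernet0/1")
    r2 = Host("R2", R2_MAC, "10.0.0.2", "FastEthernet0/2")
    sw.attach(r1)
    sw.attach(r2)
    return sw, r1, r2


def run_lab() -> dict:
    """Each test returns (R1 pings R2, R1 pings 3550, R2 pings 3550)."""
    sw, r1, r2 = build_lab()
    results = {}
    # Test 1: addresses as configured.
    results["t1"] = (sw.ping_host_to_host(r1, r2.ip),
                     sw.ping_host_to_switch(r1), sw.ping_host_to_switch(r2))
    # Test 2: R1 moves to 10.0.0.3; nothing stops it, the static ARP entry is unused.
    r1.ip = "10.0.0.3"
    results["t2"] = (sw.ping_host_to_host(r1, r2.ip),
                     sw.ping_host_to_switch(r1), sw.ping_host_to_switch(r2))
    # Test 3: R2 takes 10.0.0.1. R1 still reaches R2 over L2, but the switch's
    # replies to 10.0.0.1 follow the static entry to Fa0/1, so R2 cannot ping it.
    r2.ip = "10.0.0.1"
    results["t3"] = (sw.ping_host_to_host(r1, "10.0.0.1"),
                     sw.ping_host_to_switch(r1), sw.ping_host_to_switch(r2))
    # What port security does do: a different MAC on Fa0/1 is dropped on ingress.
    results["other_mac_on_fa0_1"] = sw.ingress_ok(
        Host("X", OTHER_MAC, "10.0.0.5", "FastEthernet0/1"))
    return results


if __name__ == "__main__":
    for test, outcome in run_lab().items():
        print(test, outcome)
```

The model makes the thread's conclusion concrete: port security binds the MAC to the port, the static ARP entry only steers the switch's own replies, and neither one inspects the IP header of frames switched between Fa0/1 and Fa0/2, which is why an IP-to-MAC binding on that port needs an ACL or VLAN map.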