From: OhioHondo (ohiohondo@columbus.rr.com)
Date: Sat May 10 2003 - 09:49:02 GMT-3
Everyone
What I meant was, find a function that disables the creation of ARP entries
when a host pings the 3550. Then only statically defined ARP entries would
ever be in the ARP table. Maybe such a function does not exist.
-----Original Message-----
From: Tim Fletcher [mailto:tim@fletchmail.net]
Sent: Saturday, May 10, 2003 12:09 AM
To: OhioHondo; Daniel Cisco Group Study; Paul Lalonde; FATHALLAH; Ccielab
Cc: huntl@webcentral.com.au
Subject: RE: catalyst 3550 filtre
ARP entries are also created when a packet arrives on an interface. So
even if you disable ARP, you can still create an ARP entry by pinging the
switch from the host.
It also does not answer the issue of other hosts on the same vlan still
being able to talk to it because they all maintain their own ARP tables.
-Tim Fletcher #11406
At 08:11 PM 5/9/03 -0400, OhioHondo wrote:
Dan
Can you disable ARP so the static entries are the only way to get L2 to L3
mappings??
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Daniel Cisco Group Study
Sent: Friday, May 09, 2003 6:13 PM
To: Paul Lalonde; FATHALLAH; Ccielab
Cc: huntl@webcentral.com.au
Subject: RE: catalyst 3550 filtre
This question has come up several times in group study, and like FRTS, there
is no definite consensus (yet).
Here are some results from my lab.
3550 Switch. SVI VLAN 14 with IP address 10.0.0.10/24
R1 connected to FA0/1 (VLAN 14), IP address 10.0.0.1/24
R2 connected to FA0/2 (VLAN 14), IP address 10.0.0.2/24
3550 config:
interface FastEthernet0/1
 switchport access vlan 14
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0060.7035.a3e5 <--- MAC address of E0 on R1
 no ip address
!
interface FastEthernet0/2
 switchport access vlan 14
 switchport mode access
 no ip address
!
interface Vlan14
 ip address 10.0.0.10 255.255.255.0
!
arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1
Tests:
(1) R1 pings R2 - OK. R1 & R2 ping 3550 OK.
(2) Change IP address on R1 to 10.0.0.3. R1 pings R2 OK. R1 & R2 ping 3550 OK.
(3) Change IP address on R2 to 10.0.0.1, while R1 is 10.0.0.3. R1 pings R2 OK. R1 pings 3550. R2 DOES NOT PING 3550.
Conclusions:
If you rely on "arp 10.0.0.1 0060.7035.a3e5 ARPA FastEthernet0/1" to tie
down the L3 address, all this does is add an ARP entry to the ARP cache of
the 3550.
When would this be used? Answer: Only when the 3550 has something to send to
that IP... i.e. when it needs to route traffic to that IP, or wants to talk
directly to that IP... not when it is switching packets between two ports
on the same VLAN.
So, my conclusion is that if you don't use an ACL of some sort, you can NOT
meet the requirements to stop R1 talking to R2.
Now, we could talk about interpretation of the question... Are we
reading it wrong? Does the question really say that the device on a
particular port must only ever have a particular address? Or is the question
just saying that the device on that port happens to have a particular
address (and is therefore there to throw you off)?
I would guess that the IP address is only there to throw you off.
Any comments? Can we achieve a consensus on this one?
Daniel
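A small model of the lab above, added here as an illustration and not code from Daniel, Cisco or anyone else in the thread. It reduces IOS to the three behaviours the thread argues about: frames between ports on the same VLAN are switched on destination MAC alone, port security checks only the source MAC on its port, and the SVI answers a ping using its own ARP cache (gleaning the requester's mapping from the ARP request, as Tim notes, unless a static entry pins that IP). R1's MAC and all IP addresses come from the post; the MACs for R2, R3 and the SVI are made up.

```python
# Toy model of the lab above (constructed for this thread, not Daniel's or
# Cisco's code).  IOS is reduced to the behaviours under discussion: frames
# between ports are switched on destination MAC alone, port security checks
# source MAC only, and the SVI answers a ping out of its own ARP cache.
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    port: str
    arp: dict = field(default_factory=dict)   # every host keeps its own ARP table


class Switch3550:
    def __init__(self, svi_ip, svi_mac):
        self.svi_ip, self.svi_mac = svi_ip, svi_mac
        self.cam = {}     # MAC -> port, learned from frame source addresses
        self.secure = {}  # port -> the single MAC allowed by port security
        self.arp = {}     # IP -> (MAC, is_static): the SVI's ARP cache
        self.hosts = {}   # port -> Host currently on that wire

    def attach(self, host):
        self.hosts[host.port] = host

    def port_security(self, port, mac):   # switchport port-security mac-address
        self.secure[port] = mac

    def static_arp(self, ip, mac):        # arp <ip> <mac> ARPA <intf>: SVI cache only
        self.arp[ip] = (mac, True)

    def admit(self, port, mac):           # violation restrict: other MACs are dropped
        return port not in self.secure or self.secure[port] == mac

    def forward(self, port, src_mac, dst_mac):
        """L2 switching: learn the source MAC, look up the destination MAC; IP is never read."""
        if not self.admit(port, src_mac):
            return None
        self.cam[src_mac] = port
        return self.hosts.get(self.cam.get(dst_mac))

    def resolve(self, src, ip):
        """ARP who-has from src, flooded on the VLAN; returns the MAC that answers."""
        if not self.admit(src.port, src.mac):
            return None
        self.cam[src.mac] = src.port
        if ip == self.svi_ip:
            # ARP glean (Tim's point): the SVI caches the requester's IP->MAC
            # from the request itself, unless a static entry already pins that IP.
            if src.ip not in self.arp or not self.arp[src.ip][1]:
                self.arp[src.ip] = (src.mac, False)
            return self.svi_mac
        for h in self.hosts.values():
            if h is not src and h.ip == ip and self.admit(h.port, h.mac):
                self.cam[h.mac] = h.port   # the ARP reply's source MAC is learned
                src.arp[ip] = h.mac        # and the requester caches the answer
                return h.mac
        return None

    def ping(self, src, dst_ip):
        """Echo request from src to dst_ip; True if the echo reply lands back on src."""
        dst_mac = self.resolve(src, dst_ip)
        if dst_mac is None:
            return False
        if dst_mac == self.svi_mac:
            # The SVI addresses its reply from ITS cache: a static entry for
            # src.ip sends the reply to the pinned MAC, whoever really sent it.
            if not self.admit(src.port, src.mac):
                return False
            reply_mac = self.arp.get(src.ip, (None, False))[0]
            return self.hosts.get(self.cam.get(reply_mac)) is src
        target = self.forward(src.port, src.mac, dst_mac)
        if target is None:
            return False
        # The target replies to the MAC the request came from; the 3550's
        # static ARP entry is never consulted for host-to-host traffic.
        return self.forward(target.port, target.mac, src.mac) is src


def run_daniel_tests():
    """Replays tests (1)-(3); returns {test: (R1->R2, R1->3550, R2->3550)}."""
    sw = Switch3550("10.0.0.10", "0000.0c00.0010")            # SVI MAC is made up
    r1 = Host("R1", "0060.7035.a3e5", "10.0.0.1", "Fa0/1")   # MAC from the thread
    r2 = Host("R2", "0000.0c00.0002", "10.0.0.2", "Fa0/2")   # MAC is made up
    for h in (r1, r2):
        sw.attach(h)
    sw.port_security("Fa0/1", "0060.7035.a3e5")
    sw.static_arp("10.0.0.1", "0060.7035.a3e5")

    def trio():
        return (sw.ping(r1, r2.ip), sw.ping(r1, sw.svi_ip), sw.ping(r2, sw.svi_ip))

    results = {1: trio()}
    r1.ip = "10.0.0.3"                       # test (2)
    results[2] = trio()
    r2.ip = "10.0.0.1"                       # test (3): R2 takes R1's old address
    results[3] = trio()
    # What port security does enforce: another MAC on Fa0/1 is simply dropped.
    r3 = Host("R3", "0000.0c00.0003", "10.0.0.5", "Fa0/1")   # made up
    sw.attach(r3)
    results["other MAC on Fa0/1"] = sw.ping(r3, r2.ip)
    return results
```

Running `run_daniel_tests()` reproduces the three results in the post: tests (1) and (2) succeed everywhere, and in test (3) only R2's ping to the 3550 fails, because the SVI's reply is addressed to the statically pinned MAC and lands on R1. The last entry shows the one thing the configuration does enforce, the MAC-to-port binding on Fa0/1; nothing in the model ever compares a host's IP address with its MAC for frames switched between Fa0/1 and Fa0/2, which is why an ACL of some sort is needed to stop R1 talking to R2.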
-----Original Message-----
From: Paul Lalonde [mailto:plalonde2@cogeco.ca]
Sent: Wednesday, 7 May 2003 23:44
To: FATHALLAH; Ccielab
Subject: Re: catalyst 3550 filtre
Configure port security on the switch for this MAC address and assign a
static IP ARP assignment for the IP address on that interface.
E.g.
arp 100.100.100.1 3333.3333.3333 arpa fa0/12
int fa0/12
 switchport port-security
 switchport port-security mac-address 3333.3333.3333
 switchport port-security violation restrict <- you don't want to shut down the port, do you? ->
This is an acceptable solution. Been there, done that!
Paul
----- Original Message -----
From: "FATHALLAH" <sfathallah@mail.cbi.net.ma>
To: "Ccielab" <ccielab@groupstudy.com>
Sent: Wednesday, May 07, 2003 8:07 AM
Subject: catalyst 3550 filtre
> can someone help me in this please.
>
> in catalyst 3550, how can I filter to permit a MAC 3333.3333.3333 with IP
> address 100.100.100.1 without using layer 2 and layer 3 access-list. Sure
> the vlan map is not the solution because it relies on mac and ip access-list.
>
> any help will be appreciated.
>
> Said
This archive was generated by hypermail 2.1.4 : Mon Jun 02 2003 - 15:13:40 GMT-3