Re: ARP Question?

From: Adam Asay (aasay@cerberian.com)
Date: Thu Jul 31 2003 - 13:07:41 GMT-3


Amer,

You can use a static ARP entry. This will bind the MAC address and IP
address together, therefore only allowing the 1.1.1.1 IP address on the
port with port security enabled.

-Adam

Amer Mdanat (amdanat) wrote:

>So guys what if you only want to allow the host with MAC
>[1111.2222.3333] which must also have IP address [1.1.1.1]
>I guess the only way would be to use port security based on MAC address
>to make sure that the port is only up when this MAC is connected and
>also apply an ACL to only forward packets to and from 1.1.1.1? What do
>you think? Any better way of doing this?
>
>Amer
>
>
>-----Original Message-----
>From: g.duncanson [mailto:g.duncanson@pindar.com]
>Sent: 30 July 2003 13:57
>To: Glenn Johnson; ccielab@groupstudy.com
>Subject: Re: ARP Question?
>
>
>Just to agree with Glenn, I found this on the web..
>
>http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f37c.html#xtocid14
>
>This example shows how to configure a secure MAC address on Fast
>Ethernet port 12 and verify the configuration.
>
>Switch# configure terminal
>Enter configuration commands, one per line. End with CNTL/Z.
>Switch(config)# interface fastethernet0/12
>Switch(config-if)# switchport mode access
>Switch(config-if)# switchport port-security
>Switch(config-if)# switchport port-security mac-address 1000.2000.3000
>Switch(config-if)# end
>
>Switch# show port-security address
>
>          Secure Mac Address Table
>------------------------------------------------------------
>Vlan    Mac Address       Type                Ports
>----    -----------       ----                -----
>   1    1000.2000.3000    SecureConfigured    Fa0/12
>
>On 7/30/03 6:50 AM, Glenn Johnson <gjcomcast@comcast.net> wrote:
>>From what I can understand of your question, you want to:
>
>
>> 1) Have one (and only one) host use FA0/10.
>> 2) That host's MAC is 0000.2222.3333.
>> 3) [I assume that you meant] No one else can use FA0/10.
>>
>> I would set this up with a MAC address as you did below and not worry
>>about the IP address issue. I think it's a distractor if your only
>>goal is to limit access to one physical port to one physical MAC
>>address/host.
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Poor Ghost
>>Sent: Wednesday, July 30, 2003 1:25 AM
>>To: ccielab@groupstudy.com
>>Subject: ARP Question?
>>
>>
>>Hi, all.
>>
>>A host is connected to the port Fa 0/10 of a Catalyst 3550; the IP address
>>of the host is 192.168.20.5. Only one host, with MAC address
>>0000.2222.3333, is permitted to use this port. Anyone else can use this
>>port (Fa 0/10).
>>
>>I configured the 3550 switch as follows:
>>
>>int f 0/10
>> switchport mode access
>> switchport port-security
>> switchport port-security mac-address 0000.2222.3333
>> switchport port-security violation shutdown
>>!
>>arp 192.168.20.5 0000.2222.3333 arpa fa0/10
>>
>>But it did not work.
>>I changed the IP address to 192.168.20.11, but I can still use the port
>>Fa0/10.
>>Please help me!
>>
>>
>>_______________________________________________________________________
>>You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>>
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
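
A small config check for the two controls discussed in this thread (a static secure MAC under port security, and the inbound ACL Amer proposes for pinning the IP), added here as an example and not taken from any of the posts. The sample config, the ACL name HOST-ONLY and the function names are constructed for illustration, and it assumes the switch accepts an inbound IP ACL on the access port.

```python
import re

# Constructed sample (not from the thread): Fa0/10 has both controls, Fa0/11 is incomplete.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.2222.3333
 switchport port-security violation shutdown
 ip access-group HOST-ONLY in
!
interface FastEthernet0/11
 switchport port-security
 switchport violation shutdown
!
"""
MAC_LINE = re.compile(r"switchport port-security mac-address [0-9a-f]{4}(\.[0-9a-f]{4}){2}", re.I)

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def audit_port(lines):
    """List what one access port lacks relative to the MAC + IP pinning above."""
    findings = []
    if "switchport port-security" not in lines:
        findings.append("port security not enabled")
    if not any(MAC_LINE.fullmatch(l) for l in lines):
        findings.append("no static secure MAC")
    if not any(l.startswith("switchport port-security violation ") for l in lines):
        findings.append("violation mode not set explicitly")
    if not any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines):
        findings.append("no inbound IP ACL applied")
    # Port-security options are sub-commands of "switchport port-security".
    findings += [f"unrecognised command: {l}" for l in lines
                 if l.startswith("switchport violation")]
    return findings

def audit(config):
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}
```

Calling `audit(SAMPLE_CONFIG)` returns an empty list for Fa0/10 and the list of gaps for Fa0/11.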



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:53:00 GMT-3