From: Larson, Chris (CLarson@usaid.gov)
Date: Thu Jul 31 2003 - 13:21:44 GMT-3
Yes, but I wonder...
If I changed the IP address of the host, then won't it reply? Just because
there is a static IP-to-MAC mapping using the arp command does not mean that
a person could not change the IP, which would then use the dynamic entry
anyway, right? If that is true, then even though port security works, the
static ARP entry does prevent someone from changing the IP and still having
connectivity?
> -----Original Message-----
> From: Adam Asay [SMTP:aasay@cerberian.com]
> Sent: Thursday, July 31, 2003 12:08 PM
> To: Amer Mdanat (amdanat)
> Cc: g.duncanson; Glenn Johnson; ccielab@groupstudy.com
> Subject: Re: ARP Question?
>
> Amer,
>
> You can use a static arp entry. This will bind the MAC address and IP
> address together, therefore only allowing the 1.1.1.1 ip address on the
> port with port security enabled.
>
> -Adam
>
> Amer Mdanat (amdanat) wrote:
>
> >So guys what if you only want to allow the host with MAC
> >[1111.2222.3333] which must also have IP address [1.1.1.1]
> >I guess the only way would be to use port security based on MAC address
> >to make sure that the port is only up when this MAC is connected and
> >also apply an ACL to only forward packets to and from 1.1.1.1? What do
> >you think? Any better way of doing this?
> >
> >Amer
> >
> >
> >-----Original Message-----
> >From: g.duncanson [mailto:g.duncanson@pindar.com]
> >Sent: 30 July 2003 13:57
> >To: Glenn Johnson; ccielab@groupstudy.com
> >Subject: Re: ARP Question?
> >
> >
> >Just to agree with Glenn, I found this on the web..
> >
> >http://www.cisco.com/en/US/products/hw/switches/ps646/products_configura
> >tion_guide_chapter09186a008007f37c.html#xtocid14
> >
> >This example shows how to configure a secure MAC address on Fast
> >Ethernet port 12 and verify the configuration.
> >
> >Switch# configure terminal
> >Enter configuration commands, one per line. End with CNTL/Z.
> >Switch(config)# interface fastethernet0/12
> >Switch(config-if)# switchport mode access
> >Switch(config-if)# switchport port-security
> >Switch(config-if)# switchport port-security mac-address 1000.2000.3000
> >Switch(config-if)# end
> >
> >Switch# show port-security address
> >
> > Secure Mac Address Table
> >------------------------------------------------------------
> >
> >Vlan Mac Address Type Ports
> >---- ----------- ---- -----
> > 1 1000.2000.3000 SecureConfigured Fa0/12
> >
> >On 7/30/03 6:50 AM, Glenn Johnson <gjcomcast@comcast.net> wrote:
> >>From what I can understand of your question, you want to:
> >>
> >> 1) Have one (and only one) host use FA0/10.
> >> 2) That host's MAC is 0000.2222.3333.
> >> 3) [I assume that you meant] No one else can use FA0/10.
> >>
> >> I would set this up with a MAC address as you did below and not worry
> >>about the IP address issue. I think it's a distractor if your only
> >>goal is to limit access to one physical port to one physical MAC
> >>address/host.
> >>
> >>-----Original Message-----
> >>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Poor Ghost
> >>Sent: Wednesday, July 30, 2003 1:25 AM
> >>To: ccielab@groupstudy.com
> >>Subject: ARP Question?
> >>
> >>
> >>Hi, all.
> >>
> >>A host is connected to the port Fa 0/10 of a Catalyst 3550; the IP address
> >>of the host is 192.168.20.5. Only one host, with MAC address
> >>0000.2222.3333, is permitted to use this port. Anyone else can use this
> >>port (Fa 0/10).
> >>
> >>I configured the 3550 switch as following:
> >>
> >>int f 0/10
> >> switchport mode access
> >> switchport port-security
> >> switchport port-security mac-address 0000.2222.3333
> >> switchport port-security violation shutdown
> >>!
> >>arp 192.168.20.5 0000.2222.3333 arpa fa0/10
> >>
> >>But, it did not work.
> >>I changed the IP address to 192.168.20.11, but I still can use the port
> >>Fa0/10.
> >>Please help me!
> >>
> >>
> >>_______________________________________________________________________
> >>You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >>
> >>Subscription information may be found at:
> >>http://www.groupstudy.com/list/CCIELab.html
> >>
> >
> >
>
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:53:00 GMT-3
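The open question in this thread is whether a static ARP entry pins the host's IP on a port-secured interface. As an added illustration, not code from any poster or from Cisco, here is a small Python model of the behaviour discussed above: port security matches only the frame's source MAC, the static arp entry is not consulted for frames bridged through the port, and the ACL Amer suggested is what actually ties the port to 192.168.20.5. The switch logic is a deliberate simplification; the MAC and IP values are the ones used in the thread.

```python
# Added model (not from any poster): how a Catalyst access port with port
# security treats ingress frames, and why a static ARP entry does not pin
# the host's IP. The switch logic is a simplification written for this
# illustration; the MAC/IP values are the ones quoted in the thread.
from dataclasses import dataclass, field


@dataclass
class Frame:
    src_mac: str
    src_ip: str


@dataclass
class AccessPort:
    secure_macs: set                                 # switchport port-security mac-address ...
    ip_acl: set = field(default_factory=set)         # permitted source IPs; empty = no ACL
    static_arp: dict = field(default_factory=dict)   # arp <ip> <mac> arpa
    err_disabled: bool = False

    def ingress(self, f: Frame) -> str:
        """Return the fate of one ingress frame on this port."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        # Port security inspects the frame's source MAC only.
        if f.src_mac not in self.secure_macs:
            self.err_disabled = True                 # violation shutdown
            return "violation: port shut down"
        # self.static_arp is deliberately not consulted here: a static ARP entry
        # only seeds the switch's own ARP cache (used when the switch itself
        # sources traffic); it is not a filter on frames bridged through the
        # port. An ingress IP ACL is what ties the port to one address.
        if self.ip_acl and f.src_ip not in self.ip_acl:
            return "dropped: denied by ACL"
        return "forwarded"


def scenario():
    """Replay the thread: port security + static ARP, then with an ACL added."""
    mac, ip, new_ip = "0000.2222.3333", "192.168.20.5", "192.168.20.11"
    port = AccessPort(secure_macs={mac}, static_arp={ip: mac})
    original = port.ingress(Frame(mac, ip))            # expected host, expected IP
    changed = port.ingress(Frame(mac, new_ip))         # same host after changing its IP
    other = port.ingress(Frame("aaaa.bbbb.cccc", ip))  # a different MAC presenting the same IP
    acl_port = AccessPort(secure_macs={mac}, ip_acl={ip})
    changed_acl = acl_port.ingress(Frame(mac, new_ip))
    return {"original": original, "changed_ip": changed,
            "other_mac": other, "changed_ip_with_acl": changed_acl}
```

Running `scenario()` reproduces Poor Ghost's observation: the frame from the allowed MAC with the changed IP is still forwarded, and only the ACL case drops it.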