From: MMoniz (ccie2002@tampabay.rr.com)
Date: Fri Aug 01 2003 - 17:23:02 GMT-3
Well, my view, for what it's worth, is:
If the host is on a VLAN that does have a layer 3 interface I would do both. The downside
to this is that you will need a static ARP entry for every other host, since ARP is disabled.
An ACL would work in this case, but again, do you only allow this one host? If not, then
again the host can change its address and work.
If only layer 2 is used I think a MAC ACL would provide the same end result, but is this
what they are looking for? I would think they would be looking for port security.
So if it was only layer 2 I think I would do port security with restrict as the violation mode.
Just my thoughts
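For reference, here is the pair of configurations the thread is weighing, written out as an added example; this is not any poster's configuration. It assumes a Catalyst 3550 with the host from the original question (MAC 0000.2222.3333, IP 192.168.20.5) on Fa0/10, a VLAN number of 20 and an SVI address of 192.168.20.1, none of which appear in the thread.

```cisco
! Added example, not from any message in the thread.
! Assumptions: Catalyst 3550, host MAC 0000.2222.3333 / IP 192.168.20.5
! on Fa0/10, VLAN 20, SVI address 192.168.20.1 (VLAN and SVI address are
! assumed, not taken from the thread).

! --- Layer 2 control: port security, exactly one secure MAC, restrict ---
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.2222.3333
 ! "restrict" drops frames from any other source MAC and increments the
 ! violation counter; "shutdown" would err-disable the port instead.
 ! Note the full keyword path: "switchport violation shutdown" (as typed in
 ! the original post) is not a valid command.
 switchport port-security violation restrict
!
! --- Layer 2 MAC ACL (the "mac access-group" idea from the thread) ---
mac access-list extended ONLY-HOST
 permit host 0000.2222.3333 any
 deny any any
!
interface FastEthernet0/10
 mac access-group ONLY-HOST in
!
! --- Layer 3 variant: only matters for traffic the switch routes via the
! SVI. Disabling ARP on the SVI and pinning the binding means every other
! host on VLAN 20 also needs its own static arp entry, as noted above.
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 no arp arpa
!
arp 192.168.20.5 0000.2222.3333 arpa
!
! --- Verification ---
! show port-security interface FastEthernet0/10
! show port-security address
! show mac access-group interface FastEthernet0/10
! show arp
```

Two caveats when reading the block: on the 3550 a MAC ACL applied to a Layer 2 port matches non-IP traffic only, so the ACL on its own does not stop IP frames from a second MAC; port security is the control that enforces the one-MAC rule, and the ACL is at best a complement. And neither port security nor the MAC ACL inspects the IP address, which is the point Glenn makes below: once the MAC is pinned, changing the host's IP is not something the Layer 2 port can notice.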
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Glenn Johnson
Sent: Friday, August 01, 2003 3:24 PM
To: ccie2002@tampabay.rr.com; 'Oliver Ziltener'
Cc: 'Amer Mdanat (amdanat)'; 'g.duncanson'; ccielab@groupstudy.com
Subject: RE: AW: ARP Question?
So given the various issues, is the end result here roughly where we
started -- with just using port-security and a mac address and not worrying
about the IP address? [if the requirement is to limit host X with mac x.y.z
to port X]
If the scenario involved a purely L2 environment -- wouldn't a mac
access-group statement on the interface (with a linked mac list blocking all
input but from the one mac address in question) provide functionally similar
results?
-----Original Message-----
From: ccie2002@tampabay.rr.com [mailto:ccie2002@tampabay.rr.com]
Sent: Friday, August 01, 2003 3:00 PM
To: Oliver Ziltener
Cc: Amer Mdanat (amdanat); g.duncanson; Glenn Johnson;
ccielab@groupstudy.com
Subject: Re: AW: ARP Question?
Well, this would work in the following case:
IF there was a layer 3 VLAN configured on the switch
AND the host you were trying to block was also on this VLAN
AND you did "no arp arpa" on the VLAN interface
AND had a static ARP entry for this address.
But if the host is on VLAN x and it was trying to go to another
host on VLAN x, and VLAN x was only a layer 2 VLAN, then ARP would
not come into play. The MAC address would be learned at layer 2
and forwarded to the other host on the same VLAN regardless of IP address.
And if this was the case then an ACL would do no good either.
----- Original Message -----
From: Oliver Ziltener <ziltener@netcloud.ch>
Date: Friday, August 1, 2003 1:58 pm
Subject: AW: ARP Question?
> Did you try "no arp arpa" on the interface?
>
> Oliver
>
> -----Original Message-----
> From: Amer Mdanat (amdanat) [amdanat@cisco.com]
> Sent: Thursday, 31 July 2003 18:03
> To: g.duncanson; Glenn Johnson; ccielab@groupstudy.com
> Subject: RE: ARP Question?
>
>
> So guys, what if you only want to allow the host with MAC
> [1111.2222.3333] which must also have IP address [1.1.1.1]?
> I guess the only way would be to use port security based on MAC
> address to make sure that the port is only up when this MAC is
> connected, and also apply an ACL to only forward packets to and from
> 1.1.1.1? What do you think? Any better way of doing this?
>
> Amer
>
>
> -----Original Message-----
> From: g.duncanson [g.duncanson@pindar.com]
> Sent: 30 July 2003 13:57
> To: Glenn Johnson; ccielab@groupstudy.com
> Subject: Re: ARP Question?
>
>
> Just to agree with Glenn, I found this on the web:
>
> http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f37c.html#xtocid14
>
> This example shows how to configure a secure MAC address on Fast
> Ethernet port 12 and verify the configuration.
>
> Switch# configure terminal
> Enter configuration commands, one per line. End with CNTL/Z.
> Switch(config)# interface fastethernet0/12
> Switch(config-if)# switchport mode access
> Switch(config-if)# switchport port-security
> Switch(config-if)# switchport port-security mac-address 1000.2000.3000
> Switch(config-if)# end
>
> Switch# show port-security address
>
> Secure Mac Address Table
> ------------------------------------------------------------
>
> Vlan    Mac Address       Type               Ports
> ----    -----------       ----               -----
> 1       1000.2000.3000    SecureConfigured   Fa0/12
>
> On 7/30/03 6:50 AM, Glenn Johnson <gjcomcast@comcast.net> wrote:
> >From what I can understand of your question, you want to:
> >
> > 1) Have one (and only one) host use FA0/10.
> > 2) That host's MAC is 0000.2222.3333.
> > 3) [I assume that you meant] No one else can use FA0/10.
> >
> > I would set this up with a MAC address as you did below and not worry
> >about the IP address issue. I think it's a distractor if your only
> >goal is to limit access to one physical port to one physical MAC
> >address/host.
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [nobody@groupstudy.com] On Behalf Of Poor Ghost
> >Sent: Wednesday, July 30, 2003 1:25 AM
> >To: ccielab@groupstudy.com
> >Subject: ARP Question?
> >
> >
> >Hi, all.
> >
> >A host is connected to port Fa 0/10 of a Catalyst 3550; the IP address
> >of the host is 192.168.20.5. Only permit one host, with MAC address
> >0000.2222.3333, to use this port. Anyone else can use this port (Fa 0/10).
> >
> >I configured the 3550 switch as follows:
> >
> >int f 0/10
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 0000.2222.3333
> > switchport port-security violation shutdown
> >!
> >arp 192.168.20.5 0000.2222.3333 arpa fa0/10
> >
> >But it did not work.
> >I changed the IP address to 192.168.20.11, but I can still use port
> >Fa0/10.
> >Please help me!
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:51 GMT-3