RE: AW: ARP Question?

From: Amer Mdanat (amdanat) (amdanat@cisco.com)
Date: Sat Aug 02 2003 - 14:24:21 GMT-3


Guys, this is very cool input.. However, please remember that you want to
limit host X that has MAC 1111.1111.1111 and IP address 1.1.1.1 to
access.. If the same host (with the same MAC) changes the IP address it
should not be able to communicate..

I have tried many things and gave it serious thought.. The only thing
that worked for me is port security AND an ACL..

just my 2 cents..

Amer
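A worked version of the port-security-plus-ACL combination described above, as an added example that is not part of any message in this thread. It assumes a Catalyst 3550, whose port ACLs (`ip access-group ... in` on a Layer 2 port) filter inbound IP packets at the physical port, so the filter applies even to traffic bridged within the same VLAN; the interface number and the access-list name are assumed.

```cisco
! Added example (not from any poster): admit only MAC 1111.1111.1111 on the
! port (port security) and only IP source 1.1.1.1 from that port (port ACL).
! Assumes a Catalyst 3550; interface and list name are chosen for illustration.
!
ip access-list extended HOST-1-1-1-1-ONLY
 remark only the expected source address may enter this port
 permit ip host 1.1.1.1 any
 deny   ip any any
!
interface FastEthernet0/10
 switchport mode access
 ! port security pins the port to a single, statically configured MAC
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 1111.1111.1111
 switchport port-security violation shutdown
 ! port ACL drops IP packets from any other source address at ingress,
 ! including traffic destined to hosts in the same VLAN
 ip access-group HOST-1-1-1-1-ONLY in
!
! Verification (privileged EXEC):
! show port-security interface FastEthernet0/10
! show port-security address
! show ip access-lists HOST-1-1-1-1-ONLY
```

The ACL matches IP only: a host that keeps the MAC but moves to another address still gets link and can ARP, but its IP traffic is dropped on ingress, while the MAC check is enforced independently by port security.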

 -----Original Message-----
From: ccie2002@tampabay.rr.com [mailto:ccie2002@tampabay.rr.com]
Sent: 01 August 2003 23:00
To: Oliver Ziltener
Cc: Amer Mdanat (amdanat); g.duncanson; Glenn Johnson;
ccielab@groupstudy.com
Subject: Re: AW: ARP Question?

Well this would work in the following.

IF there was a layer 3 VLAN configured on the switch
AND the host you were trying to block was also on this VLAN
AND you did no arp arpa on the VLAN interface
AND had a static arp entry for this address.

But if the host is on VLAN x and it was trying to go to another
host on VLANx and VLAN x was only a layer 2 VLAN then arp would
not come into play. The mac address would be learned at layer 2
and forwarded to other host on the same VLAN regardless of IP Address.

And if this was the case then an ACL would do no good either.

----- Original Message -----
From: Oliver Ziltener <ziltener@netcloud.ch>
Date: Friday, August 1, 2003 1:58 pm
Subject: AW: ARP Question?

> Did you try "no arp arpa" on the interface?
>
> Oliver
>
> -----Original Message-----
> From: Amer Mdanat (amdanat) [amdanat@cisco.com]
> Sent: Thursday, 31 July 2003 18:03
> To: g.duncanson; Glenn Johnson; ccielab@groupstudy.com
> Subject: RE: ARP Question?
>
>
> So guys what if you only want to allow the host with MAC
> [1111.2222.3333] which must also have IP address [1.1.1.1]
> I guess the only way would be to use port security based on MAC
> address to make sure that the port is only up when this MAC is
> connected and also apply an ACL to only forward packets to and from
> 1.1.1.1? What do you think? Any better way of doing this?
>
> Amer
>
>
> -----Original Message-----
> From: g.duncanson [g.duncanson@pindar.com]
> Sent: 30 July 2003 13:57
> To: Glenn Johnson; ccielab@groupstudy.com
> Subject: Re: ARP Question?
>
>
> Just to agree with Glenn, I found this on the web..
>
>
> http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f37c.html#xtocid14
>
> This example shows how to configure a secure MAC address on Fast
> Ethernet port 12 and verify the configuration.
>
> Switch# configure terminal
> Enter configuration commands, one per line. End with CNTL/Z.
> Switch(config)# interface fastethernet0/12
> Switch(config-if)# switchport mode access
> Switch(config-if)# switchport port-security
> Switch(config-if)# switchport port-security mac-address 1000.2000.3000
> Switch(config-if)# end
>
> Switch# show port-security address
>
> Secure Mac Address Table
> ------------------------------------------------------------
> Vlan    Mac Address       Type               Ports
> ----    -----------       ----               -----
> 1       1000.2000.3000    SecureConfigured   Fa0/12
>
> On 7/30/03 6:50 AM, Glenn Johnson <gjcomcast@comcast.net> wrote:
> >From what I can understand of your question, you want to:
> >
> > 1) Have one (and only one) host use FA0/10.
> > 2) That host's MAC is 0000.2222.3333.
> > 3) [I assume that you meant] No one else can use FA0/10.
> >
> >I would set this up with a MAC address as you did below and not
> >worry about the IP address issue. I think it's a distractor if your
> >only goal is to limit access to one physical port to one physical
> >MAC address/host.
> >
> >-----Original Message-----
> >From: nobody@groupstudy.com [nobody@groupstudy.com] On Behalf Of Poor Ghost
> >Sent: Wednesday, July 30, 2003 1:25 AM
> >To: ccielab@groupstudy.com
> >Subject: ARP Question?
> >
> >
> >Hi, all.
> >
> >A host is connected to the port Fa 0/10 of a Catalyst 3550; the IP
> >address of the host is 192.168.20.5. Only permit one host to use this
> >port, the one with MAC address 0000.2222.3333. Anyone else can use this
> >port (Fa 0/10).
> >
> >I configured the 3550 switch as follows:
> >
> >int f 0/10
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 0000.2222.3333
> > switchport port-security violation shutdown
> >!
> >arp 192.168.20.5 0000.2222.3333 arpa fa0/10
> >
> >But, it did not work.
> >I changed the ip add to 192.168.20.11, but I still can use the port
> >Fa0/10.
> >Please help me!
> >
> >
> >
> >_______________________________________________________________________
> >You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:53:51 GMT-3