From: Mike Williams (ccie2be@swbell.net)
Date: Sun Aug 24 2003 - 23:14:00 GMT-3
Of course, you would have to assume that this switchport is configured
as "no switchport mode access" with an IP address AND that the IP
address on that port is the gateway for the PC (if it wasn't, the PC
wouldn't be able to get outside of its subnet) if you want to apply an
access-list to it. (That is, unless you're doing some IRB on that
interface, which opens a can of worms there.)
Jim, what is the configuration for the rest of that switchport? Is it
Layer 2 or Layer 3? (This next question shows my lack of concrete
knowledge, but...) Can you even apply switchport security on a port
that's been converted to L3 (via the 'no switchport mode access'
command), or would you need to use a MAC access-list? (i.e. if this port
is configured as an L3 port with an IP address, wouldn't you need to use
both a MAC access-list that permits only 0000.000d.1234.5678 AS WELL AS
an IP access-list that permits only 192.168.1.10!??!) I can't say 100%
for sure, but it seems to me you can choose to make the port L2 or L3.
So, if it's L3, you'd need to use a MAC access-list to restrict
access.....
I agree with Jon that since the task asks you to restrict the port
access to a single PC with <blah> MAC address, that MAC security should
suffice.
Mike W.
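For reference, here is a complete Layer 2 configuration for the task as it would be typed into a Catalyst 3550. It is an added illustration, not taken from any post in the thread; it assumes the port is fa0/1 and uses the MAC and IP from the task (the ACL name PC_ONLY and the description text are made up). The comments call out two 3550 behaviours worth knowing before the lab: port security is only accepted on a static access port (the default dynamic-desirable port gets "Command rejected"), and a MAC ACL applied to an L2 port filters only non-IP frames, so the PC's MAC is enforced by port security while its IP is enforced by an IP port ACL, which is inbound only on an L2 port.

```ios
! Catalyst 3550, Layer 2 access port: one PC, pinned by MAC and by IP.
! Added example; fa0/1, the MAC and the IP are the values from the task.
!
! Port ACL for the source IP. Only the named host may send IP traffic
! into the port. A port ACL on a 3550 L2 interface is inbound only.
ip access-list extended PC_ONLY
 permit ip host 192.168.1.10 any
!
interface FastEthernet0/1
 description single PC: port-security for the MAC, port ACL for the IP
 ! port security is rejected on a dynamic (DTP) port, so force access mode
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.000d.1234.5678
 ! shutdown (err-disable) is the default violation mode; restrict drops
 ! offending frames and counts them while the port stays up
 switchport port-security violation restrict
 ! IP port ACL; a mac access-group here would only see non-IP traffic
 ip access-group PC_ONLY in
!
! Verification from exec mode:
!   show port-security interface fastethernet0/1
!   show port-security address
!   show ip access-lists PC_ONLY
!   show running-config interface fastethernet0/1
```

Plugging a second host into the port (or spoofing a different MAC) trips port security; keeping the right MAC but a different IP is dropped by PC_ONLY. Both checks are needed because neither one covers the other.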
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jon Campbell
Sent: Sunday, August 24, 2003 9:04 AM
To: 'Jon Campbell'; 'James Stewart'; ccielab@groupstudy.com
Subject: RE: 3550 restict access
Of course, if the task is to "restrict access to port f0/1 to only a
single PC with a mac address
0000.000d.1234.5678 and an IP address of 192.168.1.10/24", you would
need the access-list. I'll stop obsessing now :-).
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Jon Campbell
Sent: Saturday, August 23, 2003 3:34 PM
To: 'James Stewart'; ccielab@groupstudy.com
Subject: RE: 3550 restict access
Why the need for the access-list?? The port-security will restrict the
port to the mac-address no matter what the IP address is.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
James Stewart
Sent: Wednesday, August 20, 2003 2:17 PM
To: ccielab@groupstudy.com
Subject: 3550 restict access
Hi all
I need to restrict access to port f0/1 to only a single PC with a MAC
address 0000.000d.1234.5678 which has an IP address of 192.168.1.10/24.
Is the way forward to use

  interface fastethernet0/1
   ! port security is only accepted on a static access port
   switchport mode access
   switchport port-security
   switchport port-security maximum 1
   switchport port-security mac-address 0000.000d.1234.5678

Then use an access list on the port

  access-list 1 permit host 192.168.1.10
  interface fastethernet0/1
   ! applied as an inbound port ACL; the keyword is "ip access-group"
   ip access-group 1 in

Or is there a better way?
Over to you
Thanks Jim
This archive was generated by hypermail 2.1.4 : Tue Sep 02 2003 - 18:54:06 GMT-3