RE: Repost: cat 3550 L3 Port security

From: Scott Morris (swm@emanon.com)
Date: Sat Feb 14 2004 - 16:32:49 GMT-3


Part of your difficulty with that is when does your switch use the ARP
table? It certainly isn't going to use it for normal switching (that's the
cam table, or mac-address table). So, the static ARP only works if
communication must go through an SVI port on the 3550 (where it is actually
looking at L3 stuff).

I think that was the entertaining part of the discussions when this came
about the last time.

In and of itself, I think there would be some context issues that we are
missing here. Port security does well for keeping a MAC address to a port,
but again doesn't touch IP.

I think we would need to see how the rest of the scenario was really laid
out to make the best decision about that. Perhaps a VACL is what we are
looking for here. That can use L3 and L2 information even during "switched"
transactions instead of just on routed packets.

But yes, watch your paths 'n' such. :) Look at the whole picture!

 
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, CISSP,
JNCIS, et al.
IPExpert CCIE Program Manager
IPExpert Sr. Technical Instructor
swm@emanon.com/smorris@ipexpert.net
http://www.ipexpert.net
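Added worked config (editor's illustration, not from any post in this thread) laying out the three mechanisms Scott contrasts above so the scope of each is visible. It assumes the port is FastEthernet0/1 in VLAN 10 with the 3550's SVI at 10.1.2.1, and reuses the host values from Marko's question (10.1.2.4 / aaaa.bbbb.cccc); the ACL and access-map names are made up.

```cisco
! Added illustration, not from any message in this thread. Interface,
! SVI address, ACL and access-map names are assumptions; the host values
! 10.1.2.4 / aaaa.bbbb.cccc come from Marko's question.
!
! 1) Port security: binds the MAC to the port. Layer 2 only; it says
!    nothing about which IP address the host sources.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address aaaa.bbbb.cccc
 switchport port-security violation shutdown
!
! 2) Static ARP: consulted only when the 3550 itself is the L3 hop, i.e.
!    traffic to or through the SVI. Host-to-host frames inside VLAN 10 are
!    forwarded from the MAC address table and never touch this entry, which
!    is why it does not stop a spoofed IP from reaching other VLAN 10 hosts.
interface Vlan10
 ip address 10.1.2.1 255.255.255.0
!
arp 10.1.2.4 aaaa.bbbb.cccc arpa
!
! 3) VLAN access map: applied to switched traffic in the VLAN, so the L3
!    header is checked even when the packet never reaches the SVI.
!    Caveats: (a) it is VLAN-wide, not per port, so every host in VLAN 10 is
!    subject to it; (b) on the 3550 MAC ACLs match non-IP frames only, so the
!    IP-to-MAC binding is port security (MAC on the port) plus the IP clause,
!    not a single combined match; (c) IP packets matching no clause are
!    dropped, while non-IP frames such as ARP have no clause of their type
!    and are forwarded; (d) it is still an ACL, which Marko's task forbids.
ip access-list extended ONLY-10-1-2-4
 permit ip host 10.1.2.4 any
 permit ip any host 10.1.2.4
!
vlan access-map ONLY-HOST 10
 match ip address ONLY-10-1-2-4
 action forward
!
vlan filter ONLY-HOST vlan-list 10
```

Verify the binding from both directions: `show port-security interface FastEthernet0/1` should list aaaa.bbbb.cccc as the secure address, `show arp` should show the 10.1.2.4 entry with no age (static), and `show vlan access-map` / `show vlan filter` confirm the map is applied to VLAN 10. Then test from the host with a second IP address: traffic to the SVI fails on the static ARP entry, traffic to another VLAN 10 host fails only because of the VLAN map, and a second MAC on the port errdisables it through port security.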
 

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Michael Snyder
Sent: Saturday, February 14, 2004 12:11 PM
To: ccielab@groupstudy.com
Cc: 'Mike Williams'; marko.berend@storm.hr
Subject: RE: Repost: cat 3550 L3 Port security

I remember that one.

I say a switchport port-security mac-address and a static arp entry.

The reason for the static arp is that if you had a different mac spoofing the ip
address, it would break the layer two return path, therefore securing the ip
to mac mapping.

I seem to remember a lot of people disagreeing. I still point out that
layer two has return paths, just like layer three.

-----Original Message-----
From: Mike Williams [mailto:ccie2be@swbell.net]
Sent: Saturday, February 14, 2004 9:59 AM
To: 'Marko Berend'; 'john addison'
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Check the archives for this list............. The last time this was
brought up, it caused a very lengthy and in-depth discussion with many
different ideas.

Mike W.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Marko Berend
Sent: Friday, February 13, 2004 3:18 AM
To: john addison
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Thanks John,

But what makes this complicated is that a specified ip address
(10.1.2.4) and mac (aaaa.bbbb.cccc) has to be permitted only.

-----Original Message-----
From: john addison [mailto:john_r_addison@hotmail.com]
Sent: 13 February 2004 10:11
To: Marko Berend
Subject: Re: Repost: cat 3550 L3 Port security

Use port security as follows...

int f0/x
switchport port-security mac-address <mac-address>
switchport port-security maximum 1

----- Original Message -----
From: "Marko Berend" <marko.berend@storm.hr>
To: <ccielab@groupstudy.com>
Sent: Friday, February 13, 2004 7:11 AM
Subject: Repost: cat 3550 L3 Port security

> Help please,
>
> Am I missing something so simple? Come on people, cat 3550, one Mac and
> one IP switchport restriction without using any ACLs (!?)
> I'm guessing this rules out vlan access-maps for L3 also...
>
> It's driving me mad :)
>
> Thanks
>
> -----Original Message-----
> From: Marko Berend
> Sent: 6 February 2004 11:47
> To: ccielab@groupstudy.com
> Subject: cat 3550 L3 Port security
>
>
> Hi group,
>
> The task is to restrict access on a port to a single specified mac
> address and a single spec IP address without using L2/L3 acls. I understand
> the L2 part with port security, but is it possible for L3?
>
> I tried specifying a static arp mapping on the cat3550 but this
> doesn't prevent this port talking to others in the L2 domain. Only when
> talking directly with the cat, this comes into play because the arp entry is
> static (when IP is different than in arp cache).
>
> Any ideas?
>
> Thanks,
> Marko
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3