RE: Repost: cat 3550 L3 Port security

From: Michael Snyder (msnyder@revolutioncomputer.com)
Date: Sat Feb 14 2004 - 16:55:20 GMT-3


I was assuming layer 3 functionality, but I agree that static arp doesn't
apply to a pure layer 2 switching path or even a layer 3 with a
common vlan.

-----Original Message-----
From: Rik Guyler [mailto:rik@guyler.net]
Sent: Saturday, February 14, 2004 1:45 PM
To: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Hmmm...while I have the same practice lab requirement with the same
solution, I disagree with the author. In the scenario I have (assuming
it's the same), the switch is only acting as a layer-2 device. It has a
management interface but in another VLAN than the port in question.

Let's take this out a little further.

For the sake of argument, let us assume the port for Host A on switch 1
is the port being discussed. Port-security for a single pre-defined MAC
address and a static ARP entry exist for Host A. The switch is a
layer-2 device only. Host B on switch 2 initiates a conversation for
Host A. Host B ARPs for the MAC address of A (assuming it's not in
cache) so switch B floods the ARP (again, assuming it's not in the MAC
table), which also floods through to switch 1, which most likely has an
entry in its mac-address table and forwards the ARP to the correct port.
A then responds back with the needed information. Nowhere in this
scenario does the static ARP entry on switch 1 ever get referenced.

Now let's assume that the Host A changes IP address. The MAC address
stays the same so port-security is still in effect. However, now the
static ARP entry doesn't match up with the actual set of addresses. In
this case, Host B will still talk to Host A without problems because as
far as switch 1 is concerned, the layer 2 information never changed.

ARP entries would only be useful if this particular switch was acting as
a layer 3 gateway and Host B was on another network. Then switch 1
would indeed have to interact with Host A via the ARP entry and in that
case, changing the IP address would break connectivity for Host A.

Rik
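
A small Python model of the scenario Rik walks through above, added here as an illustration and not part of this thread or of any Cisco code. It assumes constructed names (switch1 with ports Fa0/1, Fa0/2 and an uplink Fa0/24 towards switch 2, and Host B with MAC bbbb.bbbb.bbbb and IP 10.1.2.7) and reuses Marko's 10.1.2.4 / aaaa.bbbb.cccc for Host A. The pure layer-2 path checks only the source MAC against port-security and then forwards or floods by the MAC table, so the static ARP entry is never read, even when Host A changes its IP; only when the switch itself sends IP traffic (the layer-3 gateway case Rik, Michael and Marko describe) is the static entry consulted, and that is where the IP-to-MAC binding and the broken return path for a mismatched MAC actually come from.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Switch:
    """Toy model of one switch (constructed for illustration, not Cisco code)."""
    name: str
    ports: List[str]
    # port-security: port -> the single MAC allowed to source frames on it
    secure_mac: Dict[str, str] = field(default_factory=dict)
    # static ARP held by the switch's own IP stack: ip -> mac
    static_arp: Dict[str, str] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)   # learned mac -> port
    arp_lookups: int = 0
    violations: List[str] = field(default_factory=list)

    def l2_forward(self, in_port: str, frame: Frame) -> List[str]:
        """Pure layer-2 path. Returns the egress ports (empty list = dropped).
        Only MAC addresses are examined; static_arp is never touched here."""
        allowed = self.secure_mac.get(in_port)
        if allowed is not None and frame.src_mac != allowed:
            self.violations.append(f"{self.name} {in_port}: {frame.src_mac} not permitted")
            return []                                   # port-security violation
        self.mac_table[frame.src_mac] = in_port         # source-MAC learning
        out = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or out is None:   # broadcast / unknown unicast
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]

    def l3_next_hop_mac(self, dst_ip: str) -> Optional[str]:
        """Only when the switch itself originates or routes IP traffic does it
        resolve an IP to a MAC, and that is where the static entry is read."""
        self.arp_lookups += 1
        return self.static_arp.get(dst_ip)              # None: would need dynamic ARP


def build_switch1() -> Switch:
    # Host A sits on Fa0/1 with Marko's MAC and IP; Fa0/24 is the uplink to switch 2
    return Switch("switch1", ports=["Fa0/1", "Fa0/2", "Fa0/24"],
                  secure_mac={"Fa0/1": "aaaa.bbbb.cccc"},
                  static_arp={"10.1.2.4": "aaaa.bbbb.cccc"})


def host_b_reaches_host_a(host_a_ip: str) -> dict:
    """Host B (constructed: bbbb.bbbb.bbbb / 10.1.2.7, behind the uplink) ARPs for
    Host A and A replies. host_a_ip lets the 'A changed its IP' case be tried."""
    sw = build_switch1()
    arp_request = Frame("bbbb.bbbb.bbbb", BROADCAST, "10.1.2.7", host_a_ip)
    flooded_to = sw.l2_forward("Fa0/24", arp_request)
    arp_reply = Frame("aaaa.bbbb.cccc", "bbbb.bbbb.bbbb", host_a_ip, "10.1.2.7")
    reply_to = sw.l2_forward("Fa0/1", arp_reply)
    return {"flooded_to": flooded_to, "reply_to": reply_to,
            "arp_lookups": sw.arp_lookups, "violations": sw.violations}


def other_mac_on_secured_port() -> dict:
    """A host with a different MAC on Host A's port, even using A's IP: dropped by
    port-security before any layer-3 information is looked at."""
    sw = build_switch1()
    frame = Frame("dddd.dddd.dddd", BROADCAST, "10.1.2.4", "10.1.2.7")
    return {"egress": sw.l2_forward("Fa0/1", frame), "violations": len(sw.violations)}


def gateway_return_path(dst_ip: str) -> Optional[str]:
    """switch1 acting as the layer-3 gateway and replying to dst_ip: the static
    entry pins 10.1.2.4 to aaaa.bbbb.cccc, and any other IP has no entry."""
    return build_switch1().l3_next_hop_mac(dst_ip)


if __name__ == "__main__":
    print(host_b_reaches_host_a("10.1.2.4"))   # flooded, replied, arp_lookups 0
    print(host_b_reaches_host_a("10.1.2.9"))   # same result: L2 path ignores the IP change
    print(other_mac_on_secured_port())          # egress [], one violation
    print(gateway_return_path("10.1.2.4"), gateway_return_path("10.1.2.9"))
```

Running it shows arp_lookups staying at 0 for both the original and the changed IP, which is Rik's point, while the gateway case returns the pinned MAC for 10.1.2.4 and nothing for any other address, which is the binding Michael relies on and the "only when talking directly with the cat" behaviour Marko observed.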

-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Saturday, February 14, 2004 12:11 PM
To: ccielab@groupstudy.com
Cc: 'Mike Williams'; marko.berend@storm.hr
Subject: RE: Repost: cat 3550 L3 Port security

I remember that one.

I say a switchport port-security mac-address and a static arp entry.

The reason for static arp is that if you had a different mac spoofing
the ip address, it would break the layer two return path, therefore
securing the ip to mac mapping.

I seem to remember a lot of people disagreeing. I still point out that
layer two has return paths, just like layer three.

-----Original Message-----
From: Mike Williams [mailto:ccie2be@swbell.net]
Sent: Saturday, February 14, 2004 9:59 AM
To: 'Marko Berend'; 'john addison'
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Check the archives for this list... The last time this was
brought up, it caused a very lengthy and in-depth discussion with many
different ideas.

Mike W.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Marko Berend
Sent: Friday, February 13, 2004 3:18 AM
To: john addison
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Thanks John,

But what makes this complicated is that only a specified ip address
(10.1.2.4) and mac (aaaa.bbbb.cccc) have to be permitted.

-----Original Message-----
From: john addison [mailto:john_r_addison@hotmail.com]
Sent: 13 February 2004 10:11
To: Marko Berend
Subject: Re: Repost: cat 3550 L3 Port security

Use port security as follows...

int f0/x
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address <mac-address>

----- Original Message -----
From: "Marko Berend" <marko.berend@storm.hr>
To: <ccielab@groupstudy.com>
Sent: Friday, February 13, 2004 7:11 AM
Subject: Repost: cat 3550 L3 Port security

> Help please,
>
> Am I missing something so simple? Come on people, cat 3550, one MAC and
> one IP switchport restriction without using any ACLs (!?)
> I'm guessing this rules out vlan access-maps for L3 also...
>
> It's driving me mad :)
>
> Thanks
>
> -----Original Message-----
> From: Marko Berend
> Sent: 6 February 2004 11:47
> To: ccielab@groupstudy.com
> Subject: cat 3550 L3 Port security
>
>
> Hi group,
>
> The task is to restrict access on a port to a single specified MAC
> address and a single specified IP address without using L2/L3 ACLs. I
> understand the L2 part with port security, but is it possible for L3?
>
> I tried specifying a static ARP mapping on the cat3550, but this doesn't
> prevent this port talking to others in the L2 domain. Only when talking
> directly with the cat does this come into play, because the ARP entry is
> static (when the IP is different than in the ARP cache).
>
> Any ideas?
>
> Thanks,
> Marko
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3