From: Tim Fletcher (groupstudy@fletchmail.net)
Date: Sat Feb 14 2004 - 19:32:47 GMT-3
At 02:44 PM 2/14/04, Rik Guyler wrote:
<snip>
>ARP entries would only be useful if this particular switch was acting as
>a layer 3 gateway and Host B was on another network. Then switch 1
>would indeed have to interact with Host via the ARP entry and in that
>case, changing the IP address would break connectivity for Host A.
But this isn't even true, and here's why. Host B sends a packet through switch 1 to host A. It will use the static ARP entry. But now let's change the IP address of host A. When switch 1 has a packet to forward to host A, it will make an ARP request, enter the IP and MAC address in the ARP table and send the packet. You will now have two entries with different IP addresses, but the same MAC address, in the ARP cache (the ARP cache is a 1 to many relationship, not a 1 to 1).
Now I know some people will say you can solve this by turning off ARP. But turning off ARP only stops ARP requests. So let's say we have a static ARP entry and we've turned off ARP. This might stop host B from contacting host A initially, but what happens if host A tries to contact host B (or any other host not on the local network)? Host A will look at its routing table and determine that to get to host B, it needs to forward the packet to switch 1. So it will send an ARP request for switch 1, which switch 1 will answer (remember turning off ARP only turns off ARP requests, not replies). Host A will then forward the packet in an Ethernet frame to switch 1, which will create an ARP entry based on the source address in the received frame. Now host B can communicate freely with host A.
-Tim Fletcher
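A small Python model of the switch behaviour Tim argues above, added here and not part of the original thread: a port-security MAC filter plus a static ARP entry, and what the ARP cache looks like after the host behind the port changes its IP. The Switch and Frame classes, the simplified learning rule and the 10.1.2.99 / 10.1.3.1 / dead.beef.0001 addresses are constructed assumptions; only 10.1.2.4 and aaaa.bbbb.cccc come from the thread.

```python
# Constructed model of a switch with port security (one permitted MAC)
# and a static ARP entry. It is simplified: the ARP cache is keyed by IP,
# and a frame from an unknown IP simply adds a dynamic entry next to the
# static one, which is the 1-to-many relationship Tim describes.
from dataclasses import dataclass, field

HOST_A_MAC = "aaaa.bbbb.cccc"   # the one MAC the port is meant to permit
HOST_A_IP = "10.1.2.4"          # the one IP the port is meant to permit


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Switch:
    permitted_mac: str
    # ARP cache: IP -> (MAC, is_static); one MAC may appear under many IPs
    arp: dict = field(default_factory=dict)

    def add_static_arp(self, ip, mac):
        self.arp[ip] = (mac, True)

    def learn_from_frame(self, frame):
        # A static entry for an IP is left alone, but a frame from a new
        # source IP creates a second entry for the same MAC.
        if frame.src_ip not in self.arp:
            self.arp[frame.src_ip] = (frame.src_mac, False)

    def accept(self, frame):
        """Port security checks only the source MAC; ARP is then learned."""
        if frame.src_mac != self.permitted_mac:
            return False
        self.learn_from_frame(frame)
        return True

    def ips_for_mac(self, mac):
        return sorted(ip for ip, (m, _) in self.arp.items() if m == mac)


def simulate():
    sw = Switch(permitted_mac=HOST_A_MAC)
    sw.add_static_arp(HOST_A_IP, HOST_A_MAC)
    sw.accept(Frame(HOST_A_MAC, HOST_A_IP, "10.1.3.1"))           # normal traffic
    changed_ip = sw.accept(Frame(HOST_A_MAC, "10.1.2.99", "10.1.3.1"))  # same MAC, new IP
    other_mac = sw.accept(Frame("dead.beef.0001", HOST_A_IP, "10.1.3.1"))  # blocked by port security
    return changed_ip, other_mac, sw.ips_for_mac(HOST_A_MAC), sw.arp[HOST_A_IP]
```

Running simulate() shows the static entry for 10.1.2.4 untouched while a second, dynamic entry for 10.1.2.99 points at the same MAC, so neither mechanism enforces the IP half of the binding.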
>Rik
>
>-----Original Message-----
>From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
>Sent: Saturday, February 14, 2004 12:11 PM
>To: ccielab@groupstudy.com
>Cc: 'Mike Williams'; marko.berend@storm.hr
>Subject: RE: Repost: cat 3550 L3 Port security
>
>
>I remember that one.
>
>I say a switchport port-security mac-address and a static arp entry.
>
>The reason why static arp is that if you had a different mac spoofing
>the ip address, it would break the layer two return path therefore
>securing the ip to mac mapping.
>
>I seem to remember a lot of people disagreeing. I still point out that
>layer two has return paths, just like layer three.
>
>-----Original Message-----
>From: Mike Williams [mailto:ccie2be@swbell.net]
>Sent: Saturday, February 14, 2004 9:59 AM
>To: 'Marko Berend'; 'john addison'
>Cc: ccielab@groupstudy.com
>Subject: RE: Repost: cat 3550 L3 Port security
>
>Check the archives for this list............. The last time this was
>brought up, it caused a very lengthy and in-depth discussion with many
>different ideas.
>
>Mike W.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Marko Berend
>Sent: Friday, February 13, 2004 3:18 AM
>To: john addison
>Cc: ccielab@groupstudy.com
>Subject: RE: Repost: cat 3550 L3 Port security
>
>
>Thanks John,
>
>But what makes this complicated is that a specified ip address
>(10.1.2.4) and mac (aaaa.bbbb.cccc) has to be permitted only.
>
>
>-----Original Message-----
>From: john addison [mailto:john_r_addison@hotmail.com]
>Sent: 13 February 2004 10:11
>To: Marko Berend
>Subject: Re: Repost: cat 3550 L3 Port security
>
>
>Use port security as follows...
>
>int f0/x
>switchport port-security mac-address <mac-address>
>switchport port-security maximum 1
>
>----- Original Message -----
>From: "Marko Berend" <marko.berend@storm.hr>
>To: <ccielab@groupstudy.com>
>Sent: Friday, February 13, 2004 7:11 AM
>Subject: Repost: cat 3550 L3 Port security
>
>
>> Help please,
>>
>> Am I missing something so simple? Come on people, cat 3550, one Mac
>> and one IP switchport restriction without using any ACLs (!?)
>> I'm guessing this rules out vlan access-maps for L3 also...
>>
>> It's driving me mad :)
>>
>> Thanks
>>
>> -----Original Message-----
>> From: Marko Berend
>> Sent: 6 February 2004 11:47
>> To: ccielab@groupstudy.com
>> Subject: cat 3550 L3 Port security
>>
>>
>> Hi group,
>>
>> The task is to restrict access on a port to a single specified mac
>> address and a single spec IP address without using L2/L3 acls. I
>> understand the L2 part with port security, but is it possible for L3?
>>
>> I tried specifying a static arp mapping on the cat3550 but this
>> doesn't prevent this port talking to others in the L2 domain. Only
>> when talking directly with the cat, this comes into play because the
>> arp entry is static (when IP is different than in arp cache).
>>
>> Any ideas?
>>
>> Thanks,
>> Marko
>>
>> _______________________________________________________________________
>> Please help support GroupStudy by purchasing your study materials from:
>> http://shop.groupstudy.com
>>
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3