RE: Repost: cat 3550 L3 Port security

From: Mike Williams (ccie2be@swbell.net)
Date: Sun Feb 15 2004 - 00:01:45 GMT-3


Yeah........ I remember too......... I remember that port security was
the solution to L2, but even a static ARP entry on the Cat3550 would
only make it where that switch itself would only use the given MAC to
reach the specified IP. That wouldn't prevent that same MAC from using
another IP with other devices......

Mike W.
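To make the two positions in this thread concrete, here is a small added model (not code from any of the posters). It simulates only three things: port security on one port (a single permitted source MAC), plain L2 forwarding by destination MAC, and the switch's own ARP cache for its SVI with an optional static entry. Port names, the SVI addresses and the other hosts' MACs are made up; only aaaa.bbbb.cccc and 10.1.2.4 come from the thread. It shows that a static ARP entry does change the switch's own reply path when a different MAC on another port claims 10.1.2.4 (Michael's point), but does nothing when the permitted MAC on the secured port uses a different IP towards another host (Mike's point).

```python
"""Toy model of the Cat3550 port-security / static-ARP argument.

Added example, not part of the original posts.  It models exactly:
  - port security: a port only accepts frames whose source MAC matches
    the single MAC configured on it
  - L2 forwarding: the switch forwards by destination MAC and never
    reads the IP header
  - the SVI's ARP cache, with optional static entries
Ports, the SVI addresses and the non-permitted MACs are made up.
"""
from dataclasses import dataclass, field
from typing import Optional

SVI_IP = "10.1.2.1"                 # assumed
SVI_MAC = "0000.0c00.0001"          # assumed
PERMITTED_MAC = "aaaa.bbbb.cccc"    # from the thread
PERMITTED_IP = "10.1.2.4"           # from the thread


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Switch:
    port_security: dict                           # port -> permitted MAC (maximum 1)
    mac_table: dict                               # MAC -> port, learned hosts
    arp: dict = field(default_factory=dict)       # SVI ARP cache: IP -> MAC
    static_arp: set = field(default_factory=set)  # IPs pinned with a static entry

    def add_static_arp(self, ip: str, mac: str) -> None:
        self.arp[ip] = mac
        self.static_arp.add(ip)

    def ingress(self, port: str, frame: Frame) -> dict:
        """Process one frame arriving on `port`."""
        allowed = self.port_security.get(port)
        if allowed is not None and frame.src_mac != allowed:
            return {"result": "port-security violation", "delivered_to": None}
        if frame.dst_mac == SVI_MAC:
            return self._svi_reply(frame)
        # Plain L2 forwarding: the destination MAC decides, IP is never read.
        out_port = self.mac_table.get(frame.dst_mac)
        if out_port is None:
            return {"result": "flooded", "delivered_to": None}
        return {"result": "forwarded", "delivered_to": out_port}

    def _svi_reply(self, frame: Frame) -> dict:
        """The switch answers; its ARP cache picks the reply's MAC.

        Simplification: a dynamic entry is learned from the sender's claimed
        IP/MAC pair (as the preceding ARP exchange would), a static entry
        is never overwritten.
        """
        if frame.src_ip not in self.static_arp:
            self.arp[frame.src_ip] = frame.src_mac
        reply_mac = self.arp[frame.src_ip]
        return {"result": "svi-replied", "delivered_to": self.mac_table.get(reply_mac)}


def build_switch(static_arp: bool) -> Switch:
    sw = Switch(
        port_security={"Fa0/1": PERMITTED_MAC},
        mac_table={
            PERMITTED_MAC: "Fa0/1",      # the legitimate host
            "dddd.eeee.ffff": "Fa0/2",   # another host on an unsecured port
            "1111.2222.3333": "Fa0/3",   # host B, 10.1.2.5
        },
    )
    if static_arp:
        sw.add_static_arp(PERMITTED_IP, PERMITTED_MAC)
    return sw


def wrong_mac_on_secured_port() -> str:
    """A different MAC on Fa0/1: port security alone handles this."""
    sw = build_switch(static_arp=True)
    f = Frame("dddd.eeee.ffff", "1111.2222.3333", PERMITTED_IP, "10.1.2.5")
    return sw.ingress("Fa0/1", f)["result"]


def spoofed_ip_from_other_port(static_arp: bool) -> Optional[str]:
    """Fa0/2 claims 10.1.2.4 with its own MAC and talks to the SVI.
    Returns the port the switch's reply is delivered to."""
    sw = build_switch(static_arp)
    f = Frame("dddd.eeee.ffff", SVI_MAC, PERMITTED_IP, SVI_IP)
    return sw.ingress("Fa0/2", f)["delivered_to"]


def permitted_mac_other_ip_to_host() -> dict:
    """Fa0/1 uses the permitted MAC but another IP and talks to host B."""
    sw = build_switch(static_arp=True)
    f = Frame(PERMITTED_MAC, "1111.2222.3333", "10.1.2.99", "10.1.2.5")
    return sw.ingress("Fa0/1", f)


if __name__ == "__main__":
    print(wrong_mac_on_secured_port())                   # port-security violation
    print(spoofed_ip_from_other_port(static_arp=False))  # Fa0/2: spoofer gets the reply
    print(spoofed_ip_from_other_port(static_arp=True))   # Fa0/1: reply goes to the real host
    print(permitted_mac_other_ip_to_host())              # forwarded to Fa0/3
```

The last case is the one the original task asks about: the static entry only governs frames the switch itself sources, so a host that keeps the permitted MAC but changes its IP still reaches every other host in the VLAN through ordinary MAC-based forwarding.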

-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Saturday, February 14, 2004 11:11 AM
To: ccielab@groupstudy.com
Cc: 'Mike Williams'; marko.berend@storm.hr
Subject: RE: Repost: cat 3550 L3 Port security

I remember that one.

I say a switchport port-security mac-address and a static arp entry.

The reason why static arp is that if you had a different mac spoofing
the ip address, it would break the layer two return path therefore
securing the ip to mac mapping.

I seem to remember a lot of people disagreeing. I still point out that
layer two has return paths, just like layer three.

-----Original Message-----
From: Mike Williams [mailto:ccie2be@swbell.net]
Sent: Saturday, February 14, 2004 9:59 AM
To: 'Marko Berend'; 'john addison'
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Check the archives for this list............. The last time this was
brought up, it caused a very lengthy and in-depth discussion with many
different ideas.

Mike W.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Marko Berend
Sent: Friday, February 13, 2004 3:18 AM
To: john addison
Cc: ccielab@groupstudy.com
Subject: RE: Repost: cat 3550 L3 Port security

Thanks John,

But what makes this complicated is that a specified ip address
(10.1.2.4) and mac (aaaa.bbbb.cccc) has to be permitted only.

-----Original Message-----
From: john addison [mailto:john_r_addison@hotmail.com]
Sent: 13 February 2004 10:11
To: Marko Berend
Subject: Re: Repost: cat 3550 L3 Port security

Use port security as follows...

int f0/x
switchport port-security mac-address <mac-address>
switchport port-security maximum 1

----- Original Message -----
From: "Marko Berend" <marko.berend@storm.hr>
To: <ccielab@groupstudy.com>
Sent: Friday, February 13, 2004 7:11 AM
Subject: Repost: cat 3550 L3 Port security

> Help please,
>
> Am I missing something so simple? Come on people, cat 3550, one MAC
> and one IP switchport restriction without using any ACLs (!?)
> I'm guessing this rules out vlan access-maps for L3 also...
>
> It's driving me mad :)
>
> Thanks
>
> -----Original Message-----
> From: Marko Berend
> Sent: 6 February 2004 11:47
> To: ccielab@groupstudy.com
> Subject: cat 3550 L3 Port security
>
>
> Hi group,
>
> The task is to restrict access on a port to a single specified MAC
> address and a single specified IP address without using L2/L3 ACLs. I
> understand the L2 part with port security, but is it possible for L3?
>
> I tried specifying a static ARP mapping on the cat3550 but this
> doesn't prevent this port talking to others in the L2 domain. Only when
> talking directly with the cat does this come into play, because the ARP
> entry is static (when the IP is different from the one in the ARP cache).
>
> Any ideas?
>
> Thanks,
> Marko
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3