From: Mihai Petcu (mpetcu2004@yahoo.com)
Date: Sun Apr 17 2005 - 12:31:55 GMT-3
Mani,
Yes, you can apply an access-list (with access-group command) on a Layer 2 access port on 3550.
According to 3550 documentation, you can apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not also applied to the input of a Layer 3 interface (an error message is generated upon attempts to do so).
For Layer 2 interfaces the IOS ACL is supported on the physical interfaces only and not on EtherChannel interfaces. It can be applied on the inbound direction only.
HTH,
Mihai
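Putting the two pieces of this thread together: port security pins the MAC address, and an inbound IP ACL on the same Layer 2 access port restricts the IP address. The configuration below is an added example, not the thread's own config or the workbook answer; it assumes Cat1 is a 3550 and uses the values from the lab (fa0/13, VLAN 100, 200.100.100.13, 0001.1313.1313). As the post above notes, the ACL goes on the physical port in the inbound direction only, and it cannot coexist with an IOS ACL applied inbound on a Layer 3 interface.

```ios
! Cat1 (3550) -- added example combining port security and a Layer 2 IP ACL
! Define the ACL first; only R13's address is permitted, everything else hits the implicit deny
ip access-list extended BLOCK
 permit ip host 200.100.100.13 any
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 100
 ! Port security: one sticky-free static MAC, default violation action is shutdown (err-disable)
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0001.1313.1313
 switchport port-security violation shutdown
 ! Layer 2 IP ACL, inbound only on a physical (non-EtherChannel) port
 ip access-group BLOCK in
!
! Verification
show port-security interface fastethernet0/13
show ip access-lists BLOCK
```

Note the difference in behaviour: a MAC mismatch triggers the port-security violation action and err-disables the port, whereas a packet from a different IP address is simply dropped by the ACL and counted against the implicit deny, so the port stays up. That is why changing only the IP address on R13 never shuts the port down.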
mani poopal <mani_ccie@yahoo.com> wrote:
So guys,
If the question asks to allow only IP 200.100.100.13 with a MAC address 0001.1313.1313, what is the right solution?
1. port security + static arp in the switch or
2. port security + access-list/access-group on port fa 0/13 of switch
PS: Can we apply an access-group (IP based) for an access port of a switch?
thanks
MANI
Mihai Petcu wrote:
Lanny,
Try using these commands in order to block other IP addresses on port fa0/13 :
interface fa0/13
ip access-group BLOCK in
ip access-list extended BLOCK
permit ip host 200.100.100.13 any
Don't forget about the implicit "deny any any" at the end of access-list BLOCK.
HTH,
Mihai
Lanny Ballard wrote:
Hey guys,
I'm doing Lab 20 in the ccbootcamp lab workbook, and I have a question
I have the statement "Configure Port Security on Cat1 so that R13 using the
IP address of 200.100.100.13 and the Mac Address of 0001.1313.1313 is the
only device allowed on the switchport"
so I have on the catalyst:
int fa0/13
switchport mode access
switchport access vlan 100
switchport port-security
switchport port-security mac-address 0001.1313.1313
!
arp 200.100.100.13 0001.1313.1313 fa0/13
and on R13
int fa0/0
ip add 200.100.100.13
mac-address 0001.1313.1313
Ok, so here's the deal. When I change the mac-address, the port shuts down
like it should; however, when I change the ip address on the router, the
port does not shut down. Can someone tell me what I'm missing here?
The sad part is I even checked the answers, and it looks like I have it
right, but I can't figure out what's missing.
TIA
Lanny
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:59 GMT-3