From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Thu Aug 03 2006 - 10:15:43 ART
Static ARP entries do not provide security; they simply provide
an optimization of the ARP table. Test this out and you'll see that you
can still have duplicate ARP entries on that single link. To get this
to work you would also have to filter out IP ARP (Ethertype 0x806) so
that only static ARP entries could be used for resolution. This also
assumes the link connecting to the device is a routed port and not a
switchport; however, port-security is a function of a "switchport". This
means that if the interface is running in native layer 3 mode you cannot
run port-security.
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Alex De Gruiter (AU)
> Sent: Thursday, August 03, 2006 4:01 AM
> To: Patricia Loreal
> Cc: ccielab@groupstudy.com; Ivan
> Subject: RE: Port Secure w/ IP Address.
>
> Patri,
>
> You'd still need to setup port security to prevent other people from
> connecting to the port. Configuring a static ARP entry completes 1 part
> of the question, to create a 1-to-1 correlation with the IP and MAC
> address, but it is only really relevant if the switch is performing L3
> functions, as Ivan mentions - and even then, it doesn't really stop
> anyone else connected to that switch from gaining network connectivity
> (if you have a shared medium, such as a hub)
>
> I think the full configuration would be:
>
> arp 1.2.3.4 1111.1111.1111 arpa Fa0/23
> interface fa0/23
> ! port-security is only accepted on a static access port, not a dynamic one
> switchport mode access
> switchport port-security
> switchport port-security maximum 1
> switchport port-security violation restrict
> switchport port-security mac-address 1111.1111.1111
>
> Note I'm assuming that the port is setup in static access mode and not
> as a routed port, mind you... If it's a routed port then I don't think
> there's any way except for applying an ACL.
>
> Regards,
>
> Alex
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ivan
> Sent: Thursday, 3 August 2006 5:52 PM
> To: ccielab@groupstudy.com; Patricia Loreal
> Subject: Re: Port Secure w/ IP Address.
>
> arp 1.2.3.4 1111.1111.1111 arpa Fa0/23
>
> This switch must execute L3 functions for network 1.2.3.4/XX; otherwise
> it is useless.
>
> > Hello Dears,
> >
> > The task indicates that MAC address 1111.1111.1111 and IP address
> > 1.2.3.4 should be allowed on the switch Fa0/23 and that no one else can
> > make use of this port, and also that access lists are not allowed.
> >
> > Please how can I configure this?
> >
> > Thanks & Kindest Regards
> > Patri.
> >
> >
>
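The configuration the thread converges on, written out in full as an added example (it is not the configuration of any poster above): port-security on a static access port does the enforcement, and the static ARP entry only matters because the switch also routes for the host's subnet through an SVI. VLAN 10, the SVI address 1.2.3.1 and the subnet mask are assumptions; the thread gives only 1.2.3.4/XX, so the mask is left as a placeholder.

```cisco
! Added example for a Catalyst switch. VLAN 10, the SVI address 1.2.3.1 and
! <subnet-mask> are assumptions not given in the thread.

! 1. Static ARP entry. This is an ARP-table optimization, not an access
!    control: it stops nobody from sending on the link on its own, and it is
!    only meaningful if this switch performs L3 for the host's subnet.
arp 1.2.3.4 1111.1111.1111 arpa

! 2. The L3 function for that subnet, here an SVI for the host VLAN.
interface Vlan10
 ip address 1.2.3.1 <subnet-mask>
 no shutdown

! 3. The enforcement: port-security. It is a switchport feature, so the port
!    must be a static access port. It is rejected on a dynamic (DTP) port
!    and is unavailable on a routed port ("no switchport").
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 1111.1111.1111
 no shutdown

! 4. Verification (show commands, run from privileged EXEC):
!    show port-security interface FastEthernet0/23
!      Port Status: Secure-up, Violation Mode: Restrict, Maximum MAC Addresses: 1
!    show port-security address
!      1111.1111.1111 listed as SecureConfigured on Fa0/23
!    show ip arp 1.2.3.4
!      the entry shows an age of "-" (static)
! When a second source MAC appears on Fa0/23, "restrict" drops those frames,
! logs a violation and increments Security Violation Count; the port stays
! up. "shutdown" would instead put the port into err-disabled.
```

The `arp` command is given without an interface argument so that it resolves against the SVI's subnet; the thread's form with a trailing `Fa0/23` is the router-style syntax. On a routed port, port-security cannot be applied at all, which leaves only the options the thread rules out for this task (an ACL, or filtering Ethertype 0x806).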
This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:55 ART