RE: Port Secure w/ IP Address.

From: Alex De Gruiter (AU) (Alex.deGruiter@didata.com.au)
Date: Thu Aug 03 2006 - 19:22:21 ART


Ok, I see what you mean about the static ARP. I lab'd it up and you are
indeed correct - creating a static ARP entry does nothing in terms of
preventing another user from misrepresenting themselves on the network.
Therefore I think we are back at the beginning of the carousel.

Patri asked whether we can do this without an ACL - the explanation you
have provided filters out IP ARP, however I would suggest this is done
through the application of a MAC ACL or a VLAN access map. Granted the
ACL is at Layer 2, however I still think that it defies the
requirements.

Does anyone have a solution to this problem that would not use an access
list?

Brian, I don't understand the reference about routed ports and switched
ports. I guess I am assuming that the switch is performing layer 3
functions for the SVI. If that was the case then surely this scenario
would be appropriate (including your suggestion to filter 0x806
Ethertype packets). However I still can't see how Patri's original
requirements can be met without applying an access list.

-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Thursday, 3 August 2006 11:16 PM
To: Alex De Gruiter (AU); Patricia Loreal
Cc: ccielab@groupstudy.com; Ivan
Subject: RE: Port Secure w/ IP Address.

        Static ARP entries do not provide security, they simply provide
an optimization of the ARP table. Test this out and you'll see that you
can still have duplicate ARP entries on that single link. To get this
to work you would also have to filter out IP ARP (Ethertype 0x806) so
that only static ARP entries could be used for resolution. This also
assumes the link connecting to the device is a routed port and not a
switchport, however port-security is a function of a "switchport". This
means that if the interface is running in native layer 3 mode you cannot
run port-security.

HTH,

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com

Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
24/7 Support: http://forum.internetworkexpert.com
Live Chat: http://www.internetworkexpert.com/chat/

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Alex De Gruiter (AU)
> Sent: Thursday, August 03, 2006 4:01 AM
> To: Patricia Loreal
> Cc: ccielab@groupstudy.com; Ivan
> Subject: RE: Port Secure w/ IP Address.
>
> Patri,
>
> You'd still need to setup port security to prevent other people from
> connecting to the port. Configuring a static ARP entry completes 1 part
> of the question, to create a 1-to-1 correlation with the IP and MAC
> address, but it is only really relevant if the switch is performing L3
> functions, as Ivan mentions - and even then, it doesn't really stop
> anyone else connected to that switch from gaining network connectivity
> (if you have a shared medium, such as a hub)
>
> I think the full configuration would be:
>
> arp 1.2.3.4 1111.1111.1111 arpa Fa0/23
> interface fa0/23
> switchport port-security
> switchport port-security maximum 1
> switchport port-security violation restrict
> switchport port-security mac-address 1111.1111.1111
>
> Note I'm assuming that the port is setup in static access mode and not
> as a routed port, mind you... If it's a routed port then I don't think
> there's any way except for applying an ACL.
>
> Regards,
>
> Alex
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Ivan
> Sent: Thursday, 3 August 2006 5:52 PM
> To: ccielab@groupstudy.com; Patricia Loreal
> Subject: Re: Port Secure w/ IP Address.
>
> arp 1.2.3.4 1111.1111.1111 arpa Fa0/23
>
> This switch must execute L3 functions for network 1.2.3.4/XX otherwise
> it is useless.
>
> > Hello Dears,
> >
> > The task indicates that MAC address 1111.1111.1111 and IP address
> > 1.2.3.4 should be allowed on the switch Fa0/23 and that no one else can
> > make use of this port, and also that access lists are not allowed.
> >
> > Please how can I configure this?
> >
> > Thanks & Kindest Regards
> > Patri.
> >
> >
>
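The thread's conclusion, put into one configuration: port security pins the MAC to Fa0/23, the static ARP entry is only a resolution optimisation (Brian's point, confirmed by Alex's lab), and stopping another host from answering ARP for 1.2.3.4 needs ARP (Ethertype 0x806) filtered, which on a Catalyst means a MAC ACL in a VLAN access map, i.e. an access list. This is an added example and not a configuration posted in the thread; VLAN 10, the SVI address 1.2.3.1/24 and the names ARP-FROM-BOUND-HOST, ANY-ARP and ARP-GUARD are assumptions, and the syntax is Catalyst 3560-style IOS, which should be checked against the platform in use.

```cisco
! Added example (not from the thread). Catalyst 3560-style syntax assumed;
! VLAN 10, SVI address 1.2.3.1/24 and the ACL/map names are assumptions.
! IP 1.2.3.4, MAC 1111.1111.1111 and Fa0/23 come from the original task.
!
! 1. Port security: only MAC 1111.1111.1111 may source frames on Fa0/23.
!    Requires the port to be a switchport (access mode), not a routed port.
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 1111.1111.1111
!
! 2. Static ARP on the switch's L3 side. This is only an ARP-table
!    optimisation: it does not stop another host in VLAN 10 from
!    answering ARP requests for 1.2.3.4 with its own MAC.
interface Vlan10
 ip address 1.2.3.1 255.255.255.0
!
arp 1.2.3.4 1111.1111.1111 arpa
!
! 3. The missing piece: only the bound MAC may send ARP (0x806) in VLAN 10.
!    MAC ACL entries are 'permit' because the access map decides the action.
mac access-list extended ARP-FROM-BOUND-HOST
 permit host 1111.1111.1111 any 0x806 0x0
!
mac access-list extended ANY-ARP
 permit any any 0x806 0x0
!
vlan access-map ARP-GUARD 10
 match mac address ARP-FROM-BOUND-HOST
 action forward
vlan access-map ARP-GUARD 20
 match mac address ANY-ARP
 action drop
vlan access-map ARP-GUARD 30
 action forward
!
vlan filter ARP-GUARD vlan-list 10
```

Verification after applying it: `show port-security interface FastEthernet0/23` should list the single secure MAC, `show arp` should show the entry for 1.2.3.4 as static, and a second host in VLAN 10 sending ARP replies for 1.2.3.4 should be dropped by sequence 20 of the access map (visible in `show vlan access-map` counters where the platform supports them). The access map is the only part that actually prevents the spoofing, which is why the thread ends at "not possible without an access list".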



This archive was generated by hypermail 2.1.4 : Fri Sep 01 2006 - 15:41:56 ART