Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

From: Serhat Uslay <serhat.uslay_at_....>
Date: Thu Nov 09 2006 - 05:42:06 EET

I couldn't understand what you want to do with the MAC address on the firewall; it may not be good practice. Could you elaborate a bit?
Depending on the IOS version on the 4006, you can use a DHCP server. There is more information here:
http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html#wp1001108
Then you can enable DHCP snooping on the 29XX series. The 4006 DHCP server supports the following:

• DHCP snooping
• DHCP Option 82
• DHCP Option 82 insertion
• DHCP Option 82 Pass Through

Or you can provide per-port MAC address security on the 29xx series. I'm sending an example below.

interface FastEthernet0/2
 description Connects to PCIDxxxx
 ! allow only one MAC on this port; shut the port down on a violation
 port security max-mac-count 1
 port security action shutdown
 port security aging time 2
 spanning-tree portfast
!
! pin the known MAC to this port in VLAN 1
mac-address-table secure xxxx.xxxx.xxxx FastEthernet0/2 vlan 1

Serhat
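Serhat's two suggestions (DHCP snooping and per-port MAC security) can be combined into a per-port IP-to-MAC binding on the access switch, which is where the user MACs are still visible; the following is an added example, not Serhat's config or the poster's, written in current IOS syntax (switchport port-security, DHCP snooping, IP Source Guard with a static ip source binding). It assumes an IOS release that supports these features; the 2950's 12.1(13)EA1 shown in the thread is older, so the commands must be checked against that release's configuration guide, and the MAC, VLAN, IP and interface values are constructed placeholders.

```cisco
! Global: build the DHCP snooping binding table on the access switch
! (constructed example values; VLAN 2 stands for one of the user VLANs)
ip dhcp snooping
ip dhcp snooping vlan 2
!
! Uplink toward the 4006 (where the DHCP server would run): DHCP replies
! arrive on this port, so it must be trusted
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
! User port: exactly one known MAC, shut down on violation, and only the
! bound IP/MAC pair may source traffic (IP Source Guard)
interface FastEthernet0/2
 description Connects to PCIDxxxx
 switchport mode access
 switchport access vlan 2
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0000.1111.2222
 ip verify source port-security
 spanning-tree portfast
!
! Static-IP host with no DHCP lease (the thread's situation): add its binding
! by hand so IP Source Guard has an entry to permit
ip source binding 0000.1111.2222 vlan 2 10.0.2.50 interface FastEthernet0/2
```

The resulting bindings and per-port filtering state can be reviewed with show ip source binding and show ip verify source.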

belgin sarper <belginsarper@yahoo.com> Sent by: cisco-ttl@yahoogroups.com
09/11/2006 05:45 AM
Please respond to
cisco-ttl@yahoogroups.com

To
cisco-ttl@yahoogroups.com
cc

Subject
[cisco-ttl] cisco 4006 switch- IP - MAC esleme

Hello,

There is a topology like the one below and a problem related to it. I would appreciate your help.

At the edges: Cisco 2950, 8 in total.
In the center: a Cisco Catalyst 4006 switch with L3 module. The switch has a total of 8 fiber ports and 32 Ethernet ports. The 2950s connect to the 4006 over fiber. They aggregate at the 4006 and exit to the firewall (connected to one of the fw's Ethernet ports), and via the firewall to the Cisco 7206 and the Internet.
VLANs are defined on the legs attached to each fiber port. Users on the network have been assigned static IPs. There is no domain structure. Our goal is to prevent users from changing their IPs. For this we want to do IP-MAC mapping on the firewall. However, since the switch operates at L3, all users' MACs reach the switch's fiber ingress but naturally do not pass through to the firewall side. First, can IP-MAC mapping be done on the 2950 or the 4006? Second, how can I pass the MACs through to the firewall? I would appreciate any help with this.

Thanks.

Required information:

Cisco 2950

Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FOC0733Z20G
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

Cisco 4006

Cisco Internetwork Operating System Software IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(7)W5(15d) RELEASE SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc

The firewall is on Port-channel 1.8.

Config on 4006

version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
!

ip subnet-zero
!
!
!

interface Port-channel1
 bandwidth 1000000
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 load-interval 30
 hold-queue 300 in
!

interface Port-channel1.1
 encapsulation dot1Q 1

 ip address xxxx 255.255.255.128 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.192 secondary
 ip address xxxx 255.255.255.192 secondary
 ip address xxxx 255.255.255.192

 no ip redirects
 no ip directed-broadcast
 ip accounting output-packets
 no ip mroute-cache
!

interface Port-channel1.2
 encapsulation dot1Q 2
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0

 ip access-group 182 in
 ip access-group 182 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.3
 encapsulation dot1Q 3
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0

 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.4
 encapsulation dot1Q 4
 ip address xxxx 255.255.255.0
 ip access-group 182 in
 ip access-group 182 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.5
 encapsulation dot1Q 5
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0

 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.6
 encapsulation dot1Q 6
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0
 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.7
 encapsulation dot1Q 7
 ip address xxxx 255.255.255.0
 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.8
 encapsulation dot1Q 8
 ip address xxxx 255.255.255.128 secondary
 ip address xxxx 255.255.255.192 secondary
 ip address xxxx 255.255.255.0 secondary
 ip address xxxx 255.255.255.0

 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.24
 encapsulation dot1Q 24
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.25
 encapsulation dot1Q 25
 ip address xxxx 255.255.255.0
 ip access-group 112 in
 ip access-group 112 out
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface Port-channel1.99
 encapsulation dot1Q 99 native
 no ip redirects
 no ip directed-broadcast
 no ip mroute-cache
!

interface FastEthernet1
 no ip address
 no ip directed-broadcast
!

interface GigabitEthernet1
 no ip address
 no ip directed-broadcast
 shutdown
!

interface GigabitEthernet2
 no ip address
 no ip directed-broadcast
 shutdown
!

interface GigabitEthernet3
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no negotiation auto
 channel-group 1
!

interface GigabitEthernet4
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 no negotiation auto
 channel-group 1
!

ip classless
ip route 0.0.0.0 0.0.0.0 xxxx
ip route xxxx 255.255.255.248 Port-channel1.24
ip route xxxx 255.255.255.255 Port-channel1.1
ip route xxxx 255.255.255.255 Port-channel1.1
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.128 Port-channel1.1
ip route xxxx 255.255.255.255 Port-channel1.8
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.2
ip route xxxx 255.255.255.255 Port-channel1.2
ip route xxxx 255.255.255.255 Port-channel1.2
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
ip route xxxx 255.255.255.255 Port-channel1.3
!
access-list 112 permit ip any any
access-list 112 permit tcp any any
access-list 112 permit udp any any
access-list 182 deny   tcp any any eq 445
access-list 182 deny   tcp any any eq 135
access-list 182 deny   tcp any any eq 137
access-list 182 deny   udp any any eq netbios-ns
access-list 182 permit ip any any
access-list 199 permit ip xxxx 0.0.0.255 any
arp 127.0.0.2 0002.fc2a.2800 ARP
!

end




--
Cisco Technical Discussion List (Cisco-ttl)





Received on Thu Nov 9 12:01:30 2006

This archive was generated by hypermail 2.1.8 : Thu Nov 09 2006 - 12:01:39 EET