Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

From: Serhat Erkan <serhaterkan_at_....>
Date: Fri Nov 10 2006 - 18:24:17 EET


If the firewall sits behind the routing switch, this is not possible. Besides, entering static ARP entries for the IP addresses of 1500 users does not look very sensible. Static assignments can be done from DHCP instead.

On 11/9/06, belgin sarper <belginsarper@yahoo.com> wrote:
>
> Hello Mr. Serhat,
>
> There are about 1500 users on the network. These users are given static IPs;
> everyone has their own IP. However, some people change their IPs. To prevent
> IP changes we want to do IP-MAC mapping. For example, if everyone's MAC
> address reaches the firewall, each MAC will be mapped to only one IP on the
> fw, once, so if that person changes their IP their internet connection will
> be cut. If we can do this on the 2950, that would be much better for us.
> Can we do what I described?
> Thanks...
>
> belgin
>
>
> Serhat Uslay <serhat.uslay@zurich.com.au <serhat.uslay%40zurich.com.au>>
> wrote:
>
> I could not understand what you want to do with the MAC address on the
> firewall; it may not be good practice. Could you elaborate a bit?
> Depending on the IOS version on the 4006 you can use the DHCP server.
> There is more information here.
>
> http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html#wp1001108
> Afterwards you can enable DHCP snooping on the 29XX series.
> The 4006 DHCP server supports the following.
>
> DHCP snooping
> DHCP Option 82
> DHCP Option 82 insertion
> DHCP Option 82 Pass Through
>
> Or you can provide port-based MAC address security on the 29xx series.
> I am sending an example below.
>
> interface FastEthernet0/2
> description Connects to PCIDxxxx
> port security max-mac-count 1
> port security action shutdown
> port security aging time 2
> spanning-tree portfast
>
> mac-address-table secure xxxx.xxxx.xxxx FastEthernet0/2 vlan 1
>
> Serhat
>
> belgin sarper <belginsarper@yahoo.com <belginsarper%40yahoo.com>>
> Sent by: cisco-ttl@yahoogroups.com <cisco-ttl%40yahoogroups.com>
> 09/11/2006 05:45 AM
> Please respond to
> cisco-ttl@yahoogroups.com <cisco-ttl%40yahoogroups.com>
>
> To
> cisco-ttl@yahoogroups.com <cisco-ttl%40yahoogroups.com>
> cc
>
> Subject
> [cisco-ttl] cisco 4006 switch- IP - MAC esleme
>
> Hello,
>
> There is a topology like the one below and a problem related to it. I would
> appreciate your help.
>
> At the edges: Cisco 2950, 8 in total.
> At the center: Cisco Catalyst 4006 switch with L3 module. The switch has
> 8 fiber ports and 32 ethernet ports in total.
> The 2950s connect to the 4006 over fiber. Traffic is aggregated at the 4006
> and exits to the firewall (connected to one of the fw ethernet ports), and
> through the firewall to a Cisco 7206 and the internet.
> VLANs are defined on the legs connected to each fiber port. Users on the
> network are given fixed IPs. There is no domain structure.
> Our goal is to prevent users from changing their IPs. For this we want to do
> IP-MAC mapping on the firewall. However, since the switch operates at L3,
> all users' MACs reach only as far as the switch's fiber ports and naturally
> do not pass through to the firewall side.
> First, can IP-MAC mapping be done on the 2950 or the 4006?
> Second, how can I pass the MACs through to the firewall?
> I would appreciate your help on this.
>
> Thanks.
>
> Relevant information:
>
> Cisco 2950
>
> Cisco Internetwork Operating System Software
> IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE
> SOFTWARE (fc1)
> Copyright (c) 1986-2003 by cisco Systems, Inc.
> cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K
> bytes of memory.
> Processor board ID FOC0733Z20G
> Last reset from system-reset
> Running Enhanced Image
> 24 FastEthernet/IEEE 802.3 interface(s)
> 2 Gigabit Ethernet/IEEE 802.3 interface(s)
>
> Cisco 4006
>
> Cisco Internetwork Operating System Software
> IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(7)W5(15d)
> RELEASE SOFTWARE
> Copyright (c) 1986-2000 by cisco Systems, Inc
>
> The firewall is on Port-channel 1.8.
>
> Config on 4006
>
> version 12.0
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> !
> ip subnet-zero
> !
> !
> !
> interface Port-channel1
> bandwidth 1000000
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> load-interval 30
> hold-queue 300 in
> !
> interface Port-channel1.1
> encapsulation dot1Q 1
> ip address xxxx 255.255.255.128 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.192
> no ip redirects
> no ip directed-broadcast
> ip accounting output-packets
> no ip mroute-cache
> !
> interface Port-channel1.2
> encapsulation dot1Q 2
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 182 in
> ip access-group 182 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.3
> encapsulation dot1Q 3
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.4
> encapsulation dot1Q 4
> ip address xxxx 255.255.255.0
> ip access-group 182 in
> ip access-group 182 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.5
> encapsulation dot1Q 5
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.6
> encapsulation dot1Q 6
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.7
> encapsulation dot1Q 7
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.8
> encapsulation dot1Q 8
> ip address xxxx 255.255.255.128 secondary
> ip address xxxx 255.255.255.192 secondary
> ip address xxxx 255.255.255.0 secondary
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.24
> encapsulation dot1Q 24
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.25
> encapsulation dot1Q 25
> ip address xxxx 255.255.255.0
> ip access-group 112 in
> ip access-group 112 out
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface Port-channel1.99
> encapsulation dot1Q 99 native
> no ip redirects
> no ip directed-broadcast
> no ip mroute-cache
> !
> interface FastEthernet1
> no ip address
> no ip directed-broadcast
> !
> interface GigabitEthernet1
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface GigabitEthernet2
> no ip address
> no ip directed-broadcast
> shutdown
> !
> interface GigabitEthernet3
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> no negotiation auto
> channel-group 1
> !
> interface GigabitEthernet4
> no ip address
> no ip directed-broadcast
> no ip mroute-cache
> no negotiation auto
> channel-group 1
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 xxxx
> ip route xxxx 255.255.255.248 Port-channel1.24
> ip route xxxx 255.255.255.255 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.128 Port-channel1.1
> ip route xxxx 255.255.255.255 Port-channel1.8
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.2
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> ip route xxxx 255.255.255.255 Port-channel1.3
> !
> access-list 112 permit ip any any
> access-list 112 permit tcp any any
> access-list 112 permit udp any any
> access-list 182 deny tcp any any eq 445
> access-list 182 deny tcp any any eq 135
> access-list 182 deny tcp any any eq 137
> access-list 182 deny udp any any eq netbios-ns
> access-list 182 permit ip any any
> access-list 199 permit ip xxxx 0.0.0.255 any
> arp 127.0.0.2 0002.fc2a.2800 ARP
> !
> end
>
> --
> Cisco Technical Discussion List (Cisco-ttl)

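Because the 4006 terminates ARP for every user VLAN (which is exactly why the MACs never reach the firewall), its ARP table is the one place where an IP-to-MAC check can actually be made without touching 1500 static entries. The script below is an added example, not code from the thread: it parses constructed `show ip arp` output in the classic IOS layout, compares each entry against an administrator-supplied binding table (also constructed), and reports users whose MAC is using an IP other than the one assigned, or whose assigned IP is in use by another MAC.

```python
"""Detect users who changed their statically assigned IP by diffing the
L3 switch's `show ip arp` output against an expected IP-to-MAC list.
Added example; the ARP output and the inventory are both constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `show ip arp` as printed by classic IOS.
# Age "-" marks the switch's own interface address (the 000a.0b0c.0d0e
# MAC is made up), not a user, so it is skipped by the check.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   000a.0b0c.0d0e  ARPA   Port-channel1.1
Internet  10.1.1.10               5   0011.2233.4455  ARPA   Port-channel1.1
Internet  10.1.1.11              12   0011.2233.4466  ARPA   Port-channel1.1
Internet  10.1.1.12               3   0011.2233.4477  ARPA   Port-channel1.1
Internet  10.1.2.20               0   0011.2233.4455  ARPA   Port-channel1.2
"""

# Constructed inventory: the IP each user's MAC is supposed to use.
EXPECTED_BINDINGS: Dict[str, str] = {
    "0011.2233.4455": "10.1.1.10",
    "0011.2233.4466": "10.1.1.11",
    "0011.2233.4488": "10.1.1.12",
}

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+ARPA\s+(\S+)", re.I)

def parse_show_ip_arp(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, age, mac, interface); headers and Incomplete entries skip."""
    out = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            out.append((ip, age, mac.lower(), iface))
    return out

def find_violations(entries, expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (kind, ip, mac) for every ARP entry that breaks a binding."""
    ip_owner = {ip: mac for mac, ip in expected.items()}   # reverse index
    found = []
    for ip, age, mac, _iface in entries:
        if age == "-":                      # switch's own address, not a user
            continue
        exp_ip = expected.get(mac)
        if exp_ip is None:                  # MAC not in inventory at all
            found.append(("unknown-mac", ip, mac))
        elif exp_ip != ip:                  # known user, but on a different IP
            found.append(("mac-changed-ip", ip, mac))
        owner = ip_owner.get(ip)
        if owner is not None and owner != mac:   # someone took a user's IP
            found.append(("ip-hijacked", ip, mac))
    return found
```

Run it periodically against a fresh capture of the table and you get the "one IP per MAC" enforcement the thread asks for as an alert, without the firewall ever needing to see the MACs.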
Received on Sat Nov 11 15:53:23 2006

This archive was generated by hypermail 2.1.8 : Sat Nov 11 2006 - 15:53:33 EET