Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

From: Serhat Uslay <serhat.uslay_at_....>
Date: Mon Nov 13 2006 - 00:54:06 EET

Ms. Belgin,
1500 users is a large number. IP-MAC mapping is generally manageable for numbers below 50. Where there are 1500 users, you should definitely use Active Directory (if the majority is Microsoft) to prevent users from entering the Control Panel and thus from changing their IP addresses. Also, for this many users, using a proxy server (such as ISA?) is strongly recommended. Once these are in place, you can restrict users' Internet access per PC or per user name. Doing these things on the 2950 or on the firewall will cause you a lot of trouble.

Serhat


Serhat Uslay
Data Networks Team Leader
Zurich Financial Services
Tel: (02) 9995 4945  Cell: 0401 105 485
Email: serhat.uslay@zurich.com.au
==================================
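Serhat's point above is that hand-maintained IP-MAC mappings stop being manageable well before 1500 users, while his earlier reply in this thread suggests locking each 29xx access port to one MAC. The script below is an added example (not code from the thread or from Cisco) that generates such per-port configuration from an inventory, so the mapping lives in one table rather than in 1500 hand-typed stanzas. It emits the `switchport port-security ...` command form of Catalyst 2950 12.1 EA images (assumed; the snippet quoted later in the thread uses the older `port security max-mac-count` form), normalizes MAC notation, and refuses an inventory that lists one MAC on two ports. The inventory itself is constructed sample data.

```python
"""Generate MAC-locked port-security configuration for Catalyst 2950-class
access switches from a port inventory.

Added example, not code from the cisco-ttl thread or from Cisco. It emits the
`switchport port-security ...` command form of 2950 IOS 12.1 EA images
(assumed; the thread's own snippet shows the older `port security
max-mac-count` form). INVENTORY is constructed sample data.
"""
import re

# Constructed inventory: access port -> (description, MAC in any common notation).
INVENTORY = {
    "FastEthernet0/2": ("Connects to PCID0001", "00:02:fc:2a:28:00"),
    "FastEthernet0/10": ("Connects to PCID0002", "0002-fc2a-2801"),
    "FastEthernet0/3": ("Connects to PCID0003", "0002.fc2a.2802"),
}


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and
    return the dotted-triplet form IOS expects."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def validate_inventory(inventory):
    """Return {mac: port}; reject a MAC listed on two ports, since a host
    locked to one port would trip the violation action on the other."""
    seen = {}
    for port, (_desc, raw) in inventory.items():
        mac = normalize_mac(raw)
        if mac in seen:
            raise ValueError(f"{mac} listed on both {seen[mac]} and {port}")
        seen[mac] = port
    return seen


def is_valid_inventory(inventory):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_inventory(inventory)
        return True
    except ValueError:
        return False


def port_sort_key(port):
    """Natural sort so FastEthernet0/2 precedes FastEthernet0/10."""
    return [int(t) if t.isdigit() else t for t in re.split(r"(\d+)", port)]


def render_port(port, description, mac):
    """One interface stanza: exactly one secure static MAC, shutdown on violation."""
    return [
        f"interface {port}",
        f" description {description}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        f" switchport port-security mac-address {mac}",
        " switchport port-security violation shutdown",
        " spanning-tree portfast",
        "!",
    ]


def render_config(inventory):
    """Validate the inventory and return the full configuration text."""
    validate_inventory(inventory)
    lines = []
    for port in sorted(inventory, key=port_sort_key):
        description, raw = inventory[port]
        lines.extend(render_port(port, description, normalize_mac(raw)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_config(INVENTORY), end="")
```

The generated text is meant to be pasted into configuration mode or pushed by whatever provisioning tool is in use; a port whose host is replaced is fixed by editing the inventory row and regenerating, not by editing the switch by hand.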



belgin sarper <belginsarper@yahoo.com> Sent by: cisco-ttl@yahoogroups.com
10/11/2006 04:59 AM
Please respond to: cisco-ttl@yahoogroups.com
To: cisco-ttl@yahoogroups.com
Subject: Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

Hello Mr. Serhat,

There are about 1500 users on the network. These users are given static IPs; everyone has their own IP. However, some people change their IPs. To prevent IP changes we want to do IP-MAC mapping. For example, if everyone's MAC address reaches the firewall, each MAC will be mapped to only one IP on the fw, once, so if that person changes their IP their Internet connection will be cut. If we can do this on the 2950, that would be much better for us. Can we do what I described? Thanks...

belgin

Serhat Uslay <serhat.uslay@zurich.com.au> wrote:  

I could not understand what you want to do with MAC addresses on the firewall; it may not be good practice. Could you elaborate a bit? Depending on the IOS version on the 4006 you can use a DHCP server. There is more information here.
http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html#wp1001108

Then you can enable DHCP snooping on the 29XX series. The 4006 DHCP server supports the following:

• DHCP snooping 
• DHCP Option 82 
• DHCP Option 82 insertion 
• DHCP Option 82 Pass Through 

Or you can enforce MAC-address security per port on the 29xx series. I am sending an example below.

interface FastEthernet0/2
description Connects to PCIDxxxx
port security max-mac-count 1
port security action shutdown
port security aging time 2
spanning-tree portfast

mac-address-table secure xxxx.xxxx.xxxx FastEthernet0/2 vlan 1

Serhat

belgin sarper <belginsarper@yahoo.com> Sent by: cisco-ttl@yahoogroups.com
09/11/2006 05:45 AM
Please respond to: cisco-ttl@yahoogroups.com
To: cisco-ttl@yahoogroups.com
Subject: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

Hello,

There is a topology like the one below and a problem related to it. I would appreciate your help.

At the edges: Cisco 2950, 8 units in total.
At the center: Cisco Catalyst 4006 switch with L3 module. The switch has 8 fiber ports and 32 Ethernet ports in total. The 2950s connect to the 4006 over fiber. Traffic is aggregated at the 4006 and exits to the firewall (connected to one of the fw Ethernet ports), then via the firewall to the Cisco 7206 and the Internet.
VLANs are defined on the legs attached to each fiber port. Users on the network have been given fixed IPs. There is no domain structure. Our aim is to prevent users from changing their IPs. For this we want to do IP-MAC mapping on the firewall. However, because the switch operates at L3, all users' MACs reach as far as the switch's fiber input but naturally do not pass through to the firewall side. First, can IP-MAC mapping be done on the 2950 or the 4006? Second, how can I pass the MACs through to the firewall? I would appreciate your help on this.

Thanks.

Relevant information:

Cisco 2950

Cisco Internetwork Operating System Software IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc. cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
Processor board ID FOC0733Z20G
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s)

Cisco 4006

Cisco Internetwork Operating System Software IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(7)W5(15d) RELEASE SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc

The firewall is on Port-channel 1.8.

Config on 4006

version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
!

ip subnet-zero
!
!
!

interface Port-channel1
bandwidth 1000000
no ip address
no ip directed-broadcast
no ip mroute-cache
load-interval 30
hold-queue 300 in
!

interface Port-channel1.1
encapsulation dot1Q 1

ip address xxxx 255.255.255.128 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.192 secondary 
ip address xxxx 255.255.255.192 secondary 
ip address xxxx 255.255.255.192 

no ip redirects
no ip directed-broadcast
ip accounting output-packets
no ip mroute-cache
!

interface Port-channel1.2
encapsulation dot1Q 2
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 

ip access-group 182 in
ip access-group 182 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.3
encapsulation dot1Q 3
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 

ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.4
encapsulation dot1Q 4
ip address xxxx 255.255.255.0
ip access-group 182 in
ip access-group 182 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.5
encapsulation dot1Q 5
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 

ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.6
encapsulation dot1Q 6
ip address xxxx 255.255.255.0 secondary
ip address xxxx 255.255.255.0
ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.7
encapsulation dot1Q 7
ip address xxxx 255.255.255.0
ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.8
encapsulation dot1Q 8
ip address xxxx 255.255.255.128 secondary 
ip address xxxx 255.255.255.192 secondary 
ip address xxxx 255.255.255.0 secondary 
ip address xxxx 255.255.255.0 

ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.24
encapsulation dot1Q 24
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.25
encapsulation dot1Q 25
ip address xxxx 255.255.255.0
ip access-group 112 in
ip access-group 112 out
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface Port-channel1.99
encapsulation dot1Q 99 native
no ip redirects
no ip directed-broadcast
no ip mroute-cache
!

interface FastEthernet1
no ip address
no ip directed-broadcast
!

interface GigabitEthernet1
no ip address
no ip directed-broadcast
shutdown
!

interface GigabitEthernet2
no ip address
no ip directed-broadcast
shutdown
!

interface GigabitEthernet3
no ip address
no ip directed-broadcast
no ip mroute-cache
no negotiation auto
channel-group 1
!

interface GigabitEthernet4
no ip address
no ip directed-broadcast
no ip mroute-cache
no negotiation auto
channel-group 1
!

ip classless
ip route 0.0.0.0 0.0.0.0 xxxx
ip route xxxx 255.255.255.248 Port-channel1.24 
ip route xxxx 255.255.255.255 Port-channel1.1 
ip route xxxx 255.255.255.255 Port-channel1.1 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.128 Port-channel1.1 
ip route xxxx 255.255.255.255 Port-channel1.8 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.2 
ip route xxxx 255.255.255.255 Port-channel1.2 
ip route xxxx 255.255.255.255 Port-channel1.2 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 
ip route xxxx 255.255.255.255 Port-channel1.3 

!
access-list 112 permit ip any any 
access-list 112 permit tcp any any 
access-list 112 permit udp any any 
access-list 182 deny tcp any any eq 445 
access-list 182 deny tcp any any eq 135 
access-list 182 deny tcp any any eq 137 
access-list 182 deny udp any any eq netbios-ns 
access-list 182 permit ip any any 
access-list 199 permit ip xxxx 0.0.0.255 any 
arp 127.0.0.2 0002.fc2a.2800 ARP
!

end
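The question above asks for a way to notice when a host with a fixed IP starts using a different one. Because the 4006 routes between the VLANs, its ARP table already holds the IP-to-MAC pairs for every active host, so the binding can be checked there rather than on the firewall. The script below is an added example (not code from the thread or from Cisco): it parses `show ip arp` output in the classic IOS column layout, skips the switch's own interface addresses, and compares each learned pair against a MAC-to-IP assignment table, reporting unknown MACs, hosts that moved to an unassigned IP, and hosts that took an IP belonging to someone else. Both the ARP output and the assignment table are constructed sample data.

```python
"""Check a Catalyst L3 switch ARP table against the static IP-to-MAC
assignment list, to find hosts that changed their IP address.

Added example, not code from the cisco-ttl thread or from Cisco.
SHOW_IP_ARP and ASSIGNED are constructed sample data; the column layout
(Protocol, Address, Age (min), Hardware Addr, Type, Interface) is the
classic IOS `show ip arp` format.
"""
import re
from dataclasses import dataclass

# Constructed sample of `show ip arp` output. Age "-" marks the switch's own
# interface address, which is not a user host.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   000a.0000.0001  ARPA   Port-channel1.1
Internet  10.1.1.10               5   0002.fc2a.2800  ARPA   Port-channel1.1
Internet  10.1.1.11               8   0002.fc2a.2801  ARPA   Port-channel1.1
Internet  10.1.1.12               3   0002.fc2a.2802  ARPA   Port-channel1.1
Internet  10.1.2.20               1   0002.fc2a.2803  ARPA   Port-channel1.2
Internet  10.1.2.99               0   0002.fc2a.2803  ARPA   Port-channel1.2
Internet  10.1.2.21               2   0002.fc2a.2804  ARPA   Port-channel1.2
Internet  10.1.3.30              12   0002.fc2a.2805  ARPA   Port-channel1.3
"""

# Constructed assignment table: MAC -> the one IP that host is allowed to use.
ASSIGNED = {
    "0002.fc2a.2800": "10.1.1.10",
    "0002.fc2a.2802": "10.1.1.12",
    "0002.fc2a.2803": "10.1.2.20",
    "0002.fc2a.2804": "10.1.2.22",
    "0002.fc2a.2807": "10.1.2.21",
    "0002.fc2a.2805": "10.1.3.30",
}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str          # "unknown_mac", "ip_changed" or "ip_taken"
    mac: str
    observed_ip: str
    interface: str
    detail: str


def parse_show_ip_arp(text):
    """Return (ip, mac, interface) for every learned entry; header lines and
    the switch's own addresses (age '-') are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m is None or m.group("age") == "-":
            continue
        entries.append((m.group("ip"), m.group("mac").lower(), m.group("intf")))
    return entries


def validate_assignments(assigned):
    """Refuse a table that gives the same IP to two MACs; return {ip: mac}."""
    owners = {}
    for mac, ip in assigned.items():
        if ip in owners:
            raise ValueError(f"{ip} assigned to both {owners[ip]} and {mac}")
        owners[ip] = mac
    return owners


def check_bindings(arp_entries, assigned):
    """Compare observed (ip, mac) pairs with the assignment table."""
    ip_owner = validate_assignments(assigned)
    findings = []
    for ip, mac, intf in arp_entries:
        if mac not in assigned:
            findings.append(Finding("unknown_mac", mac, ip, intf,
                                    "MAC not in the assignment table"))
        elif ip != assigned[mac]:
            owner = ip_owner.get(ip)
            if owner is not None and owner != mac:
                findings.append(Finding("ip_taken", mac, ip, intf,
                                        f"address belongs to {owner}; host should use {assigned[mac]}"))
            else:
                findings.append(Finding("ip_changed", mac, ip, intf,
                                        f"host should use {assigned[mac]}"))
    return findings


if __name__ == "__main__":
    for f in check_bindings(parse_show_ip_arp(SHOW_IP_ARP), ASSIGNED):
        print(f"{f.kind:12} {f.mac} {f.observed_ip:15} {f.interface}: {f.detail}")
```

A single ARP snapshot only shows hosts that have talked recently, so the check is best run on a schedule and the findings fed to whatever alerting the team already has; a host that appears at both its assigned IP and a second one (0002.fc2a.2803 in the sample) is reported only for the unassigned address.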


--
Cisco Technical Discussion List (Cisco-ttl)

All responsibility for applying changes suggested on this list belongs to the user. The list administrators, the list members making suggestions, and the organizations these members work for cannot be held responsible in any way.
Yahoo! Groups Links



This email is intended for the named recipient only. It may contain information which is confidential, commercially sensitive, or copyright. If you are not the intended recipient you must not reproduce or distribute any part of the email, disclose its contents, or take any action in reliance. If you have received this email in error, please contact the sender and delete the message. It is your responsibility to scan this email and any attachments for viruses and other defects. To the extent permitted by law, Zurich and its associates will not be liable for any loss or damage arising in any way from this communication including any file attachments. We may monitor email you send to us, either as a reply to this email or any email you send to us, to confirm our systems are protected and for compliance with company policies. Although we take reasonable precautions to protect the confidentiality of our email systems, we do not warrant the confidentiality or security of email or attachments we receive.


Received on Mon Nov 13 21:58:30 2006

This archive was generated by hypermail 2.1.8 : Mon Nov 13 2006 - 21:58:31 EET