Re: [cisco-ttl] cisco 4006 switch - IP - MAC mapping

From: Serdar Kut <kutserdar_at_....>
Date: Sat Nov 18 2006 - 23:51:22 EET


Hello friends,

 Belgin hanım, the IP-MAC mapping you want is, as you know, the job of the ARP protocol. Consequently, with a port security configuration on the L2 switch you can only make sure that the MAC on that port does not change; in that case, even if the user changes the IP, the MAC stays the same, so port security cannot be a solution for you. For your situation, two options come to mind right now:

  1. Entering static ARP entries for all hosts on the first L3 device that packets leaving the user machines reach.
  2. Having all hosts get their IP from a DHCP server, and doing IP-MAC binding on the DHCP server.

  Regards,

  Serdar

belgin sarper <belginsarper@yahoo.com> wrote: Hello Serhat Bey,
     

  There are about 1500 users on the network. These users are given static IPs; everyone has their own IP. However, some people change their IPs. To prevent IP changes we want to do IP-MAC mapping. For example, if everyone's MAC address arrives at the firewall, each MAC would be mapped to just one IP on the fw, once; so if that person changes their IP, their internet connection would be cut. If we can do this on the 2950, that would be much better for us. Can we do what I have described? Thanks...

    belgin   

  Serhat Uslay <serhat.uslay@zurich.com.au> wrote:             

  I could not understand what you want to do with the MAC address on the firewall; it may not be good practice. Could you elaborate a bit? Depending on the IOS version on the 4006, you can use a DHCP server. There is more information here:
  http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca75c.html#wp1001108
  Afterwards you can enable DHCP snooping on the 29XX series. The 4006 DHCP server supports the following:

  • DHCP snooping 
  • DHCP Option 82 
  • DHCP Option 82 insertion 
  • DHCP Option 82 Pass Through 
  

  Or you can provide port-based MAC address security on the 29xx series. I am sending an example below.

  interface FastEthernet0/2
  description Connects to PCIDxxxx
  port security max-mac-count 1
  port security action shutdown
  port security aging time 2
  spanning-tree portfast   

  mac-address-table secure xxxx.xxxx.xxxx FastEthernet0/2 vlan 1   

  Serhat   

  belgin sarper <belginsarper@yahoo.com>   Sent by: cisco-ttl@yahoogroups.com
  09/11/2006 05:45 AM
  Please respond to
  cisco-ttl@yahoogroups.com   

  To
  cisco-ttl@yahoogroups.com
  cc   

  Subject
  [cisco-ttl] cisco 4006 switch - IP - MAC mapping

  Hello,

  There is a topology as below and a problem related to it. I would be glad if you could help.

  At the edges: Cisco 2950, 8 in total.
  At the center: Cisco Catalyst 4006 switch with L3 module. The switch has 8 fiber ports and 32 ethernet ports in total. The 2950s connect to the 4006 over fiber. Traffic is aggregated at the 4006 and exits to the firewall (connected to one of the fw's ethernet ports), through the firewall to a Cisco 7206 and on to the internet.
  VLANs are defined on the legs connected to each fiber port. Users on the network have been given fixed IPs. There is no domain structure. Our goal is to prevent users from changing their IPs. For this we want to do IP-MAC mapping on the firewall. However, since the switch works at L3, all users' MACs come up to the switch's fiber ports, but naturally they do not pass through to the firewall side. First, can IP-MAC mapping be done on the 2950 or the 4006? Second, how can I pass the MACs through to the firewall? I would appreciate help on this.

  Thanks.

  Required information:

  Cisco 2950   

  Cisco Internetwork Operating System Software
  IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2003 by cisco Systems, Inc.
  cisco WS-C2950G-24-EI (RC32300) processor (revision G0) with 20839K bytes of memory.
  Processor board ID FOC0733Z20G
  Last reset from system-reset
  Running Enhanced Image
  24 FastEthernet/IEEE 802.3 interface(s)
  2 Gigabit Ethernet/IEEE 802.3 interface(s)

  Cisco 4006   

  Cisco Internetwork Operating System Software
  IOS (tm) L3 Switch/Router Software (CAT4232-IN-M), Version 12.0(7)W5(15d) RELEASE SOFTWARE
  Copyright (c) 1986-2000 by cisco Systems, Inc   

  The firewall is on Port-channel 1.8.

  Config on 4006   

  version 12.0
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
!

  ip subnet-zero
!
!
!

  interface Port-channel1
  bandwidth 1000000
  no ip address
  no ip directed-broadcast
  no ip mroute-cache
  load-interval 30
  hold-queue 300 in
!

  interface Port-channel1.1
  encapsulation dot1Q 1

  ip address xxxx 255.255.255.128 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.192 secondary 
  ip address xxxx 255.255.255.192 secondary 
  ip address xxxx 255.255.255.192 

  no ip redirects
  no ip directed-broadcast
  ip accounting output-packets
  no ip mroute-cache
!

  interface Port-channel1.2
  encapsulation dot1Q 2
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 

  ip access-group 182 in
  ip access-group 182 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.3
  encapsulation dot1Q 3
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 

  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.4
  encapsulation dot1Q 4
  ip address xxxx 255.255.255.0
  ip access-group 182 in
  ip access-group 182 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.5
  encapsulation dot1Q 5
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 

  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.6
  encapsulation dot1Q 6
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0
  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.7
  encapsulation dot1Q 7
  ip address xxxx 255.255.255.0
  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.8
  encapsulation dot1Q 8
  ip address xxxx 255.255.255.128 secondary 
  ip address xxxx 255.255.255.192 secondary 
  ip address xxxx 255.255.255.0 secondary 
  ip address xxxx 255.255.255.0 

  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.24
  encapsulation dot1Q 24
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.25
  encapsulation dot1Q 25
  ip address xxxx 255.255.255.0
  ip access-group 112 in
  ip access-group 112 out
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface Port-channel1.99
  encapsulation dot1Q 99 native
  no ip redirects
  no ip directed-broadcast
  no ip mroute-cache
!

  interface FastEthernet1
  no ip address
  no ip directed-broadcast
!

  interface GigabitEthernet1
  no ip address
  no ip directed-broadcast
  shutdown
!

  interface GigabitEthernet2
  no ip address
  no ip directed-broadcast
  shutdown
!

  interface GigabitEthernet3
  no ip address
  no ip directed-broadcast
  no ip mroute-cache
  no negotiation auto
  channel-group 1
!

  interface GigabitEthernet4
  no ip address
  no ip directed-broadcast
  no ip mroute-cache
  no negotiation auto
  channel-group 1
!

  ip classless
  ip route 0.0.0.0 0.0.0.0 xxxx
  ip route xxxx 255.255.255.248 Port-channel1.24 
  ip route xxxx 255.255.255.255 Port-channel1.1 
  ip route xxxx 255.255.255.255 Port-channel1.1 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.128 Port-channel1.1 
  ip route xxxx 255.255.255.255 Port-channel1.8 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.2 
  ip route xxxx 255.255.255.255 Port-channel1.2 
  ip route xxxx 255.255.255.255 Port-channel1.2 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 
  ip route xxxx 255.255.255.255 Port-channel1.3 

!
  access-list 112 permit ip any any 
  access-list 112 permit tcp any any 
  access-list 112 permit udp any any 
  access-list 182 deny tcp any any eq 445 
  access-list 182 deny tcp any any eq 135 
  access-list 182 deny tcp any any eq 137 
  access-list 182 deny udp any any eq netbios-ns 
  access-list 182 permit ip any any 
  access-list 199 permit ip xxxx 0.0.0.255 any 
  arp 127.0.0.2 0002.fc2a.2800 ARP
!

  end   

  --
  Cisco Technical Discussion List (Cisco-ttl)

Serdar KUT
Network Engineer
CompTIA Sec+,SCTA,CCNP
~CCIE R&S (just after lab)
now a second lieutenant... :P
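An added example, not from the thread and not Cisco's code, that works through Serdar's option 1 together with the check Belgin asked for: from an authoritative IP-to-MAC assignment list it emits the static ARP lines for the first L3 hop (the 4006 here), and it audits a captured `show ip arp` table against that list to find hosts that have moved to another IP before any filtering is switched on. All addresses, MACs and the ARP output are constructed sample data; the assignment list is assumed to be something the administrators already keep.

```python
"""
Added example (not part of the thread): turn an IP -> MAC assignment list into
IOS static ARP lines and audit a 'show ip arp' capture against that list.
All addresses below are constructed sample values.
"""
import re

# Constructed sample: authoritative IP -> MAC assignment list (assumption:
# maintained by the admins, one entry per user machine).
ASSIGNED = {
    "10.1.2.10": "00:11:22:33:44:01",
    "10.1.2.11": "00:11:22:33:44:02",
    "10.1.2.12": "00:11:22:33:44:03",
}

# Constructed sample of 'show ip arp' output from the L3 device. The entry
# with age '-' is the device's own interface address, not a user host.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.2.1                -   0002.fc2a.2800  ARPA   Port-channel1.2
Internet  10.1.2.10               5   0011.2233.4401  ARPA   Port-channel1.2
Internet  10.1.2.11               2   0011.2233.4403  ARPA   Port-channel1.2
Internet  10.1.2.50               0   0011.2233.4402  ARPA   Port-channel1.2
Internet  10.1.2.77               1   00aa.bbcc.dd01  ARPA   Port-channel1.2
"""

# Columns: protocol, address, age, hardware address, type, interface
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)$")


def ip_key(ip):
    """Sort key so that 10.1.2.9 sorts before 10.1.2.10."""
    return tuple(int(octet) for octet in ip.split("."))


def normalize_mac(mac):
    """Accept 00:11:22:33:44:01, 00-11-..., or 0011.2233.4401; return IOS dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def static_arp_lines(assigned):
    """IOS static ARP commands; 'arpa' is the IOS keyword for Ethernet ARP."""
    return [f"arp {ip} {normalize_mac(mac)} arpa"
            for ip, mac in sorted(assigned.items(), key=lambda kv: ip_key(kv[0]))]


def parse_show_ip_arp(text):
    """Return {ip: (mac, interface)} for the learned entries of 'show ip arp'."""
    observed = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        ip, age, mac, iface = m.groups()
        if age == "-":          # the device's own addresses are skipped
            continue
        observed[ip] = (normalize_mac(mac), iface)
    return observed


def audit(assigned, observed):
    """Compare observed ARP entries with the assignment list.

    Returns (kind, ip, mac, expected) tuples:
      ip-changed    a known MAC is using an IP other than the one assigned to it
      unknown-host  the MAC is not in the assignment list at all
    """
    expected_mac = {ip: normalize_mac(mac) for ip, mac in assigned.items()}
    expected_ip = {mac: ip for ip, mac in expected_mac.items()}
    findings = []
    for ip in sorted(observed, key=ip_key):
        mac, _iface = observed[ip]
        if expected_mac.get(ip) == mac:
            continue                      # binding intact
        if mac in expected_ip:
            findings.append(("ip-changed", ip, mac, expected_ip[mac]))
        else:
            findings.append(("unknown-host", ip, mac, None))
    return findings


if __name__ == "__main__":
    print("\n".join(static_arp_lines(ASSIGNED)))
    for finding in audit(ASSIGNED, parse_show_ip_arp(SHOW_IP_ARP)):
        print(finding)
```

Two caveats follow from the thread itself: a static ARP table on the 4006 only controls what the L3 hop will answer to, so a user who changes IP still reaches neighbours inside the same VLAN, and the table has to be regenerated every time a machine is replaced, which for 1500 users is why Serdar's option 2 (DHCP with IP-MAC bindings) is the more maintainable route.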




Received on Sun Nov 19 16:27:09 2006

This archive was generated by hypermail 2.1.8 : Sun Nov 19 2006 - 16:27:22 EET