Solved: Port Security on 3550 based on given MAC-Address and IP-Address

mknorz · ‎11-29-2002

How can I configure PortSecurity based on MAc-Address and IP-Address..... I only know about "switchport port-security mac-address" but there must be a way to manage this in conjunction with an IP.... Static ARp entry ????

t.baranski · ‎12-01-2002

A static ARP entry will only come into play when routing is taking place. So, for traffic that is switched instead of routed (traffic destined to the source's subnet), the source IP doesn't come into play, and is hence irrelevant to the switch. But, even with layer-3 traffic, a static ARP entry doesn't do the trick because it doesn't stop the host with the secure MAC address from using a different IP address -- it only stops another host (with a different MAC address) from using the secure host's IP.

Therefore, the only way that I can see to allow traffic only from "secure" IP addresses is to configure an IP access list for each switch port, and use it in conjuction with port security.

View solution in original post

t.baranski · ‎12-01-2002

A static ARP entry will only come into play when routing is taking place. So, for traffic that is switched instead of routed (traffic destined to the source's subnet), the source IP doesn't come into play, and is hence irrelevant to the switch. But, even with layer-3 traffic, a static ARP entry doesn't do the trick because it doesn't stop the host with the secure MAC address from using a different IP address -- it only stops another host (with a different MAC address) from using the secure host's IP.

Therefore, the only way that I can see to allow traffic only from "secure" IP addresses is to configure an IP access list for each switch port, and use it in conjuction with port security.

mknorz · ‎12-02-2002

Thanx for the reply, I think that will solve the problem !!!!!

regards