Hi Brandon

I just checked and it seems the vlan access-map is making "OR" logic between the matching criteria. With the following config, either it matches mac acl "king" or IP acl "123".

vlan access-map king 10
 action drop
 match mac address king
 match ip address 123

While the route-maps use "AND" logic between the criteria.

With regards
Kings

On Thu, Apr 15, 2010 at 12:27 PM, Brandon Carroll <[email protected]> wrote:

> Kings,
>
> It's a logical and like a route-map.
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
> On Apr 14, 2010, at 11:42 PM, Kingsley Charles <[email protected]> wrote:
>
> That should work. But the question was in general to prevent spoofing
> without using DAI. We don't know the IP address and MAC addresses that
> will flow across.
>
> One question, with vlan-access maps, if there are more than two match
> criteria is it match-any or match-all?
>
> With regards
> Kings
>
> On Thu, Apr 15, 2010 at 5:43 AM, bwalla <[email protected]> wrote:
>
>> This is actually a great question which I've seen come up as well.
>> Depending on the requirements, step 2 seems like it may be a little
>> extreme.
>>
>> PLEASE correct me if you see something wrong with this, but wouldn't
>> the following be a working solution as well?
>>
>> Assuming we only want host 192.168.123.1 with a MAC of 001f.ca08.105c
>> to communicate on vlan 123...
>>
>> access-list 123 permit ip host 192.168.123.1 any
>>
>> mac access-list extended no_spoof
>>  permit host 001f.ca08.105c any
>>
>> vlan access-map anti-spoof 10
>>  action forward
>>  match mac address no_spoof
>>  match ip address 123
>> vlan access-map anti-spoof 20
>>  action drop
>>
>> vlan filter anti-spoof vlan-list 123
>>
>> On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:
>>
>>> Hi all
>>>
>>> I just came across this question.
>>>
>>> How do we prevent arp spoofing on switches without using DAI?
>>>
>>> My solution is as follows:
>>>
>>> Solution 1
>>> ========
>>>
>>> Configure "ip source guard" with port security. With this only arp
>>> packets with a valid source IP and MAC address will be forwarded
>>> across the switch and hence, no one can spoof the IP address with
>>> another MAC address.
>>>
>>> Solution 2
>>> ========
>>>
>>> Here I am dropping all the ARP traffic across vlan 3 where I am
>>> suspecting a spoofing attack.
>>>
>>> mac access-list extended arp
>>>  permit any any 0x806 0x0
>>>
>>> vlan access-map arp 10
>>>  action drop
>>>  match mac address arp
>>>
>>> vlan access-map arp 20
>>>  action forward
>>>
>>> vlan filter arp vlan-list 3
>>>
>>> Since the ARP is being dropped, the MAC addresses of the remote hosts
>>> should be statically configured on each host.
>>>
>>> On the router, we can add the arp statically with the following command:
>>>
>>> router(config)#arp 10.20.30.42 3.3.3 arpa
>>>
>>> Also the switch needs to know where to forward the mac address.
>>>
>>> sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
>>>
>>> If you have any other solutions, please do share them.
>>>
>>> With regards
>>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
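Added example, not part of the thread above and not Cisco code: a small Python model of how a vlan access-map walks its sequences and applies the first matching entry, evaluated under both readings discussed in the thread (Kings' "OR between match clauses" and Brandon's "AND, like a route-map"). It replays bwalla's anti-spoof map against a few constructed frames so the effect of each reading on the anti-spoofing goal is visible. The frame values other than the host from bwalla's post are made up for the example, ACLs are simplified to sets of permitted sources, and the model assumes an unmatched map drops the frame (implicit deny); it does not decide which reading a given platform actually implements, and it treats a clause whose field the frame lacks (an IP clause against an ARP frame) as not matching, which is a modelling assumption.

```python
"""Model of vlan access-map evaluation under 'AND' and 'OR' clause semantics.

Added example, not from the mailing-list thread and not Cisco's own logic.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    """A constructed frame: source MAC plus source IP (None for non-IP, e.g. ARP)."""
    src_mac: str
    src_ip: Optional[str]


@dataclass(frozen=True)
class Sequence:
    """One 'vlan access-map NAME SEQ' entry. ACLs are modelled as permitted-source sets."""
    seq: int
    action: str                           # "forward" or "drop"
    mac_acl: Optional[frozenset] = None   # 'match mac address' clause, or None if absent
    ip_acl: Optional[frozenset] = None    # 'match ip address' clause, or None if absent


def clause_results(entry: Sequence, frame: Frame) -> list:
    """Evaluate each match clause present in the entry against the frame.

    Modelling assumption: a clause whose field the frame does not carry
    (an IP clause against an ARP frame) simply does not match.
    """
    results = []
    if entry.mac_acl is not None:
        results.append(frame.src_mac in entry.mac_acl)
    if entry.ip_acl is not None:
        results.append(frame.src_ip is not None and frame.src_ip in entry.ip_acl)
    return results


def apply_vlan_map(entries, frame: Frame, semantics: str) -> str:
    """Walk the map in sequence order and return the action of the first
    matching entry; a map with no matching entry drops the frame (implicit deny)."""
    if semantics not in ("and", "or"):
        raise ValueError("semantics must be 'and' or 'or'")
    for entry in sorted(entries, key=lambda e: e.seq):
        results = clause_results(entry, frame)
        if not results:                 # no match clause at all: matches every frame
            matched = True
        elif semantics == "and":
            matched = all(results)      # Brandon's reading: every clause must match
        else:
            matched = any(results)      # Kings' reading: any one clause is enough
        if matched:
            return entry.action
    return "drop"


# bwalla's anti-spoof map from the thread, transcribed into the model.
ANTI_SPOOF = [
    Sequence(10, "forward",
             mac_acl=frozenset({"001f.ca08.105c"}),
             ip_acl=frozenset({"192.168.123.1"})),
    Sequence(20, "drop"),
]

# Constructed test frames; only the first host comes from the thread.
FRAMES = {
    "legit_ip":    Frame("001f.ca08.105c", "192.168.123.1"),
    "spoofed_ip":  Frame("0000.1111.2222", "192.168.123.1"),  # right IP, other MAC
    "spoofed_mac": Frame("001f.ca08.105c", "192.168.123.9"),  # right MAC, other IP
    "legit_arp":   Frame("001f.ca08.105c", None),             # non-IP frame from the real host
    "stranger":    Frame("0000.1111.2222", "192.168.123.9"),
}


def evaluate(semantics: str) -> dict:
    """Map every constructed frame to the action the anti-spoof map gives it."""
    return {name: apply_vlan_map(ANTI_SPOOF, f, semantics) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for semantics in ("and", "or"):
        print(f"--- match clauses combined with {semantics.upper()} ---")
        for name, action in evaluate(semantics).items():
            print(f"{name:12s} {action}")
```

Running it shows why the question in the thread matters for this use: under the OR reading the map forwards a frame that gets either the MAC or the IP right, so it does not bind the two identities together; under the AND reading as modelled here, the legitimate host's own ARP frames carry no IP header and fall through to the drop sequence. Both are behaviours to confirm on the actual platform (with a test host and the relevant show commands) before relying on a vlan access-map for this purpose.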
