Interesting. In the case that it's an OR match only, this solution wouldn't actually work. The reason that I grouped the mac and IP match statements in the same access-map sequence is because I assumed that it would default to 'AND', OR being if you dropped them in different sequences.

Bummer.

-Buck

On Thu, Apr 15, 2010 at 2:30 AM, Kingsley Charles <[email protected]> wrote:
> Hi Brandon
>
> I just checked and it seems the vlan access-map is making "OR" logic
> between the matching criteria. With the following config, either it matches
> mac acl "king" or IP acl "123".
>
> vlan access-map king 10
>  action drop
>  match mac address king
>  match ip address 123
>
> While the route-maps use "AND" logic between the criteria.
>
> With regards
> Kings
>
> On Thu, Apr 15, 2010 at 12:27 PM, Brandon Carroll <[email protected]> wrote:
>> Kings,
>>
>> It's a logical AND like a route-map.
>>
>> Regards,
>>
>> Brandon Carroll - CCIE #23837
>> Senior Technical Instructor - IPexpert
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Live Assistance, Please visit: http://www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at
>> http://www.ipexpert.com/
>>
>> On Apr 14, 2010, at 11:42 PM, Kingsley Charles <[email protected]> wrote:
>>
>> That should work. But the question was in general to prevent spoofing
>> without using DAI. We don't know the IP addresses and
>> MAC addresses that will flow across.
>>
>> One question, with vlan access-maps, if there are more than two match
>> criteria is it match-any or match-all?
>>
>> With regards
>> Kings
>>
>> On Thu, Apr 15, 2010 at 5:43 AM, bwalla <[email protected]> wrote:
>>> This is actually a great question which I've seen come up as well.
>>> Depending on the requirements, step 2 seems like it may be a little extreme.
>>>
>>> PLEASE correct me if you see something wrong with this, but wouldn't the
>>> following be a working solution as well?
>>>
>>> Assuming we only want host 192.168.123.1 with a MAC of 001f.ca08.105c to
>>> communicate on vlan 123...
>>>
>>> access-list 123 permit ip host 192.168.123.1 any
>>>
>>> mac access-list extended no_spoof
>>>  permit host 001f.ca08.105c any
>>>
>>> vlan access-map anti-spoof 10
>>>  action forward
>>>  match mac address no_spoof
>>>  match ip address 123
>>> vlan access-map anti-spoof 20
>>>  action drop
>>>
>>> vlan filter anti-spoof vlan-list 123
>>>
>>> On Mar 17, 2010, at 12:09 AM, Kingsley Charles wrote:
>>>
>>>> Hi all
>>>>
>>>> I just came across this question.
>>>>
>>>> How do we prevent arp spoofing on switches without using DAI?
>>>>
>>>> My solution is as follows:
>>>>
>>>> Solution 1
>>>> ========
>>>>
>>>> Configure "ip source guard" with port security. With this only arp
>>>> packets with a valid source IP and MAC address will be forwarded across the
>>>> switch and hence, no one can spoof the IP address with another MAC
>>>> address.
>>>>
>>>> Solution 2
>>>> ========
>>>>
>>>> Here I am dropping all the ARP traffic across vlan 3 where I am
>>>> suspecting a spoofing attack.
>>>>
>>>> mac access-list extended arp
>>>>  permit any any 0x806 0x0
>>>>
>>>> vlan access-map arp 10
>>>>  action drop
>>>>  match mac address arp
>>>> vlan access-map arp 20
>>>>  action forward
>>>>
>>>> vlan filter arp vlan-list 3
>>>>
>>>> Since the ARP is being dropped, the MAC addresses of the remote hosts
>>>> should be statically configured on each host.
>>>>
>>>> On the router, we can add the arp statically with the following command:
>>>>
>>>> router(config)#arp 10.20.30.42 3.3.3 arpa
>>>>
>>>> Also the switch needs to know where to forward the mac address:
>>>>
>>>> sw(config)#mac-address-table static 3.3.3 vlan 3 interface f1/0/2
>>>>
>>>> If you have any other solutions, please do share them.
>>>>
>>>> With regards
>>>> Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
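The two access-maps posted in this thread, modelled so the OR-versus-AND question can be checked on concrete frames. This is an added example and not code from the thread or from Cisco; the frame records are constructed test data, the "implicit drop" at the end of a VACL is the documented Catalyst default, and the second sequence of Kings' Solution 2 is numbered 20 here because the posted config repeats sequence 10.

```python
"""Model of the anti-spoof and drop-ARP VLAN access-maps from the thread,
evaluated with OR semantics (what Kings observed) and AND semantics (what
Buck assumed). Added example; frames are constructed, not captured."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None  # None for non-IP frames such as ARP


# ACL contents as posted by Buck: one permitted host and one permitted MAC.
IP_ACL_123 = {"192.168.123.1"}
MAC_ACL_NO_SPOOF = {"001f.ca08.105c"}


def match_ip_123(f: Frame) -> bool:
    return f.src_ip in IP_ACL_123


def match_mac_no_spoof(f: Frame) -> bool:
    return f.src_mac in MAC_ACL_NO_SPOOF


def match_mac_arp(f: Frame) -> bool:
    # mac access-list extended arp / permit any any 0x806 0x0
    return f.ethertype == ETHERTYPE_ARP


Match = Callable[[Frame], bool]
Sequence = Tuple[int, str, List[Match]]

# Buck's map: seq 10 forwards on mac+ip match, seq 20 drops everything else.
ANTI_SPOOF: List[Sequence] = [
    (10, "forward", [match_mac_no_spoof, match_ip_123]),
    (20, "drop", []),
]

# Kings' Solution 2, with the duplicated sequence number corrected to 20.
DROP_ARP: List[Sequence] = [
    (10, "drop", [match_mac_arp]),
    (20, "forward", []),
]


def evaluate(frame: Frame, access_map: List[Sequence], all_must_match: bool) -> str:
    """Walk sequences in order. A sequence with no match clause matches
    everything. Clauses are ANDed when all_must_match is True, else ORed.
    A frame matching no sequence is dropped (the VACL implicit deny)."""
    for _seq, action, clauses in access_map:
        results = [clause(frame) for clause in clauses]
        if not clauses or (all(results) if all_must_match else any(results)):
            return action
    return "drop"


# Constructed frames: the legitimate host, two partial spoofs, a full spoof,
# and an ARP frame from the legitimate MAC.
FRAMES: Dict[str, Frame] = {
    "legit":       Frame("001f.ca08.105c", ETHERTYPE_IP, "192.168.123.1"),
    "spoofed_ip":  Frame("001f.ca08.105c", ETHERTYPE_IP, "192.168.123.99"),
    "spoofed_mac": Frame("0000.dead.beef", ETHERTYPE_IP, "192.168.123.1"),
    "attacker":    Frame("0000.dead.beef", ETHERTYPE_IP, "192.168.123.99"),
    "arp":         Frame("001f.ca08.105c", ETHERTYPE_ARP),
}


def anti_spoof_results(all_must_match: bool) -> Dict[str, str]:
    return {name: evaluate(f, ANTI_SPOOF, all_must_match) for name, f in FRAMES.items()}


def drop_arp_results() -> Dict[str, str]:
    # One clause per sequence, so OR versus AND makes no difference here.
    return {name: evaluate(f, DROP_ARP, True) for name, f in FRAMES.items()}


if __name__ == "__main__":
    for label, res in (("anti-spoof, OR", anti_spoof_results(False)),
                       ("anti-spoof, AND", anti_spoof_results(True)),
                       ("drop-ARP", drop_arp_results())):
        print(label, res)
```

With OR semantics both partial spoofs (right MAC with a wrong IP, and the right IP from a foreign MAC) are forwarded by sequence 10, which is exactly the gap Buck is describing; only the frame that matches neither ACL reaches the drop in sequence 20. With strict AND semantics the partial spoofs are dropped, but so is ARP from the legitimate host, because a non-IP frame can never satisfy the IP ACL, so a pure AND would break the host rather than protect it. Splitting the MAC and IP checks into separate drop sequences ahead of a final forward (drop if MAC is not the permitted one, drop if IP is not the permitted one) avoids both problems, and on Catalyst platforms where MAC ACLs only see non-IP traffic the ARP exception should be checked against the switch's own documentation rather than assumed from this model.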
