If you block ARP on the switch, then you would need to add static mac address maps on the switch using the following command:
"mac address-table"
The switch learns the hosts attached to its port mostly with ARP only, right?

With regards
Kings

On Mon, Apr 19, 2010 at 2:19 PM, Peter Debye <[email protected]> wrote:
> Buck,
> you cannot match on both IP AND non-IP traffic within a single map entry.
> E.g., ARP packet will match the "match mac" statement, but to produce
> a match on the whole entry number 10 in your example the packet must
> also (AND!) match the "match ip address 123", which it will not of
> course...
>
> Also, to make the Ethernet LAN work without ARP the only two
> things/pieces you need to accomplish are:
> - configure static mappings "arp -s <IP> <MAC>" on ALL
>   hosts connected to this LAN, and
> - block all ARP packets on the LAN.
>
> You don't need to configure any mappings on the switch itself (apart
> from the only one you probably need for telnetting to its CLI) because
> it acts as a pure L2 device in this method.
> ========================================
>
> On 16 April 2010 20:49, Buck Wallander <[email protected]> wrote:
> > Peter,
> >
> > The access-map sequence has two match statements; one for layer-2 (mac
> > access-list) and another for layer-3 (ip access-list) addresses. Can you
> > explain why you believe that the 'AND' condition can never be met in this
> > example? To me it seems like this SHOULD validate ARP for this statically
> > defined host in vlan 123:
> >
> > access-list 123 permit ip host 192.168.123.1 any
> > mac access-list extended no_spoof
> >  permit host 001f.ca08.105c any 0x806 0x0
> > vlan access-map anti-spoof 10
> >  action forward
> >  match mac address no_spoof
> >  match ip address 123
> > vlan access-map anti-spoof 20
> >  action drop
> > vlan filter anti-spoof vlan-list 123
> >
> > After thinking about this for a while, I'm beginning to think that the best
> > solution would be using a VACL to drop all ARP traffic in vlan 123 and
> > statically define our host mac-mapping, the only caveat being you'd need to
> > be presented with four pieces of info: mac, ip, port, and vlan.
> >
> > vlan access-map anti-spoof 10
> >  action drop
> >  match mac address anto_spoof
> > ip source binding 001F.CA08.105C vlan 123 192.168.123.1 interface Fa0/15
> > vlan filter anti-spoof vlan-list 123
> >
> >
> > Buck
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
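As an added illustration of Peter's point (example code written for this page, not from the thread or from any Cisco software), the Python model below evaluates Buck's anti-spoof access map with the semantics he describes: every match clause in one entry must hold (AND), an IP ACL can never match an ARP frame, and the first matching entry wins with an implicit drop at the end of the map. The sample frames and the MAC-only variant are constructed for contrast; platform-specific rules about how Catalyst switches apply MAC versus IP clauses to IP traffic are not modeled.

```python
from ipaddress import ip_address, ip_network

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800

# mac access-list extended no_spoof / permit host 001f.ca08.105c any 0x806 0x0
NO_SPOOF = [{"src_mac": "001f.ca08.105c", "ethertype": ETHERTYPE_ARP}]
# access-list 123 permit ip host 192.168.123.1 any
ACL_123 = [{"src_ip": ip_network("192.168.123.1/32")}]

# vlan access-map anti-spoof, entries 10 and 20 as posted by Buck
ANTI_SPOOF = [
    {"seq": 10, "action": "forward", "mac": NO_SPOOF, "ip": ACL_123},
    {"seq": 20, "action": "drop"},  # no match clause: matches everything
]
# Hypothetical contrast (not in the thread): entry 10 with the MAC clause only
MAC_ONLY = [{"seq": 10, "action": "forward", "mac": NO_SPOOF},
            {"seq": 20, "action": "drop"}]

def mac_acl_permits(acl, frame):
    """True if some MAC ACL entry permits the frame's source MAC and ethertype."""
    return any(e["src_mac"] == frame["src_mac"] and e["ethertype"] == frame["ethertype"]
               for e in acl)

def ip_acl_permits(acl, frame):
    """An IP ACL can only match IP packets; an ARP frame (0x806) never matches."""
    if frame["ethertype"] != ETHERTYPE_IPV4:
        return False
    return any(ip_address(frame["src_ip"]) in e["src_ip"] for e in acl)

CLAUSES = {"mac": mac_acl_permits, "ip": ip_acl_permits}

def evaluate(access_map, frame):
    """Return (seq, action) of the first entry whose match clauses ALL hold."""
    for entry in access_map:
        # every clause present in the entry is AND-ed; an entry with no clause matches all
        if all(fn(entry[k], frame) for k, fn in CLAUSES.items() if k in entry):
            return entry["seq"], entry["action"]
    return None, "drop"  # implicit drop at the end of a VACL

# Constructed ARP frames on VLAN 123: the legitimate host and a forged reply
# from another MAC claiming the same IP address.
HOST_ARP = {"src_mac": "001f.ca08.105c", "ethertype": ETHERTYPE_ARP, "src_ip": "192.168.123.1"}
FORGED_ARP = {"src_mac": "0000.0c12.3456", "ethertype": ETHERTYPE_ARP, "src_ip": "192.168.123.1"}

if __name__ == "__main__":
    for label, amap in (("anti-spoof", ANTI_SPOOF), ("mac-only", MAC_ONLY)):
        for name, frame in (("host ARP", HOST_ARP), ("forged ARP", FORGED_ARP)):
            print(f"{label:10s} {name:10s} -> {evaluate(amap, frame)}")
```

Under the posted map even the legitimate host's ARP falls through to entry 20 and is dropped, which is why the thread ends up at static ARP on every host plus a blanket ARP drop rather than a per-host exemption.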
