Restrict PCs from using static IP addresses using a Cisco 3560 switch

Jun 12th, 2007

Hi


I need some help.

I am a network engineer. Our network uses a DHCP server, but we have admin users with static IP addresses, and these IPs have full access to the whole network (outside, firewall, internet, downloads, etc.).

Some normal users sometimes take these IPs and use them when the admin laptops are off, especially when they need to download files from the internet (the normal users browse the internet through a proxy, but the admin users have direct access to the internet).

If I could map the IP address to the MAC address for the admin users, then anyone who tried to use these IP addresses would not be able to connect to the network.


Can anyone help me restrict these users from using these IPs (VLAN map, access list, MAC, ...)? Our access switches are Cisco 3560.

Our network is one VLAN.


If you need any other information, please tell me.


Thank you


Regards



drolemc Tue, 06/19/2007 - 03:26

I think you are trying to restrict PCs with certain IP addresses from going out to another network. Since the current access list is based on the source IP address of the PCs, it should be applied inbound on VLAN 225. A packet coming from a PC destined for the remote network will have the source IP of the PC and the destination of the remote network; the current ACLs will block the inbound packet by looking at the inbound source IP address. If you put the ACL outbound, the source IP address will be different and it will always pass through with reference to the current ACLs established.

guruprasadr Tue, 06/19/2007 - 04:56

Hi, [PLS RATE if it HELPS]


The best option is to use the "Port Security" feature in Cisco switches.


Configuration commands are as follows:

------------------------------------

Router(config)# interface interface_id
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security
Router(config-if)# switchport port-security maximum value
Note: Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128.
Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
Note: Sets the violation mode and the action to be taken when a security violation is detected.
Router(config-if)# switchport port-security mac-address mac_address
Router(config-if)# end


Show commands:

---------------

Router# show port-security interface interface_id
Router# show port-security address



PLS Rate if Helps ! !


Best Regards,


Guru Prasad R

sabafonsec Tue, 06/19/2007 - 05:07

Thank you


How can I map the IP address to the MAC address?


Regards



guruprasadr Tue, 06/19/2007 - 22:05

HI, [PLS Rate If Helps]


You can follow the steps below.


Another option is to create two VLANs (one for admin users and another for normal users).


For security of the admin users' VLAN (placeholders are in angle brackets):

(config)# interface vlan 1
(config-if)# ip address <ip> <mask>
(config)# mac-address-table static <host mac-address> vlan <vlan#> interface FastEthernet<#>


Map VLANs to switch ports:

----------------------------

# vlan database
(vlan)# vlan <vlan#> name <name>
(config)# interface <type> <#>[.subport]
(config-if)# switchport mode access
(config-if)# switchport access vlan <vlan#>
# debug sw-vlan packets


PLS RATE if Helps


Best Regards,


Guru Prasad R
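A worked configuration that combines the two answers above (port security on each port, plus separate admin and user VLANs) on a Catalyst 3560. This is an added example, not a configuration posted in the thread; the VLAN numbers, port numbers and the MAC address 0011.2233.4455 are constructed values.

```cisco
! Added example, not from the thread, combining Guru Prasad's two answers on a Catalyst 3560.
! VLAN numbers, port numbers and the MAC 0011.2233.4455 are constructed values.
!
! Separate VLANs so a normal-user port never carries the admin subnet
vlan 10
 name ADMIN
vlan 20
 name USERS
!
! Admin port: fixed VLAN, exactly one allowed MAC; any other MAC err-disables the port
interface FastEthernet0/1
 description Admin laptop
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Normal-user ports: fixed VLAN, the first MAC seen is learned and stored ("sticky");
! frames from any other MAC are dropped and counted rather than shutting the port
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Re-enable an admin port automatically five minutes after a violation
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: secure MAC and violation count per port, and any err-disabled ports
! show port-security interface FastEthernet0/1
! show port-security address
! show interfaces status err-disabled
```

Port security ties a MAC to a port, not an IP to a MAC: the protection against a user configuring an admin IP comes from the VLAN split, since a port in VLAN 20 cannot reach VLAN 10's gateway no matter what address the PC is given. Sticky addresses survive a reload only after the running configuration is saved.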

sohail_sarwar Mon, 09/23/2013 - 22:16

Use the command


arp <ip-address> <mac-address> arpa


for example


arp 1.1.1.1 60eb.693b.6ed1 arpa

syedsohailsarwar Tue, 06/19/2007 - 09:53

Hi

Try to use the switchport port-security command on your switch, which binds a switch port to a MAC address, and see whether your IOS supports binding an IP address to the port as well.


regards

JORGE RODRIGUEZ Tue, 06/19/2007 - 10:12

Your problem is very simple to resolve.


Create a Virtual LAN in your core to be used only by admin users, and put your regular users on a different VLAN. This way regular users will not be able to change to the admin static IPs even when the admin users are not connected to the network, because they will be bound to their VLAN membership at the switch port level.


HTH, please rate if this helps


Jorge



