Restrict PC's to use static IP address using cisco switch 3560

Unanswered Question
Jun 12th, 2007
User Badges:


I need some help.

I am a network engineer and our network is using DHCP server but we have admin users have static IP address and these IP's have full access to all network (Outside , Firewall , internet , download....etc).

Some of normal users sometimes they take these IP's and use it when the admin laptops are off they are using these ip's specially when they need to download files from the internet (the normal users are using proxy to browse the internet but the admin users have direct access to the internet ).

If i can map the IP addess to the MAC addess for the Admin users and if any one try to use these ip address he can't connect to the network.

Can any one help me to restrict these users to don't use these IP's by using (VLAN Map, access list, MAC ...) Our access switch are cisco 3560.

Our network is one VLAN.

Any other information please tell me.

Thank you


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
drolemc Tue, 06/19/2007 - 03:26
User Badges:
  • Silver, 250 points or more

I think you are trying to restrict Pc's with certain IP address to go out to another network. Since the current access list is based on source ip address of the PC's it should be applied inbound on the vlan 225. The packet coming from the PC destined for remote network will have source ip of PC and detination of remote network thecurrent ACL s will block the Inbound packet by looking at the inbound source ip address. If you put the ACL as out bound the source ip address will be different and it will always pass through with reference to the current ACL's established.

guruprasadr Tue, 06/19/2007 - 04:56
User Badges:
  • Gold, 750 points or more


Best Option is to use the "Port Security" Feature in CISCO Switches.

Configuration Commands as follows:


Router(config)# interface interface_id

Router(config-if)# switchport mode access

Router(config-if)# switchport port-security

Router(config-if)# switchport port-security maximum value

Note:Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128.

Router(config-if)# switchport port-security violation {protect | restrict | shutdown}

Note:Sets the violation mode and the action to be taken when a security violation is detected.

Router(config-if)# switchport port-security mac-address mac_address

Router(config-if)# end

Show commands:


Router# show port-security interface interface_id

Router# show port-security address

PLS Rate if Helps ! !

Best Regards,

Guru Prasad R

sabafonsec Tue, 06/19/2007 - 05:07
User Badges:

Thank you

How can i map the IP address With the MAC address?


guruprasadr Tue, 06/19/2007 - 22:05
User Badges:
  • Gold, 750 points or more

HI, [PLS Rate If Helps]

You can follow below steps:

Another Options is: Create two VLANs (one for Admin Users & another for Normal users).

For Security of Admin Users VLAN:

(config)#interface VLAN 1

(config-if)#ip address ip mask

(config)#mac-address-table static mac-address of host interface FastEthernet # vlan

Map VLAN to Switch Ports:


#vlan database

(vlan)#vlan vlan# name name

(config)#interface type #[.subport]

(config-if)#switchport mode access

(config-if)#switchport access vlan vlan#

#debug sw-vlan packets

PLS RATE if Helps

Best Regards,

Guru Prasad R

sohail_sarwar Mon, 09/23/2013 - 22:16
User Badges:

Use commad

arp IP address mac-address arpa

for example

arp 60EB-693B-6ED1 arpa

syedsohailsarwar Tue, 06/19/2007 - 09:53
User Badges:


try to use switchport portsecurity command on your switch which binds switch port with mac address and see whether ur IOS supports binding of IP address aswell with the port


JORGE RODRIGUEZ Tue, 06/19/2007 - 10:12
User Badges:
  • Green, 3000 points or more

Your problem is very simple to resolve.

Create a Virtual LAN in your core to only be used by admin users. Then your regular users on a different VLAN. This way regular users will not be able to change static IPs even if the admin users are not connected to the network because they will be bound to their vlan membership at the switch port level.

HTH, please rate if this helps



This Discussion