Switchport security, but at layer-3

Kevin Dorrell
Level 10

I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.

What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.

What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?

Kevin Dorrell

Luxembourg

4 Replies

Kevin Dorrell
Level 10

Bump! Any ideas?

Hello Kevin,

I didn't try it directly, but you could try to use IP Source Guard and DHCP snooping.

Look at the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/dhcp.html

Hope this helps,

Giuseppe

Giuseppe,

Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.

Kevin Dorrell

Luxembourg

Giuseppe,

Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).

The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".

However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!

Thanks.

Kevin Dorrell

Luxembourg
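For readers following Giuseppe's suggestion, here is an added example (not from the thread or the linked Cisco document) of the DHCP snooping plus IP Source Guard configuration on a Catalyst 4500 access port, combined with the layer-2 port security Kevin already uses. VLAN 10, GigabitEthernet1/1 as the uplink and GigabitEthernet2/1 as the user port are assumed values.

```text
! --- Example configuration, assumed VLAN and interface names ---
! DHCP snooping builds the IP-to-MAC binding table that IP Source Guard
! enforces; only the uplink towards the DHCP server is trusted.
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/1
 description uplink towards DHCP server (assumed)
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet2/1
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Layer-2 port security: a second MAC address errdisables the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! IP Source Guard: traffic is forwarded only from the IP/MAC pair learned
 ! via DHCP snooping (or a static binding). A 169.254.x.x or 192.0.0.192
 ! source with the PC's MAC is dropped rather than forwarded, but, as noted
 ! above in the thread, the port stays up (the "restrict"-like behaviour).
 ip verify source vlan dhcp-snooping port-security
!
! Let port-security errdisabled ports recover automatically after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Use `show ip dhcp snooping binding` and `show ip verify source` to confirm that the user port's binding exists and that the filter is active; a rogue address will simply show as dropped traffic, which is the limitation Kevin describes.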
