487 Views | 10 Helpful | 4 Replies

Switchport security, but at layer-3

Kevin Dorrell
Level 10

I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.

What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.

What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?

Kevin Dorrell

Luxembourg

4 Replies

Kevin Dorrell
Level 10

Bump! Any ideas?

Hello Kevin,

I didn't try it directly, but you could try to use IP Source Guard and DHCP snooping.

Look at the following link

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/dhcp.html

Hope this helps.

Giuseppe
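As an added illustration of Giuseppe's suggestion (this is not configuration from the thread or from the linked Cisco guide), here is what a DHCP snooping plus IP Source Guard setup looks like on a Catalyst 4500 running 12.2SG-era IOS. The VLAN number, interface names and rate value are assumptions. Note what it does and does not do: DHCP snooping records which IP/MAC pair each untrusted port legitimately leased, and IP Source Guard then drops IP packets on that port whose source does not match a binding, so a device that self-assigns a 169.254.x.x address is filtered. The port itself is not errdisabled for that; the only errdisable trigger in this feature set is the DHCP packet rate limit.

```cisco
! Added example configuration (not from the thread or the linked guide).
! Assumed topology: user VLAN 10, uplink Gi1/1 toward the DHCP server,
! user access port Gi2/1.
!
! --- DHCP snooping: learn which IP/MAC pair each access port was leased ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
interface GigabitEthernet1/1
 description Uplink toward DHCP server - only trusted ports may send DHCP offers/acks
 switchport mode trunk
 ip dhcp snooping trust
!
! --- User access port: port security at layer 2, IP Source Guard at layer 3 ---
interface GigabitEthernet2/1
 description User PC
 switchport mode access
 switchport access vlan 10
 ! Layer 2: one MAC address, errdisable on violation
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Port is untrusted by default: any DHCP server message arriving here is dropped.
 ! Cap client DHCP packets per second; exceeding the cap errdisables the port
 ! (this reacts to a burst, not to a single DHCP request from a foreign device).
 ip dhcp snooping limit rate 10
 ! Layer 3: forward only IP traffic whose source IP and MAC match a DHCP
 ! snooping binding on this port. A host that shows up as 169.254.2.2 has no
 ! binding, so its packets are dropped - filtered, not shut down.
 ip verify source vlan dhcp-snooping port-security
```

To see what the switch has learned and is enforcing, `show ip dhcp snooping binding` lists the IP/MAC/VLAN/port bindings and `show ip verify source` shows the filter state per interface; a port that sends IP traffic before it has a binding will show up there as filtered rather than as an errdisable event in the log.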

Giuseppe,

Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.

Kevin Dorrell

Luxembourg

Giuseppe,

Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).

The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".

However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!

Thanks.

Kevin Dorrell

Luxembourg
