Prevent Wrong IP Address Assignment

rmujeeb81
Level 1

Dear All,

My query is: what are the possible solutions for preventing wrong IP address assignment in a LAN campus? How can we block an access port if some host manually assigns the gateway's IP address as his PC's IP address, or assigns the IP address of any other important network resource like the DHCP server, etc.?

Regards,

Mujeeb

Accepted Solution

Hello Mujeeb,

>> So how can I force a host (PC) not to use a manual IP address if he is willing to get an IP address dynamically through the switch (DHCP) and tries to assign a wrong IP address?

The combination of the features puts a user who assigns an IP address manually out of the network, because it will not be part of the DHCP binding table.

Hope to help

Giuseppe


12 Replies

Giuseppe Larosa
Hall of Fame

Hello Mujeeb,

Using IP DHCP snooping, IP Source Guard can be a solution.

Another possible solution could be using 802.1X authentication.

See:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dot1x.html

Hope to help

Giuseppe

gnijs
Level 4

Use IP DHCP snooping with ARP inspection.

Using this you can FORCE the use of DHCP so that no static IPs are allowed. It will also block rogue DHCP servers.

I was under the impression that DHCP snooping was only good under the circumstance of a rogue DHCP server inserted into a port. From Mujeeb's question, he wants to know how to prevent a host connecting to the network that has a static address assigned to its workstation. Would DHCP snooping really help in this scenario?

--John

HTH, John *** Please rate all useful posts ***

Ah, I got it. The way that I see it is that you would do as Giuseppe said. You would run DHCP snooping and IP Source Guard. Source guard would compare the MAC address on the port (your statically assigned workstation) to the DHCP snooping database. If the MAC address isn't in there, then source guard drops the packets coming in on that interface.

If you enable DHCP snooping, make sure that you configure a trusted interface if you have a DHCP server. All interfaces are untrusted by default, and they will get put in the err-disabled state if you don't configure the port that the DHCP server is on as trusted.

--John

HTH, John *** Please rate all useful posts ***
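To make the mechanism John describes concrete, here is an added Python simulation of an access switch running DHCP snooping and IP Source Guard. It is not code or configuration from this thread or from Cisco: the port names, MAC and IP addresses and the DHCP message fields are constructed, and the `AccessSwitch` class with its `dhcp_snoop` and `ip_source_guard` methods are the example's own names. The `check_mac` option stands in for the port-security variant of source guard (an assumption about how to model it; plain source guard checks the source IP only). The run shows the three behaviours the replies rely on: a server message entering an untrusted port is dropped (rogue DHCP server), a lease completed through the switch becomes a binding, and a host that never asked DHCP but claims the gateway's address has its IP traffic dropped because no binding exists for its port.

```python
"""Simulated DHCP snooping + IP Source Guard on an access switch.

Added example, not code or configuration from the thread or from Cisco.
Ports, addresses and message fields are constructed.  Modelled behaviour:
  * DHCP server messages (OFFER/ACK/NAK) are accepted only on trusted
    ports; on an untrusted port they are dropped (rogue DHCP server).
  * A lease completed through the switch creates a binding
    (MAC, IP, VLAN, port) in the DHCP snooping binding table.
  * IP Source Guard on an untrusted port forwards an IP packet only if its
    source IP (and, with check_mac, the source MAC) matches a binding
    learned on that port.  Trusted ports are not filtered.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    trusted_ports: set
    bindings: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # client MAC -> (port, vlan) awaiting ACK
    drops: list = field(default_factory=list)

    def dhcp_snoop(self, msg: dict) -> bool:
        """Inspect one DHCP message; return True if the switch forwards it."""
        port = msg["port"]
        if msg["type"] in ("DISCOVER", "REQUEST"):          # client -> server
            if port not in self.trusted_ports:
                self.pending[msg["chaddr"]] = (port, msg["vlan"])
            return True
        # OFFER / ACK / NAK come from a server: only legitimate on a trusted port
        if port not in self.trusted_ports:
            self.drops.append(("rogue-dhcp-server", port, msg["siaddr"]))
            return False
        if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
            client_port, vlan = self.pending.pop(msg["chaddr"])
            self.bindings.add(Binding(msg["chaddr"], msg["yiaddr"], vlan, client_port))
        return True

    def ip_source_guard(self, pkt: dict, check_mac: bool = True) -> bool:
        """Filter an IP packet entering pkt['port']; return True if forwarded."""
        port = pkt["port"]
        if port in self.trusted_ports:
            return True
        for b in self.bindings:
            if b.port == port and b.ip == pkt["src_ip"] and (not check_mac or b.mac == pkt["src_mac"]):
                return True
        self.drops.append(("ip-source-guard", port, pkt["src_mac"], pkt["src_ip"]))
        return False


def run_scenario() -> dict:
    """Constructed campus edge: Gi1/1 uplinks to the DHCP server, PCs on Gi1/2-Gi1/4."""
    sw = AccessSwitch(trusted_ports={"Gi1/1"})
    gw_ip, server_ip = "10.10.10.254", "10.10.10.2"

    # PC A on Gi1/2 obtains 10.10.10.20 through a normal DHCP exchange.
    sw.dhcp_snoop({"type": "DISCOVER", "port": "Gi1/2", "vlan": 10, "chaddr": "aaaa.bbbb.0001"})
    sw.dhcp_snoop({"type": "ACK", "port": "Gi1/1", "chaddr": "aaaa.bbbb.0001",
                   "yiaddr": "10.10.10.20", "siaddr": server_ip})

    # A rogue DHCP server on untrusted Gi1/4 tries to hand out a lease.
    rogue = sw.dhcp_snoop({"type": "OFFER", "port": "Gi1/4", "chaddr": "aaaa.bbbb.0009",
                           "yiaddr": "10.10.10.99", "siaddr": "10.10.10.66"})

    return {
        "pc_a_forwarded": sw.ip_source_guard({"port": "Gi1/2", "src_mac": "aaaa.bbbb.0001", "src_ip": "10.10.10.20"}),
        # PC B on Gi1/3 never asked DHCP and is statically set to the gateway's IP.
        "pc_b_forwarded": sw.ip_source_guard({"port": "Gi1/3", "src_mac": "aaaa.bbbb.0002", "src_ip": gw_ip}),
        # Second device behind PC A's port reusing PC A's IP: caught only by the MAC check.
        "pc_a_clone_forwarded": sw.ip_source_guard({"port": "Gi1/2", "src_mac": "aaaa.bbbb.0003", "src_ip": "10.10.10.20"}),
        "pc_a_clone_ip_only": sw.ip_source_guard({"port": "Gi1/2", "src_mac": "aaaa.bbbb.0003", "src_ip": "10.10.10.20"}, check_mac=False),
        "rogue_offer_forwarded": rogue,
        "bindings": len(sw.bindings),
        "drops": sw.drops,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Run it directly to print the scenario results. Note that IP Source Guard only filters IP traffic; the ARP side of a gateway-IP hijack (the rogue host answering ARP for the gateway address) is what the later replies in this thread address with ARP inspection.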

Hi All,

Thanks for the replies. I had a problem in one of our customer's networks: someone assigned the IP address of the gateway (router) on his PC statically, and after that all traffic was forwarded towards the port on the edge switch where that user was connected.

The LAN setup at the client side is as follows:

- Multiple 3560s on the edge

- 2 x 3750 as distribution/core (providing DHCP services as well)

- 3845 router as gateway

The distribution/core switches are not providing a routing function. These switches work as layer 2 switches and provide IP addresses and the gateway (router IP address) to hosts. So all hosts are supposed to get their IP address dynamically. If I enable DHCP snooping with source guard (I don't want to use manual entries for IP Source Guard), will the IP Source Guard feature use the DHCP binding database to verify incoming traffic? So how can I force a host (PC) not to use a manual IP address if he is willing to get an IP address dynamically through the switch (DHCP) and tries to assign a wrong IP address?

Regards,

Mujeeb

The easiest way is to let the user log on to his computer as a user and not as an administrator, so he can't change anything.

From the network point of view, you can use ARP inspection.

For example, we need to protect the IP address of one VLAN (gateway) from ARP poisoning. So we associate its IP with its real MAC and we deny any other MAC address.

arp access-list arp-inspection
permit ip host 10.10.10.254 mac host 1111.2222.3333 log
deny ip host 10.10.10.254 mac any log
permit ip any mac any
!
ip arp inspection vlan 10
ip arp inspection filter arp-inspection vlan 10 static

Hi,

Can we use ARP inspection if the gateway IP address is actually a virtual IP address (HSRP/VRRP)?

Kindly elaborate on the major differences among the DHCP snooping, IP Source Guard and ARP inspection features. What are the best practices for using these features in a campus network, as individual features or in combination?

Thanks in Advance.

Regards,

Mujeeb

Hello,

I am trying to create a similar configuration on a 6500 without using DHCP snooping. I was told by TAC that this would not work, but it appears okay in my lab. We do not have enough time to fully test DHCP snooping. First I deny any device from responding to an ARP request for the gateway IP, then I deny any device from responding with the MAC address of the gateway. In my testing, any device connected to VLAN 1502 with the IP 10.1.1.65 or MAC address 001d.e510.8ef1 was denied and logged. Unfortunately I do not have the output showing DHCP snooping disabled.

john k

arp access-list AL_VLAN_1502
deny response ip host 10.1.1.65 any mac any any log
deny response ip any any mac host 001d.e510.8ef1 any log
permit ip any mac any
!
ip arp inspection vlan 1502
ip arp inspection filter AL_VLAN_1502 vlan 1502
!
*Nov 7 12:20:08.139 EST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi1/3, vlan 1502.([001d.e513.8ef1/10.1.1.65/001d.e513.8ef1/10.1.1.65/12:20:07 EST Fri Nov 7 2008])
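Added example, not code from the thread, from TAC or from Cisco: a Python model of Dynamic ARP Inspection that parses the two ARP access-lists posted in this thread (the VLAN 10 gateway pin and john k's AL_VLAN_1502) and evaluates constructed ARP packets against them. The names `parse_arp_acl`, `dai_inspect`, `ArpPacket` and `Entry` are the example's own; the PC addresses, the extra host IPs and the port numbers are constructed; and the replies from SVI 1502 are modelled as a trusted source, on the assumption that ARP the switch itself generates is never ingress on an untrusted port. Only the `any` and `host X` address forms of the ACL syntax are parsed; the mask forms are left out.

```python
"""Model of Dynamic ARP Inspection driven by an ARP access-list.

Added example, not code from the thread or from Cisco.  Assumed behaviour:
DAI inspects ARP only on untrusted ports (the switch's own SVI replies are
treated as a trusted source); entries match top-down, `request`/`response`
limit an entry to one opcode, ip/mac fields are (sender, target) with an
omitted target meaning any; on no match, `static` drops and otherwise the
DHCP snooping bindings decide.  Only `any` and `host X` forms are parsed.
"""
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "port opcode sender_ip sender_mac target_ip target_mac")
Entry = namedtuple("Entry", "action opcode ips macs log")   # ips/macs = (sender, target); None = any


def _specs(t, i, stop):
    """Parse up to two address specs (`any` | `host X`) until a stop word."""
    specs = []
    while i < len(t) and t[i] not in stop and len(specs) < 2:
        if t[i] == "any":
            specs.append(None); i += 1
        elif t[i] == "host":
            specs.append(t[i + 1].lower()); i += 2
        else:
            raise ValueError(f"unsupported address form: {t[i]!r}")
    return tuple(specs + [None] * (2 - len(specs))), i


def parse_arp_acl(text: str) -> list:
    """Parse the body lines of an `arp access-list` into Entry tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("arp", "!"):      # skip the header and comment lines
            continue
        action, i, opcode = t[0], 1, None
        if t[1] in ("request", "response"):
            opcode, i = t[1], 2
        if t[i] != "ip": raise ValueError(line)
        ips, i = _specs(t, i + 1, {"mac"})
        if t[i] != "mac": raise ValueError(line)
        macs, i = _specs(t, i + 1, {"log"})
        entries.append(Entry(action, opcode, ips, macs, i < len(t) and t[i] == "log"))
    return entries


def _m(spec, value):
    return spec is None or spec == value.lower()


def dai_inspect(pkt, acl, static, bindings, trusted, log) -> bool:
    """Return True if DAI forwards the ARP packet, False if it drops it."""
    if pkt.port in trusted:
        return True
    for e in acl:
        if e.opcode and e.opcode != pkt.opcode:
            continue
        if (_m(e.ips[0], pkt.sender_ip) and _m(e.ips[1], pkt.target_ip)
                and _m(e.macs[0], pkt.sender_mac) and _m(e.macs[1], pkt.target_mac)):
            if e.log:   # constructed message, loosely after the %SW_DAI-4-ACL_DENY line
                log.append(f"ACL_{e.action.upper()} {pkt.opcode} on {pkt.port} "
                           f"[{pkt.sender_mac}/{pkt.sender_ip}]")
            return e.action == "permit"
    return False if static else (pkt.sender_mac.lower(), pkt.sender_ip) in bindings


VLAN10_ACL = """
arp access-list arp-inspection
 permit ip host 10.10.10.254 mac host 1111.2222.3333 log
 deny ip host 10.10.10.254 mac any log
 permit ip any mac any
"""
VLAN1502_ACL = """
arp access-list AL_VLAN_1502
 deny response ip host 10.1.1.65 any mac any any log
 deny response ip any any mac host 001d.e510.8ef1 any log
 permit ip any mac any
"""


def run_vlan10() -> dict:
    """Gateway router on untrusted Gi1/1; ACL applied with `static` (no binding fallback)."""
    acl, log = parse_arp_acl(VLAN10_ACL), []
    def reply(port, sip, smac):   # ARP response addressed to constructed host 10.10.10.20
        return dai_inspect(ArpPacket(port, "response", sip, smac, "10.10.10.20", "aaaa.bbbb.0020"),
                           acl, True, set(), set(), log)
    return {"real_gateway": reply("Gi1/1", "10.10.10.254", "1111.2222.3333"),
            "spoofed_gateway": reply("Gi1/7", "10.10.10.254", "dead.beef.0007"),
            "other_host": reply("Gi1/8", "10.10.10.30", "aaaa.bbbb.0030"),
            "log": log}


def run_vlan1502() -> dict:
    """Gateway 10.1.1.65 is SVI 1502 on the switch itself; no `static`, empty bindings."""
    acl, log = parse_arp_acl(VLAN1502_ACL), []
    def arp(port, op, sip, smac, tip="10.1.1.65", tmac="0000.0000.0000"):
        return dai_inspect(ArpPacket(port, op, sip, smac, tip, tmac), acl, False, set(), {"SVI1502"}, log)
    pc = ("10.1.1.10", "aaaa.bbbb.0010")   # constructed newly added PC
    return {"pc_request": arp("Gi1/3", "request", *pc),
            "svi_reply": arp("SVI1502", "response", "10.1.1.65", "001d.e510.8ef1", *pc),
            "spoofed_ip_reply": arp("Gi1/3", "response", "10.1.1.65", "001d.e513.8ef1", *pc),
            "spoofed_mac_reply": arp("Gi1/5", "response", "10.1.1.77", "001d.e510.8ef1", *pc),
            # a gateway router on an untrusted access port would hit entry 1 as well
            "router_on_access_port": arp("Gi1/9", "response", "10.1.1.65", "001d.e510.8ef1", *pc),
            "log": log}
```

Two things the run shows that the ACL text alone does not. With AL_VLAN_1502 the first entry denies every response whose sender IP is the gateway address, so in this model it only works because the gateway is the switch's own SVI: a gateway router hanging off an untrusted port would be denied as well, which is exactly the test Giuseppe asks for further down. And the `log` keyword on the deny entries is what produces a log line for each denied spoof, like the %SW_DAI-4-ACL_DENY message above.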



Hello John,

The question is: can a newly added PC get an ARP response from the legitimate gateway, which is SVI 1502?

This is the test to be performed.

If the result is fine, you will be able to protect the default gateway identity on the VLAN.

Otherwise you have a non-working solution.

Hope to help

Giuseppe

In my testing, I found this to be true. A newly added PC will get an ARP response from the legitimate gateway. Testing is ongoing.

Thanks Giuseppe!

John k
