switch problem

csc010854800
Level 1

Somebody has put a broadband connection in my network of 30 switches. PCs are getting IPs in the 192.160.x.x range through DHCP, and DNS of MTNL. Can I put an ACL on the Layer 2 switches to block this range of IPs and allow the 10.x.x.x series? Kindly suggest the ACL.

6 Replies

a.alekseev
Level 7

I don't have a DHCP server. We are using static IP addresses.

I need to block the 192.168.x.x series of IPs on my switch. What will be the ACL?

! standard ACL 1: deny the whole 192.168.0.0/16 block and log matches, permit everything else
access-list 1 deny 192.168.0.0 0.0.255.255 log

access-list 1 permit any

! apply it inbound on the SVI (a standard ACL is applied with "ip access-group")
interface vlan 1

 ip access-group 1 in

Don't you think this access-list should be applied on the uplink port and not to VLAN 1?

If so, kindly suggest the reason for that.

Interface VLAN 1 is only for management. Is there any other purpose of that interface VLAN 1?

Tony.henry
Level 1

Yangesh,

I don't think you can block layer 3 problems with a layer 2 device. Your best bet would be to hunt down the DHCP server and disable it from the switch.

1. Determine the IP address of the server (from a client machine).

2. Log onto the switch and determine the MAC address of the server with show ip arp; you may need to ping the server first.

3. Hunt down the MAC address using commands like show mac address-table dynamic.

4. Find out where the server plugs in and figure out if you can find the owner. Make sure you don't do this on a switch uplink, as you might disable that arm of the network.

The fact that the users are supposed to be statically assigned and have started to change their SOEs means you have a few bigger problems anyway. Why are they changing their systems from static to dynamic? What new service is this server giving that they need?

Good Luck

Tony
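Steps 2 to 4 above, as an added example that is not part of the thread: a small Python helper that parses constructed "show ip arp" and "show mac address-table dynamic" output, maps the rogue server's IP to its MAC and then to the learning port, and flags the port if it is an uplink so that arm of the network is not shut down. The sample output, the port names and the UPLINK_PORTS set are assumptions for the demonstration.

```python
import re

# Constructed sample output in the layout IOS prints; not captured from any real switch.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.1             3   00aa.bbcc.dd01  ARPA   Vlan1
Internet  192.168.1.50            0   00aa.bbcc.dd02  ARPA   Vlan1
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    00aa.bbcc.dd01    DYNAMIC     Fa0/7
   1    00aa.bbcc.dd02    DYNAMIC     Gi0/1
   1    0011.2233.4455    STATIC      CPU
"""

# Assumed uplink ports: a MAC learned here lives behind another switch, so this
# port must not be disabled (step 4 in the reply above).
UPLINK_PORTS = {"Gi0/1", "Gi0/2"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+(\w+)\s+(\S+)", re.M)

def arp_lookup(arp_output, ip):
    """Step 2: resolve the server's IP to a MAC from 'show ip arp' output."""
    for addr, mac in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac
    return None  # no ARP entry yet: ping the IP first so the switch learns it

def mac_lookup(mac_output, mac):
    """Step 3: find the VLAN and port that learned the MAC."""
    for vlan, m, _typ, port in MAC_RE.findall(mac_output):
        if m == mac:
            return int(vlan), port
    return None

def locate(ip, arp_output, mac_output, uplinks=UPLINK_PORTS):
    """Steps 2-4 together: (mac, vlan, port, is_uplink), or None if not found."""
    mac = arp_lookup(arp_output, ip)
    hit = mac_lookup(mac_output, mac) if mac else None
    if hit is None:
        return None
    vlan, port = hit
    return mac, vlan, port, port in uplinks
```

On a real network the two strings would be replaced by the output of the two show commands, and a result with is_uplink set means repeating the lookup on the neighbouring switch rather than touching that port.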

hobbe
Level 7

If you are using static addresses then you do not have a problem that affects your working system.

However, I can see how this could be quite a nuisance, so if you do want to get rid of the problem per se, hunt down the offender.

I know that I would.

An ACL will not work unless you either install it on every port, or you find the offending device and add the access-list to the same interface the device is on, on the outgoing traffic of that interface, i.e. the traffic moving towards the device from the interface.

So depending on what switch you have, it might not be possible to add an access-list in both ingress and egress; most only support ingress.

What type of switches do you have?

Depending on the model and type, there are different commands available to track the offender.

In my world, adding a device such as yours is a strictly forbidden offence and grounds for firing someone.

It could be used to let hackers in and/or as a means to control a PC in the network from the internet.
