Catalyst switch 2960 configuration

hraghav
Level 1

Hello Friends,

I have a very different requirement to be configured on the 24-port Catalyst switch. Switch details are given below:

C2960-LANBASEK9-M, Version 12.2(53)SE1, RELEASE SOFTWARE (fc2).

An IP address assigned to a user should not be used by others, and the assigned IP address should be bound to the MAC address of the client laptop on one of the switch ports. Any user who tries to use an address other than the assigned IP address should be blocked. The user should communicate only through his approved MAC address and given IP. Changing either of them should be blocked. The maximum number of users connected to this port is approximately 350.

Is it possible to configure the above requirement through the switch IOS? If yes, please tell me how to do it or post the URL.

Please guide me on how to achieve this.

Regards,

Raghavan.

8 Replies

u1kumar2002
Level 1

Hi,

I would like to suggest you use 802.1x for this. Many companies use the 802.1x authentication process to authenticate network access for laptop users.

For more detailed information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuration/guide/Sw8021x.html

Uttam

Thank you, Sri Uttam. Yes, using RADIUS is one possibility.

Is it possible to achieve this using the switch IOS?

Regards,

Raghavan.

Yes, you can do it on this switch. Please ensure your IOS supports these features.

I also provided the configuration link in my last post.

First you have to host a server; it can be RADIUS or TACACS. Then you can configure 802.1x authentication on the switch.

It will work fine.

If your query is resolved, please rate...

Uttam

Sorry, my message was not clear. I mean, is it possible to achieve the configuration on the switch without using any external hardware or software? Use only the switch IOS to get the complete functionality.

By using Cisco IOS, you can configure usernames and passwords and enable 802.1x authentication local.

Then authentication will be done locally.

But you can't get full flexibility, such as user-based VLAN assignment.

cmd: aaa authentication dot1x default local

Do rate if the post helped you.

Uttam

I think I am missing the key information. The users' traffic is aggregated to a single port on the switch. The port where the users' traffic is arriving is to be configured for MAC and IP binding.

Their packets should be dropped if the MAC and IP do not match. If they match, the traffic should be passed on to the uplink port for further transmission.

User authentication locally is fine. We don't want to authenticate users through RADIUS or through the switch. What is required is the configuration we have to make on the switch for that particular port to check for IP and MAC binding (no external RADIUS/hardware).

The switch has to pass the packets if the condition is satisfied, else drop the packets. If the condition matches, forward the packets to the uplink port for further transmission.

Hi,

You can configure it as described in the previous post. Configure the username and password locally and enable 802.1x authentication default, and then configure the client on the laptops of those who want to connect to the switch. Then the client will communicate with the switch; if the switch authenticates it locally, it will provide access to the network.

Try it and then update me... before that, go through the documentation which I provided you earlier.

Uttam

Hi Raghav,

IP Source Guard can be used to meet your requirements. You can bind an IP address and a MAC address, and only the frames with that IP and MAC will be accepted; the rest are dropped. Mostly this feature is used along with the DHCP binding database, but you can have a static IP-to-MAC binding as well.

Please check the link below:

http://origin-www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/ipsrcgrd.pdf

I think this may meet your requirements.

Hope this helps.

Arun
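
The static IP-to-MAC bindings suggested in the reply above have to be entered once per host, which is error-prone at roughly 350 users. The sketch below is an added example, not part of the original thread or of Cisco's documentation: it validates an inventory and emits the IOS `ip source binding` and `ip verify source port-security` lines. The VLAN number, interface name and sample addresses are constructed assumptions, and whether the poster's image and hardware support this many bindings is not confirmed by the thread.

```python
import ipaddress
import re

# Constructed sample inventory (IP, MAC); not data from the thread.
SAMPLE_INVENTORY = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("192.0.2.11", "0011.2233.4466"),
    ("192.0.2.12", "00-11-22-33-44-77"),
]

def to_ios_mac(mac):
    """Normalise a MAC in any common notation to IOS dotted form (H.H.H)."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_bindings(inventory, vlan, interface):
    """Return one static binding line per host.

    Rejects an IP or MAC that appears twice, since a duplicate would let
    two hosts share one approved identity.
    """
    seen_ip, seen_mac, lines = set(), set(), []
    for ip, mac in inventory:
        ip = str(ipaddress.IPv4Address(ip))  # raises ValueError on a bad address
        mac = to_ios_mac(mac)
        if ip in seen_ip or mac in seen_mac:
            raise ValueError(f"duplicate entry: {ip} / {mac}")
        seen_ip.add(ip)
        seen_mac.add(mac)
        lines.append(f"ip source binding {mac} vlan {vlan} {ip} interface {interface}")
    return lines

def build_config(inventory, vlan=10, interface="GigabitEthernet0/1"):
    """Static bindings plus the interface commands that filter on IP and MAC."""
    bindings = build_bindings(inventory, vlan, interface)
    return bindings + [
        f"interface {interface}",  # assumed name of the aggregation port
        " switchport port-security",
        # One secure MAC per bound host; check the platform's allowed range.
        f" switchport port-security maximum {len(bindings)}",
        " ip verify source port-security",
    ]

if __name__ == "__main__":
    print("\n".join(build_config(SAMPLE_INVENTORY)))
```

Review the generated lines before pasting them into configuration mode, and test on a single host first so a wrong binding does not cut off every user behind the port.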
