I am setting up an ASA5505 for a pilot home office, defining a business vlan and a personal vlan. I have set up the DHCP scopes for both vlans, but I need to be able to only permit specific mac-addresses to receive a DHCP address from the business vlan. On an 871 router I can use the mac or "client-identifier" command. Is there a way to do this on the ASAs?
You then need to enable arp inspection with the no-flood keyword. This will mean that all arp entries will be dropped unless they are statically configured. This will lock out all other hosts other than those that you have configured.
Thanks, that is a clever workaround; however, I don't think this will be a viable solution for us, as the mac addresses for the devices connecting to the personal vlan will be unknown and subject to frequent change.
To clarify, I need to set up the ASA so that:
1) It provides Business vlan DHCP assigned IP addresses only to specific static mac defined devices attached to ports in the Business vlan.
2) It provides Personal vlan DHCP assigned IP addresses to any devices attached to ports in the Personal vlan.
3) It prevents any non static mac defined devices from obtaining a DHCP address on the business vlan.
I will read the URLs you linked more closely and see what/if I am missing something.
Unfortunately the TAC engineer I spoke with said this will not provide the solution I am after in so far as the ASA assigned DHCP addresses to specific MACs. I would have to statically configure each IP address on the devices that I wish to have access to the Business LAN and subject to the static arp/arp inspection.
If you can elaborate on your solution I can share it with the TAC engineer.
In parallel I have requested our account team submit a Feature Request for this capability in future ASA code releases.