New Member

Deny device by IP on switch port.

Is there a method of preventing a device with an IP address of 172.25.*.1 (* = any number) from being allowed on the network? The problem I am facing is the end user incorrectly configuring a device and using the .1 gateway address. We run DHCP and have multiple VLANs.

I have thought about 802.1x but then all the devices must run a supplicant/client in order to connect and some devices are not capable of doing this.

The ideal solution would be the ability to detect the fraudulent gateway address on the edge port and disable the port.


Re: Deny device by IP on switch port.

What kind of switch do you use?

New Member

Re: Deny device by IP on switch port.

3548, 3550, 2950 & 2960's are the edge switches.

Re: Deny device by IP on switch port.

The best way to achieve this would be to block ARP for hosts with this address. The ARP filter below blocks ARP from hosts using the 172.25.X.1 range (on VLAN 1-100) but permits others. I think this syntax is correct but would suggest you test before using it!

arp access-list TEST

deny ip mac any

permit ip any mac any

ip arp inspection filter TEST vlan 1-100

New Member

Re: Deny device by IP on switch port.

How about something like this?:

Switch(config)#ip access-list standard 50


Switch(config-std-nacl)#permit any

Switch(config)#int range fa0/1 - 24

Switch(config-if-range)#ip access-group 50 in

sh run... (example)

interface FastEthernet0/20

switchport access vlan 6

ip access-group 50 in

spanning-tree portfast

Placing an access-list on the router would be a better solution if you have access to the router or High End switch with a switching module like the 6509 series.

Re: Deny device by IP on switch port.

I don't think blocking all traffic on 172.16/16 is the solution. How will hosts send traffic (remember the hosts have a source on this network)?
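The difference between the two approaches in this thread comes down to the wildcard mask, shown here as an added example that is not part of any post. It models IOS-style first-match ACL evaluation on sender IP only; the two entries (`172.25.0.1 0.0.255.0` for 172.25.X.1, and `172.25.0.0 0.0.255.255` for the whole range) and the sample addresses are constructed assumptions, not values taken from the thread.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """IOS-style match: bits set to 1 in the wildcard mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, sender_ip):
    """Return the action of the first matching entry (implicit deny at end)."""
    for action, base, wildcard in acl:
        if wildcard_match(sender_ip, base, wildcard):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")

# Constructed entry: only the last octet (.1) and the 172.25 prefix are
# compared; the third octet is ignored, so this is 172.25.X.1.
GATEWAY_ONLY_ACL = [("deny", "172.25.0.1", "0.0.255.0"), ("permit", *ANY)]

# Constructed entry: the last two octets are ignored, so every host in
# 172.25.0.0/16 matches, which is the objection raised in the last reply.
WHOLE_RANGE_ACL = [("deny", "172.25.0.0", "0.0.255.255"), ("permit", *ANY)]

# Constructed sample sender addresses.
SENDERS = [
    "172.25.6.1",     # end device misconfigured with the gateway address
    "172.25.6.57",    # ordinary DHCP client
    "172.25.10.1",    # gateway address in another VLAN
    "172.25.10.101",  # ends in ...01 but the last octet is 101, not 1
    "172.25.1.11",    # third octet is 1, last octet is 11
    "10.1.1.1",       # outside 172.25/16
]

def denied(acl, senders=SENDERS):
    """List the sender addresses the ACL would drop."""
    return [s for s in senders if evaluate(acl, s) == "deny"]

if __name__ == "__main__":
    print("0.0.255.0   denies:", denied(GATEWAY_ONLY_ACL))
    print("0.0.255.255 denies:", denied(WHOLE_RANGE_ACL))
```

The match is on the sender address alone, so the legitimate gateway's own 172.25.X.1 packets match the deny entry as well.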