08-13-2009 07:22 AM - edited 03-06-2019 07:14 AM
Can these two Cisco switch security features effectively prevent a host with a statically assigned IP address from accessing the network?
Thanks
08-13-2009 08:54 AM
IP Source Guard needs the DHCP snooping database, which is built upon receiving DHCP discoveries from the host. Since the host won't ask for an IP, there is not going to be an entry in the snooping database, so all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping process. When a client receives a valid IP address from the DHCP server, or when a static IP source binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the port. Again, no DHCP process is initiated by the host, so all non-DHCP traffic will be blocked.
Switch(config)# ip dhcp snooping
Switch(config)# interface fa6/1
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
You can also enable ARP inspection (but it is only possible on the whole VLAN) to prevent this host from sending ARP replies, so no one will be able to communicate with it.
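The behaviour described in the answer above, as an added Python model (not from the thread and not Cisco's code): a binding table fed either by DHCP snooping or by static entries, and the per-port check that forwards only DHCP or traffic whose source IP matches a binding for that port and VLAN. Port name, VLAN and addresses are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (learned or static)."""
    ip: str
    mac: str
    vlan: int
    port: str

class IpSourceGuard:
    """Models the per-port filter (PVACL) IP Source Guard installs: on a guarded
    port only DHCP, or IP traffic whose source matches a binding for that
    port and VLAN, is forwarded."""
    def __init__(self):
        self.bindings = set()
        self.guarded_ports = set()

    def enable(self, port):
        self.guarded_ports.add(port)   # 'ip verify source' on an untrusted port

    def learn_dhcp_lease(self, ip, mac, vlan, port):
        self.bindings.add(Binding(ip, mac, vlan, port))   # snooping saw a lease

    def add_static_binding(self, ip, mac, vlan, port):
        self.bindings.add(Binding(ip, mac, vlan, port))   # admin-configured entry

    def permits(self, port, vlan, src_ip, is_dhcp=False):
        if port not in self.guarded_ports:
            return True   # unguarded port: no filtering
        if is_dhcp:
            return True   # DHCP always passes so a host can still obtain a lease
        # IP-only check, as with 'ip verify source vlan dhcp-snooping'
        return any(b.port == port and b.vlan == vlan and b.ip == src_ip
                   for b in self.bindings)

def demo():
    """Constructed scenario: static and DHCP hosts on guarded port fa6/1, VLAN 10."""
    isg = IpSourceGuard()
    isg.enable("fa6/1")
    r = {}
    r["static_host_before"] = isg.permits("fa6/1", 10, "10.0.0.50")
    r["dhcp_discover"] = isg.permits("fa6/1", 10, "0.0.0.0", is_dhcp=True)
    isg.learn_dhcp_lease("10.0.0.20", "00:11:22:33:44:55", 10, "fa6/1")
    r["dhcp_host_after_lease"] = isg.permits("fa6/1", 10, "10.0.0.20")
    r["spoofed_ip_same_port"] = isg.permits("fa6/1", 10, "10.0.0.99")
    isg.add_static_binding("10.0.0.50", "aa:bb:cc:dd:ee:ff", 10, "fa6/1")
    r["static_host_after_binding"] = isg.permits("fa6/1", 10, "10.0.0.50")
    return r
```

The static host is dropped until an administrator adds a static binding for it, while the DHCP host is admitted as soon as snooping records its lease.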
08-13-2009 09:38 AM
Thanks