How to block MAC when the IP is already assigned to a different MAC address

Anand Narayana
Level 6

Hi,

Here is the scenario: my laptop is assigned the IP 172.16.1.1 and its MAC address is 'abcd.efgh.ijkl'. Now, is there a way that if a different MAC address '1234.5678.9012' is assigned my IP 172.16.1.1 while I am not in the office, it should not be able to access the network, and of course if assigned a different IP such as 172.16.1.2 it should be able to access? I tried 'arp 172.16.1.1 abcd.efgh.ijkl arpa' on my core switch (3750), but no luck. :-(

13 Replies

devils_advocate
Level 7

Are you using Static IP addressing or Dynamic (DHCP)?

My laptop gets its IP assigned from the Windows DHCP server, but the other user assigns the IP statically when I am away from the office, so I wanted to prevent the use of my IP, i.e. only when my IP and MAC match should the switch allow access; otherwise it has to block those who try to assign my IP statically on their PCs.

mfurnival
Level 4

Well that is the right command:

#arp

What do you mean by no luck? Is it that it does not accept the command, or that it does not solve the problem? If it is the latter, how is this evident?

The command is correct, but when the other user tries to add my IP on his PC, it still works.

Unless you use Windows Group Policies, you can't stop him assigning the address, but you can influence how your switches deal with packets destined to the IP address. The ARP cache holds information on which IP address relates to which MAC address. When a switch needs to forward a packet destined to 172.16.1.1 it looks in the ARP cache to see what the MAC address is. Once it has this, it can forward the frame out of the relevant port using information from the CAM table.

By adding a static MAC address entry on your switch, you can prevent the switch from adding a dynamic ARP entry when the other device tries to use your IP.

So the command "arp ... arpa" would suffice, wouldn't it?

Is your core switch doing your Routing between Vlans?

Try this on the core switch:

#show ip arp 172.16.1.1

It should show your MAC address.

Yes, my core switch (3750) does the routing between the VLANs. And right now, yes, I did a "show ip arp 172.16.1.1" and it displays my MAC address.

That should work then.

You could test it using a second PC: pull yours off the network, assign the same IP address that you use to the second PC, and see if that computer can access the network.

Hi, use arpa to bind the MAC on the switch:

arp x.x.x.x abcd.defg.ghij arpa

Please implement this first on your gateway switch. Meaning: the IP that you have mentioned must have a default gateway on some switch or router, so implement this on that gateway device.

***Do rate helpful posts***

Jawad

Still no luck. :-(

Right, let's go into a bit more depth.

On the L3 gateway device for your network (i.e. what your PC uses as its default gateway) do this:

#ping 172.16.1.1

#show ip arp 172.16.1.1

#show mac address-table address <MAC shown by the previous command>

This should show you your PC MAC address.

Now disconnect your PC, connect your other PC, try to set its IP address to 172.16.1.1, and then repeat the steps above. Please do all that and post the results here.

By the way, the L3 device mentioned above is where you should have your static arp entry defined.

Hi,

To accomplish your goal, it is best to enforce DHCP as the sole source of IP addresses, and in this way deny the use of statically assigned IP addresses. The simplest method is to use DHCP snooping and Dynamic ARP Inspection. DHCP snooping will build a table of devices that have requested and received IP addresses from the DHCP server; Dynamic ARP Inspection will then only allow devices that have been assigned addresses via DHCP to access the network.

So any statically assigned addresses will be denied access at the port, unless you set the port to be a trusted port, which will override this security feature at the port level.

Now you may create a reservation on the DHCP server for your PC and nobody can gain access to the network using your IP address in your absence. Do this in stages, because any current statically assigned devices will be denied access when Dynamic ARP Inspection is enabled.

Enable DHCP Snooping

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dhcpsnoop.html

Configure the interface that connects to the DHCP server or any devices intended to use static IP addresses.

All other ports are untrusted by default.

conf t
 ip dhcp snooping
 interface type slot/port
  ip dhcp snooping trust
 end

Enable Dynamic ARP Inspection

http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_arpinspect.html#wpxref69949

conf t
 ip arp inspection vlan vlan# dhcp-bindings all
 end

Configure the interface that connects to the DHCP server or any device that intentionally uses a static IP address.

All other ports are untrusted by default.

conf t
 interface type slot/port
  ip arp inspection trust
 end


Cheers,

Brian
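The DHCP snooping plus Dynamic ARP Inspection behaviour Brian describes, modelled as an added Python example (this is not code from the original thread and not Cisco's implementation). It assumes a VLAN 10, an uplink Gi1/0/48 to the DHCP server marked trusted, and made-up port names, MACs and addresses; the OP's 'abcd.efgh.ijkl' is not valid hex, so a hex MAC stands in for the laptop. The model builds a binding table from DHCP ACKs seen on a trusted port and then checks the sender MAC/IP of each ARP frame on an untrusted port against it, which is the check that drops a colleague who statically configures your address.

```python
"""Toy model of DHCP snooping feeding Dynamic ARP Inspection (DAI).

Constructed example: a switch records (MAC, IP, VLAN, port) bindings from
DHCP ACKs that arrive on a trusted port, then validates ARP frames from
untrusted ports against those bindings. All ports, MACs and IPs are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: who legitimately holds which IP, and where."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpFrame:
    """The fields DAI validates: sender MAC/IP plus the VLAN and ingress port."""
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str


def norm_mac(mac: str) -> str:
    """Normalise 'AB:CD:EF:01:23:45', 'abcd.ef01.2345' or 'abcd-ef01-2345' to 12 hex chars."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return hexdigits


class Switch:
    def __init__(self, dai_vlans):
        self.dai_vlans = set(dai_vlans)   # 'ip arp inspection vlan N'
        self.trusted_ports = set()        # 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.bindings = {}                # (vlan, ip) -> Binding
        self.drops = []                   # frames DAI rejected, for the log

    def trust(self, port: str) -> None:
        self.trusted_ports.add(port)

    def dhcp_ack(self, server_port: str, client_mac: str, client_ip: str,
                 vlan: int, client_port: str) -> bool:
        """DHCP snooping: only ACKs arriving on a trusted port create a binding.
        An ACK from an untrusted port (a rogue DHCP server) is ignored."""
        if server_port not in self.trusted_ports:
            return False
        self.bindings[(vlan, client_ip)] = Binding(norm_mac(client_mac), client_ip, vlan, client_port)
        return True

    def inspect_arp(self, frame: ArpFrame) -> bool:
        """Return True if the frame is forwarded, False if DAI drops it."""
        if frame.vlan not in self.dai_vlans or frame.ingress_port in self.trusted_ports:
            return True               # not inspected: VLAN not enabled or port trusted
        binding = self.bindings.get((frame.vlan, frame.sender_ip))
        # Sender IP must have a DHCP binding and the sender MAC must match it.
        # (The port is kept in the binding but not checked in this simplified model.)
        if binding is None or binding.mac != norm_mac(frame.sender_mac):
            self.drops.append(frame)
            return False
        return True


def run_scenario() -> dict:
    """Walk through the thread's scenario and return each outcome by name."""
    sw = Switch(dai_vlans={10})
    sw.trust("Gi1/0/48")              # uplink towards the Windows DHCP server (assumed)

    # The laptop obtains 172.16.1.1 via DHCP (a reservation) on Gi1/0/5.
    sw.dhcp_ack("Gi1/0/48", "abcd.ef01.2345", "172.16.1.1", 10, "Gi1/0/5")

    r = {}
    # 1. The legitimate laptop ARPs: matches its binding, forwarded.
    r["laptop_dhcp"] = sw.inspect_arp(ArpFrame("abcd.ef01.2345", "172.16.1.1", 10, "Gi1/0/5"))
    # 2. A colleague statically configures 172.16.1.1 while you are away: MAC mismatch, dropped.
    r["rogue_takes_your_ip"] = sw.inspect_arp(ArpFrame("1234.5678.9abc", "172.16.1.1", 10, "Gi1/0/7"))
    # 3. The same colleague statically configures a free address: no binding at all, dropped.
    r["rogue_static_other_ip"] = sw.inspect_arp(ArpFrame("1234.5678.9abc", "172.16.1.2", 10, "Gi1/0/7"))
    # 4. Once the colleague gets 172.16.1.2 from DHCP, a binding exists and ARP is forwarded.
    sw.dhcp_ack("Gi1/0/48", "1234.5678.9abc", "172.16.1.2", 10, "Gi1/0/7")
    r["colleague_via_dhcp"] = sw.inspect_arp(ArpFrame("1234.5678.9abc", "172.16.1.2", 10, "Gi1/0/7"))
    # 5. A static host behind a port marked trusted bypasses inspection entirely.
    sw.trust("Gi1/0/9")
    r["static_on_trusted_port"] = sw.inspect_arp(ArpFrame("00aa.bbcc.dd01", "172.16.1.50", 10, "Gi1/0/9"))
    # 6. A DHCP ACK seen on an untrusted port creates no binding.
    r["rogue_dhcp_server_ignored"] = not sw.dhcp_ack("Gi1/0/7", "00aa.bbcc.dd02", "172.16.1.60", 10, "Gi1/0/7")
    r["drops"] = len(sw.drops)
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Case 3 is the caveat Brian raises: with DAI on and no trusted port, a host that statically configures even an unused address is dropped, so anyone who needs a static address has to sit behind a trusted port or get a DHCP reservation instead.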
