You can use the switchport port-security maximum to prevent such things. For e.g. we have a PC connected via an IP phone, so we require 2 IPs to be released for the same port, so we can set port-security maximum as 2. If we have only data/voice then we can set it as 1. I am not sure if this helps for your requirement.
Even if we have port security maximum configured, it will not prevent DHCP pool exhaustion. For example:
The DHCP server assigns an IP address based on the client hardware address in the DHCP discover message. As long as the DHCP server receives different MAC addresses in the client hardware address field, it assigns IP addresses.
With the above concept in mind, let's consider an example to see if port security could prevent DHCP pool exhaustion.
h1------ f1/1----Sw-----Dhcp server.
h1's MAC address is mac1.
Sw has port security enabled on f1/1 allowing only mac1 and maximum MAC addresses 1.
h1 is a rogue host. Various tools can be used to generate DHCP discover messages each with a different MAC address in the client hardware address field.
Rogue h1 creates a DHCP discover message with the client MAC address field set to mac2.
Next h1 simply encapsulates the DHCP message in an IP packet which is then encapsulated in an Ethernet frame with src mac = mac1 (the MAC address of h1).
Sw receives the frame. Sw does not find anything odd, as the MAC address in src mac indeed matches the MAC address allowed by port security on f1/1.
Sw simply forwards the frame to the DHCP server.
The DHCP server looks at the client MAC address field, finds it is a different MAC address and assigns an IP address.
The rogue can continue to craft such DHCP discover messages, each time with a different spoofed MAC address, thereby causing DHCP pool exhaustion.
In a nutshell, port security alone cannot prevent DHCP pool exhaustion.
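The following is an added simulation, not code from the thread or from any Cisco product, that walks through the scenario above: port security on f1/1 checks only the Ethernet source MAC, while the server keys leases on the DHCP client hardware address (chaddr), so discovers whose chaddr is varied while the source MAC stays mac1 pass port security and drain the pool. It also shows the check a defender adds on top of port security, modelled on DHCP snooping's MAC verification (on Cisco IOS this is `ip dhcp snooping verify mac-address`): a discover arriving on an untrusted port is dropped when its chaddr does not match the frame's source MAC. The topology, MAC names (mac1, mac2, ...), pool size and address range are constructed for the example.

```python
"""Toy model: port security vs. DHCP pool exhaustion by chaddr spoofing (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame carrying a DHCP DISCOVER, reduced to the two fields that matter here."""
    src_mac: str   # Ethernet source MAC: the only thing port security looks at
    chaddr: str    # client hardware address in the DHCP payload: what the server keys leases on


class DhcpServer:
    """Minimal DHCP server: one lease per distinct chaddr, handed out first come, first served."""

    def __init__(self, pool_size: int):
        self.free = [f"10.0.0.{n}" for n in range(10, 10 + pool_size)]  # constructed pool
        self.leases: dict[str, str] = {}

    def discover(self, chaddr: str):
        if chaddr in self.leases:   # repeated DISCOVER from a known client gets the same address
            return self.leases[chaddr]
        if not self.free:           # pool exhausted
            return None
        ip = self.free.pop(0)
        self.leases[chaddr] = ip
        return ip


class Switch:
    """Access switch with port security on f1/1 and an optional chaddr-vs-source-MAC check."""

    def __init__(self, max_macs: int, verify_chaddr: bool, server: DhcpServer):
        self.max_macs = max_macs
        self.verify_chaddr = verify_chaddr
        self.server = server
        self.learned: set[str] = set()

    def ingress(self, frame: Frame) -> str:
        # Port security: learn source MACs up to the configured maximum, then violate.
        if frame.src_mac not in self.learned:
            if len(self.learned) >= self.max_macs:
                return "port-security-violation"
            self.learned.add(frame.src_mac)
        # DHCP snooping style MAC verification: on an untrusted port the DHCP chaddr
        # must equal the Ethernet source MAC, otherwise the DISCOVER is dropped.
        if self.verify_chaddr and frame.chaddr != frame.src_mac:
            return "dropped-chaddr-mismatch"
        ip = self.server.discover(frame.chaddr)
        return f"lease:{ip}" if ip else "no-address-available"


def run_scenario(verify_chaddr: bool, pool_size: int = 5, spoofed: int = 8) -> dict:
    """Replay the thread's example: legitimate h1, then spoofed DISCOVERs, then a second source MAC."""
    server = DhcpServer(pool_size)
    sw = Switch(max_macs=1, verify_chaddr=verify_chaddr, server=server)
    h1 = "mac1"
    # Legitimate DISCOVER from h1: chaddr equals the real source MAC.
    legit = sw.ingress(Frame(src_mac=h1, chaddr=h1))
    # Spoofed DISCOVERs exactly as the thread describes: source MAC stays mac1 so port
    # security is satisfied, only chaddr changes (mac2, mac3, ...).
    results = [sw.ingress(Frame(src_mac=h1, chaddr=f"mac{n}")) for n in range(2, 2 + spoofed)]
    # For contrast, a frame from a second source MAC: this is the case port security does catch.
    other_src = sw.ingress(Frame(src_mac="mac2", chaddr="mac2"))
    return {
        "legit": legit,
        "spoofed_leases": sum(r.startswith("lease:") for r in results),
        "dropped": results.count("dropped-chaddr-mismatch"),
        "pool_free": len(server.free),
        "other_src": other_src,
    }


if __name__ == "__main__":
    for verify in (False, True):
        print("chaddr verification", "on " if verify else "off", run_scenario(verify))
```

With verification off, h1 gets its address and the spoofed discovers take every remaining lease with no port-security violation, which is the thread's point. With verification on, h1 still gets its address, every mismatched discover is dropped at the access port, and the pool stays intact; a frame sourced from a second MAC is rejected by port security in both cases. The check only covers the spoofing pattern described here (chaddr differing from the source MAC); it is a complement to port security, not a replacement for it.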