Cisco Support Community
Community Member

Is there a way to block computers which have a statically assigned IP address

In a LAN, a DHCP server allocates IP addresses, but some users type in their own IP addresses and try to connect to the internet. Sometimes an IP conflict occurs because of these computers. To avoid this, I was wondering if there is a way to identify these computers with statically assigned IP addresses and block them. I hope there is some kind of solution for this.

2 ACCEPTED SOLUTIONS

6 REPLIES

Re: Is there a way to block computers which have a statically assigned IP address

Hi,

We use DHCP snooping (and ARP inspection) for this. Since there is no DHCP request from a PC which has a statically assigned IP, the port will not be trusted (violation) and the PC will have no network access.

You can probably easily identify these computers because their users will complain that they have no network access.

Community Member

Is there a way to block computers which have a statically assigned IP address

Thank you for the reply. Can you clarify more about how ARP inspection solves my problem?

VIP Super Bronze

Re: Is there a way to block computers which have a statically assigned IP address

Have the server guys take away their admin rights on their PCs/laptops so they can't change the IP.

HTH


Community Member

Is there a way to block computers which have a statically assigned IP address

Your answer is correct, but I was looking for a networking methodology.

Is there a way to block computers which have a statically assigned IP address

Hi,

OK, I'll try and hope it's clear...

Let's say we're talking about VLANs 2, 21, 22, 23, 24, 25 and every client in these VLANs should get an address by DHCP.

But a manually configured address should not get network access.

So I tell the switch to inspect DHCP and ARP; the switch will build a table from the DHCP information, with
- switchport
- MAC address
- VLAN
- IP address

Like

sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:B9:2B:5F:5C:7D   10.1.193.136     32877       dhcp-snooping  2     FastEthernet3/0/41
01:B9:2B:5F:6F:37   10.11.93.137     32879       dhcp-snooping  2     FastEthernet4/0/15
01:B9:38:5F:D8:f3   10.1.160.86      86145       dhcp-snooping  22    FastEthernet1/0/21
01:B9:D1:5F:42:aD   10.1.193.64      15370       dhcp-snooping  2     FastEthernet3/0/21
01:B9:2B:5F:6B:a3   10.1.161.17      32868       dhcp-snooping  23    FastEthernet3/0/13
01:B9:38:5F:D4:3D   10.1.160.127     32873       dhcp-snooping  22    FastEthernet1/0/18
01:B9:64:5F:66:a6   10.1.162.128     33630       dhcp-snooping  24    FastEthernet2/0/27
01:B9:50:5F:21:aF   10.1.193.157     32875       dhcp-snooping  2     FastEthernet3/0/32
01:B9:2B:5F:9B:73   10.1.161.23      32870       dhcp-snooping  23    FastEthernet2/0/32
01:B9:2B:5F:9B:9C   10.1.193.71      16100       dhcp-snooping  2     FastEthernet3/0/42
01:B9:50:2A:0A:98   10.1.192.13      18847       dhcp-snooping  25    FastEthernet2/0/23

Because a manually configured client does not send DHCP packets, the switch cannot build a valid "snooping entry" from a DHCP packet.

Every switchport has to inspect these packets. It sees an invalid ARP (because there is no mapping) and decides to deny. See the logging below; the client was manually configured with 10.1.137.21 (I'm testing it now to get this output, and it cannot get access whatever I try).

1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:22 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:23 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:25 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:26 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:27 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:29 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:30 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:31 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:32 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:33 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:34 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:35 UTC Wed Apr 11 2012])

This client does not get access; the packets are denied.

How to configure (this is the configuration for this example):

Global:
ip dhcp snooping vlan 2,22,23,24,25
no ip dhcp snooping information option
ip dhcp snooping database tftp://10.10.1.1/this_switch
ip dhcp snooping
ip arp inspection vlan 2,22,23,24,25
ip arp inspection validate src-mac ip
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Switchport:
no ip dhcp snooping trust
no ip arp inspection trust

I suggest that you check out the dynamic ARP inspection / DHCP snooping subjects at cisco.com for more technical info.

Good luck!
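The two posts above (the short reply about DHCP snooping with ARP inspection, and the full explanation with the binding table and the %SW_DAI-4-DHCP_SNOOPING_DENY logs) show how the switch tells a static host apart: it has no DHCP binding, so its ARP packets are dropped. That answers the "block them" half of the question; the "identify them" half is a matter of reading the two outputs together. The script below is an added example, not code from this thread or from Cisco. It parses `show ip dhcp snooping binding` output and DAI deny syslog lines, normalizes the MAC and interface spellings (the two outputs use different ones), and aggregates the denials into one line per offending host with the reason the binding check failed. The binding rows and syslog lines embedded in it are constructed samples that follow the layouts shown above; the function names are mine.

```python
"""Identify statically configured hosts from DHCP snooping bindings and DAI deny logs.
Added example, not from the thread. The binding table and syslog excerpt are CONSTRUCTED;
their layout follows the `show ip dhcp snooping binding` output and the
%SW_DAI-4-DHCP_SNOOPING_DENY lines shown above, but MACs, IPs and ports are illustrative."""
import re

BINDING_RE = re.compile(  # one row of `show ip dhcp snooping binding`
    r"^([0-9A-Fa-f:]{17})\s+([\d.]+)\s+(\d+|infinite)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
DENY_RE = re.compile(  # DAI deny: [sender-mac/sender-ip/target-mac/target-ip/timestamp]
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (\d+) Invalid ARPs \((\w+)\) on (\S+), vlan (\d+)\."
    r"\(\[([0-9a-fA-F.]+)/([\d.]+)/([0-9a-fA-F.]+)/([\d.]+)/([^\]]+)\]\)")

BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1F:BC:AA:00:01   10.1.137.50      32877       dhcp-snooping  2     GigabitEthernet1/0/12
00:1F:BC:AA:00:02   10.1.160.86      86145       dhcp-snooping  22    GigabitEthernet1/0/21
Total number of bindings: 2
"""

# One unrelated syslog line is included to show that only DAI deny messages are picked up.
SYSLOG = """\
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:22 UTC Wed Apr 11 2012])
1y39w: %SYS-5-CONFIG_I: Configured from console by vty0 (10.10.1.5)
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:25 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/33, vlan 22.([001f.bcbb.0099/10.1.160.86/001f.bc00.0001/10.1.160.1/05:51:10 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/40, vlan 2.([001f.bcaa.0001/10.1.137.50/0000.0000.0000/10.1.137.3/05:52:01 UTC Wed Apr 11 2012])
"""


def norm_mac(mac):
    """'00:1F:BC:AA:00:01' and '001f.bcaa.0001' both become '001fbcaa0001'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def norm_iface(name):
    """'GigabitEthernet1/0/45' and 'Gi1/0/45' both become 'Gi1/0/45'."""
    m = re.match(r"([A-Za-z]+)(\S*)", name)
    return m.group(1)[:2].capitalize() + m.group(2)


def parse_bindings(text):
    """Map (vlan, ip) -> {mac, type, iface}; header, separator and total lines are skipped."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            mac, ip, _lease, btype, vlan, iface = m.groups()
            bindings[(int(vlan), ip)] = {"mac": norm_mac(mac), "type": btype, "iface": norm_iface(iface)}
    return bindings


def parse_dai_denies(text):
    """Extract every DAI deny event; other syslog lines are ignored."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            count, kind, iface, vlan, smac, sip, tmac, tip, ts = m.groups()
            events.append({"count": int(count), "kind": kind, "iface": norm_iface(iface),
                           "vlan": int(vlan), "sender_mac": norm_mac(smac), "sender_ip": sip,
                           "target_mac": norm_mac(tmac), "target_ip": tip, "time": ts})
    return events


def classify(bindings, events):
    """Aggregate denied ARPs per (iface, vlan, sender MAC, sender IP) and say why DAI dropped them."""
    summary = {}
    for ev in events:
        key = (ev["iface"], ev["vlan"], ev["sender_mac"], ev["sender_ip"])
        e = summary.setdefault(key, {"denied": 0, "first": ev["time"], "last": ev["time"]})
        e["denied"] += ev["count"]
        e["last"] = ev["time"]
        b = bindings.get((ev["vlan"], ev["sender_ip"]))
        if b is None:
            e["verdict"] = "no-dhcp-lease"            # the OP's case: IP typed in by hand
        elif b["mac"] != ev["sender_mac"]:
            e["verdict"] = "ip-leased-to-other-mac"   # duplicate-IP conflict or spoofing attempt
        elif b["iface"] != ev["iface"]:
            e["verdict"] = "binding-on-other-port"    # host moved without renewing, or cloned MAC
        else:
            e["verdict"] = "binding-matches"          # drop came from another check (e.g. validate src-mac)
    return summary


def report(bindings, events):
    """Human-readable lines, one per offending host, sorted by port."""
    return [f"{iface} vlan {vlan} {mac} {ip}: {e['denied']} ARP(s) denied "
            f"[{e['first']} .. {e['last']}] -> {e['verdict']}"
            for (iface, vlan, mac, ip), e in sorted(classify(bindings, events).items())]


if __name__ == "__main__":
    for line in report(parse_bindings(BINDING_TABLE), parse_dai_denies(SYSLOG)):
        print(line)
```

Two caveats go with the configuration in the post above. The ports towards the DHCP server and towards other switches must be set to trusted (`ip dhcp snooping trust` and `ip arp inspection trust`), otherwise the switch drops the DHCP offers and the legitimate clients lose their addresses too. And DAI only inspects ARP; a host that has a working ARP cache, or a static ARP entry for the gateway, can still send IP packets with its hand-typed address. IP Source Guard (`ip verify source` on the access port) uses the same binding table to drop those packets as well, and hosts that legitimately need a fixed address (printers, servers) get a manual entry with `ip source binding` so both features let them through.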

Community Member

Is there a way to block computers which have a statically assigned IP address

Thank you very much. Your answer is very helpful and I will look deeper into DHCP snooping and ARP inspection.
