06-12-2007 02:29 AM - edited 03-05-2019 04:38 PM
Hi
I need some help.
I am a network engineer and our network is using a DHCP server, but we have admin users who have static IP addresses, and these IPs have full access to the whole network (outside, firewall, internet, download, etc.).
Some of the normal users sometimes take these IPs and use them when the admin laptops are off, especially when they need to download files from the internet (the normal users are using a proxy to browse the internet, but the admin users have direct access to the internet).
If I can map the IP address to the MAC address for the admin users, then if anyone else tries to use these IP addresses he can't connect to the network.
Can anyone help me restrict these users so they can't use these IPs, by using (VLAN map, access list, MAC ...)? Our access switches are Cisco 3560.
Our network is one VLAN.
Any other information please tell me.
Thank you
Regards
06-19-2007 03:26 AM
I think you are trying to restrict PCs with certain IP addresses from going out to another network. Since the current access list is based on the source IP address of the PCs, it should be applied inbound on VLAN 225. The packet coming from the PC destined for the remote network will have the source IP of the PC and the destination of the remote network; the current ACLs will block the inbound packet by looking at the inbound source IP address. If you put the ACL as outbound, the source IP address will be different and it will always pass through with reference to the current ACLs established.
06-19-2007 04:56 AM
HI, [PLS RATE if HELPS]
Best Option is to use the "Port Security" Feature in CISCO Switches.
Configuration Commands as follows:
------------------------------------
Router(config)# interface interface_id
Router(config-if)# switchport mode access
Router(config-if)# switchport port-security
Router(config-if)# switchport port-security maximum value
Note: Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128.
Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
Note: Sets the violation mode and the action to be taken when a security violation is detected.
Router(config-if)# switchport port-security mac-address mac_address
Router(config-if)# end
Show commands:
---------------
Router# show port-security interface interface_id
Router# show port-security address
PLS Rate if Helps ! !
Best Regards,
Guru Prasad R
06-19-2007 05:07 AM
Thank you
How can i map the IP address With the MAC address?
Regards
06-19-2007 10:05 PM
HI, [PLS Rate If Helps]
You can follow below steps:
Another option is: Create two VLANs (one for admin users and another for normal users).
For Security of Admin Users VLAN:
(config)#interface VLAN 1
(config-if)#ip address ip mask
(config)#mac-address-table static mac-address of host interface FastEthernet # vlan
Map VLAN to Switch Ports:
----------------------------
#vlan database
(vlan)#vlan vlan# name name
(config)#interface type #[.subport]
(config-if)#switchport mode access
(config-if)#switchport access vlan vlan#
#debug sw-vlan packets
PLS RATE if Helps
Best Regards,
Guru Prasad R
09-23-2013 10:16 PM
Use the command
arp IP address mac-address arpa
for example
arp 1.1.1.1 60eb.693b.6ed1 arpa
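A monitoring-side check for the IP-to-MAC mapping discussed in this thread, as an added example that is not part of any poster's reply: it compares `show ip arp` style output against an allowlist of admin IP/MAC pairs and reports any admin address answered by a different MAC. The IP addresses, the allowlist, the sample output and the function names are constructed assumptions; only one MAC address is taken from the post above.

```python
import re

# Assumed allowlist: admin static IP -> the only MAC allowed to use it.
# IPs and the first MAC are constructed; the second MAC is the one in the post above.
ADMIN_BINDINGS = {
    "10.1.1.10": "0011.2233.4455",
    "10.1.1.11": "60:EB:69:3B:6E:D1",
}

# Constructed sample laid out like Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10               -   0011.2233.4455  ARPA   Vlan1
Internet  10.1.1.11               0   00aa.bbcc.ddee  ARPA   Vlan1
Internet  10.1.1.57              12   00aa.bbcc.ddee  ARPA   Vlan1
Internet  10.1.1.99               0   Incomplete      ARPA
"""

def norm_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_arp(output):
    """Yield (ip, mac) from ARP rows, skipping the header and incomplete entries."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            mac = norm_mac(fields[3])
            if mac:
                yield fields[1], mac

def find_violations(output, bindings=ADMIN_BINDINGS):
    """Report admin IPs that are answered by a MAC other than the bound one."""
    allowed = {ip: norm_mac(mac) for ip, mac in bindings.items()}
    entries = list(parse_arp(output))
    findings = []
    for ip, mac in entries:
        if ip in allowed and mac != allowed[ip]:
            # Other IPs held by the same MAC point at the host borrowing the address.
            also = sorted(o_ip for o_ip, o_mac in entries if o_mac == mac and o_ip != ip)
            findings.append({"ip": ip, "expected": allowed[ip], "seen": mac, "also_uses": also})
    return findings

if __name__ == "__main__":
    for f in find_violations(SAMPLE_ARP):
        print(f"ALERT {f['ip']}: bound to {f['expected']}, seen from {f['seen']}, "
              f"same MAC also holds {f['also_uses']}")
```

The `also_uses` field lists other addresses seen for the same MAC, such as its DHCP lease, which helps trace the machine that borrowed the admin address.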
06-19-2007 09:53 AM
hi
Try to use the switchport port-security command on your switch, which binds a switch port to a MAC address, and see whether your IOS supports binding of an IP address as well with the port.
regards
06-19-2007 10:12 AM
Your problem is very simple to resolve.
Create a Virtual LAN in your core to only be used by admin users. Then your regular users on a different VLAN. This way regular users will not be able to change static IPs even if the admin users are not connected to the network because they will be bound to their vlan membership at the switch port level.
HTH, please rate if this helps
Jorge