
Switchport security, but at layer-3

I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.

What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.

What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?

Kevin Dorrell

Luxembourg

4 REPLIES

Re: Switchport security, but at layer-3

Bump! Any ideas?


Re: Switchport security, but at layer-3

Hello Kevin,

I didn't try directly but you could try to use IP source guard and DHCP snooping.

Look at the following link

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/dhcp.html

hope to help

Giuseppe

Re: Switchport security, but at layer-3

Giuseppe,

Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.

Kevin Dorrell

Luxembourg

Re: Switchport security, but at layer-3

Giuseppe,

Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).

The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".

However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!

Thanks.

Kevin Dorrell

Luxembourg
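
A simplified model of the behaviour discussed in this thread, as an added example that is not part of any post above and is not Cisco's implementation: a per-port source filter driven by DHCP snooping bindings drops the 169.254.2.2 and 192.0.0.192 packets from the question but leaves the port up, and the drop log is what identifies the port for follow-up. The class and function names, port names, MAC addresses and 10.1.1.x leases are constructed for illustration, and filtering on source IP only is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

@dataclass
class AccessPort:
    name: str
    bindings: set = field(default_factory=set)   # source IPs learned from DHCP snooping
    dropped: list = field(default_factory=list)  # (mac, source IP) of filtered packets
    up: bool = True                              # the filter never changes this

    def learn(self, ip):
        """Record a lease that DHCP snooping saw handed out on this port."""
        self.bindings.add(ipaddress.ip_address(ip))

    def permit(self, mac, src_ip, is_dhcp=False):
        """Pass DHCP and bound source IPs; drop and log everything else."""
        src = ipaddress.ip_address(src_ip)
        if is_dhcp or src in self.bindings:
            return True
        self.dropped.append((mac, src))
        return False

def ports_to_review(ports):
    """Names of ports that dropped at least one 169.254.0.0/16 source."""
    return [p.name for p in ports
            if any(ip in LINK_LOCAL for _, ip in p.dropped)]

def run_sample():
    """Constructed traffic: one PC MAC, with a tethered device behind it on Gi2/1."""
    pc_mac = "00:11:22:33:44:55"                 # constructed value
    gi2_1, gi2_2 = AccessPort("Gi2/1"), AccessPort("Gi2/2")
    gi2_1.learn("10.1.1.50")
    gi2_2.learn("10.1.1.51")
    verdicts = [
        gi2_1.permit(pc_mac, "0.0.0.0", is_dhcp=True),  # DHCP request
        gi2_1.permit(pc_mac, "10.1.1.50"),              # the PC's leased address
        gi2_1.permit(pc_mac, "169.254.2.2"),            # address from the question
        gi2_1.permit(pc_mac, "192.0.0.192"),            # address from the question
        gi2_2.permit("00:11:22:33:44:66", "10.1.1.51"),
    ]
    return verdicts, [gi2_1, gi2_2]

if __name__ == "__main__":
    verdicts, ports = run_sample()
    print(verdicts, ports_to_review(ports), [p.up for p in ports])
```

Because the tethered device reuses the PC's MAC address, only the source IP distinguishes its packets in this model.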
