Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Locking swith ports to an IP-address


We are about to build an ethernet network for about a 100 home users.

I would like to have the ability to lock ports on swithes to a single ip address so if the clients change their ip address they cant get anywhere. Also broadcast control is important.

What Cisco products do you recommend for this?

  • Other Network Infrastructure Subjects
New Member

Re: Locking swith ports to an IP-address

Hi Anderson,

If you are going to use cisco switch and would like to bind ports with IP it doesn't possible. Because it is layer 2 device. But you can bind the MAC address of NIC using port security feature available with cisco switch. With this option only a perticuar MAC will be able to use that port. You can use any switch. It is recommended by cisco to use Cat5000 for 100+ users. Otherwise you can go for more then 2 switches of 48 ports and stack them.

All the best and happy networking


New Member

Re: Locking swith ports to an IP-address

Thanks for your answer Dilip.

Is it not possible to apply access-lists to an interface on the 3550 or 4000 series swithes with layer3 functionality?.

If possible, do you know how the perfomance is affected. The users should be able to communicate at wire speed if possible.

Cisco Employee

Re: Locking swith ports to an IP-address

if a user changes is IP address to a different one from a different vlan, he won't be able to go anywhere because, it won't be able to find a default gateway.

If it changes the ip address to a different one from the current vlan, he might create some duplicate address issue, but you will see it immediately and he won't be able to do anything also.

So, is it really important to assign 1 ip address to 1 port ???

Otherwise, as you mentioned the cat4000 and cat3550 are the 2 switches to go for. The 5000 is getting old and won't let you do Layer3 ACL.


New Member

Re: Locking swith ports to an IP-address

Hi Gilles and thanks for the answer.

I am not afraid that the users might try to get in another vlan but that they would take the identity of another user.

I have been reading about ACL's applied to an layer2 interface called port ACL's. I know that the ACL's are inbound only but that is what i am looking for.

Do you know the ACL's impact on network perfomance or is this done at wire speed?.


This widget could not be displayed.