Cisco Support Community

New Member

Restricting access to the network.

I want to be able to do something like that:

Each and every machine in our network to be allowed to talk on the network if and only if its IP/MAC pair matches a combination known and authorized by me. That is, when the user changes the IP I want the switch to block or otherwise deny access to the offending workstation. And, most important, any other MAC/IP pairs a switch ever encounters should NOT be allowed to connect/work. I hope you get the idea. Our access layer is based on Catalyst 2900 and 3500 switches.

I tried building static ARP tables on the switches, but it doesn't solve my problem. The MAC/new IP pair still gets in the ARP table and talks merrily on the network... So I want every MAC to be accepted only if it comes with the "right" IP address. I browsed through a lot of documentation but I didn't find anything of real help. I must admit I didn't try Everything (TM) :) Please bear with me.

Is this possible to do at the access level switches? Has anyone ever stepped into this kind of (perhaps weird) setting?

Any help will be greatly appreciated.

Thank you.

New Member

Re: Restricting access to the network.

I can’t think of any way to do this. Can’t you use user authentication/authorization to secure your network? You might want to talk to TAC about it.

New Member

Re: Restricting access to the network.

You can enable the port security administrative status on every port of each switch; that activates the port security operational status. It uses the MAC, so only that MAC is allowed to talk on the network....

Hope this helps... if not, let me know!
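
Added example, not part of the thread or of any poster's reply: a Python audit that compares ARP table text against the list of authorized IP/MAC pairs the original post describes and reports every pair that does not match. The `show ip arp` column layout, the addresses and the helper names (`audit_arp`, `norm_mac`) are assumptions; the sample table is constructed.

```python
import re

# Constructed allowlist of authorized IP -> MAC bindings (assumed values).
AUTHORIZED = {
    "10.1.1.10": "0050.5480.7e00",
    "10.1.1.11": "00:50:54:80:7E:01",   # any common MAC notation is accepted
}

# Constructed sample in the layout of Cisco IOS "show ip arp" output.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10              12   0050.5480.7e00  ARPA   Vlan1
Internet  10.1.1.99               3   0050.5480.7e01  ARPA   Vlan1
Internet  10.1.1.11               0   00d0.b7aa.0001  ARPA   Vlan1
Internet  10.1.1.1                -   0003.6b11.2200  ARPA   Vlan1
Internet  10.1.1.50               0   Incomplete      ARPA
"""

ROW = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
                 r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s")

def norm_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def audit_arp(text, authorized, ignore_local=True):
    """Return (ip, mac, reason) for every ARP entry not on the allowlist."""
    allowed_by_ip = {ip: norm_mac(m) for ip, m in authorized.items()}
    ip_by_mac = {m: ip for ip, m in allowed_by_ip.items()}
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or an "Incomplete" entry with no MAC yet
        ip, age, mac = m.group(1), m.group(2), norm_mac(m.group(3))
        if ignore_local and age == "-":
            continue  # age "-" marks the device's own interface address
        if allowed_by_ip.get(ip) == mac:
            continue  # exact authorized pair
        if mac in ip_by_mac:
            reason = "known MAC on wrong IP (expected %s)" % ip_by_mac[mac]
        elif ip in allowed_by_ip:
            reason = "authorized IP claimed by unknown MAC"
        else:
            reason = "unknown IP/MAC pair"
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_ARP, AUTHORIZED):
        print("%-12s %s  %s" % finding)
```

This only detects mismatched pairs after the fact; it does not block traffic on the switch port.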
