Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IP source guard with Wireless AP

Hi experts

Recently i have configured DHCP SNOOPING & IP VERIFY SOURCE in all the ports of the switch for enabling anti spoofing. It is also working perfectly as getting the IP address from the DHCP server and not allowing the users to assign the IP Address on their own. They have to configure the PCs to get the IP Address only from DHCP server which is trusted port of the 3560 Switch

At this moment, I have a few CISCO 1310 Autonomous wireless Access points also connected to CE500 switch which is connected to this 3560 switch.

The requirement and the issue is I want these Access points to have static IP address and not from DHCP server. But the clients connecting to these Access points should get the IP address from the DHCP Server. These clients should not be able to assign the IP Address on their own, Even if they do so they should not be able to access the network, similar to they I configured the 3560 switch ports.

Hope the description is clear to understand.

sairam

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: IP source guard with Wireless AP

Hello Sairam,

I experimented a bit with the LWAP WLC. I have a NM-WLC module but things should be almost identical if you are using the standalone controller.

It seems that the controller itself implements a functionality similar to the IP Source Guard. When you access the Web management interface of the controller, click on the "WLANs" tab and in the displayed list, click on the "Edit" link at the line with the selected WLAN SSID. In the next page, notice the checkbox "DHCP Addr. Assignment". If this option is active, the clients absolutely have to get their IP addresses using DHCP. If they assign IP addresses on their own, they will be denied access.

Can you test it in your network and tell us if it worked for you?

Best regards,

Peter

7 REPLIES
Cisco Employee

Re: IP source guard with Wireless AP

Community Member

Re: IP source guard with Wireless AP

Hi Peter,

You aptly pointed out. I was in confusion and raised the similar case again. Your solution in the previous topic was self explanatory and help me. No doubt in it. But I am sorry I missed one thing to point out.

But the challenge here is I am using LWAP and not autonomous APs where I can try with VLANs in AP itself.

In LWAP as you know, the VLANs are configured in WLC and not directly in APs as we discussed.

I am also working to find the solution. If you could share your experience, It will be great

Thanks peter,

sairam

Cisco Employee

Re: IP source guard with Wireless AP

Hello Sairam,

Do you have an external wireless controller, or are you using the internal NM-WLC module?

I believe I have seen a support for this but I have to test it in a lab so this will take a day or two before I get back.

Best regards,

Peter

Cisco Employee

Re: IP source guard with Wireless AP

Hello Sairam,

I experimented a bit with the LWAP WLC. I have a NM-WLC module but things should be almost identical if you are using the standalone controller.

It seems that the controller itself implements a functionality similar to the IP Source Guard. When you access the Web management interface of the controller, click on the "WLANs" tab and in the displayed list, click on the "Edit" link at the line with the selected WLAN SSID. In the next page, notice the checkbox "DHCP Addr. Assignment". If this option is active, the clients absolutely have to get their IP addresses using DHCP. If they assign IP addresses on their own, they will be denied access.

Can you test it in your network and tell us if it worked for you?

Best regards,

Peter

Community Member

Re: IP source guard with Wireless AP

Hi Peter,

You solved my requirement. It is working as you expected. This is to thank you for your efforts and give feedback for your solution

It is working.

Cisco Employee

Re: IP source guard with Wireless AP

Sairam,

You are heartily welcome.

Best regards,

Peter

Community Member

Re: IP source guard with Wireless AP

I knew there has to be a way to prevent users from accessing the network unless the host has a address that was issued by the DHCP server. Thank you very much, Peter! You are the best :)
737
Views
5
Helpful
7
Replies
CreatePlease to create content