https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305496#M221838 <HTML><HEAD></HEAD><BODY><P>Hi Santu,<BR /><BR />Can you put client and server in different VLAN?<BR /><BR />HTH,<BR />Lei Tian<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 26 Aug 2013 10:41:00 GMT Lei Tian 2013-08-26T10:41:00Z https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305495#M221837 <P>I have connected around 30 server with 2 cisco 2950 switch. the switch are connected to a mikrotik router. I am doing BGP with /24 IP address provided by APNIC. I have enabled DHCP in the router so that each server can get an IP automatically. Some of client have additional ip address too. they are configured manually. <SPAN style="font-size: 10pt;"> now how can i protect ip address to be stolen from client. One suggest me to configure </SPAN><SPAN style="font-size: 10pt;">ACL </SPAN><SPAN style="font-size: 10pt;"> so that</SPAN><SPAN style="font-size: 10pt;"> no IPs can be "stolen". Client can access only the IP allow them in switch.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">So please give me a example how to configure it. </SPAN><SPAN style="font-size: 10pt;">if my address block is xxx.yyy.zzz.0/24</SPAN></P><P></P><P></P><P><SPAN style="font-size: 10pt;">thanks in advance</SPAN></P> Tue, 05 Mar 2019 04:52:00 GMT https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305495#M221837 megahostzone 2019-03-05T04:52:00Z https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305496#M221838 <HTML><HEAD></HEAD><BODY><P>Hi Santu,<BR /><BR />Can you put client and server in different VLAN?<BR /><BR />HTH,<BR />Lei Tian<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 26 Aug 2013 10:41:00 GMT https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305496#M221838 Lei Tian 2013-08-26T10:41:00Z https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305497#M221839 <HTML><HEAD></HEAD><BODY><P>There are two ways to achieve it, but the first and better way is only available on newer switches.</P><P></P><P>1) Using DHCP-Snooping and IP Source-Guard</P><P>The switch monitors the DHCP-comunication from the client to the server and limits the communication to only that IP that was assigned by the DHCP-server. Additional IPs can be configured manually. These functions add some more security-measures that are very usefull in environments with untrusted clients. So if there is a chance to upgrade your switch to at least a 2960, then go for it.</P><P></P><P>2) Using port-ACLs where only the IP of the server is allowed as a source. That could look like the following and works also with older switches:</P><P></P><P><SPAN style="font-family: 'courier new', courier;">ip access-list standard Server1</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; permit host 10.10.10.1</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">ip access-list standard Server2</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; permit host 10.10.10.11</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; permit host 10.10.10.12</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">!</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">interface fast 0/1</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; description Server1</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; ip access-group Server1 in</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">interface fast 0/2</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; description Server2</SPAN></P><P><SPAN style="font-family: 'courier new', courier;">&nbsp; ip access-group Server2 in</SPAN></P><P></P><P></P><P>--&nbsp; <BR />Don't stop after you've improved your network! Improve the world by lending money to the working poor: <BR /><A class="jive-link-external-small" href="http://www.kiva.org/invitedby/karsteni" rel="nofollow">http://www.kiva.org/invitedby/karsteni</A></P></BODY></HTML> Mon, 26 Aug 2013 10:43:49 GMT https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305497#M221839 Karsten Iwen 2013-08-26T10:43:49Z https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305498#M221840 <HTML><HEAD></HEAD><BODY><P>I don't want to use vlan as its <SPAN style="font-size: 10pt;">waste of IP Address i have only /24 IP block</SPAN></P></BODY></HTML> Mon, 26 Aug 2013 11:14:43 GMT https://community.cisco.com/t5/routing-and-sd-wan/configure-access-list-to-protect-ip-address/m-p/2305498#M221840 megahostzone 2013-08-26T11:14:43Z