https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650139#M1028587 <P>I am setting up an ASA5505 for a pilot home office, defining a business vlan and a personal vlan. I have setup the dhcp scopes for both vlans, but I need to be able to only permit specific mac-addresses to receive a DHCP address from the business vlan. On a 871 router I can use the mac or "client-identifier" command. Is there a way to do this on the ASA's?</P> Mon, 11 Mar 2019 09:21:36 GMT swharvey 2019-03-11T09:21:36Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650139#M1028587 <P>I am setting up an ASA5505 for a pilot home office, defining a business vlan and a personal vlan. I have setup the dhcp scopes for both vlans, but I need to be able to only permit specific mac-addresses to receive a DHCP address from the business vlan. On a 871 router I can use the mac or "client-identifier" command. Is there a way to do this on the ASA's?</P> Mon, 11 Mar 2019 09:21:36 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650139#M1028587 swharvey 2019-03-11T09:21:36Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650140#M1028589 <HTML><HEAD></HEAD><BODY><P>You can use a combination of static arp entries and arp inspection to accomplish this. You will need to statically define every host with the arp command:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479532" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479532</A></P><P></P><P>You then need to enable arp inspection with the no-flood keyword. This will mean that all arp entries will be dropped unless they are statically configured. This will lock out all other hosts other than those that you have configured. </P><P></P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479789" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479789</A></P><P></P></BODY></HTML> Thu, 18 Jan 2007 23:18:42 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650140#M1028589 Aaron S Mcquaid 2007-01-18T23:18:42Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650141#M1028590 <HTML><HEAD></HEAD><BODY><P>Thanks that is a clever work around, however I don't think this will be a viable solution for us, as the mac addresses for the devices connecting to the personal vlan will be unknown and subject to frequent change.</P><P></P><P>To clarify, I need to setup the ASA so that:</P><P>1) It provides Business vlan DHCP assigned IP addresses only to specific static mac defined devices attached to ports in the Business vlan.</P><P>2) It provides Personal vlan DHCP assigned IP addresses to any devices attached to ports in the Personal vlan.</P><P>3) It prevents any non staic mac defined devices from obtaining a DHCP address on the business vlan. </P><P></P><P>I will read the url's you linked more closely and see what/if I am missing something.</P></BODY></HTML> Fri, 19 Jan 2007 00:39:41 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650141#M1028590 swharvey 2007-01-19T00:39:41Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650142#M1028591 <HTML><HEAD></HEAD><BODY><P>I think that it will work for you because you can enable ARP inspection on a per interface basis. </P></BODY></HTML> Fri, 19 Jan 2007 13:23:24 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650142#M1028591 Aaron S Mcquaid 2007-01-19T13:23:24Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650143#M1028592 <HTML><HEAD></HEAD><BODY><P>I just had this same requirement. I ended up creating a new VPN group for the users (there were only two).</P></BODY></HTML> Fri, 19 Jan 2007 14:12:22 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650143#M1028592 Collin Clark 2007-01-19T14:12:22Z https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650144#M1028593 <HTML><HEAD></HEAD><BODY><P>Unfortunately the TAC engineer I spoke with said this will nto provide the solution I am after in so far as the ASA assigned DHCP addresses to specific MAC's. I would have to statically configure each IP address on the devices that I wisht to have access to the Business LAN and subject to the static arp/arp inspection.</P><P>If you can elaborate on your solution I can share it with the TAC engineer.</P><P></P><P>In parallel I have requested our account team submit a Feature Request for this capability in future ASA code releases.</P></BODY></HTML> Fri, 26 Jan 2007 01:17:56 GMT https://community.cisco.com/t5/network-security/dhcp-address-assignment-by-mac-on-asa5505/m-p/650144#M1028593 swharvey 2007-01-26T01:17:56Z