
DHCP Address assignment by MAC on ASA5505

swharvey
Level 3

I am setting up an ASA5505 for a pilot home office, defining a business VLAN and a personal VLAN. I have set up the DHCP scopes for both VLANs, but I need to be able to permit only specific MAC addresses to receive a DHCP address from the business VLAN. On an 871 router I can use the mac or "client-identifier" command. Is there a way to do this on the ASAs?

5 Replies

Aaron S Mcquaid
Level 1

You can use a combination of static ARP entries and ARP inspection to accomplish this. You will need to statically define every host with the arp command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479532

You then need to enable ARP inspection with the no-flood keyword. This will mean that all ARP entries will be dropped unless they are statically configured. This will lock out all hosts other than those that you have configured.

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/cmd_ref/a2_711.htm#wp1479789
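
As an added example (not part of the thread and not Cisco's own configuration), here is what the static-ARP plus no-flood ARP inspection approach from the reply above looks like on an ASA 5505 in the 7.x syntax the linked command reference covers. VLAN numbers, interface names, physical port assignments, addresses and MAC addresses are all assumed. Two points to keep in mind when trying it: on this code train the arp-inspection command is only accepted in transparent firewall mode, so the fragment assumes a transparent-mode ASA bridging a single business segment (transparent mode on 7.x allows two named interfaces, so the personal VLAN is not shown here); and each static arp entry binds one fixed IP address to one MAC, so a permitted host whose lease ever lands on a different address would have its ARP dropped like any unknown host.

```text
! Added example configuration, not from the original post.
! All VLAN numbers, names, addresses and MACs below are assumed values.
!
! ARP inspection on 7.x ASA code is available only in transparent mode.
firewall transparent
!
! Two bridged interfaces: the business segment and the uplink.
interface Vlan10
 nameif business
 security-level 100
!
interface Vlan20
 nameif outside
 security-level 0
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/0
 switchport access vlan 20
!
! Management address of the transparent ASA (global in 7.x transparent mode).
ip address 192.168.10.2 255.255.255.0
!
! DHCP scope served on the business segment.
dhcpd address 192.168.10.10-192.168.10.20 business
dhcpd enable business
!
! One static ARP entry per permitted business host: fixed IP bound to its MAC.
arp business 192.168.10.10 0011.2233.4455
arp business 192.168.10.11 0011.2233.4456
!
! Drop every ARP packet on the business interface that does not match a
! static entry. Without no-flood, non-matching ARP would be flooded (default).
arp-inspection business enable no-flood
```

Verify the result with show arp (the static entries should be listed) and show arp-inspection, then confirm from a host that is not in the static list that it cannot reach anything across the ASA even after it has obtained an address. ARP inspection only governs which ARP packets the ASA accepts and forwards; it does not by itself restrict which MAC addresses the DHCP server will hand a lease to.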

Thanks, that is a clever workaround; however, I don't think this will be a viable solution for us, as the MAC addresses for the devices connecting to the personal VLAN will be unknown and subject to frequent change.

To clarify, I need to set up the ASA so that:

1) It provides Business VLAN DHCP-assigned IP addresses only to specific statically MAC-defined devices attached to ports in the Business VLAN.

2) It provides Personal VLAN DHCP-assigned IP addresses to any devices attached to ports in the Personal VLAN.

3) It prevents any devices not statically MAC-defined from obtaining a DHCP address on the Business VLAN.

I will read the URLs you linked more closely and see what/if I am missing something.

I think that it will work for you because you can enable ARP inspection on a per interface basis.

I just had this same requirement. I ended up creating a new VPN group for the users (there were only two).

Unfortunately, the TAC engineer I spoke with said this will not provide the solution I am after insofar as the ASA assigning DHCP addresses to specific MACs. I would have to statically configure each IP address on the devices that I wish to have access to the Business LAN and subject them to the static ARP/ARP inspection.

If you can elaborate on your solution I can share it with the TAC engineer.

In parallel I have requested our account team submit a Feature Request for this capability in future ASA code releases.
