How to stop IP spoofing on the Network

olutoyo01
Level 1

Please, can we configure DHCP Snooping and IP Source Guard on a distribution switch, or is it only at the access level that these can work?
The scenario here is: we have Cisco 2960X switches as our distribution switches, with VLANs on them for more than 50 subnets at different locations. The router that does the routing and also serves as our DHCP server is connected to this switch. We configured DHCP Snooping on the switch, but once IP Source Guard was configured, DHCP stopped working. Note that the ports on this switch are connected to the FMC of each subnet, and the switches at these subnets are not Catalyst, just ordinary switches. We want to be able to stop malicious users from hijacking sessions of users by stealing the IP and assigning it as a static IP on their systems. How can we go about this? Thank you.

2 Replies

johnd2310
Level 8

Hi,

DHCP snooping and IP Source Guard should work on the distribution switch.

You will need to configure the following:

  1. Enable DHCP snooping and trust the port connected to the router (DHCP server).
  2. Enable IP Source Guard on the ports connected to end devices, and not on the router port.

Thanks

John

**Please rate posts you find helpful**
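
The two steps in the answer above, written out as Catalyst IOS configuration. This is an added example, not configuration posted by anyone in the thread; the interface names, VLAN IDs, MAC address and IP address are assumed placeholders.

```cisco
! Added example. Interface names, VLAN IDs and addresses are assumptions.
!
! Step 1: enable DHCP snooping globally and on the VLANs to protect
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Port facing the router that acts as DHCP server: trusted,
! and no IP Source Guard on it
interface GigabitEthernet1/0/48
 description Uplink to router / DHCP server
 ip dhcp snooping trust
!
! Step 2: port facing a site (media converter and unmanaged switch).
! Ports are untrusted for DHCP snooping by default.
interface GigabitEthernet1/0/1
 description Site A
 ip verify source
!
! A host that legitimately uses a static address never gets a DHCP lease,
! so it has no snooping entry and needs a manual binding
ip source binding 0011.2233.4455 vlan 10 192.0.2.10 interface GigabitEthernet1/0/1
!
! Verification, from privileged EXEC mode:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
```

With `ip verify source` on a port, only DHCP packets and traffic whose source address matches a binding on that port are forwarded, so a client that obtained its lease before snooping was enabled is dropped until it renews and appears in `show ip dhcp snooping binding`. The filter applies only to traffic entering this switch; traffic between two hosts on the same unmanaged switch never reaches the port and is not filtered.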

Thanks for the response. I have done all these but it is not working. The challenge is that the switches (access switches) to which the end devices are connected are not configurable, just ordinary switches. Once I configured IP Source Guard on the switch port where the FMC (Fibre Media Converter) is connected, DHCP stopped working. Is there any way round this?

Another alternative is to bind MAC with IP on the router that serves as DHCP server, so that any system with an IP that does not match the MAC address will not be allowed on the network. How can this be done on a Cisco 2900 router?

Thank you.