Can I only allow an IP Address on a specific MAC Address?

richarddowna
Level 1

Hello,

On my Cisco IOS 12.4 router,

Can I make it so that only, let's say, MAC address 11:22:33:44:55:66 is able to use IP address 10.10.10.2?

I want this so that only this IP can configure servers, and so if the computer using it is turned off, any other device cannot use the IP address.

Thanks

3 Accepted Solutions


paolo bevilacqua
Hall of Fame

Yes, disable ARP and configure static ARP entries. But since that's a major pain in the neck, there are better ways, e.g. MAC authentication, switch port security, etc. Also note that unless you have a hostile, unsecure environment, nothing is necessary.

Do it from your DHCP server and reserve it to the MAC address.


garapoglou
Level 3

Hi,

As mentioned, there are lots of ways to do it. You can enable port security on the switch so the port will be accessible to only that MAC address, or use the DHCP server to reserve the IP address to that specific MAC address.

Best practice is to enable DHCP and exclude IP addresses used by servers. Another alternative is to configure static ARP entries but this could cause you lots of trouble updating.

Best regards,

Giorgos


6 Replies

Thanks for the replies,

Given me some things to look into!


Thanks all

You're welcome!

If you need any kind of help, don't hesitate to ask.

Good luck!

Giorgos

james-worley
Level 1

As others have mentioned, DHCP reservations and port security are your best bet. I'd encourage you to configure both.

You can reserve the IP to MAC in your DHCP server, but that does not stop somebody from statically assigning this IP address if they wanted.

Port security will only authenticate based on MAC address; there is nothing to stop that MAC using a different IP address.

If you really wanted to go nuts, you could assign an ACL and/or VACL to the port as well and look into some sort of 802.1x based authentication (but like others have said, unless you're in a hostile environment or work with state secrets, this is probably a little overkill).
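
A check for the two gaps described in the reply above (the reserved IP claimed by another host, and the reserved MAC showing up on another IP), as an added example that is not part of the original thread. It parses `show ip arp` output from the router; the sample table is constructed, and the function names are illustrative.

```python
import re

RESERVED_IP = "10.10.10.2"            # address from the question
RESERVED_MAC = "11:22:33:44:55:66"    # MAC from the question

# Constructed sample of `show ip arp` output (not captured from a real router).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.0001  ARPA   FastEthernet0/0
Internet  10.10.10.2              4   aabb.ccdd.eeff  ARPA   FastEthernet0/0
Internet  10.10.10.57             1   1122.3344.5566  ARPA   FastEthernet0/0
Internet  10.10.10.9              0   Incomplete      ARPA
"""

def norm_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_arp(text):
    """Yield (ip, mac) for each resolved entry; skip header and Incomplete rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "Internet":
            continue
        try:
            yield fields[1], norm_mac(fields[3])
        except ValueError:
            continue  # unresolved entry such as "Incomplete"

def audit(text, ip=RESERVED_IP, mac=RESERVED_MAC):
    """Return findings for both gaps: wrong host on the IP, or the MAC on another IP."""
    want = norm_mac(mac)
    findings = []
    for seen_ip, seen_mac in parse_arp(text):
        if seen_ip == ip and seen_mac != want:
            findings.append(("ip-claimed-by-other-mac", seen_ip, seen_mac))
        elif seen_ip != ip and seen_mac == want:
            findings.append(("reserved-mac-on-other-ip", seen_ip, seen_mac))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP):
        print(*finding)
```

An empty result means every resolved ARP entry is consistent with the intended IP-to-MAC pairing at the time the table was collected.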
