Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
524
Views
5
Helpful
3
Replies

Configure Access-list to protect IP address

megahostzone
Level 1
Level 1

‎08-26-2013 12:34 AM - edited ‎03-04-2019 08:52 PM

I have connected around 30 server with 2 cisco 2950 switch. the switch are connected to a mikrotik router. I am doing BGP with /24 IP address provided by APNIC. I have enabled DHCP in the router so that each server can get an IP automatically. Some of client have additional ip address too. they are configured manually. now how can i protect ip address to be stolen from client. One suggest me to configure ACL so that no IPs can be "stolen". Client can access only the IP allow them in switch.

So please give me a example how to configure it. if my address block is xxx.yyy.zzz.0/24

thanks in advance

Labels:
0 Helpful
3 Replies 3

Lei Tian
Cisco Employee
Cisco Employee

‎08-26-2013 03:41 AM

Hi Santu,

Can you put client and server in different VLAN?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

0 Helpful

megahostzone
Level 1
Level 1
In response to Lei Tian

‎08-26-2013 04:14 AM

I don't want to use vlan as its waste of IP Address i have only /24 IP block

0 Helpful

Karsten Iwen
VIP
VIP

‎08-26-2013 03:43 AM

There are two ways to achieve it, but the first and better way is only available on newer switches.

1) Using DHCP-Snooping and IP Source-Guard

The switch monitors the DHCP-comunication from the client to the server and limits the communication to only that IP that was assigned by the DHCP-server. Additional IPs can be configured manually. These functions add some more security-measures that are very usefull in environments with untrusted clients. So if there is a chance to upgrade your switch to at least a 2960, then go for it.

2) Using port-ACLs where only the IP of the server is allowed as a source. That could look like the following and works also with older switches:

ip access-list standard Server1

  permit host 10.10.10.1

ip access-list standard Server2

  permit host 10.10.10.11

  permit host 10.10.10.12

!

interface fast 0/1

  description Server1

  ip access-group Server1 in

interface fast 0/2

  description Server2

  ip access-group Server2 in

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card