10-14-2010 07:47 AM - edited 03-04-2019 10:07 AM
Hi all,
We want to use ip source binding on a Cisco WS-C3750-48P running 12.2(53)SE2 C3750-IPSERVICESK9-M.
Now I have found a problem with 2 x IP addresses on the same interface + VLAN:
SW#config t
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.88 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
SW(config)#do sh run | inc Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
But if I add a different VLAN on the same interface, it is OK!!
I have tried many, many times. Why can't I add a different IP address in the SAME VLAN on the same interface? Is it a bug?
We need this because we want to use DAI (ip arp inspection) to protect our network.
Right now 1 x PC with 1 x IP works fine, but 1 x PC with 2 x IPs does not work. We want to LOCK the src MAC / IP address.
Thanks for your help ^^
PatrickPo
10-14-2010 12:44 PM
Hello Patrick,
You are configuring a static mapping for IP Source Guard (IPSG) instead of a static Dynamic ARP Inspection entry. The DAI entries are statically configured as follows:
arp access-list static-hosts
permit ip host 88.88.88.88 mac host 6CF0.4948.48F9
permit ip host 88.88.88.89 mac host 6CF0.4948.48F9
ip arp inspection filter static-hosts vlan 19
ip arp inspection filter static-hosts vlan 20
Please note that once you decide to perform DAI, you will have to run DHCP and DHCP Snooping to let DAI verify the non-static entries against the DHCP Snooping database, or explicitly declare all possible mappings in this ACL. All ARP packets that are not explicitly matched in the ARP access-list will be verified against the DHCP Snooping database, and if they are not found there, they will be dropped.
For your information, the IPSG static entries you were trying to configure originally do not allow mapping several IPs on the same MAC address. The Command Reference for 3750 Catalyst switches puts it down explicitly:
If you modify an entry by changing only the IP address, the switch updates the entry instead of creating a new one.
See the following link for more information.
Best regards,
Peter
10-17-2010 08:17 AM
Hi Peter,
Thank you, Peter, for the fast reply.
I am posting more detail here.
interface FastEthernet2/0/17
switchport access vlan 27
switchport mode access
switchport protected
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c018.66af vlan access
ip arp inspection limit none
speed 10
spanning-tree portfast
end
ip arp inspection vlan 27
ip source binding 001C.C018.66AF vlan 17 88.88.88.81 interface Fa2/0/17
I am running this config and want to lock the PC to the switch port number + VLAN 27 + 2 x IP addresses.
In our network all PCs use static IPs; there is no DHCP server.
Your solution works, but the client could still use the same VLAN to attack other hosts in the same VLAN.
If there is no DHCP server in the network, do we need DHCP snooping?
May I know how to use your solution to lock the ARP access list to the switch port?
Or use ip source binding with an ARP ACCESS LIST @@?
Thank you very much.
PatrickPo
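Putting Peter's DAI ARP ACL together with the situation from the follow-up above (static IPs, no DHCP server, one host with two addresses on Fa2/0/17 in VLAN 27), the configuration below is an added example for this thread; it is not configuration posted by either participant and not taken from Cisco documentation. The host's second address (88.88.88.82) and the uplink port (GigabitEthernet2/0/1) are assumptions, since the post names only 88.88.88.81 and no uplink. Two details not spelled out in the thread are included: the `static` keyword on `ip arp inspection filter`, which makes DAI drop ARP packets that do not match the ACL instead of consulting the (empty) DHCP snooping binding table, and `ip dhcp snooping` itself, which has to be enabled for the binding table that IP Source Guard reads to exist at all.

```cisco
! --- Global: DAI on the access VLAN, with an ARP ACL that lists every
!     static host in VLAN 27. Both addresses of the dual-IP host are permitted.
!     88.88.88.82 is an assumed second address (the post only names .81).
arp access-list STATIC-HOSTS-V27
 permit ip host 88.88.88.81 mac host 001c.c018.66af
 permit ip host 88.88.88.82 mac host 001c.c018.66af
!
ip arp inspection vlan 27
! "static": ARP not matched by the ACL is dropped, no fallback to the
! DHCP snooping database. Required here because there is no DHCP server.
ip arp inspection filter STATIC-HOSTS-V27 vlan 27 static
! Also check that the Ethernet MACs agree with the ARP body and that the
! sender/target IPs are not 0.0.0.0, 255.255.255.255 or multicast.
ip arp inspection validate src-mac dst-mac ip
!
! --- DHCP snooping: enabled only so the binding table (used by IPSG) is active.
!     No DHCP server exists; all access ports stay untrusted, which is harmless.
ip dhcp snooping
ip dhcp snooping vlan 27
!
! --- Static binding for IP Source Guard. Per the 3750 command reference quoted
!     by Peter, a second binding for the same MAC/VLAN/port overwrites the first,
!     so IPSG on this platform can only lock ONE of the two addresses.
ip source binding 001c.c018.66af vlan 27 88.88.88.81 interface Fa2/0/17
!
! --- The access port: port-security (sticky MAC) is what ties the host to this
!     port; the ARP ACL above is bound to the VLAN, not to the port.
interface FastEthernet2/0/17
 switchport access vlan 27
 switchport mode access
 ! protected: no direct L2 forwarding to other protected ports on this switch
 switchport protected
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! keep the default 15 pps ARP rate limit on an untrusted port
 ip arp inspection limit rate 15
 ! Only if the host is reduced to a single IP: filter IP+MAC against the
 ! binding above. With two IPs this would drop all traffic from 88.88.88.82.
 ! ip verify source port-security
 spanning-tree portfast
!
! --- Uplink (assumed port): trusted, so ARP and DHCP arriving from the rest of
!     the network are not checked against this switch's ACL / binding table.
interface GigabitEthernet2/0/1
 ip arp inspection trust
 ip dhcp snooping trust
```

Two points follow from this. First, `ip arp inspection filter` is applied per VLAN, so there is no way to bind the ARP ACL to one switch port; the per-port lock comes from port-security (the sticky MAC already in the posted config) and, for a single-IP host, from `ip verify source port-security`. Second, every other untrusted host in VLAN 27 on this switch must also have a `permit` line in the ACL once `static` is used, otherwise its ARP is dropped. To confirm the result, `show ip arp inspection vlan 27` shows the ACL and static flag, `show ip arp inspection statistics vlan 27` shows the ACL-permitted versus dropped counters, and `show ip source binding` shows the binding that IPSG would enforce.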
10-19-2010 06:54 AM
Thanks Peter, that solved it ^O^V
Patrick.