ip source binding HELP !~

hkpatrickpo
Level 1

Hi All ,

We want to use ip source binding on a Cisco WS-C3750-48P running 12.2(53)SE2 C3750-IPSERVICESK9-M.

Now I have found a problem with 2 IP addresses on the same interface + VLAN:

SW#config t
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.88 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
SW(config)#ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17
SW(config)#do sh run | inc Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 19 88.88.88.89 interface Fa2/0/17
ip source binding 6CF0.4948.48F9 vlan 20 88.88.88.99 interface Fa2/0/17

But adding a different VLAN on the same interface is OK!!

I have tried many, many times. Why can't I add a different IP address with the SAME VLAN on the same interface? Is it a bug?

We need this because we want to use DAI (ip arp inspection) to protect our network.

Right now 1 PC with 1 IP works fine, but 1 PC with 2 IPs does not work. We want to LOCK the source MAC / IP address.

Thanks for your help ^^

PatrickPo

Accepted Solution

Peter Paluch
Cisco Employee

Hello Patrick,

You are configuring a static mapping for IP Source Guard (IPSG) instead of a static Dynamic ARP Inspection entry. The DAI entries are statically configured as follows:

arp access-list static-hosts

permit ip host 88.88.88.88 mac host 6CF0.4948.48F9

permit ip host 88.88.88.89 mac host 6CF0.4948.48F9

ip arp inspection filter static-hosts vlan 19

ip arp inspection filter static-hosts vlan 20

Please note that once you decide to perform DAI, you will have to run DHCP and DHCP Snooping to let DAI verify the non-static entries against the DHCP Snooping database, or explicitly declare all possible mappings in this ACL. All ARP packets that are not explicitly matched in the ARP access-list will be verified against the DHCP Snooping database, and if they are not found there, they will be dropped.

For your information, the IPSG static entries you were trying to configure originally do not allow mapping several IPs on the same MAC address. The Command Reference for 3750 Catalyst switches puts it down explicitly:

If you modify an entry by changing only the IP address, the switch updates the entry instead of creating a new one.

See the following link for more information.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11899972

Best regards,

Peter
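A small Python model of the two switch behaviours Peter describes, added here as an illustration (it is not Cisco's code and not from the thread): DAI checks the ARP ACL first and falls back to the DHCP snooping bindings, and a static IPSG binding is keyed on MAC + VLAN + interface, so changing only the IP replaces the entry. The `static` flag models the optional `static` keyword of `ip arp inspection filter`, which the thread does not mention.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def norm_mac(mac: str) -> str:
    """IOS accepts 6CF0.4948.48F9 or 6cf0.4948.48f9; compare case-insensitively."""
    return mac.lower()


class IpSourceBindings:
    """Static IPSG table keyed on (MAC, VLAN, interface): a second binding with the
    same key but another IP overwrites the first, which is why the vlan 19 /.88
    entry was gone from 'show run' in the question above."""
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int, str], str] = {}

    def add(self, mac: str, vlan: int, ip: str, interface: str) -> None:
        self.table[(norm_mac(mac), vlan, interface)] = ip

    def show_run(self) -> List[str]:
        return sorted(f"ip source binding {m.upper()} vlan {v} {ip} interface {i}"
                      for (m, v, i), ip in self.table.items())


@dataclass
class Dai:
    """DAI decision per VLAN: ARP ACL first, then DHCP snooping bindings. 'static'
    models the optional keyword of 'ip arp inspection filter' (real IOS syntax,
    not mentioned in the thread): an ACL miss drops without consulting snooping."""
    acls: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    vlan_filter: Dict[int, Tuple[str, bool]] = field(default_factory=dict)
    inspected: Set[int] = field(default_factory=set)                    # ip arp inspection vlan N
    snooping: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, ip) -> mac

    def permit(self, acl: str, ip: str, mac: str) -> None:             # permit ip host .. mac host ..
        self.acls.setdefault(acl, set()).add((ip, norm_mac(mac)))

    def filter(self, acl: str, vlan: int, static: bool = False) -> None:
        self.vlan_filter[vlan] = (acl, static)

    def validate(self, vlan: int, sender_ip: str, sender_mac: str) -> str:
        if vlan not in self.inspected:
            return "forwarded (DAI not enabled on VLAN)"
        mac = norm_mac(sender_mac)
        acl, static = self.vlan_filter.get(vlan, (None, False))
        if acl and (sender_ip, mac) in self.acls.get(acl, set()):
            return "permit (arp access-list)"
        if static:
            return "drop (acl miss, static filter)"
        if self.snooping.get((vlan, sender_ip)) == mac:
            return "permit (dhcp snooping binding)"
        return "drop"
```

In a network with only static IPs and no DHCP server, every host has to appear in the ARP ACL, and the `static` keyword makes that ACL the only source of truth for the VLAN.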


3 Replies


Hi Peter,

Thanks Peter for the fast reply.
I am posting more detail here.

interface FastEthernet2/0/17
switchport access vlan 27
switchport mode access
switchport protected
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 001c.c018.66af vlan access
ip arp inspection limit none
speed 10
spanning-tree portfast
end

ip arp inspection vlan 27

ip source binding 001C.C018.66AF vlan 17 88.88.88.81 interface Fa2/0/17

I am running this config and want to lock the PC to the switch port number + VLAN 27 + 2 IP addresses.

In our network all PCs use static IPs; there is no DHCP server.

Your solution works, but the client could still use the same VLAN to attack other hosts in the same VLAN.

If there is no DHCP server in the network, do we need DHCP snooping?

May I ask how to use your solution to lock the ARP access list to a switch port?

Or use ip source binding with an ARP ACCESS LIST @@?

Thank you very much.

PatrickPo

Thanks Peter for the solution ^O^V

Patrick.