Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2425
Views
5
Helpful
8
Replies

IP source guard with Wireless AP

Go to solution
snarayanaraju
Level 4
Level 4

‎08-02-2009 09:21 PM - edited ‎03-04-2019 05:37 AM

Hi experts

Recently i have configured DHCP SNOOPING & IP VERIFY SOURCE in all the ports of the switch for enabling anti spoofing. It is also working perfectly as getting the IP address from the DHCP server and not allowing the users to assign the IP Address on their own. They have to configure the PCs to get the IP Address only from DHCP server which is trusted port of the 3560 Switch

At this moment, I have a few CISCO 1310 Autonomous wireless Access points also connected to CE500 switch which is connected to this 3560 switch.

The requirement and the issue is I want these Access points to have static IP address and not from DHCP server. But the clients connecting to these Access points should get the IP address from the DHCP Server. These clients should not be able to assign the IP Address on their own, Even if they do so they should not be able to access the network, similar to they I configured the 3560 switch ports.

Hope the description is clear to understand.

sairam

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to snarayanaraju

‎08-05-2009 04:30 AM

Hello Sairam,

I experimented a bit with the LWAP WLC. I have a NM-WLC module but things should be almost identical if you are using the standalone controller.

It seems that the controller itself implements a functionality similar to the IP Source Guard. When you access the Web management interface of the controller, click on the "WLANs" tab and in the displayed list, click on the "Edit" link at the line with the selected WLAN SSID. In the next page, notice the checkbox "DHCP Addr. Assignment". If this option is active, the clients absolutely have to get their IP addresses using DHCP. If they assign IP addresses on their own, they will be denied access.

Can you test it in your network and tell us if it worked for you?

Best regards,

Peter

View solution in original post

8 Replies 8

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎08-03-2009 01:57 AM

Sairam,

I believe you have discussed the same issue in your previous topic here:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&topicID=.ee71a06&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cd4384d

Does that not answer your question?

Best regards,

Peter

0 Helpful

Go to solution
snarayanaraju
Level 4
Level 4
In response to Peter Paluch

‎08-03-2009 09:57 PM

Hi Peter,

You aptly pointed out. I was in confusion and raised the similar case again. Your solution in the previous topic was self explanatory and help me. No doubt in it. But I am sorry I missed one thing to point out.

But the challenge here is I am using LWAP and not autonomous APs where I can try with VLANs in AP itself.

In LWAP as you know, the VLANs are configured in WLC and not directly in APs as we discussed.

I am also working to find the solution. If you could share your experience, It will be great

Thanks peter,

sairam

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to snarayanaraju

‎08-04-2009 07:59 AM

Hello Sairam,

Do you have an external wireless controller, or are you using the internal NM-WLC module?

I believe I have seen a support for this but I have to test it in a lab so this will take a day or two before I get back.

Best regards,

Peter

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to snarayanaraju

‎08-05-2009 04:30 AM

Hello Sairam,

I experimented a bit with the LWAP WLC. I have a NM-WLC module but things should be almost identical if you are using the standalone controller.

It seems that the controller itself implements a functionality similar to the IP Source Guard. When you access the Web management interface of the controller, click on the "WLANs" tab and in the displayed list, click on the "Edit" link at the line with the selected WLAN SSID. In the next page, notice the checkbox "DHCP Addr. Assignment". If this option is active, the clients absolutely have to get their IP addresses using DHCP. If they assign IP addresses on their own, they will be denied access.

Can you test it in your network and tell us if it worked for you?

Best regards,

Peter

Go to solution
snarayanaraju
Level 4
Level 4
In response to Peter Paluch

‎08-05-2009 09:57 PM

Hi Peter,

You solved my requirement. It is working as you expected. This is to thank you for your efforts and give feedback for your solution

It is working.

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to snarayanaraju

‎08-05-2009 10:29 PM

Sairam,

You are heartily welcome.

Best regards,

Peter

0 Helpful

Go to solution
Iluvnetwork
Level 1
Level 1
In response to Peter Paluch

‎11-29-2017 08:10 PM

I knew there has to be a way to prevent users from accessing the network unless the host has a address that was issued by the DHCP server. Thank you very much, Peter! You are the best :)
0 Helpful

Go to solution
JoaoCadavez
Level 1
Level 1
In response to Peter Paluch

‎03-22-2022 11:33 AM - edited ‎03-23-2022 01:55 AM

Hello Peter,

 

I'm trying to implement the same type of restriction. My DHCP Server have all users taged by their MAC Address, so I try to use this feature to improve security and control in my network. One issue that I came accross was that if I received an IP (from the DHCP Server reservation) and change the IP address after, this feature won't block the traffic or disconnect the user, unlike the IP Source Guard. There is anything that I can do to mitigate this issue?

 

Best regards,

 

João

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card