03-26-2009 03:30 AM - edited 03-04-2019 04:06 AM
Somebody has put a broadband connection in my network of 30 switches. PCs are getting IPs in the 192.160.x.x range through DHCP, and DNS of MTNL. Can I put an ACL on the Layer 2 switches to block this range of IPs and allow the 10.x.x.x series? Kindly suggest the ACL.
03-26-2009 03:37 AM
Maybe somebody has run a secondary DHCP server.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/dhcp.html
03-26-2009 03:41 AM
I don't have a DHCP server. We are using static IP addresses.
I need to block the 192.168.x.x series of IPs on my switch. What will be the ACL?
03-26-2009 02:24 PM
! Standard ACL: deny the rogue range (logged), permit everything else.
! A standard ACL takes a single source argument, so "permit any", not "permit any any".
access-list 1 deny 192.168.0.0 0.0.255.255 log
access-list 1 permit any
! Bind it inbound on the SVI with "ip access-group" (the "ip" keyword is required).
interface vlan 1
 ip access-group 1 in
03-27-2009 12:30 AM
Don't you think this access-list should be applied on the uplink port and not to VLAN 1?
If so, kindly suggest the reason for that.
Interface VLAN 1 is only for management. Is there any other purpose of that interface VLAN 1?
03-30-2009 02:24 PM
Yangesh,
I don't think you can block layer 3 problems with a layer 2 device. Your best bet would be to hunt down the DHCP server and disable it from the switch.
1. Determine the IP address of the server (client machine).
2. Log onto the switch and determine the MAC address of the server: show ip arp; you may need to ping the server first.
3. Hunt down the MAC address using commands like show mac address-table dynamic.
4. Find out where the server plugs in and figure out if you can find the owner. Make sure you don't do this on a switch uplink, as you might disable that arm of the network.
The fact that the users are supposed to be statically assigned and have started to change their SOEs means you have a few bigger problems anyway. Why are they changing their systems from static to dynamic? What new service is this server giving that they need?
Good Luck
Tony
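Steps 2 to 4 above can be automated once the two command outputs are saved to text. The following is an added example, not code from the thread or from Cisco: it parses constructed "show ip arp" and "show mac address-table dynamic" output, maps every address in the rogue 192.168.x.x range to a MAC and a switch port, and flags ports listed in the assumed UPLINKS set so that step 4's warning about uplinks is enforced before anyone touches a port.

```python
import re

# Constructed sample "show ip arp" output (Cisco IOS format); not from the poster's network.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.1             3   00aa.bbcc.dd01  ARPA   Vlan1
Internet  10.1.1.20              12   0011.2233.4466  ARPA   Vlan1
"""

# Constructed sample "show mac address-table dynamic" output.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    00aa.bbcc.dd01    DYNAMIC     Fa0/7
   1    0011.2233.4466    DYNAMIC     Fa0/12
   1    0011.2233.4455    DYNAMIC     Gi0/1
"""

UPLINKS = {"Gi0/1"}  # assumed uplink ports for this switch; never shut these down

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s", re.I)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.I)

def parse_arp(text):
    """Map IP address -> MAC from 'show ip arp' output (age may be '-' or minutes)."""
    out = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2).lower()
    return out

def parse_mac_table(text):
    """Map MAC -> port from 'show mac address-table' output; header lines don't match."""
    out = {}
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            out[m.group(2).lower()] = m.group(3)
    return out

def locate_rogue(arp_text, mac_text, rogue_prefix="192.168.", uplinks=UPLINKS):
    """Return {ip: (mac, port, is_uplink)} for every ARP entry in the rogue range."""
    macs = parse_mac_table(mac_text)
    found = {}
    for ip, mac in parse_arp(arp_text).items():
        if ip.startswith(rogue_prefix):
            port = macs.get(mac, "unknown")  # MAC may have aged out of the table
            found[ip] = (mac, port, port in uplinks)
    return found
```

A result whose is_uplink flag is True means the device is behind another switch, so the same two commands must be repeated on that neighbour rather than acting on the uplink.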
04-08-2009 08:00 AM
If you are using static addresses, then you do not have a problem that affects your working system.
However, I can see how this could be quite a nuisance, so if you do want to get rid of the problem per se, hunt down the offender.
I know that I would.
An ACL will not work unless you either install it on every port, or you find the offending device and add the access-list to the same interface the device is on, on the outgoing traffic of that interface, i.e. the traffic moving towards the device from the interface.
So depending on what switch you have, it might not be possible to add an access-list in both ingress and egress; most only support ingress.
What type of switches do you have?
Depending on the model and type, there are different commands available to track the offender.
In my world, the adding of a device such as yours is a strictly forbidden offence and grounds for firing someone.
It could be used to let hackers in and/or as a means to control a PC in the network from the internet.