junkycosmos
Beginner

IP and MAC Binding on RV340 RV345 missing feature

Migrating from an RV042 where we have 120+ static IP reservations set by MAC address and the option used to "block traffic from unknown MAC / IP". Called Cisco support who confirms the feature is missing in RV340 RV345.

 

RV 345 DHCP.JPG

 

Here is a page that notes where this feature is in the RV325

 

https://supportforums.cisco.com/t5/small-business-support-documents/manage-ip-and-mac-binding-on-rv320-and-rv325-vpn-routers/ta-p/3170581

 

Anyone have a suggested workaround here?

requirements:

1. 120+ static DHCP IP reservations based on MAC

2. block MAC/IPs not on that list

3. ability to display MAC/IPs not in that reserved table

Iliya Gatsev
Cisco Employee

Hi, My name is Iliya Gatsev. I am a Cisco TAC Network Engineer in the Cisco Small Business Support Center.

 

Let me check what can be done.

 

Iliya Gatsev
Cisco TAC Network Engineer
Together we are the human network .:|:.:|:. CISCO

Hi,

If you are searching for "Block MAC address on the list with wrong IP address." and "Block MAC address not on the list.", please take a look at Security -> IP Source Guard.

 

The IP Source Guard is a security feature that restricts IP traffic on untrusted IPs and MAC addresses by filtering traffic based on the configured IP MAC bindings. It is a filter that permits traffic on LAN ports only when the IP address and MAC address of each packet matches entries in the IP-MAC Binding table. This feature helps prevent IP spoofing attacks when a host tries to spoof and use the IP address of another host.

 

To configure the IP source guard, follow these steps:

Step 1    Click Security > IP Source Guard.

Step 2    Check Enable IP Source Guard if IP and MAC binding are required.

Step 3    Check Block Unknown MAC Address, if only the MAC address requires filtering irrespective of the IP Address.

Step 4    In the IP & MAC Binding Table, click Add and enter the Static IPv4 address and MAC address for binding.

Step 5    Click Apply.

Step 6    Click Edit or Delete to edit or delete an existing address.

  

Note: The IP Source Guard works only on the wired host of the RV340W and not the wireless.

 

Please rate this post or mark it as answered to help other Cisco customers.

 

Iliya Gatsev
Cisco TAC Network Engineer
Together we are the human network .:|:.:|:. CISCO
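
An added example, not part of the original reply or Cisco's documentation: a small Python audit that validates one MAC/IP reservation list, flags when it exceeds the 100-entry table limit reported in this thread, and classifies observed hosts according to the two block rules quoted above. The `mac,ip` line format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

TABLE_LIMIT = 100  # per-table entry limit reported in this thread for the RV345

def norm_mac(mac):
    """Normalise aa-bb-.., aabb.ccdd.eeff or AA:BB:.. to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_bindings(lines):
    """Parse 'mac,ip' lines into {mac: ip}; reject duplicate MACs or IPs."""
    bindings = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip = (f.strip() for f in line.split(","))
        mac = norm_mac(mac)
        if mac in bindings or ip in bindings.values():
            raise ValueError(f"duplicate binding: {line}")
        bindings[mac] = ip
    return bindings

def classify(bindings, mac, ip):
    """Apply the two quoted block rules to one observed host."""
    mac = norm_mac(mac)
    if mac not in bindings:
        return "unknown-mac"   # "Block MAC address not on the list."
    if bindings[mac] != ip:
        return "wrong-ip"      # "Block MAC address on the list with wrong IP address."
    return "ok"

def audit(bindings, observed):
    """Return (over_limit, findings) for observed (mac, ip) pairs."""
    findings = [(m, i, classify(bindings, m, i)) for m, i in observed]
    return len(bindings) > TABLE_LIMIT, [f for f in findings if f[2] != "ok"]

# Constructed sample data (not from the thread)
RESERVATIONS = ["00:11:22:33:44:55,192.168.1.10", "00-11-22-33-44-66, 192.168.1.11"]
OBSERVED = [("0011.2233.4455", "192.168.1.10"),     # matches its binding
            ("00:11:22:33:44:66", "192.168.1.50"),  # known MAC, different IP
            ("02:00:00:aa:bb:cc", "192.168.1.77")]  # not in the table

if __name__ == "__main__":
    over, findings = audit(load_bindings(RESERVATIONS), OBSERVED)
    print("over table limit:", over)
    for mac, ip, verdict in findings:
        print(f"{verdict:12} {mac} {ip}")
```

The observed pairs would come from whatever host list is available, such as an exported ARP or DHCP lease table converted to `(mac, ip)` tuples.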

Thank you for the reply.   There are 2 problems with using source guard on the rv345

 

1. There is a 100 client limit.  That puts a real haircut on being able to use this router in a small business or large home setup! 

 

Noted the rv345 also has a 100 client limit on static dhcp reservations.  

 

This limit really is silly given the much older rv42g does not have a limit.  

 

2. Using ip source guard would require manually adding clients into both the dhcp reservation table and the source guard table.   Duplicate manual work.  Noted  both the rv325 and rv42 have an option to “block all other traffic” not listed in static DHCP reservation table.  

 

 

So overall the 100 client limit is really a problem here.  

Each time I try to "apply" then "save" IP source guard, the router hangs.
Is it because I am in "evaluation mode".....I am waiting for my "smart token".
CitNetGuy
Beginner

A work around using vlans.

 

You could lower the subnet to a /25 just for those devices you want to reserve mac to ip.  That would lower the number of macs/ip to block.

 

Create another vlan for everything else.  Of course you would have to make the appropriate adjustment for switches.

A workaround is not an acceptable solution for a feature that is simply missing from CISCO's latest and greatest small business router. I can see more and more flaws in CISCO routers' firmware. It seems like firmware development project planning and testing was not implemented. A simple checklist (based on the RV325's features list) could have avoided this mistake.

 

Someone from CISCO please let the community know if there are plans to implement a real DHCP reservation feature in the near future.

not such good news

Cisco looks to have released firmware 1.0.01.18 today.   

 

In it there is no mention or change to either:

1. block unknown MAC address not in DHCP reservation table (missing feature that is in the RV320/RV42g).   

2. no update to allow more than 100 clients in the source guard table (where you can white list MAC bindings) 

 

This is a real bummer given the amount of requests here and my open SR for last 9 months.

 

 

Small good news is that they now allow you to disable IPv6 on WAN interfaces which has helped with max CPU messages on my own setup here.  Now that our RV345s are not at max CPU they also have stopped dropping VPN pass through sessions too!

 

 

other updates in release notes for 1.0.01.18 as follows

 

Number Description

CSCvg55169 RV34x: Router provides DHCP addresses when the DHCP server is disabled.

CSCvg94597 RV34x: S2S VPN status shows up but stops passing traffic.

CSCvf80775 RV34X: Pre-shared key shown in clear text in the router's log.

CSCvf25351 RV34x: VPN doesn't work when the DMZ Host is configured.

CSCvf94125 Wrong MDFID and SWTID in Bonjour for the RV340W and RV345.

CSCvg74957 Allow to disable IPv6 on the WAN interface

CSCvg62258 RV34x: User configuration issues when User Group name has a space in the name.

CSCvf45093 RV34x: Can't restrict web access for VLANs

CSCve91854 RV34x: Web filtering doesn't work if the URL has "_" in the address.

CSCve19873 Option82 cause win7/win10 client to send offer continuously.

CSCvd09880 RV34x: Reply to option3 info when option82 is enabled.

 

Known Issues

CSCve80862 SNMP/syslog does not work over the VPN tunnel if the VPN remote subnet is configured as “Any”. Solution: Configure the VPN remote subnet with a specific subnet. Or, the User can add a specific route under “Routing -> static routing -> IPv4” using the SNMP agent host as the destination network address, mask 255.255.255.255, and “” as the next hop, and the interface as the appropriate LAN interface (such as VLAN1). This route ensures that the reply traffic from the RV34X will be tunneled.

CSCvd39976 A SSID name that included a space character is identified as two SSIDs in the User Group setting page. Solution: Remove the special character from the SSID name.

CSCve55189 RV340W fails to save the running configuration to startup configuration. It becomes abnormal, after creating 10 captive portal profiles with 10 background pictures. Solution: Too many new pictures will occupy the configuration space. Please limit the captive portal profiles to less than 5 if you have to upload new pictures to each profile. Press the reset button for 10 seconds to reset to factory settings if the issue occurred.

CSCvd25865 IPv6 status shows that it is down when the IPv6 WAN type is PPPoE and IPv4 type is DHCP or static. Solution: Ignore the IPv6 status. If both IPv4 and IPv6 are PPPoE, the status is correct.

CSCvd17343 SNMP system uptime value is not the same as the device web GUI. Solution: None

CSCvd34369 Can not connect to the Teleworker VPN Client manually. Solution: Enable the Auto Initiation Retry. It will connect/ reconnect automatically in the backend. Or, choose “Do not Activate the Connection” before applying, then click the connect button.

CSCvd34360 Teleworker VPN Client IOT issue with ASA and RV325. Solution: Enable the PFS (Perfect Forward Secrecy) option on the ASA device.

CSCva62803 AC340U sometimes can not dial a connection on the USB1. Solution: Try the USB2 port and unplug and replug the dongle again.

 

Also sad to report that the static DHCP table also has a 100 client limit!

 

RV345 100 client limit in static DHCP.JPG

RV345 100 client limit in Sourceguard.JPG

sfixispiatsion
Beginner

I too have upgraded from the RV042 to the RV345 with more than 150 DHCP addresses, but with the RV345 the 100 static DHCP clients limitation is a big problem. Cisco should do something about it, and very soon.

Has there been any update to the 100 limit on the RV345?

Both DHCP static device list and IP Source Guard have a 100 device limit. 

I originally posted about it here in this thread 

https://community.cisco.com/t5/small-business-routers/ip-and-mac-binding-on-rv340-rv345-missing-feature/td-p/3175387 

but also found references to other users in these threads

https://community.cisco.com/t5/small-business-routers/rv345-static-dhcp-table-limited-to-25-30-devices/td-p/3842083

 

Had been told by Cisco in 2018 that they would be updating the device limit as the old RV42G supported well over 200 IPs (or had no limit) but I have heard nothing.

vineetyadav
Beginner

It seems more than 2 years and no update on this thread. Has it been addressed or not? And it's surprising to see Cisco Support not even responding back. Focus seems more towards selling anyhow without support, sadly. This is apparent as from other similar threads, there is 1 response from some support guy, then all gone.