11-19-2015 02:13 PM
Cisco SG300 - Is it possible to have IP Source guard work by MAC not by Port?
Problem: We have our Ubiquiti wireless APs hooked up to an SG300-10P. The user's MAC can roam from AP to AP without asking DHCP for an address. We want to have IP Source Guard enabled as a best practice, to prevent someone wreaking havoc on our wireless network with a static IP address.
Unfortunately we had to disable IP Source Guard because it appears to lock the MAC to a port as well as an IP. Let's say a user connects to an AP on Port 1 and pulls an address via DHCP. They then begin to walk across the office and migrate to another AP on port 2. At that point, IP Source Guard drops all of their traffic until they pull a new DHCP address.
Is there a way around this?
11-19-2015 11:27 PM
Hi Jonathan,
Are you using a WLC to control these APs? If yes, you can enable IP Source Guard on the trunk port pointing to the WLC, which would help with your issue.
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019513
Regards...
Ashok.
11-20-2015 07:53 AM
These are not Cisco APs, so there is no Cisco WLC. (Cisco wireless gear is so $ :( unfortunately)
I imagine the answer is no then and the following statement is true: IP Source Guard binds not only a MAC address and IP, but a Port as well. Correct?
11-20-2015 02:44 PM
Hello. It is impossible to make Source Guard work in such conditions without smart APs, because such a source guard is useless. An attacker can easily change his MAC address and use the address of any Wi-Fi client.
11-22-2015 11:35 PM
Yes, that's right. It binds to the port as well.
Regards...
Ashok.
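To make the behaviour confirmed in this thread concrete, here is an added Python model of the two binding policies under discussion. It is not code from Cisco, from the SG300 firmware, or from any poster; the class names, interface names (gi1/gi2/gi3), VLAN number and MAC/IP values are constructed for illustration. The first class checks MAC, IP, VLAN and ingress port, which is what the replies say the switch does; the second is the hypothetical port-agnostic variant the original poster was asking for, included so the roaming and spoofing trade-off from the third reply can be seen side by side.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table (constructed model)."""
    mac: str
    ip: str
    vlan: int
    port: str


class PortBoundSourceGuard:
    """Model of IP Source Guard as confirmed in the thread: a frame is
    permitted only when MAC, IP, VLAN and ingress port all match the
    binding that DHCP snooping learned."""

    def __init__(self) -> None:
        # Keyed by (mac, vlan); one lease per client per VLAN in this model.
        self.table: Dict[Tuple[str, int], Binding] = {}

    def dhcp_ack(self, mac: str, ip: str, vlan: int, port: str) -> None:
        # DHCP snooping records the binding on the port where the ACK arrived.
        self.table[(mac, vlan)] = Binding(mac, ip, vlan, port)

    def permit(self, mac: str, ip: str, vlan: int, port: str) -> bool:
        b = self.table.get((mac, vlan))
        return b is not None and b.ip == ip and b.port == port


class MacBoundSourceGuard(PortBoundSourceGuard):
    """Hypothetical port-agnostic variant (what the original poster wanted):
    only MAC, IP and VLAN are checked. Roaming between APs keeps working,
    but a frame carrying a copied MAC+IP pair is accepted from any port,
    which is the weakness the third reply points out."""

    def permit(self, mac: str, ip: str, vlan: int, port: str) -> bool:
        b = self.table.get((mac, vlan))
        return b is not None and b.ip == ip


# Constructed sample values (not taken from any real network).
CLIENT_MAC = "aa:bb:cc:00:00:01"
CLIENT_IP = "10.0.0.50"
VLAN = 10


def roaming_scenario(guard: PortBoundSourceGuard) -> Dict[str, bool]:
    """Replay the situation from the thread against a given policy:
    the client leases an address through the AP on gi1, roams to the AP
    on gi2 without renewing, a third host on gi3 presents the same
    MAC+IP, the client tries a static address, and finally the client
    renews its lease through gi2."""
    guard.dhcp_ack(CLIENT_MAC, CLIENT_IP, VLAN, "gi1")
    result = {
        "leased_on_gi1": guard.permit(CLIENT_MAC, CLIENT_IP, VLAN, "gi1"),
        "roamed_to_gi2": guard.permit(CLIENT_MAC, CLIENT_IP, VLAN, "gi2"),
        "copied_pair_on_gi3": guard.permit(CLIENT_MAC, CLIENT_IP, VLAN, "gi3"),
        "static_ip_on_gi1": guard.permit(CLIENT_MAC, "10.0.0.99", VLAN, "gi1"),
    }
    # A fresh DHCP exchange through the new AP moves the binding to gi2.
    guard.dhcp_ack(CLIENT_MAC, CLIENT_IP, VLAN, "gi2")
    result["after_renew_on_gi2"] = guard.permit(CLIENT_MAC, CLIENT_IP, VLAN, "gi2")
    result["old_port_after_renew"] = guard.permit(CLIENT_MAC, CLIENT_IP, VLAN, "gi1")
    return result


if __name__ == "__main__":
    for name, policy in (("port-bound", PortBoundSourceGuard()),
                         ("mac-bound", MacBoundSourceGuard())):
        print(name, roaming_scenario(policy))
```

Running the scenario with the port-bound policy shows exactly the symptom in the first post (traffic dropped after roaming until the lease is renewed on the new port), while the MAC-bound policy lets the roamed client through but also accepts the copied MAC+IP pair from gi3; neither policy accepts the static address, which is the protection both posters wanted to keep.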