
Cisco SG300 - Is it possible to have IP Source guard work by MAC not by port?

Jonathan Fisher
Level 1



Problem: We have our Ubiquiti wireless APs hooked up to an SG300-10P. The user's MAC can roam from AP to AP without asking DHCP for an address. We want to have IP Source Guard enabled as a best practice, to prevent someone wreaking havoc on our wireless network with a static IP address.


Unfortunately we had to disable IP Source Guard because it appears to lock the MAC to a port as well as an IP. Let's say a user connects to an AP on Port 1 and pulls an address via DHCP. They then begin to walk across the office and migrate to another AP on port 2. At that point, IP Source Guard drops all of their traffic until they pull a new DHCP address.

Is there a way around this?

4 Replies

ashok_boin
Level 5

Hi Jonathan,

Do you have a WLC controlling these APs? If yes, you can enable IP Source Guard on the trunk port pointing to the WLC, which would help your issue.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019513

Regards...

Ashok.


With best regards...
Ashok

These are not Cisco APs, so there is no Cisco WLC. (Cisco wireless gear is so $ :( unfortunately)

I imagine the answer is no then and the following statement is true: IP Source Guard binds not only a MAC address and IP, but a Port as well. Correct?

Hello. It is impossible to make Source Guard in such conditions without smart APs, because such source guard is useless. An attacker can easily change his MAC address and use the address of any Wi-Fi client.

Yes, that's right. It binds to the port as well.

Regards...

Ashok.


With best regards...
Ashok
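
The binding behaviour discussed in this thread, as an added example that is not part of any post and is not SG300 firmware logic: a simplified model of a binding table keyed on MAC, IP, VLAN and port, checked once with the port and once without it. The class names, the `match_port` switch, the port names and all addresses are assumptions constructed for the illustration.

```python
# Added illustration: a simplified model of a DHCP snooping binding table and
# the source check built on it. Not SG300 firmware logic; addresses are constructed.
from typing import NamedTuple

class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: str

class Frame(NamedTuple):
    src_mac: str
    src_ip: str
    vlan: int
    ingress_port: str

class BindingTable:
    def __init__(self):
        self._rows = set()

    def learn_from_dhcp_ack(self, mac, ip, vlan, port):
        # The binding records the port on which the client obtained its lease.
        self._rows.add(Binding(mac, ip, vlan, port))

    def permits(self, frame, match_port=True):
        # match_port=False is the hypothetical "by MAC, not by port" mode asked
        # about in the thread; it is not presented here as a switch option.
        for b in self._rows:
            if (b.mac, b.ip, b.vlan) != (frame.src_mac, frame.src_ip, frame.vlan):
                continue
            if not match_port or b.port == frame.ingress_port:
                return True
        return False

def run_scenarios():
    table = BindingTable()
    table.learn_from_dhcp_ack("02:00:00:00:00:01", "192.0.2.10", 10, "gi1")
    frames = {
        "client on the AP where it leased": Frame("02:00:00:00:00:01", "192.0.2.10", 10, "gi1"),
        "same client after roaming": Frame("02:00:00:00:00:01", "192.0.2.10", 10, "gi2"),
        "static IP with no lease": Frame("02:00:00:00:00:02", "192.0.2.99", 10, "gi2"),
        "copied MAC and IP on another AP": Frame("02:00:00:00:00:01", "192.0.2.10", 10, "gi2"),
    }
    # Each result is (verdict with port binding, verdict with MAC+IP only).
    return {name: (table.permits(f), table.permits(f, match_port=False))
            for name, f in frames.items()}

if __name__ == "__main__":
    for name, (by_port, by_mac) in run_scenarios().items():
        print(f"{name:34} port-bound={by_port!s:5} mac-only={by_mac}")
```

In this model the roaming client and the copied MAC and IP produce the same frame on the same port, so any check that lets one through lets the other through; only the unleased static IP is rejected in both modes.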