Will i have to configure this on all 5 boxes or just the SG300-20 boxes ?

the 300-10SFP will only be for uplinking and connecting the different 300-20.

do i also enable the arp pacekt validation ?

I'm mostly using gui :-)  Just stareted to figure out i got to learn some more CLI :-)

If i got this right i do as following

security -> ARP inspection and check the "enable" ARP Inspections status"

In interface settings i check all to trusted interface = No for port 1-18 while port 19-10 is trusted interface=Yes

In Arp Access Control i enter the MAC address for the endusers firewall and the 1 ip address it should have ie 100.100.12.34

that should do it ??

Hi Thomas, your concept sounds correct.

This is how this works

Assuming your topology is this-

Internet -> Router -> Core switch (no client/customer) -> Access switch -> Client/customer

For argument sake, your uplink from access switch is port 18 which connects to port 18 of the core switch

Problem statement-

On access switch, your desire is to have a client or customer connect to the switch using a specific MAC address and IP address and no other

Possible solutions-

Dynamic ARP inspections statically MAPS and IP address to a MAC address, any connection using the same MAC but different IP will be dropped and any connection using the same IP but different MAC will be dropped

Create an access list to permit only the desire IP address on the INGRESS port and block any other traffic to that port

Solution work flow-

Enable dynamic ARP inspection

Security -> ARP inspection -> Properties -> Enable

Enable trusted interfaces - These interfaces will allow any traffic and not subject to your inspection list. Untrusted is subject to the inspect list

Security -> ARP Inspection -> Interface Settings -> Edit interfaces as desired

Build your inspection table

Security -> ARP inspection -> ARP access control -> Add ->

-Control name is an arbitrary value, it is a description

-IP address is the IP you want in the database

-MAC address is the binding to the IP address for the switch to look up in the data

If DAI is too stringent for you, you may create an access list as an alternative solution

Access Control -> IPV4 based ACL -> Add

-ACL Name is what you want to call it, a description -> Apply

Next define the access list by going to IPV4 ACE bu click IPV4-based ACE -> Add

-Priority is an ordering system, you should structure your rules in an order for the switch to look up the rules

-Action permit or deny, in your case you want to permit

-Protocol will be IP (all traffic)

-Source IP address will be your host connection 100.100.12.34

-Wildcard mask will be 0.0.0.0  (this is a single host wild card)

-Destination will be Any

Click apply

Once the access list is built, it then gets bound to an interface. The interface must be the interface where the traffic goes to and not leaving

Access Control -> ACL Binding (port)

-Check box for the port your customer/client connects

-Interface is where the customer/client connects to the switch

-Check box for Select IPV4-Based ACL

-Default action is Deny Any

-Apply

With this completed correctly, only your IP for all traffic will connect to that port and any other IP will not be allowed, will discard if connection through that same port.

-Tom
Please mark answered for helpful posts

I had a misstype in my previous post, should been 19-20 as trusted. Thoose are the ports that gone get minigbic :-)

i gone have a try at this on monday, the most important is that if i try to connect some other device using another ip it wont interfer with the guy using that because it wont be let in on that port.

It might be that i have to use the ACL by the way you explain here it looks like the correct solution :-)

If i got it correct i have to create 60 different ACL lists, 1 from each ip and the when all are made i have to bind them to the correct port.

so if i am to use 4 switches i create the number of connections to each of them and then bind them to the port the users are connected on.

Will the priority have any featuere here ? since they all are the "same" ??

Hi Thomas, all traffic will be equal unless you make another access list to give priorities OR the connected host is sending tag packet then the PCP in the packet will determine traffic priority.

-Tom
Please mark answered for helpful posts

If i got the aCL bit correct wouldnt that just deny traffic on the port, but will it also stop the guy on switch 3 port 20 from settings ie ip 100.100.12.34 and not 100.100.12.33 that he should use and then create a ip crash with the guy actually using 100.100.12.34. ??

This is how i would like the net to be :-)   would it work to use VLAN ??

Vlan5: 100.100.12.5\26- tag på GE1

Vlan6: 100.100.12.6\26 - tag på GE2

Vlan7: 100.100.12.7\26- tag på GE3

Vlan8: 100.100.12.8\26- tag på GE4

Vlan23: 100.100.12.23\26- tag på GE3 on switch 3

Vlan34: 100.100.12.34\26- tag på GE3 on switch 4

The internet/router is GW where 0.0.0.0/0.0.0.0 100.100.12.1 will be