09-06-2011 02:55 AM - edited 03-07-2019 02:03 AM
Hi
We have 4510 switches, and all associates use laptops. IPs are assigned through a Windows DHCP server with DHCP filter.
Is there any way to configure the switch so that a client gets its IP from DHCP only, i.e. if somebody assigns an IP address manually, it should not get connected to the network?
Thanks
Karthik
09-06-2011 04:09 AM
Do you want to implement this for every port/associate or for a few? For example, are a few on one floor, or on what basis are the VLANs formed and the scopes defined in DHCP?
Sent from Cisco Technical Support iPhone App
09-06-2011 04:50 AM
Hi Karthikeyan
1. a) Are you looking to configure DHCP on the switch, making the switch a DHCP server?
b) Are you using any VLANs? If so, you need to create different scopes for each VLAN.
c) If you are looking for the above, then we have an option where a host will be assigned a static IP based on MAC address under the DHCP pool.
For the above answer.
2. Using a Windows DHCP server and making the switch an agent between server and client.
Here the switch will just act as a mediator between client and server, and hence it passes the DHCP discover request to the server, where the server should now assign an IP to the client. So I think you should make scopes in Windows that assign IPs based on the MAC address of the client. That will be secure, and even if the client tries to assign a static IP, first of all he should know the IP network.
To be a bit more secure, create some VLANs on the switch, and you will be assigning a different network to each VLAN.
As far as I know, there is no such command to configure on the switch by which you can stop a client from assigning a static IP and keep him out of the network, provided he is using or is aware of the corporate network IP.
Hope I answered your part; any corrections are welcome. Rate it if it is helpful.
thanks and regards
srikanth
09-06-2011 04:26 AM
Hi,
You want people not to be able to set another IP address? If so, then you can use IP Source Guard:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/dhcp.html
Regards.
Alain.
09-06-2011 04:59 AM
Well, the above can be done only if you have access to DHCP to modify scopes.
And as per the original question, if it's just about changing the config on the switch, it could be hard, I guess.
If you have access to AD and are allowed to write, then policies can always be linked to block TCP/IP settings on the client, subject to the fact that the PCs are in the domain.
Sent from Cisco Technical Support iPhone App
09-06-2011 05:20 AM
Hi
As mentioned by Srikanth, I am using Windows 2003 R2 as the DHCP server. On the switch, for each VLAN I have added an ip helper address pointing to the Windows DHCP server, and I have also tested with DHCP filter (a new feature in Windows 2003 R2 and 2008), permitting nearly 700 MAC addresses in the DHCP server.
Here my concern is: if somebody brings his personal laptop and connects it to the wired network, and moreover he knows what IP is being assigned to him on a daily basis, then based on a guess he may assign an IP within the DHCP range.
Please share all your views.
thanks
Karthik
09-06-2011 05:26 AM
Hi,
Following your last explanation, I think that DHCP snooping with IP Source Guard will do the trick for you.
So are they authorized to bring in their home laptop, connect and then receive a DHCP address, or do you not want them to connect with their home laptop? In the second case, dot1x would be the best option IMHO.
Regards.
Alain.
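What the suggestion above looks like as switch configuration, as an added example that is not part of the original thread. The VLAN number, interface names, MAC address and IP address are constructed, and GigabitEthernet1/1 is assumed to be the port facing the Windows DHCP server.

```cisco
! Added example; VLAN 10, the interfaces and the static binding are constructed values.
! Enable DHCP snooping globally and on the user VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Option 82 insertion is on by default once snooping is enabled. If the relay
! path or the DHCP server does not handle it, it can be turned off with:
!   no ip dhcp snooping information option
!
! Assumed uplink toward the Windows DHCP server: the only port allowed to
! carry DHCP server replies.
interface GigabitEthernet1/1
 ip dhcp snooping trust
!
! User-facing access ports stay untrusted (the default). IP Source Guard
! drops IP traffic whose source address has no matching entry in the
! snooping binding table, so a manually configured address gets no connectivity.
interface range GigabitEthernet2/1 - 47
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source vlan dhcp-snooping
!
! A legitimate statically addressed device needs a manual binding,
! otherwise IP Source Guard drops its traffic as well.
ip source binding 0000.5e00.5301 vlan 10 192.0.2.50 interface GigabitEthernet2/48
interface GigabitEthernet2/48
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
! Verify from exec mode:
!   show ip dhcp snooping binding
!   show ip verify source
```

Bindings are learned from DHCP exchanges the switch sees after snooping is enabled, so hosts holding an earlier lease have no entry until they renew.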
09-06-2011 05:44 AM
Hi
I don't want them to connect with their home laptop; anyway, again, it is unauthorised.
Please update or brief me about dot1x.
thanks
Karthik
09-06-2011 06:01 AM
Hi,
here is a link for dot1x.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html
Regards.
Alain.
09-06-2011 06:11 AM
Thanks for your time. I will go through the link, test and confirm.
-Karthik