Re: 4510 switch- clinet IP only DHCP

searskarthik · ‎09-06-2011

Hi

We have 4510 switches , all associates using laptops. IP assigning through windows DHCP server with dhcp filter.

if any way configure in switch client should get IP from DHCP only ie , if somebody assign IP address manually, it should not get connected with network.

Thanks

Karthik

tarun_cisco · ‎09-06-2011

You want to implement for every port/associate or for few.like if few are on one floor or on what basis vlans are formed and scope is defined in dhcp?

Sent from Cisco Technical Support iPhone App

srikanth ath · ‎09-06-2011

Hi karthikeyan

1. a) Are you looking to configure DHCP on switch. making switch as a DHCP server

b) Are you using any Vlans . if so U neeed to create different scopes for each vlan.

c) if u are looking for above then, we have a option like host will be assigned a static ip based on MAC-address under DHCP pool.

for above answer

2. Using a windows DHCP server and making switch as an agent between server and client.
here switch will just act as a mediator between client and server and hence it passes the request of DHCP discover to Server where server should now assign an IP to client . so i think you should make scopes in windows on assigning IP based on MAC-address of client. that will be secure and even if the client try to assign a static ip first of all he should know the Ip network .

to be bit more secure create some Vlans on switch and make and you will be assigning different network to each vlans.

As far as my knowledge there is no such command to configure on switch where u can stop a client assigning an static ip avoid him out of the network provided if he is using or awware of the network ip of corp.

Hope i answred ur part any corrections pleased to be known. rate it if it is helpful

thanks and regards

srikanth

cadet alain · ‎09-06-2011

Hi,

you want people not being able to put another IP address? if so then you can use IP Source guard

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/20ew/configuration/guide/dhcp.html

Regards.

Alain.

Don't forget to rate helpful posts.

tarun_cisco · ‎09-06-2011

Well above said can be done only if you have access to dhcp to modify scopes.

And as per the original question if it's just about changing config in switch -it could be hard I guess.

If have access to AD and allowed to write then policies can always be linked to block tcp/ip settings from client subject to the fact pcs are in domain.

Sent from Cisco Technical Support iPhone App

searskarthik · ‎09-06-2011

Hi

As mentioned by Srikanth I am using windows 2003 R2 as DHCP server, in switch each vlan I have added ip helper address pointing to windows DHCP server,and also tested with DHCP filter (new feature in windows 2003 R2 and 2008) permit nearly 700 mac address in DHCP server.

here my concern is if somebody bring his personal laptop and connected with wired network, more over he knows what IP being assigned to him daily basis, based on guess he may assigned IP with in DHCP range .

pl share all your view.

thanks

Karthik

cadet alain · ‎09-06-2011

Hi,

following your last explanation then I think that DHCP snooping with IP Source guard will do the trick for you.

So they are authorized to bring in their home laptop and connect and then receive a DHCP address or you don't want them to connect with their home laptop ? in second case then dot1x would be the best option imho.

Regards.

Alain.

Don't forget to rate helpful posts.

searskarthik · ‎09-06-2011

Hi

I don't want them to connect with their home laptop ,anyway again it is unauthorised.

pl update or biref about dot1x.

thanks

Karthik

cadet alain · ‎09-06-2011

Hi,

here is a link for dot1x.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/50sg/configuration/guide/dot1x.html

Regards.

Alain.

Don't forget to rate helpful posts.

searskarthik · ‎09-06-2011

thanks for your time , i will go thro the link , test and confirm.

-Karthik