Block a Switch with Cisco Asa 5500 series..

RAMANciscoD1
Level 1

Hi,
please tell me,
Can I block a switch that is locally connected in a network with a Cisco ASA 5500 series firewall, so that no computer connected to that switch gets an IP address from the firewall's DHCP service?

Thanks.

8 Replies

Reza Sharifi
Hall of Fame

Hi,

It is not clear what you are asking. If the hosts are supposed to get IPs from the firewall, then they have to communicate with it to get IPs; if not, hosts without IPs can't communicate with anything. This assumes the firewall is the gateway for the hosts.

HTH

Hi,
thanks for your valuable reply.
I am just asking whether it is possible that all the hosts connected to a switch do not receive an IP address from the ASA. This switch and the ASA are in the same local network, and the switch is not directly connected to an ASA interface.
Thanks.

kubn2
Level 1

Hi,

If you want hosts connected to a specified switch not to get an IP address from the ASA, then that is only possible if the switch is connected directly to the ASA; in that case you can just disable DHCP on that interface with the command "no dhcpd enable <interface>", and the ASA will not listen for or respond to DHCP requests on that port.
If the switch isn't directly connected to the ASA, you can't do that.

Hi kubn2,
Thanks for your valuable reply.
Actually, the switch is not directly connected to the ASA.
Can this be done if we use a manageable switch like the Cisco 3560E-12D?
What configuration should be done on the manageable switch to get this job done?
Thanks

Switches don't provide packet filtering, so using a different switch will not change much.

What you can do is, for example, provide a different addressing scheme for the devices attached to this switch: create a VLAN and use different addressing that is outside the ASA DHCP pool. So, for example, if your ASA has a pool for the 172.16.10.0/24 network, then the VLAN on this switch should have 172.16.11.0/24.

Also, why do you want these devices not to get IPs from DHCP? Are these servers or something?

There are several things in the original question that are not clear. The little part that is clear is that there is some switch in the network that is not directly connected to the ASA. So it implies that some switch(es) are connected to the ASA and provide connectivity to this switch. It is not clear, but seems logical, that the ASA connection to the switches is on a trunk port where the trunk carries multiple VLANs. It is implied, but not entirely clear, that all DHCP for this network is provided by the ASA. It is not clear whether all devices on this switch are in a single VLAN or in multiple VLANs. It is not clear whether the VLAN (or VLANs) with devices on this switch also have devices on other switches. Can we get clarification about this?

The one possibility that I can see is that if the devices on this switch are in VLAN(s) that are not used on other switches, then the ASA can just not have a DHCP scope configured for those subnets. Otherwise I am not clear how this could be accomplished. Perhaps some other alternative might emerge if we get clarification about this environment.

HTH

Rick

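A worked configuration for the approach kubn2 and Rick describe above: put the hosts behind the 3560E in their own VLAN and subnet, and give the ASA a DHCP scope only on the other VLAN's interface. This is an added example, not configuration posted by anyone in the thread. The interface names, VLAN IDs, port numbers and nameifs ("inside", "isolated") are assumptions; the addressing follows kubn2's 172.16.10.0/24 and 172.16.11.0/24 example.

```cisco
! ===== ASA 5500 series: assumed 802.1Q trunk on Gi0/1 toward the core switch =====
interface GigabitEthernet0/1
 no shutdown
!
! VLAN 10: the normal user LAN. The ASA hands out addresses here.
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
! VLAN 11: the switch whose hosts must not lease from the ASA.
! Same firewall, separate subnet (outside the DHCP pool).
interface GigabitEthernet0/1.11
 vlan 11
 nameif isolated
 security-level 100
 ip address 172.16.11.1 255.255.255.0
!
! The DHCP scope exists for the inside interface only.
dhcpd address 172.16.10.50-172.16.10.200 inside
dhcpd enable inside
!
! Deliberately NO "dhcpd address ... isolated" and NO "dhcpd enable isolated":
! the ASA never answers DISCOVER/REQUEST on VLAN 11, so hosts on that switch
! cannot obtain a lease from it. If a scope was ever enabled there, the command
! kubn2 mentions removes it:
!   no dhcpd enable isolated
!
! Both subinterfaces sit at security-level 100, so routed traffic between the
! two VLANs needs this (or an access-list) to be permitted.
same-security-traffic permit inter-interface
!
! ===== Core switch: port facing the ASA, carries both VLANs =====
interface GigabitEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11
!
! ===== Cisco 3560E-12D: the switch to be kept off the ASA's DHCP =====
vlan 11
 name isolated
!
! Uplink toward the core: trunk that carries only VLAN 11, so VLAN 10 (and the
! ASA's DHCP offers on it) never reach this switch's hosts.
interface TenGigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11
!
! Host-facing ports: access ports in VLAN 11 only.
interface range TenGigabitEthernet0/2 - 12
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
```

The ASA only stops answering on the 172.16.11.0/24 subnet; hosts on VLAN 11 then need static addresses (gateway 172.16.11.1 in this example) or a DHCP server of their own, otherwise, as Reza notes, they have no address and cannot talk to anything. On the ASA, "show dhcpd state" lists which interfaces are configured as a DHCP server, and "show dhcpd binding" should never show a 172.16.11.x lease.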

Hi Sir,
thanks for your precious reply. I have got some suggestions from your reply and some other answers in this post; now I can manage this job easily.
Thanks.

Hi kubn2,
thanks for your precious reply. I have got a good suggestion from you and some other answers, so now I can do this job easily. Thanks.