
Block non-DHCP allocated client on the switch

irvin3067
Level 1

Hi!

Can a Cisco switch block clients that did not get an IP from the DHCP server via the switch? For example, map the MACs that got an IP through the switch's DHCP relay into some table; then, if someone defines an IP manually on the client, just block this client at the port level and do not allow it to connect to the network.

Thanks!

3 Replies

Pavel Bykov
Level 5

Yes! It is possible to do exactly that.

Please read the following paragraph:

http://www.cisco.com/en/US/customer/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml#dynamicarp

You will need to enable DHCP snooping.

Hope this helps.

Please rate all helpful posts.

Great!!!

However, I cannot access this page. Could you please redirect me to something else that has the same content?

Thanks!

mario.jost
Level 3

Although late, I want to provide an answer so that people who stumble upon this thread have a solution. The feature you are looking for is called IP Source Guard. Here is a link to the corresponding article that does not require you to log in:

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.pdf

In case the link stops working in the future, here is the most important bit of information about IP Source Guard:

IP Source Guard

IP source guard is a security feature that filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on non-routed Layer 2 interfaces. You can use IP source guard to prevent traffic attacks caused when a host tries to use the IP address of its neighbor. IP source guard prevents IP/MAC spoofing.

You can enable IP source guard when DHCP snooping is enabled on an untrusted interface. After IP source guard is enabled on an interface, the switch blocks all IP traffic received on the interface, except for DHCP packets allowed by DHCP snooping. A port ACL is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.

The IP source binding table has bindings that are learned by DHCP snooping or are manually configured (static IP source bindings). An entry in this table has an IP address, its associated MAC address, and its associated VLAN number. The switch uses the IP source binding table only when IP source guard is enabled.

You can configure IP source guard with source IP address filtering, or with source IP and MAC address filtering.

Source IP address filtering: When IP source guard is enabled with this option, IP traffic is filtered based on the source IP address. The switch forwards IP traffic when the source IP address matches an entry in the DHCP snooping binding database or a binding in the IP source binding table.

Source IP and MAC address filtering: When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in the IP source binding table.

Note: IP source guard is supported only on Layer 2 ports, which includes access and trunk ports.

Refer to IP Source Guard Configuration Guidelines for guidelines on how to configure IP source guard.

Here, IP source guard with source IP filtering is configured on the FastEthernet 1/0/1 interface with the ip verify source command. When IP source guard with source IP filtering is enabled on a VLAN, DHCP snooping must be enabled on the access VLAN to which the interface belongs. Issue the show ip verify source command in order to verify the IP source guard configuration on the switch.
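As an added worked example, not part of either reply or of the Cisco document quoted above, here is an IOS configuration that implements what the original question asks for, combining the DHCP snooping that the first reply mentions with the IP Source Guard feature described in the second: snooping on the client VLAN, the uplink marked trusted, `ip verify source` on the access ports so that a host which sets its own static address gets no binding and is dropped at the port, and a manual binding for a host that is legitimately static. The VLAN number, interface names, MAC address and IP addresses are assumed values chosen for illustration.

```ios
! Added example configuration. VLAN 10, the interface names and the
! addresses below are assumed values, not taken from the thread or the doc.
!
! 1. Enable DHCP snooping globally and on the client VLAN. The switch now
!    learns (IP, MAC, VLAN, port) bindings from the DHCP exchanges it sees.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Only the uplink toward the DHCP server (or relay) is trusted; DHCP
!    server replies arriving on any untrusted port are dropped.
interface GigabitEthernet1/0/24
 description uplink to core / DHCP relay
 switchport mode trunk
 ip dhcp snooping trust
!
! 3. Client ports stay untrusted (the default) and get IP Source Guard.
!    Until a host holds a binding, only its DHCP packets pass; a host that
!    configures an address by hand never obtains a binding, so the port ACL
!    drops all of its IP traffic.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! 4. A host that legitimately runs with a static address (a printer, say)
!    would otherwise be blocked as well; give it a manual binding instead.
!    (MAC and IP are made-up example values.)
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/5
!
! Verification, from exec mode:
!   show ip dhcp snooping binding   (bindings learned from DHCP)
!   show ip verify source           (per-port IP Source Guard state)
```

Two operational caveats worth knowing before deploying this. First, the snooping binding table lives in memory by default, so after a reload every client is blocked until it renews its lease; persisting the table with `ip dhcp snooping database` pointing at flash or a TFTP URL avoids that. Second, `ip verify source` alone checks only the source IP; on Catalyst 3750-class switches, matching the MAC as well requires `ip verify source port-security` together with `switchport port-security` on the port (newer IOS-XE platforms use `ip verify source mac-check` instead), so check the configuration guide for your exact platform.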
