Deny device by IP on switch port.

captawol7 (Level 1)

Is there a method of preventing a device with an IP address of 172.25.*.1 (* = any number) from being allowed on the network? The problem I am facing is the end user incorrectly configuring a device and using the .1 gateway address. We run DHCP and have multiple VLANs.

I have thought about 802.1x but then all the devices must run a supplicant/client in order to connect and some devices are not capable of doing this.

The ideal solution would be the ability to detect the fraudulent gateway address on the edge port and disable the port.

5 Replies

ohassairi (Level 5)

What kind of switch do you use?

3548, 3550, 2950 and 2960s are the edge switches.

The best way to achieve this would be to block ARP for hosts with this address. The ARP filter below blocks ARP from hosts using the 172.25.X.1 range (on VLAN 1-100) but permits others. I think this syntax is correct but would suggest you test before using it!

arp access-list TEST
 deny ip 172.25.0.1 0.0.255.0 mac any
 permit ip any mac any
ip arp inspection filter TEST vlan 1-100

How about something like this?

Switch(config)#ip access-list standard 50
Switch(config-std-nacl)#deny 172.25.0.0 0.0.255.255
Switch(config-std-nacl)#permit any
Switch(config)#int range fa0/1 - 24
Switch(config-if-range)#ip access-group 50 in

sh run (example):

interface FastEthernet0/20
 switchport access vlan 6
 ip access-group 50 in
 spanning-tree portfast

Placing an access-list on the router would be a better solution if you have access to the router or a high-end switch with a switching module like the 6509 series.
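The two replies above rely on Cisco wildcard masks, and the difference between `0.0.255.0` (ARP ACL TEST) and `0.0.255.255` (standard ACL 50) decides whether only the mis-set .1 hosts or every host in 172.25.0.0/16 gets caught. The script below is an added example, not code from the thread or from Cisco: it implements wildcard-mask matching and first-match ACL evaluation offline and runs both posted entry lists over constructed sample sender addresses. It models only the address-matching logic; it does not emulate DAI or the switch itself, and `Ace`, `evaluate` and `compare` are names chosen here.

```python
"""
Added example (not from the thread): evaluate Cisco-style wildcard-mask ACL
entries offline to see which sender addresses each posted ACL actually catches.
The ACL entries mirror the two replies above; the sample senders are constructed.
"""
import ipaddress
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care', so (addr XOR base) AND NOT(wildcard) must be 0."""
    a, b, w = ip_to_int(addr), ip_to_int(base), ip_to_int(wildcard)
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Ace:
    """One access-control entry (hypothetical helper type)."""
    action: str      # "permit" or "deny"
    base: str        # "any" or a dotted base address
    wildcard: str    # ignored when base == "any"

    def matches(self, addr: str) -> bool:
        return self.base == "any" or wildcard_match(addr, self.base, self.wildcard)


def evaluate(acl: list, addr: str) -> str:
    """First matching entry wins; a Cisco ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(addr):
            return ace.action
    return "deny"


# ARP ACL TEST from the DAI reply: only sender IPs ending in .1 inside
# 172.25.0.0/16 are denied (third octet is "don't care", fourth must be 1).
ARP_ACL_TEST = [
    Ace("deny", "172.25.0.1", "0.0.255.0"),
    Ace("permit", "any", ""),
]

# Standard ACL 50 from the other reply: every source in 172.25.0.0/16 is denied.
IP_ACL_50 = [
    Ace("deny", "172.25.0.0", "0.0.255.255"),
    Ace("permit", "any", ""),
]

# Constructed sample senders: a mis-set host using the gateway address, an
# ordinary DHCP client, a .1 host in another VLAN, and a host outside the range.
SAMPLE_SENDERS = ["172.25.6.1", "172.25.6.57", "172.25.200.1", "10.0.0.1"]


def compare(senders=SAMPLE_SENDERS) -> dict:
    """Return {sender: (arp_acl_TEST_verdict, ip_acl_50_verdict)}."""
    return {s: (evaluate(ARP_ACL_TEST, s), evaluate(IP_ACL_50, s)) for s in senders}


if __name__ == "__main__":
    for sender, (arp_verdict, ip_verdict) in compare().items():
        print(f"{sender:15} arp-acl TEST: {arp_verdict:6} ip-acl 50: {ip_verdict}")
```

Running it shows that the ARP ACL denies 172.25.6.1 and 172.25.200.1 while permitting the ordinary client 172.25.6.57, whereas standard ACL 50 denies all three 172.25.x.x senders; that table is worth checking before either filter goes onto an edge port.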

I don't think blocking all traffic on 172.16/16 is the solution. How will hosts send traffic? (Remember that the hosts have source addresses on this network.)
