08-07-2013 06:46 AM - edited 03-07-2019 02:48 PM
Hi,
Here is the scenario: my laptop is assigned the IP 172.16.1.1 and its MAC address is 'abcd.efgh.ijkl'. Now, is there a way that if a different MAC address '1234.5678.9012' is assigned my IP 172.16.1.1 when I am not in the office, it should not be able to access the network, and of course if assigned a different IP 172.16.1.2 he should be able to access? I tried 'arp 172.16.1.1 abcd.efgh.ijkl arpa' on my core switch 3750, but no luck. :-(
08-07-2013 06:54 AM
Are you using Static IP addressing or Dynamic (DHCP)?
08-07-2013 06:58 AM
My laptop gets its IP assigned from the Windows DHCP, but the other user assigns the IP statically when I am away from the office, so I want to prevent the use of my IP. I.e. only when my IP & MAC match should the switch allow it; otherwise it has to be blocked for those who try to assign my IP statically on their PCs.
08-07-2013 06:58 AM
Well that is the right command:
#arp
What do you mean by no luck? That it does not accept the command, or that it does not solve the problem? If it is the latter, how is this evident?
08-07-2013 07:00 AM
The command is correct, but when the other user tries to add my IP on his PC, it still works.
08-07-2013 07:06 AM
Unless you use Windows Group Policies, you can't stop him assigning the address, but you can influence how your switches deal with packets destined to the IP address. The ARP cache holds information on which IP address relates to which MAC address. When a switch needs to forward a packet destined to 172.16.1.1 it looks in the ARP cache to see what the MAC address is. Once it has this, it can forward the frame out of the relevant port using information from the CAM table.
By adding a static MAC address entry on your switch, you can prevent the switch from adding a dynamic ARP entry when the other device tries to use your IP.
08-07-2013 07:16 AM
So the command "arp
08-07-2013 07:18 AM
Is your core switch doing your Routing between Vlans?
Try this on the core switch:
#show ip arp 172.16.1.1
It should show your MAC address.
08-07-2013 07:20 AM
Yes my core switch 3750 does the routing between the vlans. And right now yes I did a show ip arp 172.16.1.1 and it displays my MAC address.
08-07-2013 07:28 AM
That should work then.
You could test it using a second PC: pull yours off the network, assign the same IP address that you use to the second PC, and see if that computer can access the network.
08-07-2013 03:11 PM
Hi, use arpa to bind the MAC on the switch:
arp x.x.x.x abcd.defg.ghij ARPA
Please implement this first on your gateway switch. Meaning, the IP that you have mentioned must have a default gateway on some switch or router, so implement this on that gateway device.
***Do rate helpful posts***
Jawad
08-08-2013 12:18 AM
Still no luck. :-(
08-08-2013 12:54 AM
Right, let's go into a bit more depth.
On the L3 gateway device for your network (i.e. what your PC uses as its default gateway) do this:
#ping 172.16.1.1
#show mac-address-table | inc 172.16.1.1
This should show you your PC MAC address.
Now disconnect your PC and connect up your other PC and try and set your IP address to 172.16.1.1 and then repeat the steps above. Please do all that and post the results here.
By the way, the L3 device mentioned above is where you should have your static arp entry defined.
08-08-2013 05:48 AM
Hi,
To accomplish your goal, it is best to enforce DHCP as the sole source of receiving IP addresses, and in this way deny the use of statically assigned IP addresses. The simplest method is to use DHCP snooping and Dynamic ARP Inspection. DHCP Snooping will build a table of devices that have requested and received IP addresses from the DHCP server, then Dynamic ARP Inspection will only allow devices that have been assigned addresses via DHCP access to the network.
So any statically assigned addresses will be denied access at the port, unless you set the port to be a trusted port, which will override this security feature at the port level.
Now you may create a reservation on the DHCP server for your PC and nobody can gain access to the network using your IP address in your absence. Do this in stages, because any currently statically assigned devices will be denied access when Dynamic ARP Inspection is enabled.
Enable DHCP Snooping
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_dhcpsnoop.html
Configure the interface that connects to the DHCP server or any devices intended to use static IP addresses as trusted.
All other ports are untrusted by default.
conf t
ip dhcp snooping
interface type slot/port
ip dhcp snooping trust
end
Enable Dynamic ARP Inspection
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_arpinspect.html#wpxref69949
conf t
ip arp inspection vlan vlan# dhcp-bindings all
end
Configure the interface that connects to the DHCP server or any device that intentionally uses a static IP address as trusted.
All other ports are untrusted by default.
conf t
interface type slot/port
ip arp inspection trust
end
Cheers,
Brian
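As an added illustration of how the two features in Brian's answer fit together (this is a model written for this page, not Cisco code or anything from the thread): DHCP snooping fills a binding table only from leases it sees, and Dynamic ARP Inspection then permits or drops ARP packets on untrusted ports by comparing sender IP/MAC against that table. MAC addresses, VLAN and port names below are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    """Minimal model of DHCP snooping + Dynamic ARP Inspection (DAI)."""

    def __init__(self, trusted_ports):
        # ports configured with 'ip dhcp snooping trust' / 'ip arp inspection trust'
        self.trusted = set(trusted_ports)
        # (vlan, ip) -> Binding, populated only from snooped DHCP leases
        self.bindings = {}

    def snoop_dhcp_ack(self, mac, ip, vlan, port):
        """DHCP snooping: a DHCPACK from the server side creates a binding."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def inspect_arp(self, sender_mac, sender_ip, vlan, port):
        """DAI decision for an ARP packet arriving on `port`: (allowed, reason)."""
        if port in self.trusted:
            return True, "trusted port, DAI bypassed"
        b = self.bindings.get((vlan, sender_ip))
        if b is None:
            return False, f"no DHCP binding for {sender_ip}: static address dropped"
        if b.mac != sender_mac:
            return False, f"{sender_ip} is bound to {b.mac}, not {sender_mac}"
        return True, "sender IP/MAC matches snooping binding"


# Constructed scenario: owner's laptop has a DHCP reservation for 172.16.1.1,
# the colleague's PC gets its own lease for 172.16.1.2.
LAPTOP_MAC, COLLEAGUE_MAC = "0011.2233.4455", "aabb.ccdd.eeff"


def build_switch():
    sw = Switch(trusted_ports={"Gi1/0/48"})  # uplink towards the DHCP server
    sw.snoop_dhcp_ack(LAPTOP_MAC, "172.16.1.1", 10, "Gi1/0/1")
    sw.snoop_dhcp_ack(COLLEAGUE_MAC, "172.16.1.2", 10, "Gi1/0/2")
    return sw


if __name__ == "__main__":
    sw = build_switch()
    for mac, ip, port in [(LAPTOP_MAC, "172.16.1.1", "Gi1/0/1"),
                          (COLLEAGUE_MAC, "172.16.1.1", "Gi1/0/2"),  # static grab of owner's IP
                          (COLLEAGUE_MAC, "172.16.1.2", "Gi1/0/2")]:
        ok, why = sw.inspect_arp(mac, ip, 10, port)
        print("PERMIT" if ok else "DROP  ", ip, mac, port, "-", why)
```

The second case shows why the static `arp` entry on the gateway alone did not help the original poster: the frame is dropped at the access port before the gateway's ARP cache is ever involved.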