12-19-2017 11:09 PM - edited 03-08-2019 01:10 PM
Dear all,
I need to restrict all my switch ports to only work with the 192.168.0.0/24 network; even if a user on the network changes the IP address of their PC, it shouldn't work. I have a Cisco 3560E 48-port switch.
Thanks.
12-19-2017 11:52 PM
Hi there,
You need to look at DHCP snooping combined with IP Source Guard.
DHCP snooping will build a database of valid DHCP leases, and IP Source Guard will ensure that only packets with a valid combination of source IP and MAC address are permitted to transmit on the selected switch ports.
cheers,
Seb.
12-20-2017 01:02 AM
Dear Seb.
I need to do it without DHCP.
12-20-2017 01:33 AM - edited 12-20-2017 01:37 AM
OK, you can still achieve this via a static binding, but you will need to know the switch port to which each device is connected. If the device moves to another switch port, IP Source Guard will deny its traffic.
The syntax (global configuration mode) is:
!
ip source binding mac-address vlan vlan-id ip-address interface type mod/port
!
Just to clarify: when you said "user on the network changes the IP address of their PC", were you suggesting that if a user changes their address to another IP in the permitted 192.168.0.0/24 subnet, the connection will still work?
If users are allowed to change their IP within 192.168.0.0/24, then a simple standard ACL will suffice.
cheers,
Seb.
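As an added worked example (this is not Seb's posted configuration), here is a complete static-binding setup for the DHCP snooping plus IP Source Guard approach described in the two replies above, as it would be entered on a Catalyst 3560 running IOS. Everything specific is an assumption for illustration: VLAN 10 as the client VLAN, GigabitEthernet1/0/48 as the uplink, GigabitEthernet1/0/1 as one client port, and the MAC address and IP address in the binding are invented.

```cisco
! Added example; assumed values: client VLAN 10, uplink Gi1/0/48, client on Gi1/0/1.
! The MAC/IP pair below is invented for illustration.
!
! IP Source Guard depends on the DHCP snooping binding table, so snooping
! must be enabled even when every binding is entered statically.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Trust only the uplink (so any legitimate DHCP server replies are not dropped).
! Client ports stay untrusted, which is the default.
interface GigabitEthernet1/0/48
 description Uplink
 switchport mode trunk
 ip dhcp snooping trust
!
! Client port: check both source IP and source MAC against the binding table.
! "ip verify source port-security" requires port security on the interface.
interface GigabitEthernet1/0/1
 description Client-PC-01
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source port-security
!
! Static binding: this MAC/IP pair is allowed only on Gi1/0/1 in VLAN 10.
! A host that changes its IP, or that is moved to another port, is dropped.
ip source binding 0011.2233.4455 vlan 10 192.168.0.11 interface GigabitEthernet1/0/1
!
! Verification:
!   show ip verify source
!   show ip source binding
!   show ip dhcp snooping
```

Two points to check before rolling this out: a port with `ip verify source` enabled and no matching binding drops all IP traffic from the host, so enter a binding for every device (one `ip source binding` line per host) before enabling the check on its port; and `show ip verify source` lists, per interface, the filter type and the active bindings, which is the quickest way to confirm that a host's traffic is being matched rather than silently dropped.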
12-20-2017 02:15 AM
Let me give you some more details.
The switch should only work with the network address 192.168.0.0/24; if another network address is used by any node/device, the switch should deny/stop the communication.
12-20-2017 02:38 AM
Ah, much simpler. Assuming you have clients connected to ports 1 to 46:
!
! Standard ACL: a standard ACL matches on source address only,
! so "permit" takes no protocol keyword. 0.0.0.255 is the wildcard mask for /24.
ip access-list standard LOCAL_NET01
 permit 192.168.0.0 0.0.0.255
!
! Apply it as an inbound port ACL on the client ports.
interface range GigabitEthernet1/0/1 - 46
 ip access-group LOCAL_NET01 in
!
cheers,
Seb.
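An added, fuller version of the port ACL approach from the reply above (this is an added example, not Seb's posted configuration): the standard ACL, the port ACL applied inbound on the client ports, and the commands to verify it. Clients on GigabitEthernet1/0/1 to 46 follows the assumption in the reply; treating GigabitEthernet1/0/48 as an unfiltered uplink is my own assumption.

```cisco
! Added example; assumed: clients on Gi1/0/1-46, uplink on Gi1/0/48 (not filtered).
!
! Standard ACL: matches on source IP only. 0.0.0.255 is a wildcard mask
! (the inverse of 255.255.255.0), so the entry matches 192.168.0.0/24.
! Any source not permitted is dropped by the implicit "deny any" at the end.
ip access-list standard LOCAL_NET01
 remark Only 192.168.0.0/24 sources may enter from client ports
 permit 192.168.0.0 0.0.0.255
!
! Port ACLs on the 3560 are applied to Layer 2 ports in the inbound direction only.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 ip access-group LOCAL_NET01 in
!
! Verification:
!   show ip access-lists LOCAL_NET01
!   show running-config interface GigabitEthernet1/0/1
```

Two caveats a practitioner should keep in mind. A standard IP ACL filters IP packets only: a host configured with an address outside 192.168.0.0/24 still sends ARP and other non-IP frames, so it is cut off from IP communication but not invisible on the segment. And if any client ever obtains its address by DHCP, its DISCOVER/REQUEST messages are sourced from 0.0.0.0 and would be dropped by this ACL; in that case add `permit host 0.0.0.0` above the /24 entry. The original poster wants static addressing, so that line is not needed here. Also note what this ACL does not do: a host can still pick any unused address inside 192.168.0.0/24, which is exactly the case the IP Source Guard binding approach earlier in the thread addresses.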
12-20-2017 03:16 AM
Dear Seb,
Can you write me all the steps? :)
12-20-2017 02:38 AM
Hello
@Abu Qasim wrote:
Let me give you some more details.
The switch should only work with the network address 192.168.0.0/24; if another network address is used by any node/device, the switch should deny/stop the communication.
Is this a layer 3 switch?
Regards,
Paul
12-20-2017 03:14 AM
It's a layer 2 switch.