How to restrict all except local subnet on a Cisco switch

Abu Qasim
Level 1

Dear all,

I need to restrict all my switch ports to only work with the 192.168.0.0/24 network; even if a user on the network changes the IP address of their PC, it shouldn't work... I have a Cisco 3560E 48-port switch.

Thanks.

8 Replies

Seb Rupik
VIP Alumni

Hi there,

You need to look at DHCP snooping combined with IP Source Guard.

The DHCP snooping will build a database of valid DHCP leases, and IP Source Guard will ensure that only packets with a valid combination of source IP and MAC address are permitted to transmit on the selected switchports.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750e_3560e/software/release/15-0_1_se/configuration/guide/scg3750e/swdhcp82.html

cheers,

Seb.

Dear Seb,

I need to do it without DHCP...

OK, you can still achieve this via a static binding, but you will need to know the switchport to which each device is connected. If the device moves to another switchport, IP Source Guard will deny its traffic.

The syntax is:

!
ip source binding mac-address vlan vlan-id ip-address interface type mod/port
!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr-i4.html#wp3449769671

Just to clarify: when you said "user on the network change the ip address of their pc", were you suggesting that if a user changes their address to another IP in the permitted 192.168.0.0/24 subnet the connection will still work?

If users are allowed to change their IP within 192.168.0.0/24, then a simple standard ACL will suffice.

cheers,

Seb.
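Both variants Seb describes in his replies above, DHCP snooping feeding IP Source Guard and, for the no-DHCP case, static bindings, written out as one worked Catalyst 3560E configuration. This is an added example and not part of the thread; the VLAN number (10), the uplink port (Gi1/0/48) and the MAC addresses and IPs in the static bindings are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: clients on Gi1/0/1-46 in VLAN 10,
! uplink to the rest of the network (and the DHCP server, if any) on Gi1/0/48.
!
! DHCP snooping must be enabled globally and for the VLAN even when every
! binding is static: IP Source Guard reads the snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default and confuses some DHCP servers/relays
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/48
 description uplink - trusted, so DHCP OFFER/ACK from the server are accepted
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 switchport access vlan 10
 ! cap DHCP packets per second from a client to blunt a starvation attack
 ip dhcp snooping limit rate 15
 ! Variant A: filter on source IP only. Until the port has a binding, all IP
 ! traffic except DHCP is dropped. "ip verify source port-security" (which
 ! needs "switchport port-security" on the port) also checks the source MAC.
 ip verify source
!
! Variant B (no DHCP): one static binding per device, tied to its port. A device
! moved to another port, or readdressed, no longer matches and is dropped.
! (MACs and addresses below are placeholders.)
ip source binding 0011.2233.4455 vlan 10 192.168.0.10 interface GigabitEthernet1/0/1
ip source binding 0011.2233.4466 vlan 10 192.168.0.11 interface GigabitEthernet1/0/2
!
! Verification: bindings learned or configured, and which ports are filtering
show ip dhcp snooping binding
show ip source binding
show ip verify source
```

Note the operational cost of Variant B: every device gets a line tying MAC, IP, VLAN and port together, so a PC that moves to another port stops working until the binding is updated, which is exactly the behaviour Seb warns about.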

Let me give you some more details.

The switch should only work with the network address 192.168.0.0/24; if another network address is used with any node/device, the switch should deny/stop the communication.

Ah, much simpler. Assuming you have clients connected to ports 1 to 46:

!
ip access-list standard LOCAL_NET01
  ! standard ACL: source address plus wildcard mask, no "ip" keyword
  permit 192.168.0.0 0.0.0.255
  ! any other source hits the implicit deny at the end of the list
!
int range gi1/0/1-46
  ip access-group LOCAL_NET01 in
!

cheers,

Seb.
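The accepted answer above, written out as a complete sequence of steps with verification. This is an added example rather than text from the thread. Assumptions: clients are on Gi1/0/1-46, the uplink ports Gi1/0/47-48 are deliberately left without the ACL, and no DHCP is in use (the ACL's implicit deny would otherwise drop DHCP DISCOVER packets, whose source address is 0.0.0.0).

```cisco
! Added example, not from the thread. Assumed: clients on Gi1/0/1-46,
! uplinks on Gi1/0/47-48 (deliberately left without the ACL), no DHCP in use.
configure terminal
!
! Step 1: standard named ACL. Standard ACLs match the source IP only;
! the "permit" line takes address + wildcard mask, with no "ip" keyword.
ip access-list standard LOCAL_NET01
 remark sources inside 192.168.0.0/24 only
 permit 192.168.0.0 0.0.0.255
 ! implicit "deny any" follows: every other source, including the 0.0.0.0
 ! used by DHCP DISCOVER, is dropped
!
! Step 2: apply it inbound on every client port. Port ACLs on Layer 2
! switchports on this platform are supported in the inbound direction only.
interface range GigabitEthernet1/0/1 - 46
 switchport mode access
 ip access-group LOCAL_NET01 in
!
end
write memory
!
! Step 3: verify. Set a test PC to 10.0.0.5/24 on a client port: its pings
! get no answer. Set it back to an address inside 192.168.0.0/24 and traffic
! resumes, and the permit counter below increments.
show ip access-lists LOCAL_NET01
show running-config interface GigabitEthernet1/0/1
!
! Caveat: this filters IPv4 only. ARP, IPv6 and other non-IP frames from a
! misaddressed host are still forwarded; IP Source Guard or a MAC ACL is
! needed to stop those.
```

Because the ACL only looks at the source address, a user who picks any unused address inside 192.168.0.0/24 still works, which is what the question asked for; if individual hosts must be pinned to one address, the IP Source Guard approach in the earlier replies is the tool, not an ACL.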

Dear Seb,

Can you write me all the steps..... :)

Hello

@Abu Qasim wrote:

Let me give you some more details.

The switch should only work with the network address 192.168.0.0/24; if another network address is used with any node/device, the switch should deny/stop the communication.

Is this a layer 3 switch?

res

Paul



Kind Regards
Paul

It's a layer 2 switch.
