07-14-2016 03:13 AM - edited 03-08-2019 06:37 AM
I want to do IP+MAC binding on a Cisco L3 3650 switch without a DHCP server.
Single IP with single MAC, so that no one can change their MAC and IP address with anyone.
07-14-2016 03:19 AM
You could use static MACs and static ARPs and then set everyone on static IP.
Not the most flexible, and it will require more manual administration than DHCP.
(config)# arp 10.1.1.1 0002.9a3b.94d9 arpa
mac-address-table static 12ab.47dd.ff89 vlan 3 interface ethernet 2/1
07-14-2016 03:24 AM
mac-address-table static 12ab.47dd.ff89 vlan 3 interface ethernet 2/1
Which interface will ethernet 2/1 be? My VLAN is created on the L3 switch and the uplinks go to the access switch below. I want to bind all IPs with MACs on the L3 switch only, not on the lower access switch.
07-14-2016 03:27 AM
Just use the ARP on the L3, and if you have L2 switches you can use the MAC as well, but the ARP will be enough to lock MAC to IP on the L3 switch. Then set the users as static IP to match.
07-14-2016 03:29 AM
OK, thanks for your support. But one confusion: which interface will interface ethernet 2/1 be? The uplink to my lower switch?
07-14-2016 03:35 AM
If you were using static MAC it would go on L2 only; the 2/1 interface would actually be the user interface, like a PC.
So on, say, a 24-port switch you would have 23 static MACs, each going to a port where users are connected, letting the switch know what MACs should be there only.
It's just saying the MAC of the 2/1 interface is part of VLAN 3 and this is what it is: x.x.x
You can then go to the L3 device and match that MAC also to a specific IP.
It's a lot of manual administration on large networks, but on small networks it's not too bad, but it removes any type of automation for the users connecting.
07-14-2016 03:40 AM
But I want to bind all on the L3 switch, which would be my trunk port or access port for the lower switch. That means the whole building load (approx. 150 IP+MAC) is coming to this switch, as it is my core switch.
07-14-2016 03:56 AM
Well, the other option is to automate it to an extent with DHCP / DHCP snooping / port-security and ARP inspection, features like that, if you don't want to manually tag every MAC/IP being learnt.
Manually, you can do 150 static ARPs on the L3 device rather than have anything dynamic.
Static MACs are extra really, and I would only apply them on the L2 switch where the actual device is physically located. Once the static ARP is in place it will cover the IPs, so they can't just use that IP as it will be bound to a specific MAC, so static MACs as well may be overkill.
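An added example, not written by any poster in this thread: one way to produce the roughly 150 static ARP entries discussed above from an IP/MAC inventory, normalizing each MAC to the dotted form IOS expects and rejecting rows that would break the one-IP-to-one-MAC rule. The inventory rows are constructed, and the function names `cisco_mac` and `build_static_arp` are hypothetical.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory (not from the thread): IP,MAC in mixed notations.
SAMPLE_INVENTORY = """\
10.1.1.10,00:02:9A:3B:94:D9
10.1.1.11,00-02-9a-3b-94-da
10.1.1.12,0002.9a3b.94db
10.1.1.12,00:02:9a:3b:94:dc
10.1.1.13,00:02:9a:3b:94:d9
10.1.1.14,00:02:9a:3b:94
"""

def cisco_mac(raw):
    """Normalize common MAC notations to Cisco dotted form xxxx.xxxx.xxxx."""
    digits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"invalid MAC: {raw!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_static_arp(inventory_text):
    """Return (config_lines, problems) for a one-IP-to-one-MAC inventory."""
    lines, problems = [], []
    ip_seen, mac_seen = {}, {}
    for row_no, row in enumerate(csv.reader(io.StringIO(inventory_text)), 1):
        if not row:
            continue
        try:
            ip = str(ipaddress.IPv4Address(row[0].strip()))
            mac = cisco_mac(row[1])
        except (ValueError, IndexError) as exc:
            problems.append(f"row {row_no}: {exc}")
            continue
        if ip in ip_seen:
            problems.append(f"row {row_no}: IP {ip} already bound on row {ip_seen[ip]}")
        elif mac in mac_seen:
            problems.append(f"row {row_no}: MAC {mac} already bound on row {mac_seen[mac]}")
        else:
            ip_seen[ip], mac_seen[mac] = row_no, row_no
            lines.append(f"arp {ip} {mac} arpa")  # global-config static ARP entry
    return lines, problems

if __name__ == "__main__":
    config, issues = build_static_arp(SAMPLE_INVENTORY)
    print("\n".join(config))
    print("\n".join("! " + issue for issue in issues))
```

Rows reported as problems are left out of the generated configuration, so a duplicated IP or MAC in the inventory has to be resolved before it reaches the switch.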
07-14-2016 03:59 AM
Thanks for your support.