Is there a way to block computers which have a statically assigned IP address

Aklilu Belay
Level 1

In a LAN a DHCP server allocates IP addresses, but some users type in their own IP addresses and try to connect to the internet. Sometimes IP conflicts occur because of these computers. To avoid this I was wondering if there is a way to identify these computers with statically assigned IP addresses and block them. Hope there is some kind of solution for this.


6 Replies

Ton V Engelen
Level 3

Hi,

We use DHCP snooping (and ARP inspection) for this. Since there is no DHCP request for a PC which has a statically assigned IP, the port will not be trusted (violation) and the PC will have no network access.

You can probably easily identify these computers because their users will complain they have no network access.

Thank you for the reply. Can you clarify more about how ARP inspection solves my problem?

Reza Sharifi
Hall of Fame

Have the server guys take away their admin rights to their PCs/laptops so they can't change the IP.

HTH

Sent from Cisco Technical Support iPhone App

Your answer is correct, but I was looking for a networking methodology.

Hi,

OK, I'll try and hope it's clear...

Let's say we're talking about VLANs 2, 21, 22, 23, 24, 25 and every client in these VLANs should get an address by DHCP.

But a manually configured address should not get network access.

So I tell the switch to inspect DHCP and ARP; the switch will build a table from DHCP information, with

- switchport
- MAC address
- VLAN
- IP address

Like:

sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:B9:2B:5F:5C:7D   10.1.193.136   32877       dhcp-snooping  2   FastEthernet3/0/41
01:B9:2B:5F:6F:37   10.11.93.137   32879       dhcp-snooping  2   FastEthernet4/0/15
01:B9:38:5F:D8:f3   10.1.160.86    86145       dhcp-snooping  22   FastEthernet1/0/21
01:B9:D1:5F:42:aD   10.1.193.64    15370       dhcp-snooping  2   FastEthernet3/0/21
01:B9:2B:5F:6B:a3   10.1.161.17    32868       dhcp-snooping  23   FastEthernet3/0/13
01:B9:38:5F:D4:3D   10.1.160.127   32873       dhcp-snooping  22   FastEthernet1/0/18
01:B9:64:5F:66:a6   10.1.162.128   33630       dhcp-snooping  24   FastEthernet2/0/27
01:B9:50:5F:21:aF   10.1.193.157   32875       dhcp-snooping  2   FastEthernet3/0/32
01:B9:2B:5F:9B:73   10.1.161.23    32870       dhcp-snooping  23   FastEthernet2/0/32
01:B9:2B:5F:9B:9C   10.1.193.71    16100       dhcp-snooping  2   FastEthernet3/0/42
01:B9:50:2A:0A:98   10.1.192.13    18847       dhcp-snooping  25FastEthernet2/0/23

Because a manually configured client does not send DHCP packets, the switch cannot build a valid "snooping entry" for it from a DHCP packet.

Every switchport has to inspect these packets. It sees an invalid ARP (because there is no mapping) and decides to deny. See the logging below; the client was manually configured with 10.1.137.21 (I'm testing it now to get this output, and it cannot get access whatever I try.)

1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:22 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:23 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:25 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:26 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:27 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:29 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:30 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:31 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:32 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:33 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:34 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:35 UTC Wed Apr 11 2012])

This client does not get access; the packets are denied.

How to configure (for this example):

Global:

ip dhcp snooping vlan 2,22, 23, 24, 25
no ip dhcp snooping information option
ip dhcp snooping database tftp://10.10.1.1/this_switch
ip dhcp snooping
ip arp inspection vlan 2,22, 23, 24, 25
ip arp inspection validate src-mac ip
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

Switchport:

no ip dhcp snooping trust
no ip arp inspection trust

I suggest that you check out the Dynamic ARP Inspection / DHCP snooping subjects at cisco.com for more technical info.

Good luck!
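The mechanism described in the answer above (bindings learned from DHCP, each ARP checked against them on untrusted ports, denials logged) modelled in Python, as an added example that is not code from this thread or from Cisco. It parses the binding table and the %SW_DAI-4-DHCP_SNOOPING_DENY lines quoted in the post (both embedded here as constructed samples, including the row where the VLAN and interface columns ran together), applies a simplified DAI decision (sender MAC/IP/VLAN must match a binding, the `validate src-mac` and `validate ip` checks, trusted-port bypass; a real switch does more), and then aggregates the denied ARPs per port and sender so the statically configured hosts the original question asks about can be listed from the log. The function names, the `ArpPacket` fields and the third "wrong IP" packet are my own assumptions, not anything from the thread.

```python
"""Added example: a small model of DHCP snooping + Dynamic ARP Inspection (DAI).
Not code from the thread or from Cisco; the checks are a simplified model of
what the switch does on an untrusted port."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed excerpt of the "sh ip dhcp snooping binding" output from the thread.
# The last row deliberately keeps the squashed "25FastEthernet2/0/23" column.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
01:B9:2B:5F:5C:7D   10.1.193.136   32877       dhcp-snooping  2   FastEthernet3/0/41
01:B9:38:5F:D8:f3   10.1.160.86    86145       dhcp-snooping  22   FastEthernet1/0/21
01:B9:50:2A:0A:98   10.1.192.13    18847       dhcp-snooping  25FastEthernet2/0/23
"""

# Constructed sample of the DAI deny log lines quoted in the thread.
SAMPLE_LOG = """\
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:22 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:23 UTC Wed Apr 11 2012])
1y39w: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi1/0/45, vlan 2.([001f.bcbc.bcbc/10.1.137.210/0000.0000.0000/10.1.137.3/05:50:25 UTC Wed Apr 11 2012])
"""


def normalize_mac(mac: str) -> str:
    """Accept 01:B9:2B:5F:5C:7D or 001f.bcbc.bcbc; return 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


# mac, ip, lease, type, vlan, interface; "\s*" tolerates the run-together VLAN/interface.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*(\S+)$")


def parse_binding_table(text: str) -> Dict[Tuple[str, int], Binding]:
    """Index the snooping bindings by (sender MAC, VLAN), which is how DAI looks them up."""
    table: Dict[Tuple[str, int], Binding] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:  # header and dashed separator rows have no numeric lease column
            continue
        mac, ip, _lease, _type, vlan, iface = m.groups()
        b = Binding(normalize_mac(mac), ip, int(vlan), iface)
        table[(b.mac, b.vlan)] = b
    return table


@dataclass(frozen=True)
class ArpPacket:  # hypothetical field names, chosen for this example
    sender_mac: str          # ARP sender hardware address
    sender_ip: str           # ARP sender protocol address
    vlan: int
    interface: str
    src_mac: Optional[str] = None  # Ethernet source MAC, if it differs from the ARP body


def _bogus_ip(ip: str) -> bool:
    """The 'validate ip' check: 0.0.0.0, broadcast and multicast senders are invalid."""
    first = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first <= 239


def dai_verdict(pkt: ArpPacket, table: Dict[Tuple[str, int], Binding],
                port_trusted: bool = False) -> str:
    """Return 'permit' or 'deny' for an ARP seen on a switchport (simplified DAI)."""
    if port_trusted:
        return "permit"  # trusted ports (uplinks, DHCP server) are not inspected
    if pkt.src_mac is not None and normalize_mac(pkt.src_mac) != normalize_mac(pkt.sender_mac):
        return "deny"    # 'ip arp inspection validate src-mac'
    if _bogus_ip(pkt.sender_ip):
        return "deny"    # 'ip arp inspection validate ip'
    b = table.get((normalize_mac(pkt.sender_mac), pkt.vlan))
    if b is None or b.ip != pkt.sender_ip:
        return "deny"    # no matching lease: the host configured its IP by hand
    return "permit"


DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)


def offenders(log_text: str) -> Dict[Tuple[str, int, str, str], int]:
    """Sum denied ARPs per (port, vlan, sender MAC, sender IP): the hosts to go and find."""
    totals: Dict[Tuple[str, int, str, str], int] = {}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            key = (m["port"], int(m["vlan"]), normalize_mac(m["smac"]), m["sip"])
            totals[key] = totals.get(key, 0) + int(m["count"])
    return totals


if __name__ == "__main__":
    table = parse_binding_table(BINDING_OUTPUT)
    leased = ArpPacket("01:B9:2B:5F:5C:7D", "10.1.193.136", 2, "FastEthernet3/0/41")
    static = ArpPacket("001f.bcbc.bcbc", "10.1.137.210", 2, "Gi1/0/45")
    print("leased client:", dai_verdict(leased, table))
    print("static client:", dai_verdict(static, table))
    for (port, vlan, mac, ip), n in offenders(SAMPLE_LOG).items():
        print(f"{port} vlan {vlan}: {mac} claiming {ip} denied {n} times")
```

Running it prints `permit` for the leased host and `deny` for the statically configured one, and the last loop lists Gi1/0/45 with the offending MAC and IP. On a real network the same aggregation over the switch's syslog (or `show ip arp inspection log`) is the practical answer to "which computers are these": every port that keeps producing deny lines has a host that never took a lease.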

Thank you very much. Your answer is very helpful and I will look deeper into DHCP snooping and ARP inspection.