11-11-2008 10:42 PM - edited 03-06-2019 02:25 AM
Dear All,
My query is: what are the possible solutions for preventing wrong IP address assignment in a campus LAN? How can we block an access port if some host manually assigns the gateway's IP address as his PC's IP address, or assigns the IP address of any other important network resource like the DHCP server, etc.?
Regards,
Mujeeb
11-13-2008 04:41 AM
Hello Mujeeb,
>> So how can I force a host (PC) not to use a manual IP address if he is willing to get an IP address dynamically through the switch (DHCP) and tries to assign a wrong IP address?
The combination of the features puts a user who assigns an IP address manually out of the network, because it will not be part of the DHCP binding table.
Hope to help
Giuseppe
11-12-2008 12:46 AM
Hello Mujeeb,
Using IP DHCP snooping, IP Source Guard can be a solution.
Another possible solution could be using 802.1X authentication.
see
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dhcp.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/dot1x.html
Hope to help
Giuseppe
11-12-2008 06:25 AM
Use IP DHCP snooping with ARP inspection.
Using this you can FORCE the use of DHCP so that no static IPs are allowed. It will also block rogue DHCP servers.
11-12-2008 11:09 AM
I was under the impression that DHCP snooping was only good under the circumstance of a rogue DHCP server inserted into a port. From Mujeeb's question, he wants to know how to prevent a host that has assigned a static address to its workstation from connecting to the network. Would DHCP snooping really help in this scenario?
--John
11-12-2008 11:23 AM
Ah, I got it. The way that I see it is that you would do as Giuseppe said. You would run DHCP snooping and IP Source Guard. Source Guard would compare the MAC address on the port (your statically assigned workstation) to the DHCP snooping database. If the MAC address isn't in there, then Source Guard drops the packets coming in on that interface.
If you enable DHCP snooping, make sure that you configure a trusted interface if you have a DHCP server. All interfaces are untrusted by default, and they will get put in the err-disabled state if you don't configure a trusted port for the one the DHCP server is on.
--John
11-13-2008 02:02 AM
Hi All,
Thanks for the replies. I had a problem in one of our customer's networks: someone assigned the IP address of the gateway (router) on his PC statically, and after that all traffic was forwarded towards the port on the edge switch where that user was connected.
The LAN setup at client side is as follows,
- Multiple 3560s on edge
- 2 * 3750 as Distribution/Core ( Providing DHCP services as well )
- 3845 Router as Gateway.
The Distribution/Core switches are not providing a routing function. These switches are working as layer 2 switches and provide IP addresses and the gateway (router IP address) to hosts. So all hosts are supposed to get their IP address dynamically. If I enable DHCP snooping with Source Guard (I don't want to use manual entries for IP Source Guard), then the IP Source Guard feature will use the DHCP binding database to verify incoming traffic? So how can I force a host (PC) not to use a manual IP address if he is willing to get an IP address dynamically through the switch (DHCP) and tries to assign a wrong IP address?
Regards,
Mujeeb
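Putting Giuseppe's and John's suggestions (DHCP snooping plus IP Source Guard, with DAI and a trusted uplink) together for the topology described in this post, here is an added example configuration for one of the edge 3560s. It is not from the original thread. The VLAN number (10), the uplink (Gi0/25), the access-port range (Fa0/1 - 24) and the database filename are assumptions chosen for the example; adjust them to the real network.

```ios
! Edge 3560 (IOS 12.2) - DHCP snooping + IP Source Guard + Dynamic ARP Inspection.
! Assumed: user VLAN 10, uplink Gi0/25 towards the two 3750s that run the
! DHCP server, access ports Fa0/1 - 24. Example configuration, not from the thread.
!
! 1. DHCP snooping builds the binding table (MAC, IP, VLAN, port, lease)
!    that IP Source Guard and DAI check against.
ip dhcp snooping
ip dhcp snooping vlan 10
! The 3750s answer DHCP on the same VLAN, i.e. without a relay (giaddr 0).
! An IOS DHCP server drops such requests when the edge has inserted option 82,
! so either stop inserting it here (as below) or configure
! "ip dhcp relay information trust-all" on the 3750s.
no ip dhcp snooping information option
! Persist bindings so hosts are not cut off by Source Guard after a reload.
ip dhcp snooping database flash:dhcp-snooping.db
!
! 2. DAI on the same VLAN: an ARP packet on an untrusted port whose sender
!    IP/MAC is not in the binding table (e.g. a PC answering for the gateway
!    IP) is dropped and logged; the ARP ACL posted later in this thread can be
!    attached with "ip arp inspection filter" to pin the gateway explicitly.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Rate-limit violations err-disable the port; recover it automatically.
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! 3. The uplink towards the DHCP server and the gateway must be trusted for
!    both features. Otherwise DHCP OFFERs arriving there are dropped and the
!    port is err-disabled (John's point), and the real gateway's ARP replies
!    would be inspected as if they came from a host.
interface GigabitEthernet0/25
 description Uplink to 3750 distribution (DHCP server, path to 3845 gateway)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Access ports stay untrusted (the default), are rate-limited, and run
!    IP Source Guard. "ip verify source" filters on the source IP learned from
!    the binding table: a PC that statically takes the gateway's (or any other)
!    address can only send DHCP until it holds a lease for the address it uses.
!    (Adding "port-security" to that command also checks the MAC, but then
!    port security must be enabled and the DHCP server must accept option 82.)
interface range FastEthernet0/1 - 24
 description User access ports
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
 spanning-tree portfast
!
! Verification from enable mode:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
```

After a host renews its lease, `show ip dhcp snooping binding` should list it and `show ip verify source` should show the port as active with that IP; a host that has configured the gateway address by hand shows up instead in the DAI drop counters of `show ip arp inspection statistics vlan 10` and is unable to pass IP traffic on its port.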
11-13-2008 02:28 AM
The easiest way is to let the user log on to his computer as a user and not as an administrator, so he can't change anything.
From the network point of view, you can use ARP inspection.
For example, we need to protect the IP address of one VLAN (the gateway) from ARP poisoning. So we associate its IP with its real MAC and deny any other MAC address.
arp access-list arp-inspection
 ! Only the real gateway MAC may claim the gateway IP in ARP.
 permit ip host 10.10.10.254 mac host 1111.2222.3333 log
 ! Any other MAC claiming the gateway IP is dropped and logged.
 deny ip host 10.10.10.254 mac any log
 ! Everything else is permitted by the ACL, so it is not checked
 ! against the DHCP snooping binding table.
 permit ip any mac any
!
ip arp inspection vlan 10
! "static": ARP not matched by the ACL is dropped instead of being
! checked against the DHCP snooping bindings.
ip arp inspection filter arp-inspection vlan 10 static
11-13-2008 03:28 AM
Hi,
Can we use ARP inspection if the gateway IP address is actually a virtual IP address (HSRP/VRRP)?
Kindly elaborate the major differences among the DHCP snooping, IP Source Guard and ARP Inspection features. What are the best practices for using these features in a campus network, as individual features or in combination?
Thanks in Advance.
Regards,
Mujeeb
11-17-2008 11:45 AM
Hello,
I am trying to create a similar configuration on a 6500 without using DHCP snooping. I was told by TAC that this would not work, but it appears okay in my lab. We do not have enough time to fully test DHCP snooping. First I deny any device from responding to an ARP request for the gateway IP, then I deny any device from responding with the MAC address of the gateway. In my testing, any device connected to VLAN 1502 with the IP 10.1.1.65 or MAC address 001d.e510.8ef1 was denied and logged. Unfortunately I do not have the output showing DHCP snooping disabled.
john k
arp access-list AL_VLAN_1502
deny response ip host 10.1.1.65 any mac any any log
deny response ip any any mac host 001d.e510.8ef1 any log
permit ip any mac any
!
ip arp inspection vlan 1502
ip arp inspection filter AL_VLAN_1502 vlan 1502
!
*Nov 7 12:20:08.139 EST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi1/3, vlan 1502.([001d.e513.8ef1/10.1.1.65/001d.e513.8ef1/10.1.1.65/12:20:07 EST Fri Nov 7 2008])
11-19-2008 07:32 AM
Hello John,
The question is: can a newly added PC get an ARP response from the legitimate gateway, which is SVI 1502?
This is the test to be performed.
If the result is fine, you are able to protect the default gateway identity on the VLAN.
Otherwise you have a solution that does not work.
Hope to help
Giuseppe
11-19-2008 07:36 AM
In my testing, I found this to be true. A newly added PC will get an ARP response from the legitimate gateway. Testing is ongoing.
Thanks Giuseppe!
John k