
Restrict port to specific range of IP addresses?

All my access switches are 2960X, and I'd like to restrict all the ports to only allow IP addresses in a specific range to connect to the port. I want this to ensure only IPs in the client range can actually be on those ports.

I'm planning on also configuring IP Source Guard, but that won't protect against someone manually changing the IP addresses on the client to something outside the allowed client range.

I'm pretty sure this can be done, but so far I haven't been able to find out ho

5 Replies

marce1000
VIP

 

 - Note that switch-ports basically handle layer 2 traffic which they can perfectly do from a device that doesn't even have an IP address. In this the usual debate arises from controller network management versus I-don't-know-what-is-going-on. Personally I prefer the first approach implemented through well configured DHCP servers (e.g.), so that your question 'becomes no longer needed'.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

kubn2
Level 1

Hi,

 

Dynamic ARP inspection, which relies on DHCP snooping building a database with bindings of MAC to IP addresses. So if a user changes his IP address, the switch will drop those packets because the bindings in the DHCP snooping database will not match.

 

 

Hello


@donohoecompanies wrote:

All my access switches are 2960X, and I'd like to restrict all the ports to only allow IP addresses in a specific range to connect to the port. I want this to ensure only IPs in the client range can actually be on those ports.

Just to clarify and if possible elaborate?
 Do you mean these ports are able to reach this specific IP range or these ports are allocated IP addressing from a specific IP range?

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


@paul driver wrote:

 Do you mean these ports are able to reach this specific IP range or these ports are allocated IP addressing from a specific IP range?

 


The ports are allocated IP addressing from a specific IP range.

balaji.bandi
Hall of Fame

For now, I can only think of DHCP with IP reserved and MAC ACL to protect.

 

BB

***** Rate All Helpful Responses *****
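
The DHCP snooping, Dynamic ARP Inspection and IP Source Guard features named in this thread, combined in one IOS configuration. This is an added example, not posted by any participant. VLAN 10 as the client VLAN, Gi1/0/48 as the uplink toward the DHCP server and Gi1/0/1-47 as client ports are assumptions.

```cisco
! Assumed layout: client VLAN 10, uplink Gi1/0/48, client ports Gi1/0/1 - 47.
!
! 1. DHCP snooping builds the MAC / IP / port binding table from leases
!    handed out by the DHCP server (whose scope defines the client range).
ip dhcp snooping
ip dhcp snooping vlan 10
! Do not insert option 82; many DHCP servers reject it unless configured for it.
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection drops ARP packets on untrusted ports whose
!    sender MAC/IP does not match a snooping binding.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. The uplink carries DHCP server replies and infrastructure ARP: trust it.
interface GigabitEthernet1/0/48
 description Uplink toward DHCP server (assumed port)
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Client ports stay untrusted. IP Source Guard filters IP traffic whose
!    source address has no matching binding on that port, which includes a
!    manually configured address that the DHCP server never leased.
interface range GigabitEthernet1/0/1 - 47
 description Client access ports (assumed range)
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip verify source
!
! Verification commands:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip verify source
```

Devices that legitimately use static addresses on VLAN 10 have no DHCP lease, so they need a static binding (`ip source binding`) and, for ARP, an ARP ACL (`ip arp inspection filter`) before these features are enabled on their ports.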
