Restricting access to an IP

Anand Narayana
Level 6

This is my scenario. I have my IP as 172.16.1.1 (aaaa.bbbb.cccc.dddd), which has full internet access. Now, when I am not available in the office, I noticed someone assigning my IP to his workstation and gaining full internet access. How do I restrict such things? I.e. even if someone assigns my IP on the network, they shouldn't be able to access the LAN or WAN.

I tried configuring 'arp 172.16.1.1 aaaa.bbbb.cccc.dddd arpa' on my L3 Cisco 3750X switch, assuming I could achieve this, but that did not help.

8 Replies

Abzal
Level 7

Hi,

1. You could exclude this IP from DHCP and assign IP manually.

2. Or you could reserve this IP for particular machine.


ip dhcp pool TEST 
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.254
 dns-server 8.8.8.8  
 lease 30


ip dhcp pool Test_User  
 host 172.16.1.1
 hardware-address aaaa.bbbb.cccc 
 client-name Test_User

https://supportforums.cisco.com/thread/2081838

Hope it will help.

Best regards,
Abzal


Other than configuring DHCP on the switch, is it possible in any other way?

Of course there is: you can use Windows 200X servers or Linux/FreeBSD servers, whichever you prefer and know how to configure. I assumed you are running DHCP on the L3 switch.

And as far as I know, a MAC address is 48 bits long: aaaa.bbbb.cccc

Example:

Conf t

arp 10.140.8.74 0100.5e7f.084a ARPA

arp 10.140.8.75 0100.5e7f.084b ARPA

Hope it will help.

Best regards,
Abzal


Hi,

This won't prevent other people from taking his IP address if they do it purposefully by assigning it statically.

In this case you'll need the DHCP snooping and IP Source Guard features to prevent this.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swdhcp82.html

Regards.

Alain

Don't forget to rate helpful posts.


As I mentioned earlier, 'arp 1.1.1.1 abcd.efgh.ijkl arpa' did not help me in that. DHCP running on Windows / Linux is not going to help in this regard; however, I will then stick with the DHCP on the switch if that restricts.

Hi,

Configuring a static mapping is the same on all DHCP servers, if we except the configuration of course.

But this won't prevent someone from configuring your IP statically while you're not on the subnet.

Regards.

Alain

Don't forget to rate helpful posts.


If you are running Windows AD with Group Policy on the network, you could restrict changing the IP address for standard users. Then it should be OK. With Cisco devices, honestly, I'm not aware if it's possible.

Abzal

Best regards,
Abzal

Cadet Alain is 100% correct.

You are dealing with a smart user. He knows you are not in the office, and he/she statically assigns your privileged IP to their device. The only way to restrict this is as follows:

1. Reserve your IP address on the DHCP server. This will ensure no one else gets assigned the IP.

2. Enable DHCP snooping and IP source guard.

3. Create a static entry mapping the source IP to your MAC.

Point 2 will enable you to populate a mapping of MAC to IP based on DHCP transactions. Since your IP is not assigned by DHCP, it will not appear in the list. Point 3 will add your IP to MAC mapping. So effectively your switch will only forward traffic which has passed points 2 & 3. Problem solved.
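
Steps 2 and 3 from the reply above, written out as an added Cisco IOS configuration example (not posted by anyone in the thread). VLAN 10 and the interface numbers are assumptions; 172.16.1.1 and aaaa.bbbb.cccc are the placeholders used in the thread.

```cisco
! Assumptions: user VLAN 10, the owner's PC on Gi1/0/5, uplink on Gi1/0/48.
!
! Step 2a: build the DHCP snooping binding table for the user VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Trust only ports that lead to a legitimate DHCP server. Access ports stay
! untrusted, so DHCP server replies arriving on them are dropped.
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
!
! Step 3: static binding for the statically addressed host. It ties
! 172.16.1.1 to one MAC, one VLAN and one physical port.
ip source binding aaaa.bbbb.cccc vlan 10 172.16.1.1 interface GigabitEthernet1/0/5
!
! Step 2b: IP Source Guard on the untrusted access ports. A port only
! forwards IP traffic whose source address has a binding on that port,
! so 172.16.1.1 configured statically on any other port is filtered.
interface range GigabitEthernet1/0/1 - 47
 ip verify source
!
! Verification (exec mode):
!  show ip dhcp snooping binding
!  show ip source binding
!  show ip verify source
```

Any other statically addressed host behind these ports needs its own `ip source binding` entry before `ip verify source` is applied, otherwise its traffic is dropped as well.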
