12-07-2015 10:42 PM - edited 03-08-2019 03:00 AM
Hi Friends,
I have a Cisco 6500 core switch with several VLANs. We have created user VLAN 10 with IP 10.10.10.1/24.
Now one of the literate users is statically changing the IP address on his laptop to the same as the gateway IP address 10.10.101/24 and silently putting it into the network intentionally.
Because of this, my whole network is failing to get an IP address from DHCP and is showing a yellow exclamation mark.
Please assist so the switch port can be blocked from duplicate IP addressing.
Regards
Sanjeev
12-08-2015 12:16 AM
Hi Sanjeev,
Take a look at IP Source Guard. It will block host switchports which attempt to use an IP address that has not been issued via a trusted DHCP source:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/ipsrcgrd.html
cheers,
Seb.
12-08-2015 10:59 PM
Thanks Guys,
let me check.
Regards
Sanjeev
12-08-2015 08:00 AM
Hello Sanjeev,
IPSG with DHCP snooping would be beneficial for your problem, as it is a security feature that restricts IP traffic on nonrouted, Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP Source Guard to prevent traffic attacks if a host tries to use the IP address of its neighbor.
After IPSG is enabled on an interface, the switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping. A port access control list (ACL) is applied to the interface. The port ACL allows only IP traffic with a source IP address in the IP source binding table and denies all other traffic.
Hope it helps.
-GI
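A configuration sketch of the DHCP snooping plus IP Source Guard setup described in the answers above, added here as an illustration; it is not taken from the thread or from the linked Cisco guide. The interface names, the uplink port, the printer's MAC address and the 12.2SX-style `ip verify source vlan dhcp-snooping` syntax are assumptions for this example and should be checked against the guide for the running release.

```cisco
! --- Global: enable DHCP snooping and watch the user VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- Uplink towards the DHCP server: trusted, so server offers are learned ---
interface GigabitEthernet1/1
 description uplink to DHCP server / distribution
 switchport
 switchport mode trunk
 ip dhcp snooping trust
!
! --- User access port: untrusted by default; IPSG filters source IPs ---
! Only traffic whose source IP matches a DHCP snooping binding (or a
! static binding) for this port is forwarded. A laptop that sets itself
! to the gateway address 10.10.10.1 has no binding, so its IP traffic is
! dropped while it can still obtain a lease via DHCP.
interface GigabitEthernet2/1
 description user access port, VLAN 10
 switchport
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
! --- Host with a legitimate static address (example: a printer) ---
! Static binding so IPSG does not block it. MAC and port are placeholders.
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet2/2
!
interface GigabitEthernet2/2
 description printer, static 10.10.10.50
 switchport
 switchport mode access
 switchport access vlan 10
 ip verify source vlan dhcp-snooping
!
! --- Verification ---
! show ip dhcp snooping binding        -> leases learned per port/VLAN
! show ip verify source                -> IPSG state and filter per interface
```

Before enabling IPSG on a port, confirm the host already appears in `show ip dhcp snooping binding`; a host that obtained its lease before snooping was turned on has no binding and will be filtered until it renews.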