06-17-2008 02:06 AM - edited 03-05-2019 11:40 PM
I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.
What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.
What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?
Kevin Dorrell
Luxembourg
06-19-2008 06:49 AM
Bump! Any ideas?
06-20-2008 02:56 AM
Hello Kevin,
I didn't try directly but you could try to use IP source guard and DHCP snooping
Look at the following link
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/44sg/configuration/guide/dhcp.html
hope to help
Giuseppe
06-20-2008 04:58 AM
Giuseppe,
Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.
Kevin Dorrell
Luxembourg
06-23-2008 11:26 PM
Giuseppe,
Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).
The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".
However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!
Thanks.
Kevin Dorrell
Luxembourg
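For readers who land on this thread, here is the DHCP snooping plus IP Source Guard configuration Giuseppe points to, as an added example that is not from the thread or from the linked Cisco document. VLAN numbers, interface names, the description strings and the MAC/IP values in the static binding are assumed for illustration. It implements the behaviour Kevin describes in his last post: a device that reuses the PC's MAC but sources packets from an address that is not in the snooping binding table (169.254.2.2, for instance) has those packets dropped on the access port, but the port itself stays up.

```cisco
! Added example (not from the thread or the linked Cisco document).
! Interface names, VLAN 10 and the binding values below are assumed.
!
! 1. Enable DHCP snooping globally and on the user VLAN.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Trust only the uplink toward the DHCP server. Every other port stays
!    untrusted, so the switch learns MAC/IP/VLAN/port bindings from the
!    DHCP exchanges of the PCs on the access ports.
interface GigabitEthernet1/1
 description uplink toward distribution and DHCP server (assumed)
 ip dhcp snooping trust
!
! 3. On the access port, check IP traffic against the binding table.
!    The port-security keyword adds the source MAC to the check, which
!    matters here because the foreign device borrows the PC's MAC but
!    not the IP address the PC obtained from DHCP.
interface GigabitEthernet2/1
 description user PC (assumed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ip verify source vlan dhcp-snooping port-security
 ! Optional: cap DHCP packets per second from this port. Exceeding the
 ! limit does errdisable the port, but a single extra DHCP request from
 ! a PDA will not reach a sane limit, so this is not the "shutdown on
 ! any DHCP" behaviour Kevin asked for.
 ip dhcp snooping limit rate 15
!
! 4. Hosts with static addresses need a manual binding, otherwise IP
!    Source Guard drops their traffic too (values assumed).
ip source binding 0000.1111.2222 vlan 10 10.1.10.50 interface GigabitEthernet2/2
```

After a PC has renewed its lease, `show ip dhcp snooping binding` lists its MAC/IP pair against the port, and `show ip verify source` shows the filter active on GigabitEthernet2/1. Packets from 169.254.2.2 or 192.0.0.192 on that port are then silently dropped, which is the "restrict" behaviour Kevin describes; the port does not go into errdisable for them.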