IP-MAC binding for static IP hosts

Recep Sefer
Occasional Contributor

I want my hosts connected to a 28xx L3 switch (Version I.10.70 software) not to change the IP addresses already assigned to them.

Is there any working configuration?

THANKS
rick jones
Honored Contributor

Re: IP-MAC binding for static IP hosts

Do you mean you want the 28XX switch to enforce that a given IP address and only a given IP address may appear as a source IP address on packets arriving on a given port on the switch? And, presumably, drop any traffic arriving on the port for which that is not the case?
there is no rest for the wicked yet the virtuous have no pillows
Recep Sefer
Occasional Contributor

Re: IP-MAC binding for static IP hosts

No, not this case,

I give static IP addresses manually to the hosts according to their MAC addresses.

I don't know on which port of the switch the hosts are connected.

I want to lock arp cache of the switch statically.

Thanks
rick jones
Honored Contributor

Re: IP-MAC binding for static IP hosts

The *switch's* ARP cache will only be used for IP traffic to and from the switch itself, i.e. its management function. It will not be involved at all with communication between hosts connected to the switch. So, locking the ARP cache of the switch will not do what you want.

When you say you are assigning IP addresses statically based on their MAC addresses, I presume you mean you are using DHCP where the DHCP server is configured to give-out specific IP addresses to specific MAC addresses yes?

More generally, all locking an ARP cache does is say that a given IP address is associated with a given MAC address. That would preclude having that same IP address assigned to a different MAC address from "working", but it would not preclude a second IP address becoming associated with that first MAC address. You would have to disable ARP entirely on all the hosts in your network to be able to prevent them from learning new IPs associated with existing MACs. Even if you could block ARP traffic at the switch, you would still need to populate all your hosts with static ARP tables, and the means by which you might (or might not) be able to do that will vary with each distinct host OS.

And, if the users of those hosts already had enough privileges on those host OSes to try to assign their own IPs, they would have enough privileges to enter new IP-MAC translations into their local ARP caches.
there is no rest for the wicked yet the virtuous have no pillows
Jeff Carrell
Honored Contributor

Re: IP-MAC binding for static IP hosts

You could implement 2 features:
DHCP Snooping
ARP Protection

You mainly want the ARP Protection feature but you must also enable DHCP Snooping for AP to work (even if you are not doing DHCP).

AP tells the switch to only allow specific IP-to-MAC pairs to be able to pass any traffic through it.

If you are doing DHCP on clients with reservations, then the switch will learn these mappings. If you are doing static assigned IP's on clients, you can enter a table of static mappings into the switch.

These features also lock the IP-MAC pairs at the port/vlan they are coming into and only allow that traffic to flow.

The downside: anyone could Wireshark the network, listen to broadcasts, glean the IP-MAC pairs, and spoof them, and they would look legit.

Basically, to control changes at the client, you must control ADMIN access on the client (as mentioned in a post here). This type of control can't totally be done in the infrastructure, but you can contain some of the allowed traffic.

You could also implement 802.1X/PCM/IDM and build policies that force IP, MAC, machine specific, uid, network location (switch/port) and even time-of-day/day-of-week tests, and if everything passes the test, allow that traffic.

hth...Jeff

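The two replies above describe the same mechanism from opposite ends: rick jones points out that binding one IP to one MAC does nothing about a host adopting a second IP, and Jeff Carrell points out that DHCP snooping plus ARP protection binds each IP/MAC pair to a VLAN and port and drops anything else, with the caveat that an attacker who copies a legitimate pair on the same segment looks legitimate. The following model of such a binding table is an added example written for this thread; it is not ProCurve firmware or any vendor's code, and the class, method and field names (BindingTable, add_static, learn_dhcp_ack, check, trusted_ports) are my own. It shows which of the cases discussed above a port/VLAN-scoped binding table can and cannot stop.

```python
"""Model of a per-VLAN IP/MAC/port binding table of the kind DHCP snooping
builds and ARP protection / dynamic IP lockdown consult (added example, not
switch code; names are assumed)."""
from dataclasses import dataclass
import re


def norm_mac(mac: str) -> str:
    """Canonicalise '00:11:22:33:44:55', '0011.2233.4455' or '001122-334455'
    to 12 lowercase hex digits so differently formatted entries compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    mac: str      # canonical 12 hex digits
    vlan: int
    ip: str
    port: str
    static: bool  # entered by an operator (True) or learned from a DHCPACK (False)


class BindingTable:
    def __init__(self, trusted_ports=()):
        self.trusted = set(trusted_ports)   # uplinks / DHCP server ports, not inspected
        self._bindings = {}                 # (vlan, ip) -> Binding

    def _put(self, b: Binding) -> None:
        old = self._bindings.get((b.vlan, b.ip))
        # An operator's static entry is never overridden by a later lease or
        # conflicting entry; it has to be removed explicitly first.
        if old is not None and old.static and (old.mac != b.mac or old.port != b.port):
            raise ValueError(
                f"{b.ip} in vlan {b.vlan} is already bound statically to "
                f"{old.mac} on port {old.port}")
        self._bindings[(b.vlan, b.ip)] = b

    def add_static(self, mac: str, vlan: int, ip: str, port: str) -> None:
        """Static binding for a host with a manually configured address."""
        self._put(Binding(norm_mac(mac), vlan, ip, port, True))

    def learn_dhcp_ack(self, vlan: int, chaddr: str, yiaddr: str, port: str) -> None:
        """Dynamic binding, as snooping would record from a server's DHCPACK
        (client hardware address and the address it was given)."""
        self._put(Binding(norm_mac(chaddr), vlan, yiaddr, port, False))

    def check(self, vlan: int, port: str, src_mac: str, src_ip: str):
        """Decision for an ARP sender pair or IP source arriving on (vlan, port).
        Returns (permit, reason)."""
        if port in self.trusted:
            return True, "trusted port, not inspected"
        b = self._bindings.get((vlan, src_ip))
        if b is None:
            return False, f"no binding for {src_ip} in vlan {vlan}"
        if b.mac != norm_mac(src_mac):
            return False, f"{src_ip} is bound to {b.mac}, not {norm_mac(src_mac)}"
        if b.port != port:
            return False, f"{src_ip}/{b.mac} is bound to port {b.port}, seen on {port}"
        return True, "matches binding"


def demo():
    """Constructed sample bindings and traffic; returns {case: (permit, reason)}."""
    t = BindingTable(trusted_ports={"Trk1"})
    t.add_static("00:11:22:33:44:55", 10, "10.0.10.20", "5")     # static-IP host on port 5
    t.learn_dhcp_ack(10, "00:aa:bb:cc:dd:ee", "10.0.10.50", "7")  # DHCP reservation on port 7
    events = {
        "static host uses its own address":   (10, "5", "00:11:22:33:44:55", "10.0.10.20"),
        "static host changes its IP":         (10, "5", "00:11:22:33:44:55", "10.0.10.99"),
        "static host moved to port 9":        (10, "9", "00:11:22:33:44:55", "10.0.10.20"),
        "DHCP host claims .20":               (10, "7", "00:aa:bb:cc:dd:ee", "10.0.10.20"),
        "spoofer on port 5 copies MAC and IP": (10, "5", "00-11-22-33-44-55", "10.0.10.20"),
        "router seen via uplink Trk1":        (10, "Trk1", "00:de:ad:be:ef:00", "10.0.10.1"),
    }
    return {name: t.check(*ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, (permit, why) in demo().items():
        print(f"{'PERMIT' if permit else 'DROP  '} {name}: {why}")
```

The first four cases are what the binding table buys you: a host that silently changes its address, moves ports, or takes a neighbour's address is dropped because the (vlan, IP) lookup fails or the MAC or port does not match. The fifth case is Jeff's caveat in code: a machine behind the same port that copies both the MAC and the IP passes every check, so the table constrains traffic but does not authenticate the host.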
Recep Sefer
Occasional Contributor

Re: IP-MAC binding for static IP hosts

I tried the following command on the 28xx switch and it gives the following error.
What is this limit?

SWITCH(config)# ip source-lockdown Trk1
Cannot enable Dynamic IP Lockdown on port(s)Trk1, manual binding limits are exceeded.

Thanks