Edrick
I aspire to tell the story of a lifetime
Premium Member
join:2004-09-11
San Diego, CA

Cisco SA520 IP Addresses

I have a bunch of devices which have Static IPs on the network, I also want to ensure DHCP doesn't give out those IPs. So I can still add the IP with the MAC address of those devices to the config and that'll be fine correct?

Secondly, is there a way to block a device from accessing the network if it's using an IP statically that's already assigned on the network via the DHCP reservation?

So scenario:

IP Camera static IP of 192.168.0.100
This device is set up by myself and should be the only device allowed on the network with the .100 address.

I add that camera's MAC address to the DHCP Reserve as a measure of protection so the DHCP server doesn't give out that address.

Now someone comes along and decides they want to plug in a device that they configured with the .100 address that's not my camera. This now causes a conflict on the network, I want the network to not allow this device on.

The network consists of a SA520 and SG500 switches.

Thanks!
markysharkey
Premium Member
join:2012-12-20
united kingd

I tend to believe that in mission critical networks, unused ports should be shut down. Anyone wanting to add a device to the wired network should need to submit a change request.
Basic user security policy should also state that users are not allowed to attach devices to the network without first seeking permission or they will face disciplinary proceedings.
If someone has physical access to the network then having a duplicate IP address popping up is the least of your worries!

Edrick
I aspire to tell the story of a lifetime
Premium Member
join:2004-09-11
San Diego, CA

In this scenario it's actually a home environment that I manage for a customer.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Edrick

said by Edrick:

So I can still add the IP with the MAC address of those devices to the config and that'll be fine correct?

Short answer, yes.
said by Edrick:

Secondly, is there a way to block a device from accessing the network if it's using an IP statically that's already assigned on the network via the DHCP reservation?

Not off the top of my head. Second what markysharkey said about securing your network, especially if this is going to be for an enterprise. If this is a home setup, shouldn't have to worry too much about it, unless you have a lot of unknown devices plugging in.

Regards
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

cramer to Edrick

Yes. You can exclude the address:

    ip dhcp excluded-address 192.168.1.240 192.168.1.254

Or add a DHCP entry for it, even if the host will never use DHCP. I use a static file:

    ip dhcp pool pool-static
     origin file tftp://server/DHCP/1760-db


To limit access you'd need to set up DHCP snooping and ARP/MAC protection on a switch. The router can only do ARP security, and only to traffic passing through it. The switch can watch DHCP and only allow that MAC access. Of course, at this level you'd want to use dot1x port authentication.
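
The IP-to-MAC binding check that the switch-side protection above relies on, sketched as an added example (not code from any poster in this thread). The MAC addresses, port names and the three-column observation format are constructed for illustration; a real feed would come from the router's or switch's ARP table.

```python
import re

# Reserved IP -> MAC bindings (constructed sample; mirrors the DHCP reservation list).
RESERVATIONS = {
    "192.168.0.100": "00:11:22:33:44:55",   # IP camera (constructed MAC)
    "192.168.0.101": "00:11:22:33:44:66",
}

# Constructed sample of ARP observations: "<ip> <mac> <switch port>".
SAMPLE_ARP = """\
192.168.0.100 0011.2233.4455 gi1/1/4
192.168.0.100 00-AA-BB-CC-DD-EE gi1/1/9
192.168.0.101 00:11:22:33:44:66 gi1/1/5
192.168.0.150 00:de:ad:be:ef:01 gi1/1/7
garbage line
"""

def normalize_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_violations(arp_text, reservations):
    """Return (ip, expected_mac, seen_mac, port) for each reserved IP claimed by another MAC."""
    expected = {ip: normalize_mac(mac) for ip, mac in reservations.items()}
    violations = []
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] not in expected:
            continue  # malformed line, or an address outside the reserved set
        ip, raw_mac, port = fields
        try:
            seen = normalize_mac(raw_mac)
        except ValueError:
            continue  # unparseable MAC field
        if seen != expected[ip]:
            violations.append((ip, expected[ip], seen, port))
    return violations

if __name__ == "__main__":
    for ip, want, seen, port in find_violations(SAMPLE_ARP, RESERVATIONS):
        print(f"CONFLICT {ip}: expected {want}, saw {seen} on {port}")
```

This only reports a conflict; it does not keep the second device off the network, and it cannot tell devices apart if one copies the reserved MAC, which is why the post points to port authentication for real enforcement.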

Edrick
I aspire to tell the story of a lifetime
Premium Member
join:2004-09-11
San Diego, CA

It's possible that it won't be an issue, however I've already had them plug in a few things that someone at one point set up a static IP address and caused issues. I'm hoping once I'm finished with the rollout it won't be an issue as I'll have gone through and configured all devices but just was curious if what I was thinking was possible.