IP to MAC/Port Binding

  • Question
  • Updated 4 years ago
  • Answered
Create Date: Jan 2 2013 11:29AM

I have configured MAC binding on our Summit x450e-48p switches using the create fdbentry command. Now I need to ensure that the users use only the IP addresses assigned to them (IP-MAC binding?). How can this be done on the x450e-48p switch?

Thanks in advance

(from vikram_nair)

Create Date: Jan 3 2013 9:44AM

What I have done is make a policy on the switch, say (s1). This policy has two rules: one blocking all IPs of the range and another allowing a particular IP. So the policy is:


Policy: s1
entry drop1 {
    if match all {
        source-address 192.xxx.xxx.183/32 ;
    }
    then {
        permit ;
    }
}
entry drop2 {
    if match all {
        source-address 192.xxx.xxx.128/25 ;
    }
    then {
        deny ;
    }
}

Now, I configured the access list like this:


configure access-list s1 port 9 ;


So only if the PC connected to port nine has IP 192.xxx.xxx.183 is he able to access the network; otherwise packets will get dropped.

This is exactly what I want to achieve. Now, my concern is whether there is any better way of doing the same thing; also, I have to do it for all the ports on the switch, so this method is very slow...

Can anyone help?

Thanks in advance

(from vikram_nair)
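
The per-port policy and `configure access-list` step described in the post above can be generated from a port-to-IP table rather than typed once per port. This is an added example, not part of the original thread or any Extreme tooling; it also checks the table for addresses outside the range and for addresses given to two ports. The `build` helper, the `ipbind_p<port>` policy names and the 192.0.2.x sample addresses are assumptions, and the command is written in the `ports <n> ingress` form.

```python
import ipaddress

# Template mirrors the two-entry policy in the post: permit the assigned
# host first, then deny the rest of the range.
TEMPLATE = """entry permit_host {{
    if match all {{
        source-address {host}/32 ;
    }}
    then {{
        permit ;
    }}
}}
entry deny_range {{
    if match all {{
        source-address {net} ;
    }}
    then {{
        deny ;
    }}
}}
"""

def build(assignments, subnet, prefix="ipbind_p"):
    """Map {port: assigned_ip} to ({policy_name: text}, [CLI commands]).

    Rejects an address outside the subnet or one assigned to two ports.
    """
    net = ipaddress.ip_network(subnet)
    owner = {}  # ip -> port, used to catch duplicate assignments
    policies, commands = {}, []
    for port, ip in sorted(assignments.items()):
        host = ipaddress.ip_address(ip)
        if host not in net:
            raise ValueError(f"port {port}: {host} is outside {net}")
        if host in owner:
            raise ValueError(f"{host} assigned to ports {owner[host]} and {port}")
        owner[host] = port
        name = f"{prefix}{port}"  # hypothetical naming scheme, one policy per port
        policies[name] = TEMPLATE.format(host=host, net=net)
        # Full keyword form of the command; the post writes it as "port 9".
        commands.append(f"configure access-list {name} ports {port} ingress")
    return policies, commands

if __name__ == "__main__":
    # Constructed sample table using a documentation address range.
    pols, cmds = build({9: "192.0.2.183", 10: "192.0.2.184"}, "192.0.2.128/25")
    print(pols["ipbind_p9"])
    print("\n".join(cmds))
```

Each generated policy text is saved on the switch as `<name>.pol` before the matching command is run.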

Create Date: Jan 3 2013 11:52PM

From what I understand, you want a particular MAC to be allowed on a particular port and not the others, something like switchport security. Is that correct?

Check out MAC based 802.1X authentication and let me know if that's the thing that you were looking to achieve.

(from Arpit_Bhatt)

Create Date: Jan 4 2013 9:11AM

arbhatt wrote:
"From what I understand, you want a particular MAC to be allowed on a particular port and not the others, something like switchport security. Is that correct?

"Check out MAC based 802.1X authentication and let me know if that's the thing that you were looking to achieve."

I have already done MAC binding, i.e., each port is now bound to a particular MAC address. Now, I want to bind each port/MAC to its own IP address. We are using a static addressing scheme, and need to ensure that each user uses only the IP address assigned to him.

thanks :)

(from vikram_nair)

Create Date: Jan 4 2013 10:04PM

This method is not very slow, as ACLs are implemented in hardware, though 48 ACLs would be a pain to configure considering you have 48 ports. The other way I can think of is to have static ARP bindings and not allow dynamic ARP learning from those ports or that VLAN. Not sure if it's possible, though. Just a thought, and it would definitely not be recommended.

The other thing that you can do, which would be an easier implementation for me, is to have DHCP bindings. I think you can implement this on a Windows DHCP server. IP/MAC binding on the DHCP server could be done, so whenever MAC X asks the DHCP server for an IP, it only gets Y. You would need a Windows 2008 server to achieve this. I am not very sure on this either, but I think our systems team had done something similar for a few hosts on the network.

(from Arpit_Bhatt)

Create Date: Jan 9 2013 4:06PM

Are you assigning the IP addresses via DHCP? If so, you can have the switch learn its ARP tables via the DHCP leases rather than from the machines themselves, which prevents the users from self-assigning IPs.

(from Ansley_Barnes)