need help deadly !

bladeka (IS-IT--Management), Sep 23, 2004
Dear all,

Can anybody help me with this issue? I have a Cisco 3550 switch. Can I do something that prevents users from using a static IP that I don't want them to use?

I mean that I have privileges on my IP address; the problem is that if anybody on my network knew my IP, he would take my privileges!
So can I restrict my IP to my interface on the switch?
Please help!
Bladeka
 
There are probably a lot of ways to do this, some probably better than others.
You could create two different VLANs, one for administration purposes and one for users. Assign your VLAN to your port and the other VLAN to the other ports. Then assign access lists to the user VLAN, permitting only traffic from the IP addresses with user rights for which you want IP traffic to be allowed.
In this case, if someone tries to fake your IP address, he will only get into the network by connecting to one of the ports you defined for your admin VLAN.

You should also consider implementing other security features than a simple IP address comparison.

Hope this works,
busche
 
Thanks... it's a good idea! But my problem is that I don't want to use VLANs.
Is there any other solution to restrict the use of an IP to a fixed port, and to block the port that tries to use it?
 
Besides assigning VLANs, you could also apply access lists to each port, doing the same thing with a lot more administrative overhead. There might be a possibility to assign these VLANs to all ports on the network with a script or something similar, but I've never done it before. How much effort do you want to put into security? There are a lot of other ways to secure your network from the inside.
 
You could use port ACLs, depending on how small your network is. If you only have one 3550 it may be feasible. But if your network is large, then VLANs are the way to go.

e.g.

Switch(config)# ! ACL for the admin port: log the privileged source, let everything else through
Switch(config)# ip access-list standard myport
Switch(config-std-nacl)# permit 192.168.1.1 0.0.0.0 log
Switch(config-std-nacl)# permit any log
Switch(config-std-nacl)# exit
Switch(config)# ! ACL for every user port: block the privileged source address, allow the rest
Switch(config)# ip access-list standard otherport
Switch(config-std-nacl)# deny 192.168.1.1 0.0.0.0 log
Switch(config-std-nacl)# permit any log
Switch(config-std-nacl)# exit
Switch(config)# ! Apply them inbound as port ACLs (the 3550 supports port ACLs inbound only)
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# ip access-group myport in
Switch(config-if)# interface gigabitethernet0/2
Switch(config-if)# ip access-group otherport in
Switch(config-if)# interface gigabitethernet0/3
Switch(config-if)# ip access-group otherport in
Switch(config-if)# interface gigabitethernet0/4
Switch(config-if)# ip access-group otherport in

and so on....
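As an added example (not code from the thread or from Cisco), the following Python renders the per-port ACL scheme from the post above for every port of a switch, so it does not have to be typed port by port, and then evaluates the resulting policy against a few constructed packets using standard-ACL semantics (first match on the source address, implicit deny at the end). The admin IP, the ACL names and gi0/1 as the admin port are taken from the posted snippet; the list of user ports is an assumption. Two caveats worth keeping in mind: the 3550 applies port ACLs inbound only, and a standard ACL looks at the source IP alone, so this stops a user port from sourcing the admin address but does nothing about whoever plugs into the admin port itself.

```python
"""Generate the per-port ACL config from the thread and check the policy.

Added example; not from the thread or from Cisco. ACL names, the admin IP and
the admin port come from the posted snippet. The user port list is an
assumption (a 3550-24 has fa0/1-24 plus two gigabit ports).
"""
from ipaddress import ip_address, ip_network

ADMIN_IP = "192.168.1.1"
ADMIN_PORT = "gigabitethernet0/1"
# Assumed user ports: every port except the admin port.
USER_PORTS = [f"fastethernet0/{n}" for n in range(1, 25)] + ["gigabitethernet0/2"]

# A standard ACL is an ordered list of (action, source network) entries.
ADMIN_ACL = ("myport", [("permit", f"{ADMIN_IP}/32"), ("permit", "0.0.0.0/0")])
USER_ACL = ("otherport", [("deny", f"{ADMIN_IP}/32"), ("permit", "0.0.0.0/0")])


def acl_to_ios(name, rules):
    """Render one named standard ACL as IOS config lines (with the same
    'log' keyword the posted snippet uses)."""
    out = [f"ip access-list standard {name}"]
    for action, net in rules:
        n = ip_network(net)
        if n.prefixlen == 32:
            out.append(f" {action} host {n.network_address} log")
        elif n.prefixlen == 0:
            out.append(f" {action} any log")
        else:
            # IOS standard ACLs take a wildcard (inverse) mask, not a prefix.
            out.append(f" {action} {n.network_address} {n.hostmask} log")
    return out


def build_config(admin_port=ADMIN_PORT, user_ports=USER_PORTS):
    """Emit the full config: both ACLs, then apply each one inbound as a
    port ACL on every interface (the 3550 supports port ACLs inbound only)."""
    lines = acl_to_ios(*ADMIN_ACL) + ["!"] + acl_to_ios(*USER_ACL) + ["!"]
    lines += [f"interface {admin_port}", f" ip access-group {ADMIN_ACL[0]} in", "!"]
    for port in user_ports:
        lines += [f"interface {port}", f" ip access-group {USER_ACL[0]} in", "!"]
    return lines


def acl_permits(rules, src_ip):
    """First-match evaluation of a standard ACL on the source address; a
    packet that matches no entry hits the implicit deny at the end."""
    src = ip_address(src_ip)
    for action, net in rules:
        if src in ip_network(net):
            return action == "permit"
    return False


def ingress_allowed(src_ip, port, admin_port=ADMIN_PORT):
    """Apply the policy the generated config installs to one inbound packet."""
    rules = ADMIN_ACL[1] if port == admin_port else USER_ACL[1]
    return acl_permits(rules, src_ip)


if __name__ == "__main__":
    print("\n".join(build_config()))
    # Constructed packets: the real admin, a spoofer on a user port, a normal user.
    for src, port in [(ADMIN_IP, ADMIN_PORT),
                      (ADMIN_IP, "fastethernet0/7"),
                      ("192.168.1.50", "fastethernet0/7")]:
        verdict = "permit" if ingress_allowed(src, port) else "deny"
        print(f"{src:>14} on {port:<18} -> {verdict}")
```

Paste the printed lines into configuration mode on the switch; the evaluator is only a model of what the two ACLs do and is there to show that the admin address is dropped on every port except the one it is meant to come from.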
 
How about adding a static ARP entry in your router with your MAC and IP?
 
The problem with using VLANs is that he may not use any router.
So when he separates the administration area from the non-privileged area, they may never be able to contact each other without a router.

So he will need a router inside his office to route the traffic between the 2 VLANs.

Besides, VLANs need a lot of administrative overhead.

Maybe the ARP will solve the problem...

Mohamed Farid
Know Me No Pain, No Me Know Pain!!!
CCNP, CCSP, CCA, MCSE, MCSA
 