Sadikhov IT Certification forums
sangey

Bind IP to MAC


I can bind IP to MAC in the Cisco routers and switches. But I have 20,000 IPs, and I feel this will cause the performance of the router to drop. Does anyone know another way to bind, or is there any software which can do this?



> Hi,
>
> I am using Cisco VXR 7200 Series router.

What's your objective of binding them?


> What's your objective of binding them?

I am a manager at an ISP. We provide public IP addresses to my customers. All free IPs are blocked. There are some customers who think they are smarter, so they use random IP addresses within the same block. Since free IPs are blocked, they use other customers' IPs. So I want to bind IP to MAC, so that no one can use random IPs.


I doubt DHCP snooping can help him out.

DHCP snooping has many uses, but if the "bad guy" manually configures an IP from the network range, what will the equipment do?

Edited by laf_c


Well, on Cisco switches DHCP snooping works along with IP Source Guard... I was assuming we're talking about Cisco devices.


> then you'd better migrate them to DHCP.

I gave all customers public IP Addresses and not private IPs. This DHCP solution is not suitable at all, because the thief will still be able to browse with static IPs.


> I gave all customers public IP Addresses and not private IPs. This DHCP solution is not suitable at all, because the thief will still be able to browse with static IPs.

Access-lists are there for you :)

If I understand correctly, you've got layer 2 connectivity to many customers all together.

From the very beginning this should've been avoided.

You could use RFC1918 /30 networks with different customers, and then have either BGP with them, or a static route pointing to their /32 WAN IP.

And then, as long as you have "ip verify unicast reverse-path" on the L3 interfaces to your customers, you would be fine.

To be honest, what I see here is an ISP design problem. You're trying to fix something that was badly designed, so you will not find a good solution.

As I said from the beginning, an ACL could be your workaround...

Cheers,

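To show what the per-customer /30 plus "ip verify unicast reverse-path" design in the post above actually buys you, here is a small added example (my own code, not from this thread or from Cisco). It models strict unicast RPF over a constructed routing table: a packet is forwarded only if the best route back to its source address points out the interface the packet arrived on. Interface names, prefixes and packets are all constructed for the demo.

```python
"""Strict unicast RPF check over a constructed per-customer routing table.

Added example, not code from the thread. It models what
"ip verify unicast reverse-path" does on a Cisco L3 interface: a packet is
forwarded only if the best route back to its *source* address points out the
interface it arrived on. Interfaces, prefixes and packets are constructed.
"""
import ipaddress

# Constructed routing table: (prefix, egress interface). Each customer gets an
# RFC1918 /30 link net plus a static /32 route for its public WAN address,
# as the post suggests. 203.0.113.0/24 and 198.51.100.0/24 are documentation nets.
ROUTES = [
    ("10.0.0.0/30", "Vlan101"),
    ("10.0.0.4/30", "Vlan102"),
    ("203.0.113.10/32", "Vlan101"),  # customer A's public address
    ("203.0.113.20/32", "Vlan102"),  # customer B's public address
    ("0.0.0.0/0", "Gi0/0"),          # default route towards the upstream
]


def build_fib(routes):
    """Turn the (prefix, interface) list into ip_network objects."""
    return [(ipaddress.ip_network(p), ifname) for p, ifname in routes]


def best_route(fib, addr):
    """Longest-prefix match: return the egress interface for addr, or None."""
    a = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifname) for net, ifname in fib if a in net]
    return max(matches)[1] if matches else None


def urpf_strict(fib, ingress_if, src):
    """Strict uRPF: accept only if the reverse path to src is ingress_if."""
    return best_route(fib, src) == ingress_if


def filter_packets(fib, packets):
    """Apply strict uRPF to (ingress_if, src, dst) tuples; return verdicts."""
    return [
        (src, ingress, "forward" if urpf_strict(fib, ingress, src) else "drop")
        for ingress, src, dst in packets
    ]


FIB = build_fib(ROUTES)

# Constructed traffic: customer B on Vlan102 sends with its own address, then
# with customer A's address, then with an address nobody was assigned.
PACKETS = [
    ("Vlan102", "203.0.113.20", "198.51.100.1"),
    ("Vlan102", "203.0.113.10", "198.51.100.1"),
    ("Vlan101", "203.0.113.10", "198.51.100.1"),
    ("Vlan102", "192.0.2.5", "198.51.100.1"),
]

if __name__ == "__main__":
    for src, ingress, verdict in filter_packets(FIB, PACKETS):
        print(f"{ingress:8} src={src:15} {verdict}")
```

One caveat: this toy model lets the default route take part in the check. On IOS, strict uRPF ignores the default route unless you add `allow-default`; on a customer-facing interface the outcome is the same either way, since the default route never points back at the customer.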

> I gave all customers public IP Addresses and not private IPs. This DHCP solution is not suitable at all, because the thief will still be able to browse with static IPs.

Well, and what does it change? You can use DHCP to assign any IP address. Actually they won't be able to do that. Source guard checks the locally built DHCP binding database and it won't forward anything except for DHCP requests unless you have a record in that DB.


> well and what does it change? you can use dhcp to assign any ip address. actually they won't be able to do that. source guard checks the locally built dhcp binding database and it won't forward anything expect for dhcp request unless you have a record in that db.

This is good, but what if someone just uses an IP address manually assigned on its interface?


In this scenario, I am curious how users are going to authenticate on the RAS? Where is the RADIUS? IMHO the ISP billing system has to control this unauthorized access via live IPs.


> This is good, but what if someone just uses an IP address manually assigned on its interface?

Then it is not in the switch's binding DB and he cannot do anything else than request an IP. Piece of cake ;)

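The last few replies describe how DHCP snooping and IP Source Guard answer the "manually configured IP" case. The following added example (my own code, not from the thread and not Cisco's implementation) models that behaviour: the switch forwards a host's IP traffic only when the (MAC, IP, VLAN, port) tuple is in its binding table, which is filled either by DHCP snooping or by a manual entry (the equivalent of a static `ip source binding` on IOS), and DHCP client traffic is always let through so a host can still obtain a lease. Checking MAC together with IP corresponds to `ip verify source port-security`; plain `ip verify source` filters on IP only. MACs, addresses and frames are constructed.

```python
"""IP Source Guard style filtering against a DHCP snooping binding table.

Added example, not code from the thread. Bindings, MACs, ports and frames
are all constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

DHCP_SERVER_PORT = 67  # UDP port a DHCP client sends DISCOVER/REQUEST to


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Frame:
    port: str                       # ingress switch port
    vlan: int
    src_mac: str
    src_ip: str
    udp_dport: Optional[int] = None  # set for UDP frames; None otherwise


class SourceGuard:
    """Minimal model of an access switch running DHCP snooping + IPSG."""

    def __init__(self):
        self.bindings = set()

    def learn_dhcp(self, mac, ip, vlan, port):
        """Binding learned by DHCP snooping when a DHCPACK is seen on a port."""
        self.bindings.add(Binding(mac.lower(), ip, vlan, port))

    def add_static(self, mac, ip, vlan, port):
        """Manual binding, like a static 'ip source binding' on IOS."""
        self.bindings.add(Binding(mac.lower(), ip, vlan, port))

    @staticmethod
    def _is_dhcp_client_traffic(f):
        # A client without a lease sends from 0.0.0.0 to UDP/67.
        return f.udp_dport == DHCP_SERVER_PORT and f.src_ip == "0.0.0.0"

    def verdict(self, f):
        if self._is_dhcp_client_traffic(f):
            return "forward (dhcp)"
        if Binding(f.src_mac.lower(), f.src_ip, f.vlan, f.port) in self.bindings:
            return "forward"
        return "drop"


def run_demo():
    """Constructed scenario: two legitimate customers and one host that
    configures another customer's address by hand."""
    sg = SourceGuard()
    sg.learn_dhcp("aa:bb:cc:00:00:01", "203.0.113.10", 100, "Fa0/1")
    sg.add_static("aa:bb:cc:00:00:02", "203.0.113.20", 100, "Fa0/2")
    frames = [
        Frame("Fa0/1", 100, "aa:bb:cc:00:00:01", "203.0.113.10"),       # customer A
        Frame("Fa0/2", 100, "aa:bb:cc:00:00:02", "203.0.113.20"),       # customer B (static)
        Frame("Fa0/3", 100, "aa:bb:cc:00:00:03", "203.0.113.10"),       # host on Fa0/3 using A's address
        Frame("Fa0/3", 100, "aa:bb:cc:00:00:03", "0.0.0.0", 67),        # same host asking DHCP
        Frame("Fa0/1", 100, "aa:bb:cc:00:00:01", "203.0.113.30"),       # A switches to an unassigned address
    ]
    return [sg.verdict(f) for f in frames]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The fourth frame is the point the replies make: the host with a hand-configured address can still ask for a lease, but until a binding exists for its port nothing else gets through, and the fifth frame shows that even a properly bound host cannot move to a different address without a new binding.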

> In this scenario, i am curious how users are going to authenticate on RAS? Where is the Radius? IMHO ISP billing system have to control these unauthorized access via live IPs.

Exactly... you sure do not want to manage 20k users' DHCP bindings manually.


Hi,

I am planning to configure VTP and VLANs for all my customers, so specific IPs go to specific VLANs only. This will help to avoid even broadcast. Now in this I need each customer to configure a /29 subnet. But how to differentiate point-to-multipoint customers? I have one way, to configure secondary IPs in the VLANs, but this will be in the same broadcast domain. Any idea how to differentiate?


Have you considered using routing? I mean dynamic routing, something like BGP.

Edited by chrcel


> have you considered using routing? I mean dynamic routing. something like BGP

I do not think BGP would be a good choice for all customers, or maybe I am missing something :).

@sangey.. Please, if possible, provide us a rough diagram of your network and a bit of detail about your customers' CPE types and the protocols you are using, so that our experts could guide you accordingly.


Well, with 20k customers, you want to push prefixes to/from them? IS-IS comes to mind, but I doubt they'll have someone to configure it.


> I do not think BGP would be good choice for all customers OR may be i am missing something :).
>
> @sangey.. Please if possible then provide us a rough diagram of your network and a bit detail of your customers CPE types and protocols you are using so that our experts could guide you accordingly.

Diagram: I have base stations everywhere. It's point-to-multipoint (i.e. one AP and many SUs), so only one cable enters the Cisco switch. I need to segment each customer's IP separately, either /30 or /29. Currently I can do it by adding secondary IP addresses in VLANs. Any other way?


> Someone asked to use SQUID to bind IP to MAC.
>
> Any comments. Still searching squid details.

Squid can easily restrict MAC, but I am not 100% sure about the binding. In my thinking Squid can do anything you want. I am confused about this solution, because Squid or any proxy machine comes into play later, but first users have to authenticate on the RAS.

Are you talking about making Squid your primary RAS also?


Some kind of passive solution is to implement arpwatch on Linux. Just create an ARP entries file on your Linux box and copy all the traffic to it.

Edited by pedalkin

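For the arpwatch suggestion above, here is an added example (my own code, not arpwatch itself and not from the thread) of what such a passive monitor does with a mirrored traffic feed: it keeps an expected IP-to-MAC table (the "ARP entries file" the post mentions, here a simple constructed "mac ip" text format rather than arpwatch's own arp.dat), walks through observed ARP replies, and reports the events arpwatch would log: a new station, an address that moved to a different MAC, and a flip-flop back to the earlier MAC. It only detects; it blocks nothing, which is why the post calls it passive. All addresses and observations are constructed.

```python
"""Passive IP-to-MAC change detection in the spirit of arpwatch.

Added example, not code from the thread and not arpwatch. The file format
parsed by load_arp_file is a constructed 'mac ip' format for this demo.
"""

# Constructed known-good assignments: the contents of an "ARP entries file".
ARP_FILE_LINES = [
    "# mac ip",
    "AA:BB:CC:00:00:01 203.0.113.10",
    "aa:bb:cc:00:00:02 203.0.113.20   # customer B",
]

# Constructed (ip, mac) pairs as they would be seen in ARP replies on a
# mirror port.
OBSERVED_ARP = [
    ("203.0.113.10", "aa:bb:cc:00:00:01"),
    ("203.0.113.20", "aa:bb:cc:00:00:02"),
    ("203.0.113.20", "aa:bb:cc:00:00:09"),  # another host answers for .20
    ("203.0.113.30", "aa:bb:cc:00:00:09"),  # address never assigned to anyone
    ("203.0.113.20", "aa:bb:cc:00:00:02"),  # legitimate owner answers again
]


def load_arp_file(lines):
    """Parse 'mac ip' lines (whitespace separated, '#' starts a comment)."""
    table = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip = line.split()[:2]
        table[ip] = mac.lower()
    return table


def watch(expected, observations):
    """Return (event, ip, old_mac, new_mac) tuples for every anomaly seen.

    Events mirror arpwatch's vocabulary: "new station" for an IP not in the
    table, "changed ethernet address" when an IP shows up with a different
    MAC, and "flip flop" when it changes back to the MAC seen before that.
    """
    current = dict(expected)
    previous = {}  # ip -> MAC seen before the most recent change
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        old = current.get(ip)
        if old is None:
            events.append(("new station", ip, None, mac))
        elif old != mac:
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            events.append((kind, ip, old, mac))
            previous[ip] = old
        current[ip] = mac
    return events


def run_demo():
    return watch(load_arp_file(ARP_FILE_LINES), OBSERVED_ARP)


if __name__ == "__main__":
    for kind, ip, old, new in run_demo():
        print(f"{kind:25} {ip:15} {old} -> {new}")
```

The second event is the case this thread is about: a customer who hand-configures a neighbour's public address shows up as a changed Ethernet address for that IP, and the flip-flop afterwards is the legitimate owner and the squatter fighting over it. You still need something like the source guard or uRPF discussed earlier to actually stop the traffic.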
