Tuesday, April 2, 2019

Dynamic ARP Inspection + IP Source Guard (With Roaming)

We're running into an issue with a property where one of the wireless clients is statically assigning the gateway IP. The problem we have is that we must support multicast in the same VLAN. Our first thought to prevent this type of IP theft was to implement Dynamic ARP Inspection for the router, and IP Source Guard on the switch ports towards the APs. The problem is roaming, however: if a client moves from Port 1 to Port 2, our thought is that this could enforce source guard to only allow on Port 1.

Has anyone implemented such a security design where hosts must use DHCP, creating an IP binding in the switch, but allow roaming?

If IP Source Guard supported DHCP LEASEQUERY, which would allow lookups for moves, the problem would be resolved, but I don't see that feature set in the switch (Cisco 2960X).


