Configuring IP-MAC Address Binding

IP-MAC Address Binding

The controller enforces strict IP address-to-MAC address binding in client packets. The controller checks the IP address and MAC address in a packet, compares them to the addresses that are registered with the controller, and forwards the packet only if they both match. The controller checks only the MAC address of the client and ignores the IP address. Disable IP-MAC Address Binding if you have a wireless client that has multiple IP addresses mapped to the same MAC address. Examples include a PC running a VM software in Bridge mode, or a third-party WGB.

You must disable IP-MAC address binding to use an access point in sniffer mode if the access point is associated with a Cisco 2504 Wireless Controller, a Cisco 5508 Wireless Controller, or a controller network module. To disable IP-MAC address binding, enter the config network ip-mac-binding disable .

WLAN must be enabled to use an access point in sniffer mode if the access point is associated with a Cisco 2504 Wireless Controller, a Cisco 5508 Wireless Controller, or a controller network module. If WLAN is disabled, the access point cannot send packets.


Note

If the IP address or MAC address of the packet has been spoofed, the check does not pass, and the controller discards the packet. Spoofed packets can pass through the controller only if both the IP and MAC addresses are spoofed together and changed to that of another valid client on the same controller.


This section contains the following subsection:

Configuring IP-MAC Address Binding (CLI)

Procedure


Step 1

Enable or disable IP-MAC address binding by entering this command:

config network ip-mac-binding {enable | disable}

The default value is enabled.

Note 

You might want to disable this binding check if you have a routed network behind a workgroup bridge (WGB).

Note 

You must disable this binding check in order to use an access point in sniffer mode if the access point is joined to a Cisco 5508 WLC.

Step 2

Save your changes by entering this command:

save config

Step 3

View the status of IP-MAC address binding by entering this command:

show network summary

Information similar to the following appears:


RF-Network Name............................. ctrl4404
Web Mode.................................... Disable
Secure Web Mode............................. Enable
Secure Web Mode Cipher-Option High.......... Disable
Secure Web Mode Cipher-Option SSLv2......... Disable
...

IP/MAC Addr Binding Check ............... Enabled 

...<?Line-Break?><?HardReturn?>