Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, page 33-11
Chapter 33 Configuring DHCP Snooping and IP Source Guard
Configuring IP Source Guard on the Switch
Note If IP Source Guard is enabled on a trunk port with a large number of VLANs that have DHCP snooping enabled, you might run out of ACL hardware resources, and some packets might be switched in software instead.

Note When IP Source Guard is enabled, you might want to designate an alternative scheme for ACL hardware programming. For more information, see the "TCAM Programming and ACLs" section in the "Configuring Network Security with ACLs" chapter.
IP Source Guard supports the Layer 2 port only, including both access and trunk. For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:

Source IP address filter
IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that matches the IP source binding entry is permitted.
An IP source address filter is changed when a new IP source binding entry is created or deleted on the port. The port PVACL will be recalculated and reapplied in the hardware to reflect the IP source binding change. By default, if the IP filter is enabled without any IP source binding on the port, a default PVACL that denies all IP traffic is installed on the port. Similarly, when the IP filter is disabled, any IP source filter PVACL will be removed from the interface.

Source IP and MAC address filter
IP traffic is filtered based on its source IP address as well as its MAC address; only IP traffic whose source IP and MAC addresses both match the IP source binding entry is permitted.

Note When IP Source Guard is enabled in IP and MAC filtering mode, the DHCP snooping option 82 must be enabled to ensure that the DHCP protocol works properly. Without option 82 data, the switch cannot locate the client host port to forward the DHCP server reply. Instead, the DHCP server reply is dropped, and the client cannot obtain an IP address.
Configuring IP Source Guard on the Switch
To enable IP Source Guard, perform this task:

Step 1  Command: Switch(config)# ip dhcp snooping
        Purpose: Enables DHCP snooping globally. You can use the no keyword to disable DHCP snooping.
Step 2  Command: Switch(config)# ip dhcp snooping vlan number [number]
        Purpose: Enables DHCP snooping on your VLANs.
Step 3  Command: Switch(config-if)# no ip dhcp snooping trust
        Purpose: Configures the interface as trusted or untrusted. You can use the no keyword to configure an interface to receive only messages from within the network.
Step 4  Command: Switch(config-if)# ip verify source vlan dhcp-snooping port-security
        Purpose: Enables IP Source Guard, source IP, and source MAC address filtering on the port.
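The following session carries the four steps above through on one client-facing access port, with the uplink toward the DHCP server marked trusted so that server replies are accepted, and shows the default-deny behaviour described earlier: until a DHCP binding is learned on the untrusted port, the host's IP traffic is dropped. This is an added example, not the guide's own sample configuration. The interface names and VLAN number are assumptions, and the `ip dhcp snooping information option`, `show ip verify source` and `show ip dhcp snooping binding` commands do not appear on this page; they are standard IOS DHCP snooping commands but should be checked against the command reference for this release.

```cisco
! Added example (not from the guide): IP Source Guard in IP+MAC filtering mode
! on one access port. Interface names and VLAN number are assumed for illustration.
Switch# configure terminal

! Step 1: enable DHCP snooping globally.
Switch(config)# ip dhcp snooping

! Step 2: enable DHCP snooping on the client VLAN (VLAN 10 is assumed).
Switch(config)# ip dhcp snooping vlan 10

! IP+MAC filtering needs option 82 (relay agent information) so the switch can
! locate the client port for the server reply. Command not shown on this page.
Switch(config)# ip dhcp snooping information option

! Uplink toward the DHCP server: trusted, so DHCP server replies are accepted.
Switch(config)# interface GigabitEthernet1/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

! Client-facing access port: untrusted (Step 3), then IP Source Guard with
! source IP and source MAC filtering (Step 4). Until a binding exists for this
! port, the default PVACL denies all IP traffic from the attached host.
Switch(config)# interface FastEthernet6/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Switch(config-if)# end

! Verify the filter mode active on each port and the binding it enforces
! (commands not shown on this page).
Switch# show ip verify source
Switch# show ip dhcp snooping binding
```

When checking the result, expect the access port to show an ip-mac filter type; a host whose traffic is dropped on that port most often has no binding yet because it used a static address or its DHCP exchange did not traverse the snooping-enabled VLAN.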