
Cisco 4500M User Manual

Cisco 4500M
608 pages
33-12
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 33 Configuring DHCP Snooping and IP Source Guard
Configuring IP Source Guard on the Switch
Note: A static IP source binding can only be configured on a switch port. If you issue the
ip source binding vlan interface command on a Layer 3 port, you will receive this error message:
Static IP source binding can only be configured on switch port.
This example shows how to enable per-Layer 2-port IP source guard on VLANs 10 through 20:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 20
Switch(config)# interface fa6/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# switchport trunk allowed vlan 11-20
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
Switch(config-if)# end
Switch# sh ip verify source interface f6/1
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----------
Fa6/1      ip-mac       active       10.0.0.1                            10
Fa6/1      ip-mac       active       deny-all                            11-20
Switch#
The output shows that there is one valid DHCP binding to VLAN 10.
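The verification step above can be scripted. This is an added example, not part of the Cisco guide: it parses show ip verify source output by column position and reports, per interface, which VLANs have a binding and which are deny-all. The function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the page's example output laid out in fixed-width columns.
_FMT = "{:<9}  {:<11}  {:<11}  {:<15}  {:<17}  {}"
SAMPLE = "\n".join(_FMT.format(*cells) for cells in [
    ("Interface", "Filter-type", "Filter-mode", "IP-address", "Mac-address", "Vlan"),
    ("-" * 9, "-" * 11, "-" * 11, "-" * 15, "-" * 17, "-" * 10),
    ("Fa6/1", "ip-mac", "active", "10.0.0.1", "", "10"),
    ("Fa6/1", "ip-mac", "active", "deny-all", "", "11-20"),
])

def parse_verify_source(text):
    """Split rows on the column starts of the dashed ruler, so an empty
    Mac-address cell cannot shift the Vlan value into the wrong field."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[ruler - 1][s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[ruler + 1:]:
        if line.rstrip().endswith("#"):  # trailing CLI prompt, not a data row
            continue
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows

def expand_vlans(spec):
    """Expand a Vlan cell such as '10' or '11-20' into a set of ints.
    Comma lists ('10,12-14') are tolerated as an assumption."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def summarize(rows):
    """Per interface: VLANs with a permitted binding, and VLANs whose
    only filter entry is deny-all (no binding present)."""
    report = {}
    for r in rows:
        entry = report.setdefault(r["Interface"], {"bound": {}, "deny_all": set()})
        for vlan in expand_vlans(r["Vlan"]):
            if r["IP-address"] == "deny-all":
                entry["deny_all"].add(vlan)
            else:
                entry["bound"].setdefault(vlan, []).append(
                    (r["IP-address"], r["Mac-address"] or None))
    return report
```

For the sample, summarize() reports one binding (10.0.0.1) on VLAN 10 of Fa6/1 and deny-all on VLANs 11 through 20, matching the reading of the output given above.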
Configuring IP Source Guard on Private VLANs
For private VLAN ports, you must enable DHCP snooping on primary VLANs in order for IP source
guard to be effective. IP source guard on a primary VLAN will automatically propagate to a secondary
VLAN. Configuring a static IP source binding on a secondary VLAN is allowed, but it will not take
effect. When manually configuring a static IP source binding on a secondary VLAN, you will receive
the following warning:
Warning
IP source filter may not take effect on secondary vlan where IP source binding is configured. If private
vlan feature is enabled, IP source filter on primary vlan will automatically propagate to all secondary
vlans.
Step    Command / Purpose
Step 5  Switch(config-if)# switchport port-security limit rate invalid-source-mac N
        Enables security rate limiting for learned source MAC addresses on the port.
        Note: This limit only applies to the port where IP Source Guard is enabled as filtering both IP and MAC addresses.
Step 6  Switch(config)# ip source binding ip-addr ip vlan number interface interface
        Configures a static IP binding on the port.
Step 7  Switch(config)# end
        Exits configuration mode.
Step 8  Switch# show ip verify source interface interface-name
        Verifies the configuration.
