Chapter 11: Controlling Traffic and Switch Access 189
Section 11-9
switch# show port-security interface fastEthernet 1/0/2
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.8565.4B75:1
Security Violation Count : 1
DHCP Snooping
DHCP Snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP Snooping to differentiate between untrusted interfaces connected to end users and trusted interfaces connected to the DHCP server or to another switch. When a switch receives a DHCP packet on an untrusted interface, and that interface belongs to a VLAN with DHCP Snooping enabled, the switch compares the frame's source MAC address with the DHCP client hardware address carried in the packet. If the addresses match, the switch forwards the packet (this MAC verification is enabled by default). If the addresses do not match, the switch drops the packet.
Tip For DHCP Snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
To ensure that the lease time in the database is accurate, Cisco recommends that you enable and configure NTP.
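The per-packet decision described above, modelled in Python as an added example (not code from the book or from Cisco IOS): a DHCP client message is built with a chosen chaddr, the switch model skips inspection on trusted ports and on VLANs without snooping, and otherwise forwards only when the frame's source MAC equals the chaddr. The port names, the VLAN sets and the sample packet are constructed for this example.

```python
import struct

BOOTREQUEST = 1                       # op code for client-originated DHCP messages
HTYPE_ETHERNET = 1                    # hardware type: Ethernet, 6-byte addresses
MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the end of the fixed BOOTP header
SAMPLE_CLIENT_MAC = bytes.fromhex("001185654b75")   # MAC shown in the port-security output above


def build_dhcp_request(chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed sample: the fixed 236-byte BOOTP/DHCP header of a client message
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr,
    sname, file) followed by the magic cookie and no options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", BOOTREQUEST, HTYPE_ETHERNET, len(chaddr), 0,
                      xid, 0, 0, bytes(4), bytes(4), bytes(4), bytes(4))
    return hdr + chaddr.ljust(16, b"\0") + bytes(64) + bytes(128) + MAGIC_COOKIE


def dhcp_chaddr(payload: bytes):
    """Return the client hardware address from a DHCP payload, or None if the payload
    is too short, lacks the magic cookie, or does not carry a 6-byte Ethernet address."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    _op, htype, hlen = struct.unpack("!BBB", payload[:3])
    if htype != HTYPE_ETHERNET or hlen != 6:
        return None
    return payload[28:28 + hlen]          # chaddr starts at byte offset 28


def snooping_verdict(port, vlan, src_mac, payload, trusted_ports, snooping_vlans):
    """Model of the switch decision: trusted ports are never inspected; an untrusted
    port in a snooping-enabled VLAN forwards only if chaddr equals the source MAC."""
    if port in trusted_ports:
        return "forward"
    if vlan not in snooping_vlans:
        return "forward"                  # DHCP Snooping not active on this VLAN
    return "forward" if dhcp_chaddr(payload) == src_mac else "drop"


if __name__ == "__main__":
    pkt = build_dhcp_request(SAMPLE_CLIENT_MAC)
    spoofed_src = bytes.fromhex("00aabbccddee")     # constructed: frame source differs from chaddr
    print(snooping_verdict("Fa1/0/2", 1, SAMPLE_CLIENT_MAC, pkt, {"Fa1/0/3"}, {1}))  # forward
    print(snooping_verdict("Fa1/0/2", 1, spoofed_src, pkt, {"Fa1/0/3"}, {1}))        # drop
```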
Feature Example
The DHCP server connects to interface Fastethernet 1/0/3; all interfaces on the switch are in VLAN 1:
1. Enable DHCP Snooping on the switch:
switch(config)# ip dhcp snooping vlan 1
Note DHCP Snooping is not active until it is enabled on a VLAN.
Note Port security can only be configured on static access ports or trunk ports.