33-16
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 33 Configuring DHCP Snooping and IP Source Guard
DHCP Snooping bindings storage file set to disk1:dhcp-bindings.
Console> (enable)
This example shows how to display the DHCP-snooping bindings-database configuration:
Console> (enable) show dhcp-snooping config
DHCP Snooping MAC address matching is enabled.
DHCP Snooping host-tracking information option is disabled.
Remote ID used in information option is 00-01-64-41-60-ff.
DHCP Snooping auto save interval is 600.
DHCP Snooping bindings storage file is disk1:dhcp-bindings.
Console> (enable)
Understanding How IP Source Guard Works
IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP
snooping on a particular port. Initially, all IP traffic on the port is blocked except for the DHCP packets
that are captured by DHCP snooping. When a client receives a valid IP address from the DHCP server,
a port access control list (PACL) is installed on the port that permits the traffic from the IP address. This
process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server;
any IP traffic with a source IP address other than those in the PACL's permit list is filtered out. This
filtering limits the ability of a host to attack the network by claiming a neighbor host's IP address.
Note If you enable IP source guard on a trunk port with a large number of VLANs that have DHCP snooping
enabled, you might run out of ACL hardware resources, and some clients that are connected to the
port may not be able to send traffic. We do not recommend this configuration because the number of
IP addresses per port is limited (see the following note).
Note In software releases prior to software release 8.6(1), you are limited to ten IP addresses per port. In
software release 8.6(1) and later releases, you can have up to 48 IP addresses per port.
IP source guard uses source IP address filtering, which filters the IP traffic that is based on its source IP
address. Only the IP traffic with a source IP address that matches the IP source binding entry is
permitted.
A port’s IP source address filter is changed when a new DHCP-snooping binding entry for a port is
created or deleted. The port PACL is modified and reapplied in the hardware to reflect the IP source
binding change. By default, if you enable IP source guard without any DHCP-snooping bindings on the
port, a default PACL that denies all IP traffic is installed on the port. When you disable IP source guard,
any IP source filter PACL is removed from the port.
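The lifecycle described above (deny-all PACL until a lease is learned, permit list rebuilt when a binding is created or deleted, filter removed when the feature is disabled) and the per-port address limit from the notes can be modelled in a few dozen lines. The following Python is an added illustration, not Cisco code and not a representation of the CatOS implementation: the Packet structure, the IpSourceGuard class and its method names are assumptions made for the example, and the behaviour when a port exceeds its address limit (the extra binding is not installed, so that client stays blocked) is an interpretation of the note about clients being unable to send traffic.

```python
from dataclasses import dataclass
from typing import Optional

# UDP ports used by DHCP. This traffic is always passed so that DHCP snooping
# can observe the exchange and learn the client's binding.
DHCP_UDP_PORTS = {67, 68}


@dataclass(frozen=True)
class Packet:
    """Simplified view of an ingress IP packet (constructed for this example)."""
    port: str                 # ingress switch port, e.g. "3/1"
    src_ip: str
    proto: str = "tcp"        # "tcp", "udp", "icmp"
    dst_port: Optional[int] = None

    @property
    def is_dhcp(self) -> bool:
        return self.proto == "udp" and self.dst_port in DHCP_UDP_PORTS


class IpSourceGuard:
    """Per-port source IP filter driven by DHCP-snooping bindings (model, not Cisco code)."""

    def __init__(self, max_per_port: int = 48):
        # Assumed limit per the guide: 10 addresses per port before 8.6(1), 48 from 8.6(1) on.
        self.max_per_port = max_per_port
        self.guarded: set = set()      # ports with IP source guard enabled
        self.bindings: dict = {}       # port -> set of source IPs learned by DHCP snooping

    def enable(self, port: str) -> None:
        # With no bindings yet, pacl() is empty, which models the default deny-all-IP PACL.
        self.guarded.add(port)

    def disable(self, port: str) -> None:
        # The IP source filter PACL is removed; the snooping bindings themselves remain.
        self.guarded.discard(port)

    def add_binding(self, port: str, ip: str) -> bool:
        """DHCP snooping learned a lease on `port`. Returns False if the per-port limit
        would be exceeded (assumption: the address is not installed in the PACL)."""
        ips = self.bindings.setdefault(port, set())
        if ip in ips:
            return True
        if len(ips) >= self.max_per_port:
            return False
        ips.add(ip)                     # PACL is modified and reapplied
        return True

    def delete_binding(self, port: str, ip: str) -> None:
        """Lease released or expired: the address drops out of the permit list."""
        self.bindings.get(port, set()).discard(ip)

    def pacl(self, port: str) -> frozenset:
        """Permit list currently installed on the port (empty set = deny all IP)."""
        return frozenset(self.bindings.get(port, set()))

    def permits(self, pkt: Packet) -> bool:
        if pkt.port not in self.guarded:
            return True                 # feature off on this port: no PACL at all
        if pkt.is_dhcp:
            return True                 # DHCP always passes so snooping can learn
        return pkt.src_ip in self.pacl(pkt.port)


def demo() -> dict:
    """Walk through the sequence from the text and return each forwarding decision."""
    isg = IpSourceGuard(max_per_port=48)
    isg.enable("3/1")
    out = {}
    # 1. Before any lease: all IP traffic blocked except the DHCP exchange itself.
    out["pre_lease_dhcp"] = isg.permits(Packet("3/1", "0.0.0.0", "udp", 67))
    out["pre_lease_tcp"] = isg.permits(Packet("3/1", "10.0.0.5", "tcp", 80))
    # 2. Client is leased 10.0.0.5: binding created, PACL now permits that source.
    isg.add_binding("3/1", "10.0.0.5")
    out["own_ip"] = isg.permits(Packet("3/1", "10.0.0.5", "tcp", 80))
    out["spoof_neighbor"] = isg.permits(Packet("3/1", "10.0.0.9", "tcp", 80))
    # 3. Binding deleted: PACL reapplied without it, traffic from that source stops.
    isg.delete_binding("3/1", "10.0.0.5")
    out["after_delete"] = isg.permits(Packet("3/1", "10.0.0.5", "tcp", 80))
    # 4. Disabling the feature removes the filter entirely.
    isg.disable("3/1")
    out["disabled"] = isg.permits(Packet("3/1", "10.0.0.9", "tcp", 80))
    # 5. Pre-8.6(1) limit of ten addresses: the eleventh binding is refused.
    old = IpSourceGuard(max_per_port=10)
    old.enable("3/2")
    accepted = [old.add_binding("3/2", "10.0.1.%d" % i) for i in range(1, 12)]
    out["limit_accepted"] = sum(accepted)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The spoofing case in step 2 is the one the feature exists for: the host on port 3/1 legitimately holds 10.0.0.5, so a frame it sends with source 10.0.0.9 (a neighbour's address) matches no permit entry and is dropped, while the same frame from an unguarded port (step 4) passes.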
IP Source Guard Configuration Guidelines
This section describes the guidelines for configuring IP source guard in your network:
• IP source guard is supported on PFC 3 and later versions.
• In software releases prior to software release 8.6(1), you are limited to ten IP addresses per port. In software release 8.6(1) and later releases, you can have up to 48 IP addresses per port.
• IP source guard is not recommended on trunk ports.