60-20
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 60 Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Configuring IP Source Guard
the client IP traffic to those source IP addresses configured in the binding; any IP traffic with a source
IP address other than that in the IP source binding is filtered out. This filtering limits the ability of a host
to attack the network by claiming a neighbor host’s IP address.
Note If IP source guard is enabled on a trunk port with a large number of VLANs that have DHCP snooping
enabled, you might exhaust ACL hardware resources, and some packets might be switched in software
instead.
Note When IP source guard is enabled, you might want to designate an alternative scheme for ACL hardware
programming. For more information, see the “TCAM Programming and ACLs” section in Chapter 62,
“Configuring Network Security with ACLs”.
Note When an interface is in down state, TCAMs are consumed for PACLs, but not for RACLs.
IP source guard supports the Layer 2 port only, including both access and trunk. For each untrusted Layer
2 port, there are two levels of IP traffic security filtering:
• Source IP address filter
IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that
matches the IP source binding entry is permitted.
An IP source address filter is changed when a new IP source entry binding is created or deleted on
the port. The port VACL is recalculated and reapplied in the hardware to reflect the IP source binding
change. By default, if the IP filter is enabled without any IP source binding on the port, a default
PVACL that denies all IP traffic is installed on the port. Similarly, when the IP filter is disabled, any
IP source filter PVACL is removed from the interface.
• Source IP and MAC address filter
IP traffic is filtered based on its source IP address as well as its MAC address; only IP traffic with
source IP and MAC addresses matching the IP source binding entry are permitted.
Note When IP source guard is enabled in IP and MAC filtering mode, the DHCP snooping Option 82 must be
enabled to ensure that the DHCP protocol works properly. Without Option 82 data, the switch cannot
locate the client host port to forward the DHCP server reply. Instead, the DHCP server reply is dropped,
and the client cannot obtain an IP address.
Configuring IP Source Guard
To enable IP source guard, perform this task:
Command Purpose
Step 1
Switch(config)# ip dhcp snooping
Enables DHCP snooping globally.
You can use the no keyword to disable DHCP snooping.
Step 2
Switch(config)# ip dhcp snooping vlan number
[number]
Enables DHCP snooping on your VLANs.
To Next Page
Loading...
