Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 60      Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Configuring IP Source Guard for Static Hosts
This example shows how to enable IPSG for static hosts with IP filters on a PVLAN host port:
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# exit
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated 
Switch(config-vlan)# exit
Switch(config)# vlan 200
Switch(config-vlan)# private-vlan association 201
Switch(config-vlan)# exit
Switch(config)# int fastEthernet 4/3
Switch(config-if)# switchport mode private-vlan host 
Switch(config-if)# switchport private-vlan host-association 200 201
Switch(config-if)# ip device tracking maximum 8
Switch(config-if)# ip verify source tracking
Switch# show ip device tracking all
IP Device Tracking = Enabled
IP Device Tracking Probe Count = 3
IP Device Tracking Probe Interval = 30
---------------------------------------------------------------------
  IP Address     MAC Address   Vlan  Interface              STATE    
---------------------------------------------------------------------
40.1.1.24       0000.0000.0304  200  FastEthernet4/3        ACTIVE
40.1.1.20       0000.0000.0305  200  FastEthernet4/3        ACTIVE
40.1.1.21       0000.0000.0306  200  FastEthernet4/3        ACTIVE
40.1.1.22       0000.0000.0307  200  FastEthernet4/3        ACTIVE
40.1.1.23       0000.0000.0308  200  FastEthernet4/3        ACTIVE
The output shows the five valid IP-to-MAC bindings that have been learned on interface Fa4/3. For
the PVLAN, the bindings are associated with the primary VLAN ID. In this example, the primary VLAN
ID, 200, is shown in the table.
Switch# show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan
---------  -----------  -----------  ---------------  -----------------  ----
Fa4/3      ip trk       active       40.1.1.23                           200 
Fa4/3      ip trk       active       40.1.1.24                           200 
Fa4/3      ip trk       active       40.1.1.20                           200 
Fa4/3      ip trk       active       40.1.1.21                           200 
Fa4/3      ip trk       active       40.1.1.22                           200 
Fa4/3      ip trk       active       40.1.1.23                           201 
Fa4/3      ip trk       active       40.1.1.24                           201 
Fa4/3      ip trk       active       40.1.1.20                           201 
Fa4/3      ip trk       active       40.1.1.21                           201 
Fa4/3      ip trk       active       40.1.1.22                           201
The output shows that the five valid IP-to-MAC bindings are on both the primary and secondary VLANs.
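
The following Python check is an added example, not part of the Cisco guide. It cross-references the two outputs above and reports any ACTIVE tracked binding that is not on the primary VLAN or lacks an active "ip trk" filter on both the primary and secondary VLAN, as well as any filter without a tracked binding. The function names are hypothetical, and the embedded sample text is constructed from the output shown above.

```python
import re

# Constructed input: the two command outputs shown in the example above.
TRACKING = """\
40.1.1.24       0000.0000.0304  200  FastEthernet4/3        ACTIVE
40.1.1.20       0000.0000.0305  200  FastEthernet4/3        ACTIVE
40.1.1.21       0000.0000.0306  200  FastEthernet4/3        ACTIVE
40.1.1.22       0000.0000.0307  200  FastEthernet4/3        ACTIVE
40.1.1.23       0000.0000.0308  200  FastEthernet4/3        ACTIVE
"""
VERIFY = "".join(
    f"Fa4/3      ip trk       active       40.1.1.{h}                           {v}\n"
    for v in (200, 201) for h in (23, 24, 20, 21, 22))

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Row of "show ip device tracking all": IP, MAC, VLAN, interface, state.
TRACK_RE = re.compile(rf"^{IP}\s+[0-9a-fA-F.]+\s+(\d+)\s+\S+\s+ACTIVE$")
# Row of "show ip verify source" as shown above (empty Mac-address column).
FILTER_RE = re.compile(rf"^\S+\s+ip trk\s+active\s+{IP}\s+(\d+)$")

def parse(regex, text):
    """Return the set of (ip, vlan) pairs from lines matching regex."""
    hits = (regex.match(line.strip()) for line in text.splitlines())
    return {(m.group(1), int(m.group(2))) for m in hits if m}

def audit(tracking_text, verify_text, primary, secondary):
    """Hypothetical helper: list inconsistencies between the two tables."""
    tracked = parse(TRACK_RE, tracking_text)
    filters = parse(FILTER_RE, verify_text)
    findings = []
    for ip, vlan in sorted(tracked):
        if vlan != primary:
            findings.append(f"{ip}: binding on VLAN {vlan}, expected primary {primary}")
        for want in (primary, secondary):
            if (ip, want) not in filters:
                findings.append(f"{ip}: no active IPSG filter on VLAN {want}")
    tracked_ips = {ip for ip, _ in tracked}
    for ip, vlan in sorted(filters):
        if ip not in tracked_ips:
            findings.append(f"{ip}: filter on VLAN {vlan} has no tracked binding")
    return findings

if __name__ == "__main__":
    for finding in audit(TRACKING, VERIFY, 200, 201) or ["consistent"]:
        print(finding)
```
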
         Command                                                        Purpose
-------  -------------------------------------------------------------  ----------------------------------------------------------
Step 13  Switch(config-if)# ip device tracking maximum n                Establishes a maximum limit for the bindings on this port.
Step 14  Switch(config-if)# ip verify source tracking [port-security]   Activates IPSG for static hosts on this port.
Step 15  Switch(config-if)# end                                         Exits configuration interface mode.
Step 16  Switch# show ip device tracking all                            Verifies the configuration.
Step 17  Switch# show ip verify source interface-name                   Verifies the configuration.