Leaflet

43
OL-11615-01
Step 6 Optionally, for Catalyst 6500, enable DHCP Option-82 data insertion when the DHCP clients and servers
do not reside in the same subnet or network and the switch sits between them. Use the ip dhcp
snooping information option command:
Router(config)# ip dhcp snooping information option
Step 7 Optionally, for Catalyst 4500, when used as an aggregation switch, configure the switch to accept DHCP
requests with Option-82 information from any snooping untrusted port. Use the ip dhcp snooping
information option allow-untrusted command:
Switch(config)# ip dhcp snooping information option allow-untrusted
This example shows how to enable DHCP snooping for VLANs 10 through 12 with a DHCP server on
interface FastEthernet 5/12:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip dhcp snooping
Router(config)# ip dhcp snooping vlan 10 12
Router(config)# interface FastEthernet 5/12
Router(config-if)# ip dhcp snooping trust
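Steps 6 and 7 both concern the DHCP relay agent information option (Option 82, RFC 3046): the Catalyst 6500 inserts it into client requests it forwards, and a Catalyst 4500 aggregation switch must be told explicitly to accept it on an untrusted port. The following Python is an added example, not code from the Cisco document or from Cisco IOS; it encodes and parses the Option 82 TLV with its Agent Circuit ID (1) and Agent Remote ID (2) sub-options, and models the accept/drop decision the aggregation switch makes. The circuit-id and remote-id values are constructed, and accept_client_request is a hypothetical helper name.

```python
"""Model of DHCP Option 82 (relay agent information, RFC 3046) and of the
aggregation-switch acceptance rule from Step 7. Added example, not Cisco code;
sub-option values below are constructed."""
import struct

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1   # RFC 3046 Agent Circuit ID (e.g. ingress port/VLAN)
SUBOPT_REMOTE_ID = 2    # RFC 3046 Agent Remote ID (e.g. switch MAC address)


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the TLV a snooping switch inserts before relaying a client request."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if not 0 < len(value) <= 255:
            raise ValueError("sub-option value must be 1..255 bytes")
        body += struct.pack("BB", code, len(value)) + value
    if len(body) > 255:
        raise ValueError("option 82 body exceeds 255 bytes")
    return struct.pack("BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def parse_option82(data: bytes) -> dict:
    """Parse an Option 82 TLV into {sub-option code: value}.

    Malformed or truncated input raises rather than being silently accepted,
    which is the behaviour a defender wants from a DHCP-handling device."""
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an option 82 TLV")
    length = data[1]
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated option 82")
    subopts = {}
    i = 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, sublen = body[i], body[i + 1]
        value = body[i + 2:i + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        if code in subopts:
            raise ValueError("duplicate sub-option %d" % code)
        subopts[code] = value
        i += 2 + sublen
    return subopts


def accept_client_request(trusted: bool, has_option82: bool, allow_untrusted: bool) -> bool:
    """Hypothetical model of the Step 7 rule: a client request that already
    carries Option 82 is only accepted on an untrusted port when the switch
    has been configured with 'ip dhcp snooping information option allow-untrusted'."""
    if trusted or not has_option82:
        return True
    return allow_untrusted


if __name__ == "__main__":
    # Constructed values: circuit id names a downstream port, remote id is a MAC.
    tlv = encode_option82(b"Gi1/0/1:10", b"\xaa\xbb\xcc\xdd\xee\xff")
    print(tlv.hex())
    print(parse_option82(tlv))
    print(accept_client_request(trusted=False, has_option82=True, allow_untrusted=False))
```

The parser rejects duplicate sub-options and any length field that runs past the end of the buffer, so a relayed request with an inconsistent Option 82 is refused instead of partially honoured.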
For more information on DHCP snooping on Catalyst 6500 Series switches running Cisco IOS, refer to
the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/snoodhcp.htm
For more information on DHCP snooping on Catalyst 4500 Series switches running Cisco IOS, refer to
the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31s/conf/dhcp.htm
IP Source Guard
IP Source Guard is a security feature available on Catalyst 6500 Series switches running Catalyst OS,
and on Catalyst 4500 Series switches running Cisco IOS software. IP source guard prevents IP spoofing
by allowing only the IP addresses that are obtained through DHCP snooping on a particular port.
Initially, all IP traffic on the port is blocked except for the DHCP packets that are captured by DHCP
snooping. When a client receives a valid IP address from the DHCP server, a port access control list
(PACL) is installed on the port that permits traffic from that IP address. This process restricts the
client's IP traffic to the source IP addresses obtained from the DHCP server; any IP traffic with
a source IP address other than those in the PACL's permit list is filtered out. This filtering limits the ability
of a host to attack the network by claiming a neighbor host's IP address.
IP Source Guard in Catalyst OS (Catalyst 6500)
There are some considerations that need to be taken into account before enabling IP Source Guard on
a Catalyst 6500 running Catalyst OS:
IP Source Guard requires DHCP snooping to be configured.
IP Source Guard is supported on PFC 3 and later versions.
A maximum of 10 IP addresses are allowed per port.
IP Source Guard is not recommended on trunk ports.
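The lifecycle described in the IP Source Guard section above (all IP blocked except DHCP, then a per-port permit entry for the leased address) and the 10-addresses-per-port limit from the considerations list can be shown together in a small model. The Python below is an added example, not code from the Cisco document or from Catalyst OS; the port name, MAC-less frame tuples and 10.1.1.x addresses are constructed, and SourceGuardPort and simulate are hypothetical names.

```python
"""Model of IP Source Guard on one access port. Added example, not Cisco code;
port name, addresses and frames are constructed for illustration."""
from dataclasses import dataclass, field

MAX_BINDINGS_PER_PORT = 10   # limit stated for Catalyst OS on the Catalyst 6500
DHCP_SERVER_PORT = 67        # client -> server DHCP traffic (DISCOVER/REQUEST)


@dataclass
class Frame:
    src_ip: str
    proto: str           # "udp", "tcp" or "icmp"
    dst_port: int = 0


@dataclass
class SourceGuardPort:
    """One access port with DHCP snooping and IP Source Guard enabled."""
    name: str
    bindings: set = field(default_factory=set)    # the PACL permit list
    dropped: list = field(default_factory=list)   # frames filtered out

    def learn_binding(self, ip: str) -> bool:
        """DHCP snooping saw a valid lease for this port: install a permit entry.
        Returns False when the per-port limit would be exceeded."""
        if ip in self.bindings:
            return True
        if len(self.bindings) >= MAX_BINDINGS_PER_PORT:
            return False
        self.bindings.add(ip)
        return True

    @staticmethod
    def is_dhcp_client_packet(frame: Frame) -> bool:
        return frame.proto == "udp" and frame.dst_port == DHCP_SERVER_PORT

    def filter(self, frame: Frame) -> bool:
        """True if the frame is forwarded, False if the PACL drops it."""
        if self.is_dhcp_client_packet(frame):
            return True   # DHCP always passes so the client can obtain a lease
        if frame.src_ip in self.bindings:
            return True
        self.dropped.append(frame)
        return False


def simulate() -> dict:
    """Walk one port through the sequence the text describes."""
    port = SourceGuardPort("5/1")
    results = {}
    # Port just came up, no lease yet: an ordinary IP frame is blocked...
    results["icmp_before_lease"] = port.filter(Frame("10.1.1.5", "icmp"))
    # ...but the client's DHCPDISCOVER (from 0.0.0.0 to UDP 67) is allowed.
    results["dhcp_discover"] = port.filter(Frame("0.0.0.0", "udp", DHCP_SERVER_PORT))
    # Snooping records the lease and installs the PACL permit entry.
    port.learn_binding("10.1.1.5")
    results["icmp_after_lease"] = port.filter(Frame("10.1.1.5", "icmp"))
    # A frame claiming a neighbour's address is filtered out.
    results["spoofed_neighbor"] = port.filter(Frame("10.1.1.6", "tcp", 80))
    # Catalyst OS allows at most 10 addresses per port: 9 more fill it up...
    for i in range(6, 15):
        port.learn_binding("10.1.1.%d" % i)
    # ...and the eleventh is refused.
    results["eleventh_binding"] = port.learn_binding("10.1.1.15")
    results["bindings"] = sorted(port.bindings)
    results["dropped"] = len(port.dropped)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

Running simulate() shows the two drops a defender expects to see (the pre-lease frame and the spoofed neighbour address) and the binding-table limit that makes trunk ports, which carry many hosts, a poor fit for the feature.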