OL-11615-01
IP source guard cannot coexist with PACLs.
IP source guard is not supported on EtherChannel-enabled ports, and EtherChannel is not supported on IP source guard-enabled ports.
VLAN-based ACL features, such as static ARP inspection, are disabled when you enable IP source guard.
Note We recommend that you enable high availability when using dynamic ARP inspection (DAI), DHCP snooping, and IP source guard. If high availability is not enabled, clients have to renew their IP addresses for these features to work after a switchover.
Note In Catalyst 6500 Series switches, IP Source Guard is supported on Supervisor 32 and Supervisor 720.
To enable IP Source Guard on Catalyst 6500 Series switches running Catalyst OS, perform the following steps:
Step 1 Configure the port as port based using the set port security-acl port-based command:
Console> (enable) set port security-acl mod/ports port-based
Step 2 Enable IP source guard. Use the set port dhcp-snooping source-guard enable command:
Console> (enable) set port dhcp-snooping mod/ports source-guard enable
Step 3 Enable DHCP snooping using the set security acl ip permit dhcp-snooping command:
Console> (enable) set security acl ip acl_name permit dhcp-snooping
Step 4 Allow the port to forward other traffic. Use the set security acl ip command:
Console> (enable) set security acl ip acl_name permit ip any any
Step 5 Save the ACL configuration by executing the commit security acl command:
Console> (enable) commit security acl acl_name
Step 6 Enable the ACL on the VLAN. Use the set security acl map command:
Console> (enable) set security acl map acl_name vlan_id
Step 7 Enable DHCP-snooping trust on a port, using the set port dhcp-snooping command:
Console> (enable) set port dhcp-snooping mod/ports trust enable
Note Before you can enable IP source guard, you must enable DHCP snooping on the VLAN to which the port belongs. You must configure the port as either port based or in merge mode for security ACLs. You should only enable IP source guard on DHCP-snooping untrusted ports.
This example shows how to enable IP source guard:
Console> (enable) set port security-acl 3/1 port-based
Warning:Vlan-based ACL features will be disabled on port 3/1.
ACL interface is set to port-based mode for port(s) 3/1.
Console> (enable) set port dhcp-snooping 3/1 source-guard enable
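The following is an added end-to-end example of the seven-step procedure above; it is not taken from the original page. The module/port numbers (3/1 as the untrusted client-facing access port, 3/48 as the trusted uplink toward the DHCP server), VLAN 10 and the ACL name IPSG_VLAN10 are assumed values. Because IP source guard requires DHCP snooping on the port's VLAN (see the note above), the VACL that hands DHCP to the snooping process is created, committed and mapped first; trust is then set only on the uplink, and source guard is enabled only on the untrusted access port. Lines beginning with "!" are annotations, not Catalyst OS commands, and the only device output shown is the warning the page itself documents for port-based mode.

```text
! Step 3 + Step 4: build the VACL; DHCP goes to the snooping process, everything else is permitted
Console> (enable) set security acl ip IPSG_VLAN10 permit dhcp-snooping
Console> (enable) set security acl ip IPSG_VLAN10 permit ip any any
! Step 5 + Step 6: commit the ACL and map it to VLAN 10, which enables DHCP snooping on that VLAN
Console> (enable) commit security acl IPSG_VLAN10
Console> (enable) set security acl map IPSG_VLAN10 10
! Step 7: trust only the uplink toward the DHCP server; client ports remain untrusted
Console> (enable) set port dhcp-snooping 3/48 trust enable
! Step 1: put the access port in port-based ACL mode (VLAN-based ACL features such as static ARP inspection are disabled on it)
Console> (enable) set port security-acl 3/1 port-based
Warning:Vlan-based ACL features will be disabled on port 3/1.
ACL interface is set to port-based mode for port(s) 3/1.
! Step 2: enable IP source guard on the untrusted access port only
Console> (enable) set port dhcp-snooping 3/1 source-guard enable
```

Do not enable source guard on 3/48 or any other trusted port, and do not set trust on client-facing ports: trusting a client port lets a rogue DHCP server on that port populate the snooping binding table, which is exactly the table source guard uses to decide which source IP addresses to permit.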