Leaflet

45
OL-11615-01
IP Source Guard enabled on port(s) 3/1.
Console> (enable) set port dhcp-snooping 1/2 trust enable
Port(s) 1/2 state set to trusted for DHCP Snooping.
Console> (enable) set security acl ip dhcpsnoop permit dhcp-snooping
Successfully configured DHCP Snooping for ACL dhcpsnoop. Use the 'commit' command to save changes.
Console> (enable) set security acl ip dhcpsnoop permit ip any any
dhcpsnoop editbuffer modified. Use the 'commit' command to apply changes.
Console> (enable) commit security acl dhcpsnoop
ACL commit in progress.
ACL 'dhcpsnoop' successfully committed.
Console> (enable) set security acl map dhcpsnoop 10
Mapping in progress.
ACL dhcpsnoop successfully mapped to VLAN 10.
Console>
For more information on IP Source Guard on Catalyst 6500 Series switches running Catalyst OS, refer
to the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_8_5/confg_gd/dhcp.htm
IP Source Guard in Cisco IOS (Catalyst 4500)
IP Source Guard in Catalyst 4500 Series switches running Cisco IOS allows the configuration of static
IP source bindings, providing support to systems that have fixed IP addresses and which do not use
DHCP (typically servers).
IP Source Guard in Catalyst 4500 Series switches supports Layer 2 ports only, including both access and
trunk ports. For each untrusted Layer 2 port, there are two levels of IP traffic security filtering:
Source IP address filter—IP traffic is filtered based on its source IP address. Only IP traffic with a
source IP address that matches the IP source binding entry is permitted. An IP source address filter
is changed when a new IP source entry binding is created or deleted on the port. The per-port VACL
(PVACL) will be recalculated and reapplied in the hardware to reflect the IP source binding change.
By default, if the IP filter is enabled without any IP source binding on the port, a default PVACL
that denies all IP traffic is installed on the port. Similarly, when the IP filter is disabled, any IP source
filter PVACL will be removed from the interface.
Source IP and MAC address filter—IP traffic is filtered based on its source IP address and its MAC
address; only IP traffic with source IP and MAC addresses matching the IP source binding entry are
permitted.
To enable IP Source Guard on Catalyst 4500 Series switches running Cisco IOS, perform the following
steps:
Step 1 Enable DHCP snooping globally using the ip dhcp snooping command:
Switch(config)# ip dhcp snooping
Step 2 Enable DHCP snooping on the necessary VLANs. Use the ip dhcp snooping vlan command:
Switch(config)# ip dhcp snooping vlan number [number]
Step 3 Configure the interface as trusted or untrusted using the ip dhcp snooping trust command:
Switch(config-if)# [no] ip dhcp snooping trust
Step 4 Enable IP Source Guard, source IP, and source MAC address filtering on the port. Use the ip verify
source command:
Switch(config-if)# ip verify source vlan dhcp-snooping port-security
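The following is an added Python model, not Cisco code, of the per-port filtering behaviour described above (source IP filter, source IP and MAC filter, default-deny PVACL when no binding exists, and PVACL recalculation when bindings change). Port names, addresses and bindings are constructed sample data.

```python
# Added example: model of IP Source Guard per-port filtering (not Cisco code).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:          # one entry of the IP source binding table
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass
class Port:
    name: str
    ip_filter: bool = False    # "ip verify source" configured on the port
    mac_filter: bool = False   # "... port-security": also match the source MAC
    bindings: set = field(default_factory=set)

    def recalc_pvacl(self, table):
        # The PVACL is recomputed whenever a binding on this port is added or
        # deleted; here it is simply the bindings learned or configured for it.
        self.bindings = {b for b in table if b.port == self.name}

    def permits(self, src_ip, src_mac):
        """Decide whether an IP packet entering this untrusted port is forwarded."""
        if not self.ip_filter:
            return True                 # no IP source filter PVACL installed
        if not self.bindings:
            return False                # default PVACL: deny all IP traffic
        for b in self.bindings:
            if b.ip != src_ip:
                continue
            if self.mac_filter and b.mac.lower() != src_mac.lower():
                continue
            return True
        return False

def build_bindings(dhcp_snooping, static):
    """Binding table = DHCP snooping entries plus static 'ip source binding' entries."""
    return set(dhcp_snooping) | set(static)

def demo():
    # Constructed sample data: one DHCP-learned client, one static server binding.
    table = build_bindings(
        [Binding("10.1.10.21", "00:11:22:33:44:55", 10, "Gi1/1")],
        [Binding("10.1.10.5", "aa:bb:cc:dd:ee:01", 10, "Gi1/2")],
    )
    p1 = Port("Gi1/1", ip_filter=True, mac_filter=True)   # IP + MAC filter
    p2 = Port("Gi1/2", ip_filter=True)                    # IP filter only
    p3 = Port("Gi1/3", ip_filter=True)                    # filter on, no binding
    for p in (p1, p2, p3):
        p.recalc_pvacl(table)
    return {
        "legit_host": p1.permits("10.1.10.21", "00:11:22:33:44:55"),
        "spoofed_ip": p1.permits("10.1.10.5", "00:11:22:33:44:55"),
        "spoofed_mac": p1.permits("10.1.10.21", "de:ad:be:ef:00:01"),
        "ip_only_port": p2.permits("10.1.10.5", "de:ad:be:ef:00:01"),
        "unbound_port": p3.permits("10.1.10.99", "00:00:00:00:00:01"),
    }
```

Note that the port with the IP-only filter accepts a frame whose source MAC does not match the binding, which is why the port-security keyword in Step 4 matters where MAC spoofing is a concern.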