Cisco Catalyst 4500 Series Configuration Manual page 1207

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 50
Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts
Command
Step 3  Switch(config-if)# no ip dhcp snooping trust
Step 4  Switch(config-if)# ip verify source vlan dhcp-snooping port-security
Step 5  Switch(config-if)# switchport port-security limit rate invalid-source-mac N
Step 6  Switch(config)# ip source binding mac-address Vlan vlan-id ip-address interface interface-name
Step 7  Switch(config)# end
Step 8  Switch# show ip verify source interface interface-name
If you want to stop IP source guard with static hosts on an interface, use the following commands in
interface configuration submode:
Switch(config-if)# no ip verify source
Switch(config-if)# no ip device tracking max
If the no ip device tracking command is used in interface configuration submode, it actually runs in
global configuration mode and causes IP device tracking to be disabled globally. Disabling IP device
tracking globally causes IP source guard with static hosts to deny all IP traffic on interfaces using the ip
verify source tracking [port-security] command.
Note
A static IP source binding can only be configured on a switch port. If you enter the
ip source binding vlan interface command on a Layer 3 port, you receive this error message:
Static IP source binding can only be configured on switch port
This example shows how to enable per-Layer 2 port IP source guard on VLANs 10 through 20:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10 20
Switch(config)# interface fa6/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 10
Switch(config-if)# switchport trunk allowed vlan 11-20
Switch(config-if)# no ip dhcp snooping trust
Switch(config-if)# ip verify source vlan dhcp-snooping
Switch(config)# end
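The procedure and the IP device tracking caution above can be checked against a saved configuration. The following Python audit is an added example, not part of the Cisco manual; the running-config excerpt is constructed, and it assumes that enabled IP device tracking appears as a global `ip device tracking` line.

```python
import re

# Constructed running-config excerpt (sample input, not taken from the manual).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10 20
!
interface FastEthernet6/1
 switchport mode trunk
 ip verify source vlan dhcp-snooping
!
interface FastEthernet6/2
 ip dhcp snooping trust
 ip verify source vlan dhcp-snooping port-security
!
interface FastEthernet6/3
 ip verify source tracking port-security
"""

def audit_ipsg(config):
    """Return (interface, finding) pairs for IP source guard ports that deviate."""
    lines = config.splitlines()
    # Global commands are the unindented lines that are not "!" separators.
    global_cmds = {l.strip() for l in lines if l and not l.startswith((" ", "!"))}
    ifaces, current = {}, None
    for line in lines:
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    findings = []
    for name, cmds in ifaces.items():
        ipsg = [c for c in cmds if c.startswith("ip verify source")]
        if any("dhcp-snooping" in c for c in ipsg):
            # DHCP-snooping mode needs snooping enabled and the port untrusted (Step 3).
            if "ip dhcp snooping" not in global_cmds:
                findings.append((name, "DHCP snooping not enabled globally"))
            if "ip dhcp snooping trust" in cmds:
                findings.append((name, "IPSG port is DHCP snooping trusted"))
        # Assumption: enabled tracking shows as a global "ip device tracking" line.
        if any(" tracking" in c for c in ipsg) and "ip device tracking" not in global_cmds:
            findings.append((name, "IP device tracking off: all IP traffic denied"))
    return findings
```

Calling `audit_ipsg(SAMPLE_CONFIG)` flags FastEthernet6/2 (trusted port with IP source guard) and FastEthernet6/3 (tracking-based IP source guard without global IP device tracking).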
OL-25340-01
Purpose
Step 3  Configures the interface as trusted or untrusted.
        You can use the no keyword to configure an interface
        to receive only messages from within the network.
Step 4  Enables IP source guard, source IP, and source MAC
        address filtering on the port.
Step 5  Enables security rate limiting for learned source MAC
        addresses on the port.
        Note
        This limit only applies to the port where IP
        source guard is enabled as filtering both IP and
        MAC addresses.
Step 6  Configures a static IP binding on the port.
Step 7  Exits configuration mode.
Step 8  Verifies the configuration.
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
Configuring IP Source Guard