Table of Contents
Advertisement
Syntax
ip verify source {port-security}
no ip verify source
•
port-security—Enables filtering based on IP address, VLAN, and MAC
address. When not specified, filtering is based upon IP address.
Default Configuration
By default, no sources are blocked.
Command Mode
Interface Configuration mode (physical and port channel)
User Guidelines
DHCP snooping should be enabled on any ports for which ip verify source is
configured. If ip verify source is configured on an interface for which DHCP
snooping is disabled, or for which DHCP snooping is enabled and the port is
trusted, incoming traffic on the interface is dropped.
Incoming traffic is filtered based on the source IP address and VLAN. When
the port-security keyword is configured, filtering occurs based upon source IP
address, VLAN and source MAC address.
IP source guard also interacts with the port security component. Use the
switchport port-security command in interface mode to optionally add
checking of learned MAC addresses. When port security is enabled, MAC
learning coordinates with the IP Source Guard to verify that the MAC address
is in the DHCP binding database. If it is not, port security is notified that the
frame is in violation of the security policy.
Example
console(config)#ip dhcp snooping
console(config)#ip dhcp snooping vlan 1
console(config)#interface gi1/0/1
console(config-if-Gi1/0/1)#ip verify source
Layer 2 Switching Commands
529
Advertisement
Table of Contents
