Configuring IP Source Guard Work Flow - Cisco 500 Series Administration Manual

- When a port's status changes from DHCP untrusted to DHCP trusted, the static IP address filtering entries remain in the Binding database, but they become inactive.
- Port security cannot be enabled if source IP and MAC address filtering is configured on a port.
- IP Source Guard uses TCAM resources and requires a single TCAM rule per IP Source Guard address entry. If the number of IP Source Guard entries exceeds the number of available TCAM rules, the extra addresses are inactive.

Filtering

If IP Source Guard is enabled on a port, then:
- DHCP packets allowed by DHCP Snooping are permitted.
- If source IP address filtering is enabled:
  - IPv4 traffic: Only traffic with a source IP address that is associated with the port is permitted.
  - Non-IPv4 traffic: Permitted (including ARP packets).
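The rules above can be modelled in a few lines of Python. This is an added example, not code from the Cisco guide: port names, addresses and the TCAM budget are constructed, and it assumes that rules are allocated in database order and that IPv4 traffic from an address without an active rule is not permitted.

```python
from dataclasses import dataclass

IPV4 = 0x0800  # EtherType for IPv4; ARP is 0x0806

@dataclass(frozen=True)
class Binding:
    port: str
    ip: str

def active_bindings(bindings, tcam_rules, trusted_ports):
    """Bindings that get a TCAM rule; the rest stay in the database, inactive."""
    active = set()
    for b in bindings:  # assumption: rules are allocated in database order
        if b.port in trusted_ports:
            continue    # port became DHCP trusted: entry kept but inactive
        if len(active) >= tcam_rules:
            continue    # one rule per entry, none left: entry inactive
        active.add(b)
    return active

def permit(port, ethertype, src_ip, active, guarded_ports, dhcp_allowed=False):
    """Forwarding decision for one frame under source IP address filtering."""
    if port not in guarded_ports:
        return True     # IP Source Guard not enabled on this port
    if dhcp_allowed:
        return True     # DHCP packet already allowed by DHCP Snooping
    if ethertype != IPV4:
        return True     # non-IPv4 traffic, including ARP, is permitted
    return Binding(port, src_ip) in active  # assumption: no active rule, no IPv4

# Constructed sample data (hypothetical ports and addresses)
BINDINGS = [Binding("gi1", "10.0.0.10"), Binding("gi1", "10.0.0.11"),
            Binding("gi2", "10.0.0.20"), Binding("gi3", "10.0.0.30")]
ACTIVE = active_bindings(BINDINGS, tcam_rules=2, trusted_ports={"gi3"})
GUARDED = {"gi1", "gi2"}

if __name__ == "__main__":
    for port, etype, ip in [("gi1", IPV4, "10.0.0.10"), ("gi1", IPV4, "10.0.0.99"),
                            ("gi2", IPV4, "10.0.0.20"), ("gi2", 0x0806, "10.0.0.20")]:
        print(port, hex(etype), ip, permit(port, etype, ip, ACTIVE, GUARDED))
```

The third sample frame comes from a host whose entry did not get a TCAM rule; in this model it is filtered exactly like the unbound address in the second frame.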

Configuring IP Source Guard Work Flow

To configure IP Source Guard:

STEP 1 Enable DHCP Snooping in the IP Configuration > DHCP > Properties page or in the Security > DHCP Snooping > Properties page.

STEP 2 Define the VLANs on which DHCP Snooping is enabled in the IP Configuration > DHCP > Interface Settings page.

STEP 3 Configure interfaces as trusted or untrusted in the IP Configuration > DHCP > DHCP Snooping Interface page.

STEP 4 Enable IP Source Guard in the Security > IP Source Guard > Properties page.

STEP 5 Enable IP Source Guard on the untrusted interfaces as required in the Security > IP Source Guard > Interface Settings page.

STEP 6 View entries in the Binding database in the Security > IP Source Guard > Binding Database page.

Cisco 500 Series Stackable Managed Switch Administration Guide
Security
IP Source Guard
