Configuring Ip Source Guard On Interfaces - Cisco SF500-24 Administration Manual

Configuring Security
IP Source Guard
STEP 1
STEP 2
STEP 3
STEP 4
NOTE
Cisco 500 Series Stackable Managed Switch Administration Guide

Configuring IP Source Guard on Interfaces

If IP Source Guard is enabled on an untrusted port/LAG, DHCP packets, allowed
by DHCP Snooping, are transmitted. If source IP address filtering is enabled,
packet transmission is permitted as follows:
• IPv4 traffic — Only IPv4 traffic with a source IP address that is associated
with the specific port is permitted.
• Non IPv4 traffic — All non-IPv4 traffic is permitted.
See the Interactions with Other Features
enabling IP Source Guard on interfaces.
To configure IP Source Guard on interfaces:
Click Security > IP Source Guard > Interface Settings. The Interface Settings
page is displayed.
Select port/LAG from the Filter field and click Go. The ports/LAGs on this unit are
displayed along with the following:
• IP Source Guard —Indicates whether IP Source Guard is enabled on the
port.
• DHCP Snooping Trusted Interface—Indicates whether this is a DHCP
trusted interface.
Select the port/LAG and click Edit. The Edit Interface Settings page is displayed.
Select Enable in the IP Source Guard field to enable IP Source Guard on the
interface.
Click Apply to copy the setting to the Running Configuration file.
DHCP Snooping Binding Database
IP Source Guard uses the DHCP Snooping Binding database to check packets
from untrusted ports. If the switch attempts to write too many entries to the DHCP
Snooping Binding database, the excessive entries are maintained in an inactive
status. Entries are deleted when their lease time expires and so inactive entries
may be made active.
The Binding Database page only displays the entries in the DHCP Snooping
Binding database defined on IP-Source-Guard-enabled ports.
section for more information about
18
340