Support User Manuals

Cisco Systems 4500 Switch User Manual

Open as PDF

of 1504

45-22

Software Configuration Guide—Release 15.0(2)SG

OL-23818-01

Chapter 45 Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts

Displaying IP Source Guard Information

Switch# show ip verify source interface f6/1

Interface Filter-type Filter-mode IP-address Mac-address Vlan

--------- ----------- ----------- --------------- ----------------- ----------

Fa6/1 ip-mac active 10.0.0.1 10

Fa6/1 ip-mac active deny-all 11-20

Switch#

The output shows that there is one valid DHCP binding to VLAN 10.

Configuring IP Source Guard on Private VLANs

For IP source guard to be effective on PVLAN ports, you must enable DHCP snooping on primary

VLANs. IP source guard on a primary VLAN is automatically propagated to a secondary VLAN. You

can configure static IP source binding on a secondary VLAN, but it does not work. When manually

configuring a static IP source binding on a secondary VLAN, you receive the following message:

IP source filter may not take effect on a secondary VLAN where IP source binding is

configured. If the private VLAN feature is enabled, IP source filter on the primary VLAN

will automatically propagate to all secondary VLAN.

Displaying IP Source Guard Information

You can display IP source guard PVACL information for all interfaces on a switch using the

show ip verify source command, as the following examples show:

• This example shows displayed PVACLs if DHCP snooping is enabled on VLAN 10 through 20, if

interface fa6/1 is configured for IP filtering, or if there is an existing IP address binding 10.0.01 on

VLAN 10:

Interface Filter-type Filter-mode IP-address Mac-address Vlan

--------- ----------- ----------- --------------- -------------- ---------

fa6/1 ip active 10.0.0.1 10

fa6/1 ip active deny-all 11-20

Note The second entry shows that a default PVACL (deny all IP traffic) is installed on the port for those

snooping-enabled VLANs that do not have a valid IP source binding.

• This example shows displayed PVACL for a trusted port:

Interface Filter-type Filter-mode IP-address Mac-address Vlan

--------- ----------- ----------- --------------- -------------- ---------

fa6/2 ip inactive-trust-port

• This example shows displayed PVACL for a port in a VLAN not configured for DHCP snooping:

Interface Filter-type Filter-mode IP-address Mac-address Vlan

--------- ----------- ----------- --------------- -------------- ---------

fa6/3 ip inactive-no-snooping-vlan

• This example shows displayed PVACLs for a port with multiple bindings configured for an

IP-to-MAC filtering:

Interface Filter-type Filter-mode IP-address Mac-address Vlan

--------- ----------- ----------- --------------- -------------- ---------

fa6/4 ip-mac active 10.0.0.2 aaaa.bbbb.cccc 10

fa6/4 ip-mac active 11.0.0.1 aaaa.bbbb.cccd 11

fa6/4 ip-mac active deny-all deny-all 12-20

previous next