Filter
Top Products
31-11
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 31 Configuring DHCP Snooping and IP Source Guard
Overview of IP Source Guard
Displaying the DHCP Snooping Configuration
This example shows how to display the DHCP snooping configuration for a switch.
Switch# show ip dhcp snooping
Switch DHCP snooping is enabled.
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 is enabled
Option82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
--------- ------- ----------------
FastEthernet2/1 yes 10
FastEthernet3/1 yes none
GigabitEthernet1/1 no 20
Switch#
Overview of IP Source Guard
Similar to DHCP snooping, this feature is enabled on a DHCP snooping untrusted Layer 2 port. Initially,
all IP traffic on the port is blocked except for DHCP packets that are captured by the DHCP snooping
process. When a client receives a valid IP address from the DHCP server, or when a static IP source
binding is configured by the user, a per-port and VLAN Access Control List (PVACL) is installed on the
port. This process restricts the client IP traffic to those source IP addresses configured in the binding;
any IP traffic with a source IP address other than that in the IP source binding will be filtered out. This
filtering limits a host’s ability to attack the network by claiming a neighbor host's IP address.
Note If IP Source Guard is enabled on a trunk port with a large number of VLANs that have DHCP snooping
enabled, you might run out of ACL hardware resources, and some packets might be switched in software
instead.
Note When IP Source Guard is enabled, you might want to designate an alternative scheme for ACL hardware
programming. For more information, see the “TCAM Programming and ACLs” section in the
“Configuring Network Security with ACLs” chapter.
IP Source Guard supports the Layer 2 port only, including both access and trunk. For each untrusted
Layer 2 port, there are two levels of IP traffic security filtering:
• Source IP address filter
IP traffic is filtered based on its source IP address. Only IP traffic with a source IP address that
matches the IP source binding entry is permitted.
An IP source address filter is changed when a new IP source entry binding is created or deleted on
the port. The port PVACL will be recalculated and reapplied in the hardware to reflect the IP source
binding change. By default, if the IP filter is enabled without any IP source binding on the port, a
default PVACL that denies all IP traffic is installed on the port. Similarly, when the IP filter is
disabled, any IP source filter PVACL will be removed from the interface.
• Source IP and MAC address filter
IP traffic is filtered based on its source IP address as well as its MAC address; only IP traffic with
source IP and MAC addresses matching the IP source binding entry are permitted.