Cisco Systems 3130 User Manual
21-17
Cisco Catalyst Blade Switch 3130 for Dell Software Configuration Guide
OL-13270-01
Chapter 21 Configuring DHCP Features and IP Source Guard
Configuring IP Source Guard
Source IP and MAC Address Filtering
When IP source guard is enabled with this option, IP traffic is filtered based on the source IP and MAC
addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in
the IP source binding table.
addresses. The switch forwards traffic only when the source IP and MAC addresses match an entry in
the IP source binding table.
When IP source guard with source IP and MAC address filtering is enabled, the switch filters IP and
non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding,
the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
non-IP traffic. If the source MAC address of an IP or non-IP packet matches a valid IP source binding,
the switch forwards the packet. The switch drops all other types of packets except DHCP packets.
The switch uses port security to filter source MAC addresses. The interface can shut down when a
port-security violation occurs.
port-security violation occurs.
Configuring IP Source Guard
These sections contain this configuration information:
•
•
•
Default IP Source Guard Configuration
By default, IP source guard is disabled.
IP Source Guard Configuration Guidelines
These are the configuration guides for IP source guard:
•
You can configure static IP bindings only on nonrouted ports. If you enter the ip source binding
mac-address vlan vlan-id ip-address interface interface-id global configuration command on a
routed interface, this error message appears:
mac-address vlan vlan-id ip-address interface interface-id global configuration command on a
routed interface, this error message appears:
Static IP source binding can only be configured on switch port.
•
When IP source guard with source IP filtering is enabled on an interface, DHCP snooping must be
enabled on the access VLAN to which the interface belongs.
enabled on the access VLAN to which the interface belongs.
•
If you are enabling IP source guard on a trunk interface with multiple VLANs and DHCP snooping
is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
is enabled on all the VLANs, the source IP address filter is applied on all the VLANs.
Note
If IP source guard is enabled and you enable or disable DHCP snooping on a VLAN on the
trunk interface, the switch might not properly filter traffic.
trunk interface, the switch might not properly filter traffic.
•
When IP source guard with source IP and MAC address filtering is enabled, DHCP snooping and
port security must be enabled on the interface. You must also enter the ip dhcp snooping
information option global configuration command and ensure that the DHCP server supports
option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC
address is not learned until the host is granted a lease. When forwarding packets from the server to
the host, DHCP snooping uses the option-82 data to identify the host port.
port security must be enabled on the interface. You must also enter the ip dhcp snooping
information option global configuration command and ensure that the DHCP server supports
option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC
address is not learned until the host is granted a lease. When forwarding packets from the server to
the host, DHCP snooping uses the option-82 data to identify the host port.