Enabling IP Source Guard - Cisco Catalyst 3560-X Software Configuration Manual

Chapter 1
Configuring DHCP Features and IP Source Guard

Enabling IP Source Guard

Beginning in privileged EXEC mode, follow these steps to enable and configure IP source guard on an interface.

| Step | Command | Purpose |
|---|---|---|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the interface to be configured, and enter interface configuration mode. |
| Step 3 | ip verify source [smartlog] | Enable IP source guard with source IP address filtering. (Optional) Enter smartlog to configure the switch to send the contents of dropped packets to a NetFlow collector. |

If you enable IP source guard with source IP and MAC address filtering, DHCP snooping and port security must be enabled on the interface. You must also enter the ip dhcp snooping information option global configuration command and ensure that the DHCP server supports option 82. When IP source guard is enabled with MAC address filtering, the DHCP host MAC address is not learned until the host is granted a lease. When forwarding packets from the server to the host, DHCP snooping uses option-82 data to identify the host port.

When configuring IP source guard on interfaces on which a private VLAN is configured, port security is not supported.

You can enable this feature when 802.1x port-based authentication is enabled.

If the number of ternary content addressable memory (TCAM) entries exceeds the maximum, the CPU usage increases.

When you configure IP source guard smart logging, packets with a source address other than the specified address or an address learned by DHCP are denied, and the packet contents are sent to a NetFlow collector. If you configure this feature, make sure that smart logging is globally enabled. For more information about smart logging, see the "Configuring Smart Logging" section on page 1-14.

In a switch stack, if IP source guard is configured on a stack member interface and you remove the configuration of that switch by entering the no switch stack-member-number provision global configuration command, the interface static bindings are removed from the binding table, but they are not removed from the running configuration. If you again provision the switch by entering the switch stack-member-number provision command, the binding is restored.

To remove the binding from the running configuration, you must disable IP source guard before entering the no switch provision command. The configuration is also removed if the switch reloads while the interface is removed from the binding table. For more information about provisioned switches, see Chapter 1, "Managing Switch Stacks."

OL-25303-03
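A configuration check for the prerequisites named in the guidelines above, as an added example that is not part of the Cisco guide: it reads a saved running configuration and reports interfaces where IP source guard is enabled without the smart logging, DHCP snooping, port security or option 82 settings the guidelines call for. The command spellings ip dhcp snooping, switchport port-security, ip verify source port-security and logging smartlog do not appear on this page and are assumed to be the IOS forms of the features it names; the sample configuration and interface names are constructed.

```python
# Constructed sample running-config for illustration; not taken from the manual.
SAMPLE_CONFIG = """\
ip dhcp snooping
no ip dhcp snooping information option
!
interface GigabitEthernet1/0/1
 ip verify source smartlog
!
interface GigabitEthernet1/0/2
 ip verify source port-security
!
interface GigabitEthernet1/0/3
 ip verify source
"""

def parse(config):
    """Split a running-config into a set of global lines and per-interface lines."""
    global_lines, ifaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif raw[:1].isspace() and current is not None:
            current.append(line)          # indented line belongs to the open interface
        else:
            current = None                # "!" or a global command closes the block
            global_lines.add(line)
    return global_lines, ifaces

def audit(config):
    """Return sorted (interface, finding) pairs for prerequisites the guidelines name."""
    g, ifaces = parse(config)
    findings = []
    for name, lines in ifaces.items():
        guard = next((l for l in lines if l.startswith("ip verify source")), None)
        opts = guard.split()[3:] if guard else []   # keywords after "ip verify source"
        if "smartlog" in opts and "logging smartlog" not in g:
            findings.append((name, "smart logging not globally enabled"))
        if "port-security" in opts:       # assumed keyword for source IP and MAC filtering
            if "ip dhcp snooping" not in g:
                findings.append((name, "DHCP snooping not enabled"))
            if "switchport port-security" not in lines:
                findings.append((name, "port security not enabled on interface"))
            if "no ip dhcp snooping information option" in g:
                findings.append((name, "option 82 insertion disabled"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The check does not verify that the DHCP server itself supports option 82, which the guidelines also require and which cannot be read from the switch configuration.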
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
