Chapter 33
Configuring DHCP Snooping and IP Source Guard
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Displaying IP Source Guard Information
You can display IP Source Guard PVACL information for all interfaces on a switch using the
show ip verify source command.

• This example shows the PVACLs displayed when DHCP snooping is enabled on VLANs 10 through 20,
  interface fa6/1 is configured for IP filtering, and an IP address binding for 10.0.0.1 exists
  on VLAN 10:

  Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
  ---------  -----------  -----------  ---------------  --------------  ---------
  fa6/1      ip           active       10.0.0.1                         10
  fa6/1      ip           active       deny-all                         11-20

  Note: The second entry shows that a default PVACL (deny all IP traffic) is installed on the
  port for those snooping-enabled VLANs that do not have a valid IP source binding.

• This example shows the PVACL displayed for a trusted port:

  Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
  ---------  -----------  -----------  ---------------  --------------  ---------
  fa6/2      ip           inactive-trust-port

• This example shows the PVACL displayed for a port in a VLAN not configured for DHCP snooping:

  Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
  ---------  -----------  -----------  ---------------  --------------  ---------
  fa6/3      ip           inactive-no-snooping-vlan

• This example shows the PVACLs displayed for a port with multiple bindings configured for
  IP/MAC filtering:

  Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
  ---------  -----------  -----------  ---------------  --------------  ---------
  fa6/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
  fa6/4      ip-mac       active       11.0.0.1         aaaa.bbbb.cccd  11
  fa6/4      ip-mac       active       deny-all         deny-all        12-20

• This example shows the PVACLs displayed for a port configured for IP/MAC filtering but not
  for port security:

  Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
  ---------  -----------  -----------  ---------------  --------------  ---------
  fa6/5      ip-mac       active       10.0.0.3         permit-all      10
  fa6/5      ip-mac       active       deny-all         permit-all      11-20

  Note: The MAC filter shows permit-all because port security is not enabled, so the MAC filter
  cannot apply to the port/VLAN and is effectively disabled. Always enable port security first.

• This example shows the error message displayed when you issue the show ip verify source
  command on a port that does not have an IP source filter mode configured:

  IP Source Guard is not configured on the interface fa6/6.
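The following Python is an added example, not code from the guide: it parses show ip verify source output and lists the ports where source filtering is not fully in effect (an inactive filter mode, a permit-all MAC filter, or no IP Source Guard configuration). The single-listing column layout, the function names parse and audit, and the sample text are assumptions, constructed from the examples in this section.

```python
import re

# Constructed sample: rows taken from this section's examples, joined into one
# listing (assumed column layout), followed by the "not configured" message.
SAMPLE = """\
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan
---------  -----------  -----------  ---------------  --------------  ---------
fa6/1      ip           active       10.0.0.1                         10
fa6/1      ip           active       deny-all                         11-20
fa6/2      ip           inactive-trust-port
fa6/3      ip           inactive-no-snooping-vlan
fa6/4      ip-mac       active       10.0.0.2         aaaa.bbbb.cccc  10
fa6/4      ip-mac       active       deny-all         deny-all        12-20
fa6/5      ip-mac       active       10.0.0.3         permit-all      10
fa6/5      ip-mac       active       deny-all         permit-all      11-20
IP Source Guard is not configured on the interface fa6/6.
"""

NOT_CONFIGURED = re.compile(r"IP Source Guard is not configured on the interface (\S+?)\.?$")

def parse(text):
    """Return one dict per entry; the Mac-address column is blank for filter-type ip."""
    rows = []
    for line in text.splitlines():
        m = NOT_CONFIGURED.match(line.strip())
        tok = line.split()
        if m:  # the error message becomes a row with a synthetic filter mode
            tok = [m.group(1), None, "not-configured"]
        elif len(tok) < 3 or tok[0] == "Interface" or tok[0].startswith("-"):
            continue  # blank line, header or dashed rule
        rest = tok[3:]  # [ip, vlan] or [ip, mac, vlan]; empty when the filter is inactive
        rows.append({"interface": tok[0], "ftype": tok[1], "mode": tok[2],
                     "ip": rest[0] if rest else None,
                     "mac": rest[1] if len(rest) == 3 else None,
                     "vlan": rest[-1] if rest else None})
    return rows

def audit(rows):
    """List (interface, reason) pairs to review; inactive-trust-port is normal on uplinks."""
    findings = []
    for r in rows:
        if r["mode"] != "active":
            findings.append((r["interface"], r["mode"]))
        elif r["ftype"] == "ip-mac" and r["mac"] == "permit-all":
            findings.append((r["interface"], f"mac permit-all on vlan {r['vlan']}"))
    return findings

if __name__ == "__main__":
    print(*(f"{port}: {why}" for port, why in audit(parse(SAMPLE))), sep="\n")
```

A permit-all finding corresponds to the port-security note above: the MAC half of the IP/MAC filter is not being enforced on that port.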