The following section describes a simple configuration example to configure IP Source Guard (IPSG) on a port.
When you enable IPSG on a port, filters are installed for the IPv4 or IPv6 addresses that are already learned on that port.
Enable DHCP Snooping globally on the switch and verify the configuration.
enable
configure terminal
ip dhcp-snooping enable
show ip dhcp-snooping
Enable DHCP Snooping and Dynamic ARP Inspection on the VLAN that the port is a member of.
enable
configure terminal
interface vlan <1–4059>
ip dhcp-snooping enable
show ip dhcp-snooping vlan <1-4059>
ip arp-inspection enable
show ip arp-inspection vlan <1-4059>
show ip dhcp-snooping interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
show ip arp-inspection interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
Configure IPSG on a port and verify the configuration.
Enable and verify IPSG on a port for IPv4 addresses:
ip source verify enable
show ip source verify interface gigabitethernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
Enable and verify IPSG on a port for IPv6 addresses:
ipv6 source-guard enable
ipv6 source-guard [max-allowed-addr <2-10>]
Note
The default value is 4. To reset the value to default, IPSG must first be disabled on the interface.
show ipv6 source-guard interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]
The following example describes how to enable IPSG on port 1/5 which is a member of VLAN 10, for IPv4 or IPv6 addresses.
Switch:1>en Switch:1#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
Enable DHCP Snooping globally and verify the configuration.
Switch:1(config)#ip dhcp-snooping enable Switch:1(config)#show ip dhcp-snooping ================================================================================= Dhcp Snooping General Info ================================================================================= Dhcp Snooping : Enabled ---------------------------------------------------------------------------------Enable DHCP Snooping and Dynamic ARP Inspection on a VLAN that the port is a member of VLAN 10.
Switch:1(config)#interface vlan 10 Switch:1(config-if)#show ip dhcp-snooping vlan 10 ================================================================================== Dhcp Snooping Vlan Info ================================================================================== VLAN VRF ID NAME ENABLE ORIGIN ---------------------------------------------------------------------------------- 10 GlobalRouter true RADIUS ---------------------------------------------------------------------------------- All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#ip arp-inspection enable Switch:1(config-if)#show ip arp-inspection vlan 10 ================================================================================== Arp Inspection Vlan Info ================================================================================== VLAN VRF ID NAME ENABLE ORIGIN ---------------------------------------------------------------------------------- 10 GlobalRouter true CONFIG ---------------------------------------------------------------------------------- All 1 out of 1 Total Num of Arp Inspection entries displayed
Verify that the port is DHCP Snooping and Dynamic ARP Inspection untrusted.
Switch:1(config-if)#show ip dhcp-snooping interface gigabitEthernet 1/5 ================================================================================ Dhcp Snooping Interface Info ================================================================================ PORT PORT TRUNK NUM CLASS ID -------------------------------------------------------------------------------- 1/5 UNTRUSTED none -------------------------------------------------------------------------------- All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#show ip arp-inspection interface gigabitEthernet 1/5 =================================================================================== Arp Inspection Port Info =================================================================================== PORT PORT TRUNK NUM CLASS ID ----------------------------------------------------------------------------------- 1/5 UNTRUSTED none ----------------------------------------------------------------------------------- All 1 out of 1 Total Num of Arp Inspection entries displayed
Enable IPSG on port 1/5 for IPv4 addresses, and verify the configuration. This port is a member of VLAN 10.
Switch:1(config-if)#ip source verify enable Switch:1(config-if)#show ip source verify interface gigabitethernet 1/5 =================================================================================== Source Guard Port Info =================================================================================== PORT IPSC NUM ENABLE ORIGIN ----------------------------------------------------------------------------------- 1/5 true RADIUS ----------------------------------------------------------------------------------- All 1 out of 1 Total Num of Ip Source Guard entries displayed
Enable IPSG on port 1/1 for IPv6 addresses, and verify the configuration. This port is a member of VLAN 10.
Switch:1(config-if)#ipv6 source-guard enable Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10 Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 1/1 Slot/Port Source Guard Number of IPv6 Address Mode address allowed overflow count ========================================================== 1/1 Enabled 10 0