Configure IP Source Guard

The following section describes a simple configuration example to configure IP Source Guard (IPSG) on a port.

When you enable IPSG on a port, filters are installed for the IPv4 or IPv6 addresses that are already learned on that port.

Procedure

Enable DHCP Snooping globally on the switch and verify the configuration.

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Enable DHCP Snooping globally.

    ip dhcp-snooping enable

  3. Verify the configuration.

    show ip dhcp-snooping

Enable DHCP Snooping and Dynamic ARP Inspection on the VLAN that the port is a member of.

  1. Enter VLAN Interface Configuration mode:

    enable

    configure terminal

    interface vlan <1–4059>

  2. Enable DHCP Snooping on the VLAN.

    ip dhcp-snooping enable

  3. Verify the configuration.

    show ip dhcp-snooping vlan <1-4059>

  4. Enable Dynamic ARP Inspection on the VLAN.

    ip arp-inspection enable

  5. Verify the configuration.

    show ip arp-inspection vlan <1-4059>

  6. Verify that the port on which you want to configure IPSG is a DHCP Snooping and a Dynamic ARP Inspection untrusted port.

    show ip dhcp-snooping interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

    show ip arp-inspection interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Configure IPSG on a port and verify the configuration.

  1. Perform one of the following steps to configure IPSG on a port, for IPv4 or IPv6 addresses.
    • Enable and verify IPSG on a port for IPv4 addresses:

      1. ip source verify enable

      2. show ip source verify interface gigabitethernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

    • Enable and verify IPSG on a port for IPv6 addresses:

      1. ipv6 source-guard enable

      2. ipv6 source-guard [max-allowed-addr <2-10>]

        Note

        Note

        The default value is 4. To reset the value to default, IPSG must first be disabled on the interface.

      3. show ipv6 source-guard interface gigabitEthernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Examples

The following example describes how to enable IPSG on port 1/5 which is a member of VLAN 10, for IPv4 or IPv6 addresses.

Switch:1>en
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Enable DHCP Snooping globally and verify the configuration.

Switch:1(config)#ip dhcp-snooping enable 
Switch:1(config)#show ip dhcp-snooping

=================================================================================
                           Dhcp Snooping General Info
=================================================================================
        Dhcp Snooping                  : Enabled

---------------------------------------------------------------------------------
Enable DHCP Snooping and Dynamic ARP Inspection on a VLAN that the port is a member of VLAN 10.
Switch:1(config)#interface vlan 10
Switch:1(config-if)#show ip dhcp-snooping vlan 10

==================================================================================
                            Dhcp Snooping Vlan Info
==================================================================================
VLAN       VRF
ID         NAME            ENABLE        ORIGIN
----------------------------------------------------------------------------------
10         GlobalRouter    true          RADIUS
----------------------------------------------------------------------------------

All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#ip arp-inspection enable
Switch:1(config-if)#show ip arp-inspection vlan 10

==================================================================================
                            Arp Inspection Vlan Info
==================================================================================
VLAN       VRF
ID         NAME            ENABLE          ORIGIN
----------------------------------------------------------------------------------
10         GlobalRouter    true            CONFIG
----------------------------------------------------------------------------------

All 1 out of 1 Total Num of Arp Inspection entries displayed

Verify that the port is DHCP Snooping and Dynamic ARP Inspection untrusted.

Switch:1(config-if)#show ip dhcp-snooping interface gigabitEthernet 1/5

================================================================================
                          Dhcp Snooping Interface Info
================================================================================
PORT       PORT            TRUNK
NUM        CLASS           ID
--------------------------------------------------------------------------------
1/5        UNTRUSTED       none
--------------------------------------------------------------------------------
All 1 out of 1 Total Num of Dhcp Snooping entries displayed
Switch:1(config-if)#show ip arp-inspection interface gigabitEthernet 1/5

===================================================================================
                            Arp Inspection Port Info
===================================================================================
PORT       PORT            TRUNK
NUM        CLASS           ID
-----------------------------------------------------------------------------------
1/5        UNTRUSTED       none
-----------------------------------------------------------------------------------

All 1 out of 1 Total Num of Arp Inspection entries displayed

Enable IPSG on port 1/5 for IPv4 addresses, and verify the configuration. This port is a member of VLAN 10.

Switch:1(config-if)#ip source verify enable
Switch:1(config-if)#show ip source verify interface gigabitethernet 1/5

===================================================================================
                             Source Guard Port Info
===================================================================================
PORT                       IPSC
NUM        ENABLE          ORIGIN
-----------------------------------------------------------------------------------
1/5        true            RADIUS
-----------------------------------------------------------------------------------

All 1 out of 1 Total Num of Ip Source Guard entries displayed

Enable IPSG on port 1/1 for IPv6 addresses, and verify the configuration. This port is a member of VLAN 10.

Switch:1(config-if)#ipv6 source-guard enable
Switch:1(config-if)#ipv6 source-guard max-allowed-addr 10

Switch:1(config-if)#show ipv6 source-guard interface gigabitEthernet 1/1
Slot/Port  Source Guard  Number of  IPv6  Address
             Mode        address allowed  overflow count
==========================================================
1/1          Enabled           10          0