Enable IP Source Guard on a Port for IPv4 Addresses
Before you begin
Ensure that all of the following conditions are satisfied before you enable IPSG on a port. Otherwise, the system displays error messages.
- DHCP Snooping is enabled globally.
- The port is a member of a VLAN that is configured with both DHCP Snooping and Dynamic ARP Inspection.
- The port is an untrusted port enabled with both DHCP Snooping and Dynamic ARP Inspection.
- The port has enough resources allocated to support the maximum number of 10 IP addresses allowed for IPSG.
About this task
Enable IP Source Guard (IPSG) on a port to add a higher level of security to the port by preventing IP spoofing. When you enable IPSG on the interface, filters are automatically installed for the IPv4 addresses that are already learned on that interface.
Important
Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private VLANs.
Procedure
Example
Configure IPSG on port 1/1.
```
Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 1/1
Switch:1(config-if)#ip source verify enable
```
Verify the configuration.
```
Switch:1(config-if)#show ip source verify interface gigabitEthernet 1/1
===================================================================================
                              Source Guard Port Info
===================================================================================
PORT     IPSC
NUM      ENABLE     ORIGIN
-----------------------------------------------------------------------------------
1/1      true       RADIUS
-----------------------------------------------------------------------------------
All 1 out of 1 Total Num of Ip Source Guard entries displayed
```
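The verification step can be automated when many access ports must be checked. The following Python script is an added example, not part of the original documentation or the vendor's tooling: it parses captured `show ip source verify` output and reports expected ports where IPSG is missing or disabled. The sample text, the second port row, the `false` value, and the function names are assumptions for illustration.

```python
import re

# Constructed sample modelled on the verification output above; the 1/2 row,
# the "false" value and the column spacing are assumptions for illustration.
SAMPLE_OUTPUT = """\
====================================================================
                      Source Guard Port Info
====================================================================
PORT     IPSC
NUM      ENABLE     ORIGIN
--------------------------------------------------------------------
1/1      true       RADIUS
1/2      false      RADIUS
--------------------------------------------------------------------
All 2 out of 2 Total Num of Ip Source Guard entries displayed
"""

ROW = re.compile(r"^\s*(\d+/\d+(?:/\d+)?)\s+(true|false)\s+(\S+)\s*$", re.M)
TOTAL = re.compile(r"All\s+(\d+)\s+out of\s+(\d+)\s+Total Num of Ip Source Guard entries")

def parse_source_guard(text):
    """Return {port: {"enabled": bool, "origin": str}} from the show output."""
    ports = {m.group(1): {"enabled": m.group(2) == "true", "origin": m.group(3)}
             for m in ROW.finditer(text)}
    total = TOTAL.search(text)
    if total is None:
        raise ValueError("footer missing: output looks truncated")
    if int(total.group(1)) != len(ports):
        raise ValueError(f"footer reports {total.group(1)} entries, parsed {len(ports)}")
    return ports

def audit(text, expected_ports):
    """List expected untrusted access ports where IPSG is absent or disabled."""
    ports = parse_source_guard(text)
    findings = []
    for port in expected_ports:
        entry = ports.get(port)
        if entry is None:
            findings.append((port, "no IPSG entry"))
        elif not entry["enabled"]:
            findings.append((port, "IPSG disabled"))
    return findings

if __name__ == "__main__":
    for port, problem in audit(SAMPLE_OUTPUT, ["1/1", "1/2", "1/3"]):
        print(f"{port}: {problem}")
```

The footer count check rejects truncated captures, so a partial paste cannot be read as a clean result.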
Variable Definitions
The following table defines parameters for the ip source verify command.
| Variable | Value |
|---|---|
| enable | Enables IP Source Guard on the port. |