Enable IP Source Guard on a Port for IPv4 Addresses

About this task

Enable IP Source Guard (IPSG) on a port to add a higher level of security to the port by preventing IP spoofing. When you enable IPSG on the interface, filters are automatically installed for the IPv4 addresses that are already learned on that interface.

Important

Important

Do not enable IPSG on MLT, DMLT, SMLT, LAG, trunk ports or ports that are a part of private VLANs.

Before you begin

Ensure that the following conditions are all satisfied, before you enable IPSG on a port. Otherwise, the system displays error messages.

  • DHCP Snooping is enabled globally.

  • The port is a member of a VLAN that is configured with both DHCP Snooping and Dynamic ARP Inspection.

  • The port is an untrusted port enabled with both DHCP Snooping and Dynamic ARP Inspection.

  • The port has enough resources allocated, to support the maximum number of 10 IP addresses allowed for IPSG.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Enable IPSG on the port:

    ip source verify enable

  3. Verify IPSG configuration:

    show ip source verify interface gigabitethernet [{slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}]

Example

Configure IPSG on port 4/1.

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#interface gigabitEthernet 4/1
Switch:1(config-if)#ip source verify enable 

Verify the configuration.

Switch:1(config-if)#show ip source verify interface gigabitEthernet

===================================================================================
                             Source Guard Port Info
===================================================================================
PORT
NUM        ENABLE
-----------------------------------------------------------------------------------
1/1        false
1/2        false
4/1        true
4/2        false
4/3        false
4/4        false
4/5        false
4/6        false
-----------------------------------------------------------------------------------

All 8 out of 8 Total Num of Ip Source Guard entries displayed
Switch:1(config-if)#show ip source verify interface gigabitEthernet 4/1

===================================================================================
                             Source Guard Port Info
===================================================================================
PORT
NUM        ENABLE
-----------------------------------------------------------------------------------
4/1        true
-----------------------------------------------------------------------------------

All 1 out of 1 Total Num of Ip Source Guard entries displayed

Variable Definitions

The following table defines parameters for the ip source verify command.

Variable

Value

enable

Enables IP Source Guard on the port.